
Revenue maximizing markets for zero-day exploits

Journal: Autonomous Agents and Multi-Agent Systems

Abstract

Markets for zero-day exploits (software vulnerabilities unknown to the software vendor) have a long history and growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploit markets. In our model, one exploit is sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). We study the problem of selling one zero-day exploit to multiple defenders and offenders. Our model has a few unique features that distinguish it from single-item auctions. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities: if any defender wins, the exploit becomes worthless to the offenders. Third, if the auctioneer discloses the details of the exploit to the buyers before the auction, they may leave with the information without paying; on the other hand, if the auctioneer does not disclose enough details, the buyers cannot determine how valuable the exploit is. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders at the beginning of the auction, and the defenders receive the same information after a delay. The offenders bid to prolong the delay and the defenders bid to shorten it. We derive the optimal mechanism for single-parameter valuations. For general valuations, we propose three numerical solution techniques: one based on iterative linear programming, the other two on neural networks and evolutionary computation.


Figures 1–6 belong to the full article and are not reproduced in this extract.

Notes

  1. Examples of such companies include ZeroDium and Vupen [8].

  2. Both mean the same thing – this offender does not get to use the exploit.

  3. They may come up with expected valuation functions by estimating how likely it is that the exploit is new, but this may lead to regret after the auction.

  4. The extra constant term in the integration result equals 0, because whenever an agent’s type equals 0, her payment must be 0.

  5. [10] summarized the computationally feasible automated mechanism design approach, which transforms mechanism design into optimization within parameterized mechanism families.

  6. The authors also proposed a restricted version of AMA called the VVCA mechanisms. A VVCA mechanism is characterized by only 2n parameters, which makes it much easier to optimize over. However, because the VVCA family is only a tiny subset of the whole AMA family, focusing on it alone loses revenue.

  7. We have to emphasize that this is not an uncommon constraint when it comes to automated mechanism design.

  8. For an overview of automatic differentiation in PyTorch, please refer to [16].

  9. For two agents, besides the curve a(t), we also have another model parameter \(u_{defender}\), which is a single parameter that can be dealt with separately (using a naive for loop).

  10. In Fig. 5, the presented data points for the batch data revenue are the average revenue for every 100 batches.
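Notes 4 and 9 above rely on the standard single-parameter result from Myerson [15]: once a mechanism commits to a monotone allocation curve, the truthful payment is fixed by that curve alone, and the integration constant is zero because a type-0 agent pays nothing. The following is an added example, not code from the paper, and the delay curve, the type range and the non-monotone counter-example are constructed assumptions rather than the paper's derived optimal curve. It treats one offender whose private type v is her per-unit value of disclosure delay, computes the payment from the allocation, and checks numerically that truthful bidding is a best response for a monotone curve and fails for a non-monotone one.

```python
# Added example (not from the paper): Myerson's payment identity for one
# single-parameter bidder.  Assumed setting: an offender with private type
# v in [0, 1] values each unit of disclosure delay at v.  A bid b buys a
# delay of a(b) time units.  Truthful payment (Myerson 1981):
#     p(b) = b * a(b) - integral_0^b a(s) ds
# The constant of integration is 0 because a type-0 agent must pay 0.
from typing import Callable

Curve = Callable[[float], float]


def delay_curve(b: float) -> float:
    # Constructed monotone curve: no delay below a reserve bid of 0.2,
    # then delay grows with the bid and is capped at 1.0 time unit.
    if b < 0.2:
        return 0.0
    return min(1.0, 2.0 * (b - 0.2))


def non_monotone_curve(b: float) -> float:
    # Constructed counter-example: delay granted only for mid-range bids.
    return 1.0 if 0.3 <= b <= 0.5 else 0.0


def integrate(f: Curve, lo: float, hi: float, n: int = 1000) -> float:
    # Composite midpoint rule; exact on linear pieces, tiny error at kinks.
    if hi <= lo:
        return 0.0
    h = (hi - lo) / n
    return sum(f(lo + (i + 0.5) * h) for i in range(n)) * h


def myerson_payment(a: Curve, b: float) -> float:
    # Payment implied by the allocation curve alone.
    return b * a(b) - integrate(a, 0.0, b)


def utility(a: Curve, v: float, b: float) -> float:
    # Quasi-linear utility of a type-v agent who reports b.
    return v * a(b) - myerson_payment(a, b)


def truthful_everywhere(a: Curve, grid_n: int = 40, eps: float = 1e-5) -> bool:
    # Incentive compatibility check on a grid: no type v gains more than eps
    # by misreporting any grid bid b.  Note that bids on a flat part of the
    # curve tie with the truthful bid, so we compare utilities, not bids.
    for i in range(grid_n + 1):
        v = i / grid_n
        u_true = utility(a, v, v)
        for j in range(grid_n + 1):
            if utility(a, v, j / grid_n) > u_true + eps:
                return False
    return True


if __name__ == "__main__":
    print("payment at type 0.5:", round(myerson_payment(delay_curve, 0.5), 4))
    print("payment at type 0.0:", myerson_payment(delay_curve, 0.0))
    print("monotone curve truthful:", truthful_everywhere(delay_curve))
    print("non-monotone curve truthful:", truthful_everywhere(non_monotone_curve))
```

With the constructed curve the payment for a bid in the sloped region is b² − 0.04 (so 0.21 at b = 0.5) and stays constant once the delay is capped, which is why bidding above the cap buys nothing. For the non-monotone curve the identity produces a negative payment for high types, and a type-0.6 agent strictly prefers to bid 0.4; this is the monotonicity requirement behind restricting attention to monotone allocation curves in the single-parameter case.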

References

  1. Algarni, A., & Malaiya, Y. (2014). Software vulnerability markets: Discoverers and buyers. International Journal of Computer, Information Science and Engineering, 8(3), 482–484.


  2. Bilge, L., & Dumitras, T. (2012). Before we knew it: An empirical study of zero-day attacks in the real world. In Proc. of 2012 ACM Conf. on Computer and Communications Security, ACM, New York, NY, USA, CCS ’12 (pp. 833–844). https://doi.org/10.1145/2382196.2382284.

  3. Brams, S. J., Jones, M. A., & Klamler, C. (2007). Better ways to cut a cake - revisited. In Brams, S., Pruhs, K., Woeginger, G. (Eds) Fair Division, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany, Dagstuhl, Germany, no. 07261 in Dagstuhl Seminar Proceedings.

  4. Chen, Y., Lai, J. K., Parkes, D. C., & Procaccia, A. D. (2013). Truth, justice, and cake cutting. Games and Economic Behavior, 77(1), 284–297. https://doi.org/10.1016/j.geb.2012.10.009.


  5. Duetting, P., Feng, Z., Narasimhan, H., Parkes, D., & Ravindranath, S. S. (2019). Optimal auctions through deep learning. In Chaudhuri, K., Salakhutdinov, R. (Eds) Proceedings of the 36th International Conference on Machine Learning, PMLR, Long Beach, California, USA, Proceedings of Machine Learning Research (Vol. 97, pp. 1706–1715).

  6. Egelman, S., Herley, C., & van Oorschot, P. C. (2013). Markets for zero-day exploits: Ethics and implications. In Proceedings of the 2013 New Security Paradigms Workshop, Association for Computing Machinery, New York, NY, USA, NSPW ’13 (pp. 41–46). https://doi.org/10.1145/2535813.2535818.

  7. Emek, Y., Feldman, M., Gamzu, I., Paes Leme, R., & Tennenholtz, M. (2014). Signaling schemes for revenue maximization. ACM Transactions on Economics and Computation. https://doi.org/10.1145/2594564.

  8. Fisher, D. (2015). Vupen founder launches new zero-day acquisition firm zerodium. July 24, 2015 online: https://threatpost.com/vupen-launches-new-zero-day-acquisition-firm-zerodium/113933/.

  9. Greenberg, A. (2012). Shopping for zero-days: A price list for hackers’ secret software exploits. March 23, 2012 online: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/.

  10. Guo, M., & Conitzer, V. (2010). Computationally feasible automated mechanism design: General approach and case studies. In Fox, M., Poole, D. (Eds) Proceedings of the Twenty-Fourth AAAI Conference on Artificial Intelligence, AAAI 2010, Atlanta, Georgia, USA, July 11-15, 2010, AAAI Press. http://www.aaai.org/ocs/index.php/AAAI/AAAI10/paper/view/1868

  11. Guo, M., & Deligkas, A. (2013). Revenue maximization via hiding item attributes. In: Rossi, F. (Ed) IJCAI 2013, Proceedings of the 23rd International Joint Conference on Artificial Intelligence, Beijing, China, August 3-9, 2013, IJCAI/AAAI (pp. 157–163). http://www.aaai.org/ocs/index.php/IJCAI/IJCAI13/paper/view/6909.

  12. Guo, M., Deligkas, A., & Savani, R. (2014). Increasing VCG revenue by decreasing the quality of items. In Brodley, C. E., Stone, P. (Eds) Proceedings of the Twenty-Eighth AAAI Conference on Artificial Intelligence, July 27 -31, 2014, Québec City, Québec, Canada (pp. 705–711). AAAI Press., http://www.aaai.org/ocs/index.php/AAAI/AAAI14/paper/view/8186

  13. Lavi, R., Mu’alem, A., & Nisan, N. (2003). Towards a characterization of truthful combinatorial auctions. In 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings (pp. 574–583).

  14. Manisha, P., Jawahar, C. V., & Gujar, S. (2018). Learning optimal redistribution mechanisms through neural networks. In: André, E., Koenig, S., Dastani, M., Sukthankar, G. (Eds) Proceedings of the 17th International Conference on Autonomous Agents and MultiAgent Systems, AAMAS 2018, Stockholm, Sweden, July 10-15, 2018, International Foundation for Autonomous Agents and Multiagent Systems Richland, SC, USA / ACM (pp. 345–353).

  15. Myerson, R. B. (1981). Optimal auction design. Mathematics of Operations Research, 6(1), 58–73.


  16. Paszke, A., Gross, S., Chintala, S., Chanan, G., Yang, E., DeVito, Z., Lin, Z., Desmaison, A., Antiga, L., & Lerer, A. (2017). Automatic differentiation in PyTorch. In NIPS Autodiff Workshop.

  17. The Chromium Projects (2015). Severity guidelines for security issues. Retrieved September 15, 2015 online: https://www.chromium.org/developers/severity-guidelines.

  18. Sandholm, T., & Likhodedov, A. (2015). Automated design of revenue-maximizing combinatorial auctions. Operations Research, 63(5), 1000–1025.


  19. Shen, W., Tang, P., & Zuo, S. (2019). Automated mechanism design via neural networks. In Proceedings of the 18th International Conference on Autonomous Agents and MultiAgent Systems, International Foundation for Autonomous Agents and Multiagent Systems, Richland, SC, AAMAS ’19 (pp. 215–223).

  20. Wang, G., Guo, R., Sakurai, Y., Babar, A., & Guo, M. (2020). Mechanism design for public projects via neural networks. arXiv:2002.11382

Acknowledgments

The work was supported by the Cyber Security Cooperative Research Centre whose activities are partially funded by the Australian Government’s Cooperative Research Centres Programme.

Corresponding author: Mingyu Guo.


Cite this article

Guo, M., Wang, G., Hata, H. et al. Revenue maximizing markets for zero-day exploits. Auton Agent Multi-Agent Syst 35, 36 (2021). https://doi.org/10.1007/s10458-021-09522-w


  • DOI: https://doi.org/10.1007/s10458-021-09522-w
