A Metric to Assess Cyberattacks

Many individuals are now confused about what measures they can or should take in order to protect their information. We can give a model—in a very limited circumstance—where that level of protection can be determined very precisely. It should be noted that the research developed in this chapter has had the invaluable assistance of one of the leading cybersecurity researchers in Africa, Professor Michael Ekonde Sone of the University of Buea in Cameroon (Sone & Patterson, 2017).

Defining a Cybersecurity Metric

One of the main problems in trying to develop a definitive metric to describe a cybersecurity scenario that takes into account human decision-making is the difficulty in trying to measure the cost to either an attacker or defender of a specific approach to a cybersecurity event.

We can, however, describe one situation in which it is possible to describe very precisely the cost of engaging in a cybersecurity attack or defense. This example is somewhat unique in terms of the precision or cost/benefit.

The case in point will be the use of the RSA public key cryptosystem.

The Attacker/Defender Scenario

In terms of the overall approach to the problem, it is necessary to define a metric useful to both parties in a cyberattack environment, whom we will call the attacker and the defender. An attacker may be an individual, an automated “bot,” or a team of intruders.

The classic challenge we will investigate will be formulated in this way: The attacker is capable of intercepting various communications from the defender to some other party, but the intercepted message is of little use because it has been encrypted.

With any such encrypted communication, which we also call ciphertext, we can define the cost of an attack (to the attacker) in many forms. Assuming the attack takes place in an electronic environment, then the cost to decipher the communication will involve required use of CPU time to decipher, or the amount of memory storage for the decryption, or the attacker’s human time in carrying out the attack. Each of these costs can essentially be exchanged for one of the others. Let us assume that we will standardize the cost of an attack or defense by the computer time necessary for the attack.


Rivest–Shamir–Adleman: An Interesting Example

There is one example where, despite many efforts over the past 40years, it is possible to determine precisely the cost to an attacker to break a given encryption. This is the encryption method known as the RS A (see Chapter 13.9).

The ingenuity in the definition of the RSA is that a very simple algebraic process can lead to the only known method of breaking the encryption through the factoring of a number n that is the product of two primes, p and q. It is also the case that there is a wide latitude in choosing a number n that may have any number of decimal digits. For numbers n that will provide sufficient security, we will allow n to have between 70 and 200 decimal digits, i.e„ 1070200.

Fortunately for this discussion, the RSA cryptosystem is highly scalable in that it can begin with an arbitrary number of digits for the choice of primes p and q (although p and q should be roughly of the same size). Consequently, the designer of a crypto defense can choose these parameters and therefore parameterize the cost to a potential attacker based on the number of digits of p and q. Furthermore, because the n = pq is known to all as part of the algorithm, the attacker also can determine the costs in launching an attack based on factoring the number n.

Fortunately, there is a great deal of literature on the cost of factoring such a number (Pomerance, 1996). To date, the best known factoring algorithms are of:

  • ( ((64b/9)l/3(logb)2'3)
  • (15.1)
  • O e' ' where b is the number of bits of n expressed as a binary.

Let us consider the range of values for the public key, n, that can be productively used in an attack/defense scenario. First, since p and q, the only prime factors of n, should be approximately the same size, say M decimal digits, then logK)n~2M decimal digits. So we can choose n so that logl()n can be any even integer.

Furthermore, in the complexity of the best known factoring i(64b/9)l/3(logt>)2'3) method, the actual time will be some constant times e where b is the number of bits of n expressed as a binary.

The constant will be determined by external factors unique to the factoring attempt, such as multithreaded computing, speed of the processor, and so on. Nevertheless, relatively speaking, the overall cost of the factoring attempt will not vary greatly.

If we compute the predicted run times over a large range, using all n values from 1070<n< IO350, we can predict within a constant the cost of an attack for any value of n in the range.

For large values of log10 n, it is more descriptive of the attacker’s cost when using a log plot. For example, a few values calculated are as follows: If the log10n is, respectively, 70, 100, 130, or 200 decimal digits, the time to factor an integer of those magnitudes are 3373 seconds, 439.4 hours, 10.4years, or approximately 247,000years, respectively.

For a strong defense, the size of n will certainly need to be greater than 70. However, the function

  • ( (<64b/9)1/3(logb)2/’)A
  • O e' '

grows in faster than polynomial time. So the runtime to factor n will be given by the following best fit linear function: y = (3.01720 x 1012) x -2.26540 x 1015, with a positive correlation coefficient of 0.95. So this linear fit will give a good (enough) first approximation to the time to factor for any n in a sufficiently large range.

Attack/Defense Scenarios

Unfortunately, this example so far is almost unique in trying to establish a reliable metric in terms of potential attacks or defenses in the cybersecurity environment. The reason for this is that with many other security measures, there is not the same reliability on a specific nature of the attack that might be attempted, and thus the measures cannot be so reliably determined.

The simplicity of RSA encryption lends itself to the type of analysis described earlier and the type of metric that can be assigned to it because of a number of characteristics of the RSA. First, RSA is virtually completely scalable, so that a defender establishing an RSA system, as long it is done properly, can make the choice of almost any size integer n as the base of the public information. Second, the choice of n can be taken based on the computational cost of trying to factor that number n, a cost that is very well known and quite stable in terms of research on factoring. Next, despite approximately 40 years of effort in trying to find other ways of breaking RSA, factoring the number n remains the only known way of breaking the cryptosystem.

Thus, the example described in this chapter hopefully provides a methodology for establishing the strategy for a successful defense strategy based on the precision of the metric that has been designed in this chapter.

In essence, then, the use of RSA, under the control of the defender, can determine precisely the cost to an attacker of trying to break the encryption, and so it implies that the defender can thus issue the challenge, knowing that both attacker and defender will be able to calculate the cost of a successful attack. Let us consider several examples:

First scenario: The intent of the defender is simply to deter the attacker from any attempt to use a factoring algorithm, because the calculation of the cost will be so high that no rational attacker will bother to attempt the attack, knowing that the cost will be beyond any potential value of the resource to be stolen, or the attacker’s ability to assume the cost for successful attack. Thus, the reasonable attacker will not even bother to try the attack.

The defender will assess the value of his or her information, and from the analysis, choose the appropriate value for n, say n(D). This sets a lower bound for D’s actual choice of n. Next, D will estimate A’s ability to attack, then convert to a n(A), and choose for the actual n the value so that n>max(n(A), n(D)).

For this scenario, the defender will choose values of n in the range 16010 n<200. The cost involved will deter the attacker even if he or she is using a multipurpose attack with k processors.

Second scenario: The defender will deliberately choose the cost of the attack to be so low that any and every potential attacker will determine the cost to be acceptable and thus proceed to solve the factoring problem. This would not seem to be the best strategy for the defender; however, it may be that the defender has deliberately decided to allow the attacker to enter because upon retrieving the decrypted information, the attacker may be led into a trap. This, in cybersecurity technology, is often referred to as a honeypot.

In this case, regardless of the value of D’s information, D will estimate A’s ability to attack as n(D) and then deliberately choose n

Third scenario: The defender chooses a difficulty level for the RSA that will cause the potential attacker to make a judgment call about whether the cost of an attack would be expected to be less than the projected value of the information obtained in a successful attack. In this way, the defender and attacker essentially establish a game theory problem, whereby both the attacker and defender will need to establish a cost and benefit of the information being guarded.


We can continue to look for other measures to establish the cost to attack or defend, but this example is so far almost unique. Despite 40years of effort in trying to break RSA, factoring the number n remains the only known way of doing so.


  • 1. Suggest an attack on the 20-letter alphabet encryption method described earlier that w'ould be an improvement on trying all 20! keys.
  • 2. In Chapter 5, we introduced the ABCD method of classifying hackers. Suppose you knew which type of hacker you had to defend against. Using the aforementioned terminology, what magnitude of prime products (n) would you choose if you were facing an A, B, C, or D attacker?
  • 3. Comment on the scenarios described earlier.


Patterson. W. 2016. Lecture Notes for CSCI 654: Cybersecurity I. Howard University, September, Washington, DC, USA.

Pomerance, C. 1996 . A tale of two sieves. Notices of the AMS, 43(12), 1473-1485.

Rivest. R., Shamir, A., & Adleman. L. 1978. A method for obtaining digital signatures and public-key cryptosystems (PDF). Communications of the ACM, 21(2), 120-126. doi: 10.1145/359340.359342.

Sone, M. E., & Patterson, W. 2017. Wireless Data Communication: Security-Throughput Tradeoff. Editions Universitaires Européennes, Saarbrücken.

< Prev   CONTENTS   Source   Next >