< Publications

• Papers
  • Security Econometrics
  • Security Ecosystem
  • Silent Updates
  • Insecurity Iceberg
  • 0-Day Patch Metric
  • Firefox Update Dynamics
  • Mail DDOS Attacks
• Articles
• Talks
• Press+Media

Publications - Papers

There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies and the other is to make it so complicated that there are no obvious deficiencies (C.A.R. Hoare)

2012

---

• Cybercrime Kill Chain vs. Effectiveness of Defense Layers
  Stefan Frei, Francisco Artes
  This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems IPS, Antivirus/Malware Detection, and browsers internal protection. Empirical data on the effectiveness of security products derived from NSS Labs harsh real world testing is presented. We find a considerable gap of protection levels within/and across different security product groups. Using Maltego complex correlations between undetected exploits, crimware kits, and affected software vendor and products are demonstrated.
  Published: BlackHat Abu Dhabi, December 2012
  [ Talk | Paper | Supplement: Modeling Evasions]

2011

---

• Cybercriminals do not need administrative users, 2011
  Stefan Frei
  This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.
  Published: Secunia, August 2011
  [ Paper ]

• How to Secure a Moving Target with Limited Resources, 2011
  Stefan Frei, Brian Birkvald
  This white paper outlines the limitations of traditional defence mechanisms; specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them – thereby initiating an arms race with defenders. Security patches are found to be a primary and effective means to escape this arms race as they remediate the root cause of compromise. However, timely patching of the software portfolio of any organisation is like chasing a continually moving target.
  Published: Secunia, July 2011
  [ Paper | Bibtex ]

2010

---

• Quantification of deviations from rationality with heavy-tails in human dynamics, 2010
  Thomas Maillart, Didier Sornette, Stefan Frei, Thomas Duebendorfer, Alexander Saichev
  The dynamics of technological, economic and social phenomena is controlled by how humans organize their daily tasks in response to both endogenous and exogenous stimulations. The general validity of the power law and the nature of other regimes remain unsettled. Using anonymized data collected by Google at the World Wide Web level, we identify the existence of several additional regimes characterizing the time required for a population of Internet users to execute a given task after receiving a message.
  Published: arXiv, July 2010
  [ Paper | Bibtex ]

• The Security Exposure Of Software Portfolios, 2010
  Stefan Frei, Thomas Kristensen
  In this paper, we examine the software portfolio of the average user based on empirical data from over two million users frequently scanning their systems with Secunias Personal Software Inspector (PSI). We demonstrate, that the complexity and frequency of the actions required to keep a typical end-user system secure, most likely exceeds what users able to invest.
  Published: RSA Conference, San Francisco, March 2010
  [ Paper | Secunia Blog | Bibtex ]

2009

---

• Modelling the Security Ecosystem - The Dynamics of (In)Security, 2009
  Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel
  In this paper we provide a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.
  Published: Workshop on the Economics of Information Security (WEIS), London, June 2009
  [ Paper | HTML | Bibtex ]

• Dissertation: Security Econometrics - The Dynamics of (In)Security, 2009
  Stefan Frei
  In this thesis I examine the security ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. I analyze the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk based on a quantitative analysis of 30,000 vulnerabilities disclosed over the past decade.
  [ Book | HTML | Bibtex ]

• Why Silent Updates Boost Security, 2009
  Thomas Duebendorfer, Stefan Frei
  In this paper we analyze the effectiveness of different Web browsers update mechanisms; from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation
  Published: CRITIS 2009 Critical Infrastructures Security Workshop, Bonn, 05-May-2009
  [ Paper | HTML | Slides (pdf) | Blog | Bibtex | Media Coverage]

• Firefox (In) security update dynamics exposed, 2009
  Stefan Frei, Thomas Duebendorfer, Bernhard Plattner
  How (in)secure is your Internet browser? You never know. One way to know more is to look at how frequently it gets updated, at global scale
  Published: ACM SIGCOMM Computer Communication Review, January 2009
  [ Paper | HTML | Bibtex ]

2008

---

• Understanding the Web browser threat, 2008
  Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May
  Examination of vulnerable online Web browser populations and the "insecurity iceberg"
  Published: DefCon 16 2008, 10-Aug-2008, Las Vegas, USA,
  [ Paper | HTML | Slides (pdf) | Bibtex | Media Coverage ]

• Putting private and government CERT’s to the test, 2008
  Stefan Frei, Martin May
  In an independent research project at ETH Zurich, we monitored for more than 18 months the world’s top security advisory providers. Due to a short 30-minute monitoring interval, we discovered significant differences in quality, quantity, and timeliness.
  Published: FIRST Annual Conference 2008, 27-Jun-2008, Vancouver, Canada
  [ Paper | Slides (pdf) | Bibtex ]

• 0-Day Patch - Exposing Vendors (In)security Performance
  Stefan Frei, Bernhard Tellenbach, Bernhard Plattner
  We introduce the 0-day patch rate as a new metric to measure and compare the performance of the vulnerability handling and patch development processes of major software vendors. We use this metric to analyze Microsoft and Apple.
  Published: BlackHat 2008 Europe, 27-Mar-2008 Amsterdam NL
  [ Paper | HTML | Slides (pdf) | Bibtex | Media Coverage ]

2006

---

• Large-Scale Vulnerability Analysis, 2006
  Stefan Frei, Martin May, Ulrich Fiedler, Bernhard Plattner
  We quantify the gap between exploit and patch availability for known vulnerabilities since 2000 and provide an analytical representation of our data which lays the foundation for further analysis and risk management.
  Published: ACM SIGCOMM 2006 Workshop, 11-Sep-2006 Pisa, Italy
  [ Paper | Bibtex ]

• Technology Speed of Civil Jet Engines, 2006
  Stefan Frei, Urban Mäder
  The speed of technology innovation of civil jet engines is investigated. A technology measure based on airplane efficiency is derived and applied to jet airlines of different sizes and time periods, ranging back to the 1960's.
  Published: Case study at MTEC, 2006
  [ Paper ]

• The Speed of (In)Security, 2006
  Stefan Frei, Martin May
  In depth analysis of the speed of security vs. the speed of insecurity.
  Published: BlackHat 2006 USA, 03-Aug-2006 Las Vegas, USA
  [ Paper | Bibtex ]

2004

---

• Mail DDoS Attacks through Non Delivery Messages, 2004
  Stefan Frei, Gunter Ollmann, Ivo Silvestri
  Analysis and empirical study on how mail non-delivery notifications processes can be exploited to launch denial of service attacks.
  Published: FullDisclosure, 05-Apr-2004
  [ Paper | HTML | Bibtex ]