The unexamined life - missing metrics of malware
David Perry, Trend Micro
There are so many metrics, so many stats produced in this industry, and almost all of them are produced for our (the
vendors') purposes. We look to prove the effectiveness of scanning, the reach and scope of a particular attack, but our
metrics are centred in our own world view. For years I have been asked salient questions by reporters, by the general
public, and by listeners on radio and in person that are nowhere addressed by our industry.
While we all report vulnerabilities as they are disclosed, we never follow up as to whether these
vulnerabilities move on to become attacks. What percentage of vulnerabilities actually become malware? Is there a
measurable window for attacking after disclosure of a particular vulnerability? How many that go proof of concept
actually move on to a genuine malicious attack? We may be able to extrapolate statistics like these from the known data,
but they are not 'salable' in our normal business - the only people such data would serve would be the general public and
computer users everywhere. In other words, the people who need help most desperately.
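The metrics this paragraph asks for (what share of disclosed vulnerabilities gain a proof of concept, what share of those go on to in-the-wild malware, and how long the window between disclosure and attack is) can be derived once disclosure dates are joined to first-seen dates for proof-of-concept code and for malware. The following is an added example, not code from the author or from Trend Micro; the record fields, the placeholder identifiers and every date are constructed assumptions, so the numbers it produces illustrate the method rather than any real finding.

```python
"""Added example: compute the disclosure -> proof-of-concept -> malware funnel
and the disclosure-to-attack window from a constructed set of records.
Not the author's or Trend Micro's code; field names and dates are assumed."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                          # placeholder id, not a real CVE
    disclosed: date                       # public disclosure date
    poc_seen: Optional[date] = None       # first public proof of concept, if any
    malware_seen: Optional[date] = None   # first in-the-wild malware using it, if any


# Constructed sample data (hypothetical vulnerabilities, not real ones).
SAMPLE = [
    VulnRecord("VULN-0001", date(2006, 1, 10), date(2006, 1, 12), date(2006, 1, 20)),
    VulnRecord("VULN-0002", date(2006, 2, 1), date(2006, 2, 15), None),
    VulnRecord("VULN-0003", date(2006, 2, 20), None, None),
    VulnRecord("VULN-0004", date(2006, 3, 5), date(2006, 3, 6), date(2006, 3, 8)),
    VulnRecord("VULN-0005", date(2006, 4, 1), None, date(2006, 5, 1)),
]


def funnel(records):
    """Counts and conversion rates along the disclosure -> PoC -> malware funnel.

    Rates are fractions in [0, 1]; an empty input yields zero rates rather
    than a division error."""
    total = len(records)
    with_poc = [r for r in records if r.poc_seen is not None]
    with_malware = [r for r in records if r.malware_seen is not None]
    poc_to_malware = [r for r in with_poc if r.malware_seen is not None]
    return {
        "total": total,
        "with_poc": len(with_poc),
        "with_malware": len(with_malware),
        "poc_rate": len(with_poc) / total if total else 0.0,
        "malware_rate": len(with_malware) / total if total else 0.0,
        "poc_to_malware_rate": len(poc_to_malware) / len(with_poc) if with_poc else 0.0,
    }


def attack_windows(records):
    """Days from disclosure to first malware, for records that were weaponised.

    A negative value means malware was seen before public disclosure, i.e. the
    vulnerability was exploited as a zero-day; such records are kept because
    they are exactly the cases a defender most wants to count."""
    return [(r.malware_seen - r.disclosed).days
            for r in records if r.malware_seen is not None]


def median_window_days(records):
    """Median disclosure-to-attack window, or None when nothing was weaponised."""
    windows = attack_windows(records)
    return median(windows) if windows else None


if __name__ == "__main__":
    stats = funnel(SAMPLE)
    print(f"{stats['with_poc']}/{stats['total']} gained a PoC "
          f"({stats['poc_rate']:.0%}); "
          f"{stats['with_malware']}/{stats['total']} became malware "
          f"({stats['malware_rate']:.0%}); "
          f"PoC -> malware conversion {stats['poc_to_malware_rate']:.0%}")
    print(f"median disclosure-to-attack window: {median_window_days(SAMPLE)} days")
```

The funnel rates answer the "what percentage" questions directly, and the window distribution (rather than just its median) is what a defender would plot to decide how quickly a patch must be deployed after disclosure; the negative-window case is retained so that zero-day exploitation is visible in the data instead of being silently dropped.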
This presentation will report which metrics the researchers and I can create and map, and will discuss the possible
methods of obtaining them and what use they can be to the public at large.