A Behavioral Model of Ideologically-motivated “Snowball” Attacks

Natalia Stakhanova 1, Oleg Stakhanov 2, Ali A. Ghorbani 1

1 Faculty of Computer Science, University of New Brunswick, Fredericton, NB, Canada
{natalia, ghorbani}@unb.ca

2 Department of Sociology, Iowa State University, Ames, IA 50011, USA
ostakha@iastate.edu

Abstract

As our daily life depends more and more on Internet technology, it also becomes increasingly susceptible to new types of cyber threats. These threats often take the form of innovative malicious behavior and commonly emerge at a pace that exceeds the capability of security experts to develop timely solutions to counter them. In this context it becomes particularly important to develop a good understanding of the complete cycle of malicious behavior, including its evolution and the factors contributing to its spread, so that these types of threats are addressed in a proactive manner.

In this paper we describe and define a recently emerged type of threat: the ideologically-motivated “snowball” attack. We develop a conceptual model for explaining the evolution of ideologically motivated attacks and discuss a set of methods that can be used to detect and respond to this type of threat at all stages of its development. Finally, we use a recent case of an ideologically motivated attack, the attack on Estonia’s cyber infrastructure, to evaluate our conceptual model.

1 Introduction

On April 27, 2007 a massive cyber attack was launched against Estonian cyber infrastructure as a result of long-running, heated tensions between Estonia and Russia. The attacks continued over the course of the next two weeks, crippling or making fully inaccessible the government, financial and educational cyber systems. By disrupting all e-services, the attackers voiced their objections to the controversial relocation of a Russian WWII memorial and their solidarity with the routinely discriminated-against Russian minority in Estonia [14].
The attack on Estonia is only one of the most recent cases of similar attacks that have happened around the globe. For instance, in the spring of 1999, US government websites were hijacked by intruders coming from China as a result of the accidental bombing of the Chinese embassy in Belgrade [27]. In August of the same year Taiwanese websites were defaced with pro-China messages following the Taiwanese President’s statement that China must deal with Taiwan on a “state-to-state” basis [13]. Finally, in the winter of 2002, US servers were hit with a distributed denial-of-service (DDoS) attack coming from South Korea following the disqualification of a South Korean speed-skater and the resulting Olympic gold medal controversy [30].

In our cyber age, the Internet more and more often becomes a powerful instrument for making social and political statements through cyber attacks on network infrastructure. Although such attacks usually employ well-known tools ranging from DDoS attacks, web site defacement and spam/email bombing to the spread of computer viruses, they are different from conventional hacking. One distinctive feature of these attacks is their objectives. Unlike other high-profile cases where organized perpetrators attempt to extort money, participants in these attacks are making ideological statements. Thus, these attacks are often referred to as ideological hacking. Another distinctive feature of ideologically-motivated attacks is the sheer number of people who routinely participate in the attack. In a substantial number of cases ideologically-motivated attacks are massive and often come in a snowball fashion. The relatively unsophisticated means of attack may create, among the uninitiated public, a false impression of their insignificance for the state of security. Experts, on the other hand, are well aware how difficult it can be to predict and preempt these attacks in order to reduce the damage.
In light of the above it is obvious that a clear understanding of the nature of ideologically-motivated attacks, their evolution and the factors influencing their emergence is crucial for developing an effective defense against this new type of threat.

The main focus of this work is the ideologically-motivated “snowball” attack. Since the ideologically-motivated “snowball” attack is a classic example of a phe-

The Third International Conference on Availability, Reliability and Security 0-7695-3102-4/08 $25.00 © 2008 IEEE DOI 10.1109/ARES.2008.57 88