1 / 35

Game theoretic modeling, analysis, and mitigation of security risks.

Game theoretic modeling, analysis, and mitigation of security risks. Assane Gueye NIST/ITL/CCTG, Gaithersberg NIST ACMD Seminar Tuesday, June 7, 2011. Outline. Motivations Security Game Theory for Security Game Theory History Game Theory Basics

caroline
Télécharger la présentation

Game theoretic modeling, analysis, and mitigation of security risks.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Game theoretic modeling, analysis, and mitigation of security risks. AssaneGueye NIST/ITL/CCTG, Gaithersberg NIST ACMD Seminar Tuesday, June 7, 2011

  2. Outline • Motivations • Security • Game Theory for Security • Game Theory • History • Game Theory Basics • Examples of Communication Security Game Model • Intruder Game • Intelligent Virus Game • Topology Design Game • Conclusion and Discussion • Future work

  3. Motivations

  4. 30 minutes later! Life just before Slammer worm attack • Double size every 8.5 sec • 10 min to infect 90% of vulnerable hosts • Network Outages, cancelled airline flights, • ATM failures… Source: CAIDA, www.caida.org/publications/papers/2003/sapphire/sapphire.html

  5. Who is attacking our communication Systems? Hacktivists Hackers Terrorists, Criminal Groups Foreign Governments Disgruntled Insiders ?

  6. A lot of good effort! • Some practical solutions Cryptography Anti-Viruses Firewalls Software Security Hardware Security Intrusion Detection systems Risk Management Attack Graphs … • Some theoretic basis Decision Theory Machine Learning … Information Theory Optimization

  7. Why Game Theory for Security? Example: Remote Attack E.g.: Rate of Port Scanning IDS Tuning Traditional Security Solutions Defender: strategy 1 strategy 2 ….. Attacker strategy 1 strategy 2 ….. Attack Defense A mathematical problem!  Solution tool: Game Theory Predict players’ strategies, Build defense mechanisms, Compute cost of security, Understand attacker’s behavior, etc… Security Game Theory also helps: Trust Incentives Externalities Machine Intelligence … Conferences (GameSec, GameNets) , Workshops, books, Tutorials,… This Talk: How GT can help understand/develop security solutions? Using illustrative Examples!

  8. Game Theory

  9. Game Theory “…Game Theory is designed to address situations in which the outcome of a person’s decision depends not just on how they choose among several options, but also on the choices made by the people they are interacting with…” “… Game theory is the study of the ways in which strategic interactions among economic (rational) agents produce outcomes with respect to the preferences (or utilities) of those agents….”

  10. Game Theory: A Little History • Cournot (1838), Bertrand (1883): Economics • J. von Neumann, O. Morgenstern (1944) • “Theory of Games and Economic Behavior” • Existence of mixed strategy in 2-player game • J. Nash (1950): Nash Equilibrium • (Nobel Prize in Economic Sciences 1994) • Selten (1965): Subgame Perfect Equilibrium • Harsani (1967-68): Bayesian (Incomplete Information) Games • The 80’s • Nuclear disarmament negotiations • Game Theory for Security (Burke) • More recently: • Auction modeling, mechanism design • Routing, Congestion Control, Channel Access • Network Economics • Network Security • Biology • …

  11. Game Theory Basics • GAME = (P,A,U) • Players (P1; … ; PN): Finite number (N≥2) of decision makers. • Action sets (A1; … ;AN): player Pi has a nonempty set Ai of actions. • Payoff functions ui : A1x … xAN: R; i = 1;….;N - materialize players’ preference, - take a possible action profile and assign to it areal number (von Neumann-Morgenstern).

  12. Key Concepts Example: Forwarder’s dilemma Forwarding has an energy cost of c (c<< 1) Successfully delivered packet: reward of 1 If Greendrops and Blueforwards: (1,-c) If Green forwards and Blue drops: (-c,1) If both forward: (1-c,1-c) If both drop: (0,0) Each player is trying to selfishly maximize it’s net gain. What can we predict? Source: Buttyan and Hubaux, “Security and Cooperation in Wireless Networks”

  13. Actions ofGreen Actions of Blue Reward ofGreen Reward of Blue Key Concepts Example: Forwarder’s dilemma Game: Players: Green, Blue Actions: Forward (F), Drop (D) Payoffs: (1-c,1-c), (0,0), (-c,1), (1,-c) Matrix representation: Source: Buttyan and Hubaux, “Security and Cooperation in Wireless Networks”

  14. Equilibrium Concept Nash equilibrium: “…a solution concept of a game involving two or more players, in which no player has anything to gain by changing his own strategy unilaterally…”

  15. Other Concepts • Cooperative / Non-Cooperative • Static / dynamic (finite/infinite) • Complete / Incomplete Information  Bayesian • Zero-Sum, Constant-Sum, Variable-Sum • Stochastic • ... • Mixed Strategy (equilibrium) • Players randomize among their actions Game Theory Drew Fudenberg  Jean Tirole Network Security: A Decision and Game Theoretic Approach Tansu Alpcan  Tamer Basar Security and Cooperation in Wireless Networks Levente Buttyan Jean-Pierre Hubaux A Course in Game Theory Martin J. Osborne  Ariel Rubinstein

  16. 3 Communication Security Game Models Intruder Game Normal traffic a Xn Intelligent Virus Virus b Detection If Xn > l => Alarm Availability Attack

  17. Intruder Game Scenario: Network M Source (Alice) User (Bob) M’ ¹ M M What if it is possible that: Intruder (Trudy) Encryption is not always practical …. Formulation: Game between Intruder and User

  18. Intruder Game: Binary Trudy Bob Alice Z Intercept Y • Strategies (mixed i.e. randomized) • Trudy: (p0,p1), Bob: (q0,q1) • Payoffs: • One shot, simultaneous choice game • Nash Equilibrium?

  19. Trudy Intruder game: NE Payoff : 1 0 Always flip Trudy Always decide (1); the less costly bit Always decide (1); the less costly bit Bob Always trust Cost

  20. What if the receiver (Bob) can verify the message?(by paying a cost and using a side secure channel) Pay: V

  21. Cost and Reward Never use side channel Use only sometimes Use more often Challenge: Credible threat Deter Attacker from attacking

  22. Intelligent Virus Game Scenario Normal traffic Xn a Virus b Detection If Xn > l => Alarm, …. Assume a known Virus: choose b to maximize infection cost Detection system: choose l to minimize cost of infection + clean up

  23. Intelligent Virus Game (IDS) Scenario Normal traffic Xn a Virus b Detection If Xn > l => Alarm, …. Smart virus designer picks very large b, so that the cost is always high …. Regardless of l! b

  24. Intelligent Virus Game (IPS) Modified Scenario Normal traffic Xn a Detection Virus b If Xn > l => Alarm • Detector: buffer traffic and test threshold • Xn < l  process • If Xn > l Flush & Alarm • Game between Virus (b) and Detector (l)

  25. Availability Attack Models! Tree-Link Game:

  26. Model Example: • Game • Graph = (nodes V, links E, spanning trees T) • Defender: chooses T T • Attacker: chooses e E (+ “No Attack”) • Rewards • Defender:-1eT • Attacker: 1eT - µe(µe cost of attacking e) Defender: 0 Attacker: - µ2 Defender: -1 Attacker: 1- µ1 • Defender : on T,to minimize • Attacker:  on E,to maximize • One shot game

  27. Assume: zero attack cost µe=0 Let’s Play a Game! Graph Most vulnerable links a) 1/2 Chance 1/2 b) 1/2 1/7 1/7 1/7 Chance 4/7>1/2 c) 1/7 1/7 1/7 1/7

  28. Critical Subset of Links 1 2 4 3 7 6 5 (G)=1 (G)=1/2 (G)=4/7 • Definition 1&2: For any nonempty subset E Ε • M(E) = min{| TE|, TТ} • (minimum number of links E has in common with any spanning tree) • 2. Vulnerability of E • (E) = M(E)/|E| • (minimum fraction of links E has in common with any spanning tree) • Definition 3: A nonempty subset C Εis said to be critical if • (C) = maxE Ε((E)) • (C has maximum vulnerability) • vulnerability of graph ((G)):= vulnerability of critical subset E={1,4,5} |T  E|=2 M(E) =1 (E) = 1/3 Defender: choose trees that minimally cross critical subset

  29. Critical Subset Attack Theorem • Theorem 1:There exists a Nash Equilibrium where • Attacker attacks only the links of a critical set C, with equal probabilities • Defender chooses only spanning trees that have a minimal intersection with C, and have equal likelihood of using each link of C, no larger than that of using any link not in C. [Such a choice is possible.] • There exists a polynomial algorithm to find C [Cunningham 1982] Theorem generalizes to a large class of games.

  30. Some implications Edge-Connectivity is not always the right metric! If ν ≤ 0: Attacker: “No Attack” • If can invest to make µ high • Deter attacker from attacking • Need to randomize choice of tree Network Design Additional link Network in b) is more vulnerable than network in c) ν= 3/4 ν= 2/3 ν= 3/5 a) b) c) 2/3 > 3/5

  31. Conclusion Game Theory helps for a better understanding of the Security problem! Availability Games • Critical set • Vulnerability ((G)): a metric more refined than edge-connectivity • Analyzing NE helps determine most vulnerable subset of links • Importance in topology design • Polynomial-time algorithm to compute critical set • Generalization • Set of resources for mission critical task • Most vulnerable subset of resources. • Intruder and Intelligent Virus Games: • Most aggressive attackers are not the most dangerous ones • Mechanisms to deter attackers from attacking

  32. This is an “young” research field! • A certain number of issues • Costs model  Not based on solid ground • Mixed strategy equilibrium  How to interpret it? • Nash equilibrium computation  In general difficult to compute • Still “theoretic”?  ARMOR: L.A Lax airport patrol dispatching  Federal Marshals on airplanes Game Theory for Airport Security ARMOR (LAX) Airports create security systems and terrorists seek out breaches. Placing checkpoint Allocate canine units The ARMOR project: http://teamcore.usc.edu/ARMOR-LAX/

  33. Future Work • Repeated versions of the games • More realistic models • Applications: Attack Graphs • Collaborative Security • Team of Attackers vs Team of Defenders • Trust and Security • Role of Information • Security of Cloud Computing • Are you willing to give away your information? • Policing the Internet • Who is responsible for security flaws?

  34. Thank you!Questions?

More Related