f78aad5b5694d89746aa245fcb0016c9.ppt

- Количество слайдов: 35

Game theoretic modeling, analysis, and mitigation of security risks. Assane Gueye NIST/ITL/CCTG, Gaithersberg NIST ACMD Seminar Tuesday, June 7, 2011

Outline 1. Motivations 1. Security 2. Game Theory for Security 2. Game Theory 1. History 2. Game Theory Basics 3. Examples of Communication Security Game Model 1. Intruder Game 2. Intelligent Virus Game 3. Topology Design Game 4. Conclusion and Discussion 5. Future work 1 / 34

Motivations 2 / 34

Life just before Slammer worm attack 30 minutes later! • Double size every 8. 5 sec • 10 min to infect 90% of vulnerable hosts Network Outages, cancelled airline flights, ATM failures… Source: CAIDA, www. caida. org/publications/papers/2003/sapphire. html 3 / 34

4 / 34

Who is attacking our communication Systems? Hacktivists Hackers Foreign Governments Terrorists, Criminal Groups ? Disgruntled Insiders 5 / 34

A lot of good effort! • Some practical solutions Cryptography Firewalls Anti-Viruses Software Security Intrusion Detection systems Hardware Security Risk Management Attack Graphs … • Some theoretic basis Decision Theory Machine Learning … Information Theory Optimization 6 / 34

Why Game Theory for Security? Traditional Security Solutions Attack Defender: strategy 1 strategy 2 …. . Defense Example: Remote Attack Security A mathematical problem! Solution tool: Game Theory Attacker strategy 1 strategy 2 …. . Predict players’ strategies, Build defense mechanisms, Compute cost of security, Understand attacker’s behavior, etc… Game Theory also helps: E. g. : Rate of Port Scanning Trust Incentives Externalities IDS Tuning Machine Intelligence … Conferences (Game. Sec, Game. Nets) , Workshops, books, Tutorials, … This Talk: How GT can help understand/develop security solutions? Using illustrative Examples! 7 / 34

Game Theory 8 / 34

Game Theory “…Game Theory is designed to address situations in which the outcome of a person’s decision depends not just on how they choose among several options, but also on the choices made by the people they are interacting with…” “… Game theory is the study of the ways in which strategic interactions among economic (rational) agents produce outcomes with respect to the preferences (or utilities) of those 9 / 34

Game Theory: A Little History • • Cournot (1838), Bertrand (1883): Economics J. von Neumann, O. Morgenstern (1944) • “Theory of Games and Economic Behavior” • Existence of mixed strategy in 2 -player game O. Morgenstern 1902 -1977 J. Nash (1950): Nash Equilibrium • (Nobel Prize in Economic Sciences 1994) Selten (1965): Subgame Perfect Equilibrium Harsani (1967 -68): Bayesian (Incomplete Information) Games The 80’s • Nuclear disarmament negotiations • Game Theory for Security (Burke) More recently: • Auction modeling, mechanism design • Routing, Congestion Control, Channel Access • Network Economics • Network Security • Biology • … von Neumann 1903 -1957 John F. Nash (1928) 10 / 34

Game Theory Basics • GAME = (P, A, U) – Players (P 1; … ; PN): Finite number (N≥ 2) of decision makers. – Action sets (A 1; … ; AN): player Pi has a nonempty set Ai of actions. – Payoff functions ui : A 1 x … x. AN: R; i = 1; …. ; N - materialize players’ preference, - take a possible action profile and assign to it areal number (von Neumann-Morgenstern). 11 / 34

Key Concepts Example: Forwarder’s dilemma Forwarding has an energy cost of c (c<< 1) Successfully delivered packet: reward of 1 If Green drops and Blue forwards: (1, -c) If Green forwards and Blue drops: (-c, 1) If both forward: (1 -c, 1 -c) If both drop: (0, 0) Each player is trying to selfishly maximize it’s net gain. What can we predict? Source: Buttyan and Hubaux, “Security and Cooperation in Wireless Networks” 12 / 34

Key Concepts Example: Forwarder’s dilemma Game: Players: Green, Blue Actions: Forward (F), Drop (D) Payoffs: (1 -c, 1 -c), (0, 0), (-c, 1), (1, -c) Matrix representation: Actions of Green Actions of Blue Reward of Blue Source: Buttyan and Hubaux, “Security and Cooperation in Wireless Networks” Reward of Green 13 / 34

Equilibrium Concept John F. Nash (1928) Nash equilibrium: “…a solution concept of a game involving two or more players, in which no player has anything to gain by changing his own strategy unilaterally…” 14 / 34

Other Concepts • Cooperative / Non-Cooperative • Static / dynamic (finite/infinite) • Complete / Incomplete Information Bayesian • Zero-Sum, Constant-Sum, Variable-Sum • Stochastic • . . . • Mixed Strategy (equilibrium) – Players randomize among their actions Game Theory Network Security: Drew Fudenberg A Decision and Game Jean Tirole Theoretic Approach Tansu Alpcan Tamer Basar Security and Cooperation in A Course in Game Theory Wireless Networks Martin J. Osborne Levente Buttyan Ariel Rubinstein Jean-Pierre Hubaux / 34 15

3 Communication Security Game Models Intruder Game Normal traffic Intelligent Virus a Virus Xn b Detection If Xn > l => Alarm Availability Attack 16 / 34

Intruder Game Scenario: Source (Alice) M What if it is possible that: Network M’ ¹ M M User (Bob) Intruder (Trudy) Encryption is not always practical …. Formulation: Game between Intruder and User 17 / 34

Intruder Game: Binary Trudy Bob Alice pt ce ter In Y Z • Strategies (mixed i. e. randomized) • Trudy: (p 0, p 1), Bob: (q 0, q 1) • Payoffs: • One shot, simultaneous choice game • Nash Equilibrium? 18 / 34

Intruder game: NE Trudy Payoff : 1 0 Trudy Bob Always flip Always trust Always decide (1); the less costly bit Cost 19 / 34

What if the receiver (Bob) can verify the message? (by paying a cost and using a side secure channel) Pay: V 20 / 34

Cost and Reward Never use side channel Use only sometimes Use more often Challenge: Credible threat Deter Attacker from attacking 21 / 34

Intelligent Virus Game Scenario Normal traffic a Virus b Xn Detection If Xn > l => Alarm, …. Assume a known Virus: choose b to maximize infection cost Detection system: choose l to minimize cost of infection + clean up 22 / 34

Intelligent Virus Game (IDS) Scenario Normal traffic a Virus b Xn Detection If Xn > l => Alarm, …. Smart virus designer picks very large b, so that the cost is always high …. Regardless of l! b 23 / 34

Intelligent Virus Game (IPS) Normal traffic a Xn Virus b Modified Scenario Detection If Xn > l => Alarm • Detector: buffer traffic and test threshold • Xn < l process • If Xn > l Flush & Alarm • Game between Virus (b) and Detector (l) 24 / 34

Availability Attack Models! Tree-Link Game: 25 / 34

• Game Model – Graph = (nodes V, links E, spanning trees T) Example: • Defender: chooses T T • Attacker: chooses e E (+ “No Attack”) – Rewards • Defender: -1 e T • Attacker: 1 e T - µe (µe cost of attacking e) Defender: -1 Defender: 0 Attacker: 1 - µ Attacker: - µ 21 – Defender : on T, to minimize – Attacker: on E, to maximize – One shot game 26 / 34

Let’s Play a Game! Graph Assume: zero attack cost µe=0 Most vulnerable links a) 1/2 Chance 1/2 b) 1/2 1/7 c) 1/7 1/7 1/7 Chance 4/7>1/2 1/7 27 / 34

Critical Subset of Links (G)=1/2 (G)=4/7 • Definition 1&2: For any nonempty subset E Ε 1 2 4 3 7 6 5 E={1, 4, 5} |T E|=2 M(E) =1 1. M(E) = min{| T E|, T Т} (minimum number of links E has in common with any spanning tree) 2. Vulnerability of E (E) = 1/3 (E) = M(E)/|E| (minimum fraction of links E has in common with any spanning tree) • Definition 3: A nonempty subset C Ε is said to be critical if (C) = max. E Ε( (E)) (C has maximum vulnerability) vulnerability of graph ( (G)) : = vulnerability of critical subset Defender: choose trees that minimally cross critical subset 28 / 34

Critical Subset Attack Theorem 1: There exists a Nash Equilibrium where • Attacker attacks only the links of a critical set C, with equal probabilities • Defender chooses only spanning trees that have a minimal intersection with C, and have equal likelihood of using each link of C, no larger than that of using any link not in C. [Such a choice is possible. ] There exists a polynomial algorithm to find C [Cunningham 1982] Theorem generalizes to a large class of games. 29 / 34

Some implications Edge-Connectivity is not always the right metric! If ν ≤ 0: Attacker: “No Attack” If can invest to make µ high Deter attacker from attacking • Need to randomize choice of tree Network Design Additional link ν= 3/4 Network in b) is more vulnerable than network in c) ν= 2/3 a) ν= 3/5 b) c) 2/3 > 3/5 30 / 34

Conclusion Game Theory helps for a better understanding of the Security problem! Intruder and Intelligent Virus Games: • Most aggressive attackers are not the most dangerous ones • Mechanisms to deter attackers from attacking Availability Games – Critical set • • Vulnerability ( (G)): a metric more refined than edge-connectivity Analyzing NE helps determine most vulnerable subset of links Importance in topology design Polynomial-time algorithm to compute critical set – Generalization • Set of resources for mission critical task – Most vulnerable subset of resources. 31 / 34

This is an “young” research field! • A certain number of issues – Costs model Not based on solid ground Game Theory for Airport Security – Mixed strategy equilibrium How to interpret it? – Nash equilibrium computation In general difficult to compute ARMOR (LAX) Airports create security systems and terrorists seek out breaches. Placing checkpoint Allocate canine units – Still “theoretic”? ARMOR: L. A Lax airport patrol dispatching Federal Marshals on airplanes The ARMOR project: http: //teamcore. usc. edu/ARMOR-LAX/ 32 / 34

Future Work • Repeated versions of the games – More realistic models – Applications: Attack Graphs • Collaborative Security – Team of Attackers vs Team of Defenders – Trust and Security – Role of Information • Security of Cloud Computing – Are you willing to give away your information? • Policing the Internet – Who is responsible for security flaws? 33 / 34

Thank you! Questions? 34 / 34