Game theoretic modeling, analysis, and mitigation of security risks
Assane Gueye, NIST/ITL/CCTG, Gaithersburg
NIST ACMD Seminar, Tuesday, June 7, 2011
Outline
1. Motivations
   1. Security
   2. Game Theory for Security
2. Game Theory
   1. History
   2. Game Theory Basics
3. Examples of Communication Security Game Model
   1. Intruder Game
Motivations
Life just before Slammer worm attack; 30 minutes later!
• Double size every 8.5 sec
• 10 min to infect 90% of vulnerable hosts
→ Network outages, cancelled airline flights, ATM failures…
Source: CAIDA, www.caida.org/publications/papers/2003/sapphire/sapphire.html
Who is attacking our communication systems?
• Hacktivists
• Hackers
• Terrorists, Criminal Groups
• Foreign Governments
• Disgruntled Insiders
A lot of good effort!
• Some practical solutions: Cryptography, Anti-Viruses, Firewalls, Software Security, Hardware Security, Intrusion Detection systems, Risk Management, Attack Graphs, …
• Some theoretic basis: Decision Theory, Machine Learning, Information Theory, Optimization, …
Why Game Theory for Security?
• Traditional security solutions: Attack vs. Defense
• Attacker: strategy 1, strategy 2, …; Defender: strategy 1, strategy 2, …
• E.g.: Rate of Port Scanning, IDS tuning
• A mathematical problem! Solution tool: Game Theory
• Predict attacker’s behavior, build defense mechanisms, compute cost of security, understand attacker’s behavior, etc…
• Game Theory also helps: Trust, Incentives, Externalities, Machine Intelligence, …
• Conferences (GameSec, GameNets), workshops, books, tutorials, …
This Talk: How GT can help understand/develop security solutions? Using illustrative examples!
Game Theory
Game Theory
“…Game Theory is designed to address situations in which the outcome of a person’s decision depends not just on how they choose among several options, but also on the choices made by the people they are interacting with…”
“… Game theory is the study of the ways in which strategic
Game Theory: A Little History
• Cournot (1838), Bertrand (1883): Economics
• J. von Neumann, O. Morgenstern (1944)
  – “Theory of Games and Economic Behavior”
  – Existence of mixed strategy in 2-player game
• J. Nash (1950): Nash Equilibrium
  – (Nobel Prize in Economic Sciences 1994)
Pictured: O. Morgenstern (1902-1977), von Neumann (1903-1957), John F. Nash (1928)
Game Theory Basics
• GAME = (P, A, U)
  – Players (P1, …, PN): finite number (N ≥ 2) of decision makers.
  – Action sets (A1, …, AN): player Pi has a nonempty set Ai of actions.
  – Payoff functions ui : A1 × … × AN → R, i = 1, …, N
    - materialize players’ preference,
Key Concepts
Example: Forwarder’s dilemma
• Forwarding has an energy cost of c (c << 1)
• Successfully delivered packet: reward of 1
• If Green drops and Blue forwards: (1, -c)
Source: Buttyan and Hubaux, “Security and Cooperation in Wireless Networks”
Key Concepts
Example: Forwarder’s dilemma
Game:
• Players: Green, Blue
• Actions: Forward (F), Drop (D)
• Payoffs: (1-c,1-c), (-c,-c), (-c,1), (1,-c)
Matrix representation: [payoff matrix figure; labels: Actions of Green, Actions of Blue, Reward of Green, Reward of Blue]
Source: Buttyan and Hubaux, “Security and Cooperation in Wireless Networks”
Equilibrium Concept
Nash equilibrium: “…a solution concept of a game involving two or more players, in which no player has anything to gain by changing his own strategy unilaterally …”
Pictured: John F. Nash (1928)
Other Concepts
• Cooperative / Non-Cooperative
• Static / dynamic (finite/infinite)
• Complete / Incomplete Information
• Bayesian
• Zero-Sum, Constant-Sum, Variable-Sum
• Stochastic
Books:
• Game Theory, Drew Fudenberg and Jean Tirole
• Network Security: A Decision and Game Theoretic Approach, Tansu Alpcan and Tamer Basar
• Security and Cooperation in Wireless Networks, Levente Buttyan and Jean-Pierre Hubaux
• A Course in Game Theory, Martin J. Osborne and Ariel Rubinstein
3 Communication Security Game Models
• Intruder Game [figure: Alice, Trudy, Bob; X, Y, Z; p, 1-p]
• Intelligent Virus Game [figure: normal traffic α, virus β, Xn, detection: if Xn > λ => Alarm]
• Availability Attack
Intruder Game
Scenario: Source (Alice), message M, Network, User (Bob)
• What if it is possible that: M’ ≠ M (Intruder (Trudy))
• Encryption is not always practical ….
• Formulation: Game between Intruder and User
Intruder Game: Binary
[Figure: Alice, Trudy (Intercept), Bob; Y]
• Strategies (mixed i.e. randomized)
  – Trudy: (p0,p1), Bob: (q0,q1)
• Payoffs:
• One shot, simultaneous choice game
• Nash Equilibrium?
Intruder game: NE
[Figure: labels Payoff, Trudy, Bob; regions “Always trust” and “Always decide the less costly bit (1)”]
What if the receiver (Bob) can verify the message? (by paying a cost and using a side secure channel)
[Figure: Alice, Trudy, Bob; X, Y, Z; p, 1-p; Pay: V]
Cost and Reward
[Figure: Alice, Trudy, Bob; X, Y, Z; p, 1-p. Plot of V against p with points A and B and regions “Never use side channel”, “Use only sometimes”, “Use more often”]
Challenge: Credible threat; Deter Attacker from attacking
Intelligent Virus Game
Scenario: Normal traffic α, Virus β, Xn; Detection: If Xn > λ => Alarm
• Assume α known
• Virus: choose β to maximize infection cost
• Detection system: choose λ to minimize cost of infection + clean up
Intelligent Virus Game (IDS)
Scenario: Normal traffic α, Virus β, Xn; Detection: If Xn > λ => Alarm
Smart virus designer picks very large β, so that the cost is always high …. Regardless of λ!
[Plot: curves for λ0 = 5, λ0 = 10, λ0 = 15; Virus Gain: Linear; axes β and λ (/sec)]
Intelligent Virus Game (IPS)
Modified Scenario: Normal traffic α, Virus β, Xn; Detection: If Xn > λ => Alarm
• Detector: buffer traffic and test threshold
  – Xn < λ process
  – If Xn > λ Flush & Alarm
• Game between Virus (β) and Detector (λ)
Availability Attack Models!
Tree-Link Game:
Model
• Game
  – Graph = (nodes V, links E, spanning trees 𝒯)
  – Defender: chooses T ∈ 𝒯
  – Attacker: chooses e ∈ E (+ “No Attack”)
  – Rewards
    • Defender: -1{e ∈ T}
    • Attacker:
  – One shot game
  – Defender: on 𝒯, to minimize
  – Attacker: on E, to maximize
Example [figure]: Defender: -1, Attacker: 1-µ1; Defender: 0, Attacker: -µ2
Let’s Play a Game!
Assume: zero attack cost µe = 0
[Figure: table of graphs a), b), c) with columns Graph, Most vulnerable links, Chance; values shown include 1/2, 1/7 and 4/7 > 1/2]
Critical Subset of Links
[Figure: example graphs with links numbered 1 to 7 and graph values (G) = 1/2, (G) = 4/7, (G) = 1]
Example: E = {1,4,5}: |T ∩ E| = 2, M(E) = 1, (E) = 1/3
• Definition 1 & 2: For any nonempty subset E ⊆ Ε
  1. M(E) = min{|T ∩ E|, T ∈ 𝒯} (minimum number of links E has in common with any spanning tree)
  2. Vulnerability of E: (E) = M(E)/|E| (minimum fraction of links E has in common with any spanning tree)
• Definition 3: A nonempty subset C ⊆ Ε is said to be critical if (C) = max over E ⊆ Ε of (E) (C has maximum vulnerability)
• vulnerability of graph ((G)) := vulnerability of critical subset
• Defender: choose trees that minimally cross critical subset
Critical Subset Attack Theorem
Theorem 1: There exists a Nash Equilibrium where
• Attacker attacks only the links of a critical set C, with equal probabilities
• Defender chooses only spanning trees that have a minimal intersection with C, and have equal likelihood of using each link of C, no larger than that of using any link not in C. [Such a choice is possible.]
There exists a polynomial algorithm to find C [Cunningham 1982]
Theorem generalizes to a large class of games.
Some implications
• Edge-Connectivity is not always the right metric!
• If ν ≤ 0: Attacker: “No Attack”
• If can invest to make µ high → Deter attacker from attacking
• Need to randomize choice of tree
• Network Design: Additional link. Network in b) is more vulnerable than network in c)
[Figure: graphs a), b), c) with ν = 3/4, ν = 2/3, ν = 3/5; 2/3 > 3/5]
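The definitions from the Critical Subset of Links slide, carried out by brute force as an added example (not code from the talk): it enumerates every spanning tree and every nonempty link subset to compute M(E)/|E| and the critical subsets. The two 4-node graphs are constructed samples, the graph is assumed connected, and the exhaustive search is a stand-in for the polynomial algorithm the talk cites, usable only on small graphs.

```python
from fractions import Fraction
from itertools import combinations

def spanning_trees(nodes, edges):
    """Every spanning tree, as a frozenset of edge indices (brute force)."""
    trees = []
    for combo in combinations(range(len(edges)), len(nodes) - 1):
        parent = {v: v for v in nodes}           # union-find forest
        def find(v):
            while parent[v] != v:
                v = parent[v]
            return v
        for i in combo:
            a, b = find(edges[i][0]), find(edges[i][1])
            if a == b:                           # edge would close a cycle
                break
            parent[a] = b
        else:                                    # |V|-1 acyclic edges span V
            trees.append(frozenset(combo))
    return trees

def vulnerability(subset, trees):
    """M(E)/|E|, with M(E) = min over spanning trees T of |T ∩ E|."""
    m = min(len(tree & subset) for tree in trees)
    return Fraction(m, len(subset))

def critical_subsets(nodes, edges):
    """Return (maximum vulnerability, list of subsets that attain it)."""
    trees = spanning_trees(nodes, edges)
    best, critical = Fraction(0), []
    for k in range(1, len(edges) + 1):
        for combo in combinations(range(len(edges)), k):
            subset = frozenset(combo)
            v = vulnerability(subset, trees)
            if v > best:
                best, critical = v, [subset]
            elif v == best:
                critical.append(subset)
    return best, critical

# Constructed sample graphs (not the ones drawn on the slides).
NODES = [1, 2, 3, 4]
CYCLE = [(1, 2), (2, 3), (3, 4), (4, 1)]
CYCLE_PLUS_DIAGONAL = CYCLE + [(1, 3)]           # one additional link

if __name__ == "__main__":
    for edges in (CYCLE, CYCLE_PLUS_DIAGONAL):
        print(critical_subsets(NODES, edges))
```

On the constructed 4-cycle the whole link set is critical with vulnerability 3/4, and adding the diagonal lowers it to 3/5. The two links at a degree-2 node, a minimum cut, reach only 1/2, which is the sense in which edge-connectivity alone misses the critical subset.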