Optimal Security Investments in a Prevention and Detection Game

Carlos Barreto (Carlos.BarretoSuarez@utdallas.edu)
Alvaro A. Cárdenas (Alvaro.Cardenas@utdallas.edu)
Alain Bensoussan (Alain.Bensoussan@utdallas.edu)

University of Texas at Dallas
Hot Topics in the Science of Security Symposium 2017
Problem: How to invest in security?

Although security is important, firms fail to protect their systems because they
◮ underestimate their exposure,
◮ ignore the cost/benefit of security technologies,
◮ lack incentives, and
◮ do not know the best way to protect a system.
Related work

Previous work on increasing security investments:

Interdependencies: deal with the negative effects of networked systems, which create cooperation problems.
Insurance: a tool that might give firms incentives to invest in protection.¹

How can we protect systems?

¹ New York State Department of Financial Services: Report on Cyber Security in the Insurance Sector, Feb. 2015. URL: http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
Objective: investigate the best investment strategy to protect a system

We propose a model of the interactions between a defender and an attacker.

The defender invests in two types of technologies:
◮ Prevention
◮ Detection

The attacker invests its resources in:
◮ finding vulnerabilities
◮ attacking the system

How does the attacker’s strategy change as a function of the defense? How does the defense strategy change with limited resources? With limited information?
Outline
◮ Model: players and security model
◮ Attacker: optimal attack strategy
◮ Defender
◮ Simulations: Nash equilibrium and budget constraints
Players

Attacker
Objective: maximize its profit from attacking firms (e.g., stealing information).
Actions:
◮ Find bugs (hack the system): v_h ∈ [0, 1]
◮ Exploit bugs: v_e ∈ [0, 1]

Defender
Objective: minimize the operation costs of the system, balancing the cost of attacks against the cost of protection.
Actions:
◮ Prevent bugs in the system (e.g., secure code development): v_p ∈ [0, 1]
◮ Detect attacks and correct failures (e.g., IDS): v_d ∈ [0, 1]

The cost of each player is affected by the decisions of its adversary.
Modeling

We model the dynamic security of the system: the players’ actions affect the change in security through a Markov process.

The players make decisions under uncertainty that optimize their performance: the decision of each player is formulated as a problem of stochastic dynamic programming.

Stochastic dynamic programming problems² involve iteratively solving a Bellman equation that describes the conditions for optimal decisions.

² Alain Bensoussan: Dynamic Programming and Inventory Control, vol. 3 (Studies in Probability, Optimization and Statistics), 2011; Onésimo Hernández-Lerma and Jean B. Lasserre: Discrete-Time Markov Control Processes: Basic Optimality Criteria, vol. 30, 2012.
System’s Security as a Markov Decision Process

Vulnerable state S_0: an adversary can exploit a vulnerability.
Secure state S_1: the adversary must search for a vulnerability to attack.

[State diagram: from S_0 the system moves to S_1 with probability π(v_e, v_d) and stays in S_0 with probability 1 − π(v_e, v_d); from S_1 it moves to S_0 with probability δ(v_h, v_p) and stays in S_1 with probability 1 − δ(v_h, v_p).]

In state S_0 the attacker gains g_a(v_e) at cost C_0, and the defender loses g_d(v_e) on top of its protection costs C_d(v_d) + C_p(v_p):

$$l_A = -g_a(v_e) + C_0, \qquad l_D = g_d(v_e) + C_d(v_d) + C_p(v_p).$$

The defender detects the attack with probability π(v_e, v_d), which increases with v_e and v_d.
System’s Security as a Markov Decision Process

In state S_1 the attacker gains nothing and pays the search cost C_v, while the defender loses nothing and pays only its protection costs:

$$l_A = C_v, \qquad l_D = C_d(v_d) + C_p(v_p).$$

The attacker finds a vulnerability with probability δ(v_h, v_p), which
◮ increases with the effort of the attacker, v_h, and
◮ decreases with the effort of the defender, v_p.
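The two states and transition probabilities translate directly into a small simulation model. Below is a minimal sketch; the functional forms of π and δ, the quadratic protection costs, and the scaling of C_0 and C_v by the attacker's efforts are illustrative assumptions, not the paper's specification.

```python
import random

# Two-state security model: S0 = vulnerable, S1 = secure.
# The forms of pi, delta, and the costs below are illustrative assumptions.

BETA = 0.9            # discount factor
C0, CV = 0.5, 0.2     # attacker's cost of attacking / searching (assumed scaled by effort)
GA, GD = 2.5, 3.0     # attacker's gain / defender's loss under a full attack

def pi(v_e, v_d):
    """Detection probability: increases with exploit effort v_e and detection effort v_d."""
    return min(1.0, v_e * v_d)

def delta(v_h, v_p):
    """Discovery probability: increases with v_h, decreases with v_p."""
    return v_h * (1.0 - v_p)

def step(state, v_e, v_h, v_d, v_p):
    """Sample the next state of the Markov chain."""
    if state == "S0":
        return "S1" if random.random() < pi(v_e, v_d) else "S0"
    return "S0" if random.random() < delta(v_h, v_p) else "S1"

def losses(state, v_e, v_h, v_d, v_p):
    """Per-period losses (l_A, l_D); protection costs C_d, C_p assumed quadratic."""
    protection = v_d**2 + v_p**2
    if state == "S0":
        return -GA * v_e + C0 * v_e, GD * v_e + protection
    return CV * v_h, protection
```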
Attacker’s Discounted Payoff

[Figure: a sample path of the system alternating between the states S_0 and S_1 over the periods x_0, x_1, x_2, x_3, x_4, ...]

The discounted payoff of the attacker under the attack and defense strategies v_A and v_D is

$$J_A(x_0, v_A, v_D) = l_A(x_0, v_A) + \beta \mathbb{E}^{v_A, v_D}_{x_0}\Big\{ l_A(x_1, v_A) + \beta \mathbb{E}^{v_A, v_D}_{x_1}\big\{ l_A(x_2, v_A) + \beta \mathbb{E}^{v_A, v_D}_{x_2}\{ l_A(x_3, v_A) + \cdots + \beta \mathbb{E}^{v_A, v_D}_{x_{n-1}}\{ l_A(x_n, v_A) + \cdots \} \} \big\} \Big\}$$

The discount factor β relates future costs to the present.
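To make the nested expectations concrete, the discounted payoff can be estimated by simulating sample paths like the one sketched above. The following Monte Carlo sketch reuses the assumed model forms from the previous block; parameters and strategies are illustrative.

```python
import random

# Monte Carlo estimate of the attacker's discounted payoff J_A under fixed
# stationary strategies. Model forms and parameters are illustrative assumptions.

BETA, C0, CV, GA = 0.9, 0.5, 0.2, 2.5

def pi(v_e, v_d):
    return min(1.0, v_e * v_d)

def delta(v_h, v_p):
    return v_h * (1.0 - v_p)

def attacker_payoff(v_e, v_h, v_d, v_p, horizon=300, runs=2000):
    """Average discounted attacker cost over simulated sample paths."""
    total = 0.0
    for _ in range(runs):
        state, discount = "S0", 1.0
        for _ in range(horizon):
            if state == "S0":
                total += discount * (-GA * v_e + C0 * v_e)  # l_A in S0
                state = "S1" if random.random() < pi(v_e, v_d) else "S0"
            else:
                total += discount * (CV * v_h)              # l_A in S1
                state = "S0" if random.random() < delta(v_h, v_p) else "S1"
            discount *= BETA
    return total / runs

print(attacker_payoff(v_e=1, v_h=1, v_d=0.3, v_p=0.3))
```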
Attacker’s Discounted Payoff

We consider an infinite-horizon problem in which the attacker wants to find the best attack strategy v_A. The cost functional can be written recursively as

$$J_A(x_0, v_A, v_D) = \underbrace{l_A(x_0, v_A)}_{\text{present cost}} + \beta \underbrace{\mathbb{E}^{v_A, v_D}_{x_0}\{ J_A(x_1, v_A, v_D) \}}_{\text{future cost}},$$

where x_0 is the initial state. The minimum cost is given by the Bellman equation

$$u_A(x_0, v_D) = \min_{v_A} J_A(x_0, v_A, v_D) = \min_{v_A} \Big\{ l_A(x_0, v_A) + \beta \mathbb{E}^{v_A, v_D}_{x_0}\{ u_A(x_1, v_D) \} \Big\}.$$

The optimal attack strategy v_A^* satisfies u_A(x_0, v_D) = J_A(x_0, v_A^*, v_D).
Optimal Attack Strategy: Procedure

1. Show that the cost functional is a contraction mapping.
2. By the Banach fixed-point theorem, we can approximate the cost functional iteratively:
$$u^{n+1}(x, v_D) = \inf_{v_n \in [0,1]} \big\{ l_A(x, v_n) + \beta \mathbb{E}^{v_n, v_D}_{x}\{ u^{n}(x_1, v_D) \} \big\},$$
where u^n(x, v_D) → u_A(x, v_D) as n → ∞.
3. We can analyze the optimal actions of the attacker with the approximated function (see the value-iteration sketch below).
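A minimal value-iteration sketch of step 2, using the assumed π, δ, and cost forms from the earlier model sketch; a grid search over the attacker's effort stands in for the exact infimum, and all parameters are illustrative.

```python
# Value iteration for the attacker's Bellman equation. The forms of pi,
# delta, and the costs (C_0, C_v scaled by effort) are assumptions.

BETA, C0, CV, GA = 0.9, 0.5, 0.2, 2.5

def pi(v_e, v_d):
    return min(1.0, v_e * v_d)

def delta(v_h, v_p):
    return v_h * (1.0 - v_p)

def value_iteration(v_d, v_p, n_iter=500, grid=21):
    """Approximate u_A(S0) and u_A(S1) by iterating the Bellman operator."""
    actions = [i / (grid - 1) for i in range(grid)]
    u0, u1 = 0.0, 0.0
    for _ in range(n_iter):
        # State S0: choose exploit effort v_e; detection moves the system to S1.
        u0_new = min(
            (C0 - GA) * v_e + BETA * (pi(v_e, v_d) * u1 + (1 - pi(v_e, v_d)) * u0)
            for v_e in actions
        )
        # State S1: choose hacking effort v_h; discovery moves the system to S0.
        u1_new = min(
            CV * v_h + BETA * (delta(v_h, v_p) * u0 + (1 - delta(v_h, v_p)) * u1)
            for v_h in actions
        )
        u0, u1 = u0_new, u1_new
    return u0, u1

print(value_iteration(v_d=0.3, v_p=0.3))
```

Because the per-period costs in this sketch are linear in the efforts, the minimizers land at the endpoints of [0, 1], matching the bang-bang structure of the theorem on the next slide.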
Optimal Attack Strategy

Theorem (optimal strategy of the attacker):
1. v_e = 0 and v_h = 0 if K > 0,
2. v_e = 1 and v_h = 0 if K < 0 and B > 0,
3. v_e = 1 and v_h = 1 if K < 0 and B < 0,

where

$$\underbrace{K = C_0 - g_a(1)}_{\text{independent of } v_D}, \qquad \underbrace{B = C_v + \frac{\beta K}{1 - \beta + \beta \pi(1, v_d)}\, \delta(1, v_p)}_{\text{increases with } v_d \text{ and } v_p}.$$

Notes:
◮ The decision to attack the system in S_0 (v_e = 1) depends on the profitability of the attack, not on the defense strategy.
◮ The defender affects the decision to hack the system through its defense strategy: B increases with both v_d and v_p.
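The threshold B can be mapped over the defender's efforts to trace the hack/no-hack boundary summarized in the figures below. This sketch uses the expression for B as reconstructed above with assumed forms π(1, v_d) = v_d and δ(1, v_p) = 1 − v_p; all parameter values are illustrative.

```python
# Map the attacker's hack/no-hack regions over the defense efforts (v_d, v_p),
# using the theorem's threshold B with assumed pi(1, v_d) = v_d and
# delta(1, v_p) = 1 - v_p. Parameter values are illustrative.

BETA, C0, CV = 0.9, 0.5, 0.2

def B(v_d, v_p, g_a1):
    K = C0 - g_a1  # negative whenever attacking is profitable
    return CV + BETA * K * (1.0 - v_p) / (1.0 - BETA + BETA * v_d)

grid = [i / 10 for i in range(11)]
for g_a1 in (2.5, 4.0, 5.0):
    print(f"g_a(1) = {g_a1}  ('.' = no hacking, 'H' = hack)")
    for v_p in reversed(grid):        # y-axis: prevention effort
        print("".join("." if B(v_d, v_p, g_a1) > 0 else "H" for v_d in grid))
    print()
```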
Attacker’s Hack Decision Boundary

[Figures: regions of the (v_d, v_p) plane where attacks are unprofitable (“No Hacking”) versus where the attacker hacks (“Hack!”), plotted for attacker gains g_a(1) = 2.5, 4, 5, 6, and 7. Axes: effort detecting attacks (v_d) and effort preventing attacks (v_p), each from 0 to 1. As the attacker’s gain grows, the “No Hacking” region shrinks, so higher detection and prevention efforts are needed to make attacks unprofitable.]
Outline
◮ Model: players and security model
◮ Attacker: optimal attack strategy
◮ Defender
◮ Simulations: Nash equilibrium and budget constraints
Defender’s Payoff

The cost of implementing the defense strategy v_D = (v_d, v_p) in a time period is

$$l_D(x, v_A, v_D) = \begin{cases} \underbrace{g_d(v_e)}_{\text{loss caused by an attack}} + C_p(v_p) + C_d(v_d) & \text{if } x = S_0, \\ \underbrace{C_p(v_p) + C_d(v_d)}_{\text{protection cost}} & \text{if } x = S_1. \end{cases}$$

The loss g_d(v_e) increases with v_e. The costs to prevent, C_p(v_p), and to detect, C_d(v_d), attacks increase with v_p and v_d, respectively.
Defender’s Objective: Full Information

The defender observes the state of the system (i.e., it knows when the system is compromised, but does not know the precise cause).

[State diagram as before; under full information the defender conditions its investment on the state: in S_0 it invests in detection (v_d ≥ 0, v_p = 0), and in S_1 it invests in prevention (v_d = 0, v_p ≥ 0).]

The cost functional is defined as

$$J_D(x_0, v_A, v_D) = l_D(x_0, v_A, v_D) + \beta \mathbb{E}^{v_A, v_D}_{x_0}\{ J_D(x_1, v_A, v_D) \}.$$
Defender’s Objective: Asymmetric Information

The defender cannot observe the state of the system; instead, it has some belief about the initial state, and it invests v_d ≥ 0 and v_p ≥ 0 regardless of the state.

[State diagram as before, but the current state is unknown to the defender.]

The cost function becomes

$$\hat{J}_D^{\,n}(v_A, v_D) = P(x_n = S_0)\, l_D(S_0, v_A, v_D) + P(x_n = S_1)\, l_D(S_1, v_A, v_D) + \beta\, \hat{J}_D^{\,n+1}(v_A, v_D).$$
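This recursion can be evaluated by propagating the state distribution P(x_n = S_0) forward in time. Below is a minimal sketch under fixed stationary strategies; the belief update, the assumed π, δ, and cost forms, and the finite truncation of the infinite sum are all illustrative assumptions.

```python
# Evaluate the defender's expected discounted cost under asymmetric
# information by propagating p_n = P(x_n = S0). Functional forms,
# parameters, and the finite horizon truncation are assumptions.

BETA, GD = 0.9, 3.0

def pi(v_e, v_d):
    return min(1.0, v_e * v_d)

def delta(v_h, v_p):
    return v_h * (1.0 - v_p)

def defender_cost(p, v_e, v_h, v_d, v_p, horizon=500):
    """Discounted defender cost starting from the belief p = P(x_0 = S0)."""
    protection = v_d**2 + v_p**2          # assumed C_d(v_d) + C_p(v_p)
    total, discount = 0.0, 1.0
    for _ in range(horizon):
        # Expected per-period loss under the current belief.
        total += discount * (p * GD * v_e + protection)
        # Belief update: S0 persists unless the attack is detected;
        # S1 falls to S0 when the attacker finds a vulnerability.
        p = p * (1 - pi(v_e, v_d)) + (1 - p) * delta(v_h, v_p)
        discount *= BETA
    return total

print(defender_cost(p=0.5, v_e=1, v_h=1, v_d=0.4, v_p=0.4))
```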