Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cyber Hide-And-Seek: Ph.D. Viva Presentation

70 views

Published on

King's College London

Published in: Science
  • Be the first to comment

  • Be the first to like this

Cyber Hide-And-Seek: Ph.D. Viva Presentation

  1. 1. Cyber Hide-and-Seek: Ph.D. Viva Presentation Martin Chapman King’s College London martin.chapman@kcl.ac.uk November 30, 2015 Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 1 / 45 Overview High level overview of key themes in work; some comment on methodology. Designed as potential points for discussion; not exhaustive. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 2 / 45
  2. 2. Motivation I Problem: Network attacks are becoming more frequent. Traditional response to a network attack is to use human expertise. (Generally) reliable and suited to the situation. Slow. Automated techniques exist, but they lack sophistication in that they can only perform trivial remedial actions. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 3 / 45 Motivation II Formal decision-making frameworks explicitly quantify the salient elements of a phenomena such as a network attack. This provides the opportunity for both fast... Once a problem is quantified within a framework, it can be solved automatically ...sophisticated... Frameworks distill the knowledge of experts, such that each framework can be applied to new situations, potentially with an adjustment of variables (attacker or defender strategies, payoff values etc.) to account for the particular situation. ... and scalable... Capturing this knowledge allows situations to be addressed on a larger scale. ...automated response. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 4 / 45
  3. 3. Existing Models I Known as Network Security Games. Game theoretic, in order to enable multi-player strategic decision-making Some models contain variables that can altered (as described previously) and solution concepts that relate these variables in a certain way [1]: −αc αm βc −βs αf 0 0 0 d1 nd a1 na D A p∗ 1 = αf αf + αc + αm q∗ 1 = βs βc + βs . Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 5 / 45 Existing Models II βc represents the detection penalty for an attacker, βs the benefit to an attacker from a successful attack, αc the benefit to a defender of detecting an attack, αf the cost of a false alarm and αm the cost of missing an attack. p∗ 1 is a probability distribution for the attack, where the potential for attack increases with the potential for false alarm. q∗ 1 is a probability distribution for the defender, where potential for defending (i.e. the IDS monitoring) increases with the benefit to attacking This constitutes one solution to the game. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 6 / 45
  4. 4. Existing Models III Some models estimate these variables instead, in an attempt to make general comments about how to approach security situations (e.g. attackers will often operate at a slightly lower capacity, in order not to trigger a reaction from the defender [3]). Most importantly, for our purposes, this field demonstrates an important idea: games and game theory can be used to both model and solve the problems exhibited by network attacks. Common approach: take an existing game, and apply it to a security scenario, based upon parallels between properties of the game, and properties of the scenario e.g. a Stackelberg game; attacker leads, defender follows [4]. Provides an accepted format in which problems can be understood. May bring existing solutions to bear on a new problem. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 7 / 45 Multiple Node Attacks I A specific, yet important, category of network attacks, that haven’t been examined in detail in the security games literature. Attacks involve a significant number of intermediate nodes. Botnets (a compromised set of slave nodes) Problem: How do we discern compromised nodes in an overlay network, such as a P2P network, from legitimate nodes? Attack Pivoting (incremental intrusion into a network) Problem: How do we organise the network, and the sensitive resources within it, in order to account for incremental intrusion? Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 8 / 45
  5. 5. Multiple Node Attacks II Same methodology: Find parallels between these types of attack, and a game. The link: two-sided search problem Traditional search, but the item(s) being sought is not just lost but it has been concealed. Must take into account the strategy of the ‘concealer’. Multiple node attacks exhibit the two-sided search problem with multiple hidden objects. When facing a pivoting attack, the problem must be considered from the reverse perspective (i.e. how will the attacker attempt to second guess my hide locations). Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 9 / 45 Hide-and-Seek games I Search games are designed to model and investigate the two-sided search problem. Hide-and-seek games, a subset of search games, are designed to do this for multiple hidden objects. Proposal It is logical to study hide-and-seek games in order to study multiple node attacks. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 10 / 45
  6. 6. Hide-and-Seek games II Different permutations on same basic model. The permutation of interest to us: Two competing players; the hider and the seeker A search space; for our purposes, a network Hidden objects to be concealed on the network Some cost to seeker for undertaking a search; the hider is rewarded in an inverse amount. This model is simple, but already promising in what it can capture from a multiple node attack. Richer variants to the model are natural, why aren’t they explored? ‘Complexity’. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 11 / 45 Complexity of analytic solution Gal: ‘Networks of arbitrary topology are likely to have a very difficult analytic solution’ [2] Increasing the richness of a game representation makes it increasingly difficult to derive a solution Why? It becomes less apparent what the payoff values attributed to each potential strategy are or how to formalise a relationship between the variables in the framework as part of a solution. Richer games often have different configurations. This greatly increases the strategy space. Tacking this complexity: Empirical Game Theoretic Analysis Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 12 / 45
  7. 7. Methodology Empirical Game Theoretical Analysis (EGTA) estimates the payoff values associated with different strategies by realising computational representations of them. This computational environment, and the EGTA methodology, also indirectly fosters the derivation of the strategies themselves. Solution concepts Candidate strategies Estimated payoff matrix Simulation Strategic reasoningAdd candidates Further simulations Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 13 / 45 Research Questions I In order to study a richer hider-and-seek model, amenable to capturing the elements of a network attack at a less abstract level, we choose to adopt this approach. Studies that follow the EGTA methodology naturally pursue the following three research questions: 1 Which strategies exist for both players? 2 What are the payoffs for each strategy? 3 What is the solution to the game? Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 14 / 45
  8. 8. Research Questions II Therefore, in this thesis, we ask: 1 Which strategies exist for both the hider and the seeker? 2 What are the payoffs for each of these strategies? 3 What is the solution to the game? Contribution: Recommendations for the hide-and-seek game, that can directly influence how the defender of a network approaches the potential for, and responds to, a multiple node attack. Long term aim: To provide a framework within which further strategic experimentation can take place. First, we need to define a new model of the game that facilitates this method. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 15 / 45 Conceptual Model I Despite the chosen methodology, it is still important to still define our model conceptually; this provides the potential for future analytic attention. Our model exhibits a new constraint derived from explicitly treating the hider and the objects as separate entities; the hider must traverse the network in order to reach desired hide locations. This creates a novel payoff structure: A seeker’s payoff is inversely proportional to the total cost of their traversal in one interaction: Payoff (S) = −TCost(S). A hider’s payoff is a seeker’s traversal cost, minus their own traversal cost in one interaction: Payoff (H) = TCost(S) − TCost(H). Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 16 / 45
  9. 9. Conceptual Model II This constraint coupled with an existing constraint – an unknown network – creates challenges for the hider (and indeed the seeker) not seen previously (e.g. strategies must respond as more is learnt about the network, a hider no longer has complete freedom to move anywhere etc.). These features are the source of complexity, as previously described. Complexity is also in the computational model... Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 17 / 45 Computation Model I Conceptual model makes no assumption about the format of the topology, but the actual variations in topology are provided within the computational model. Supported by the library JGraphT. We end up with something tangible that can be run for an arbitrary number of iterations Implemented in Java as an interactive platform. Structured for use by the community as a distributed research game. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 18 / 45
  10. 10. Computation Model II A run of the computational model (otherwise known as a game) is defined by: A set of hider and seeker strategies. All pairwise meetings between the hider and the seeker, for each strategy. A particular configuration of variables in the model. Each game is repeated multiple times to increase validity. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 19 / 45 Model configuration I 1 G Graph topology 2 N Number of nodes in network 3 K The number of hidden objects 4 c Upper limit on edge costs 5 R Number of interactions 6 ... Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 20 / 45
  11. 11. Model configuration II The conditions under which we answer each research question. Some conditions have a greater impact on some questions than others (e.g. increasing the number of nodes doesn’t necessarily open up a space for introducing a greater number of strategies.). Default configuration: 5% of nodes will contain hidden objects (K = 5, N = 100). Why? Reflect the ‘needle in a haystack’ element of a multiple node attack. Other configuration: 50% of nodes will contain hidden objects (N = 2K), for 1 ≤ K ≤ 100. Why? Understand the impact that a greater number of nodes has on different strategies Understand the impact that having a higher ratio of hidden objects to nodes has on different strategies Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 21 / 45 Main Configurations 1 Games containing a single interaction. 2 Games containing multiple interactions. Other variables are considered as sub-configurations within these. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 22 / 45
  12. 12. Single Interaction Games I Each game consists of a single interaction. High frequency of attacks, but may be from different parties with different strategies. A specific attack that is difficult to replicate (e.g. a targeted piece of malware such as Stuxnet). Player Strategy Description Hider hRandomSet Chooses a subset of K nodes stochastically from all N nodes. Seeker sBacktrackGreedy Traverses the graph by choosing the cheapest, unvisited outgoing edge from amongst those edges connected to the current node, and previously visited nodes. Hider hFirstK Hides its start node, and the first K −1 locations it reaches on a random walk. Seeker sLinkedPath Attempts to find the trail of objects left by hFirstK by exploring until one object is found, and then iteratively examining each connected node in turn, backtracking if the path ends. Hider hNotConnected Hides in the first K nodes which it visits that have no connections to any of the nodes that already exist in the hide set. Hider hLeastConnected Expresses a preference for concealing objects in nodes that have the lowest degree centrality. Hider hMaxDistance Expresses a preference for concealing objects in a set of nodes that exist at the maximum distance from one another. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 23 / 45 Single Interaction Games II Example application of methodology: 1 Enumerate strategies; in response to the behaviour of opponents, behaviour in a network attack or simply natural behaviour. hFirstK, hRandomSet, sBacktrackGreedy and sLinkedPath 2 Realise strategies in computational model. 3 Configure parameters (K = 5, N = 100, c = 1). 4 Run simulation (containing sufficient number of games (typically 1000)). 5 Measure performance of strategies in simulation (payoff is the typical metric). Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 24 / 45
  13. 13. Single Interaction Games III 6 Plot results for analysis. 0.3 0.35 0.4 0.45 0.5 0.55 0.6 0.65 hFirstK hRandom Set Payoff Strategy sBacktrackGreedy *** *** sLinkedPath *** *** Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 25 / 45 Single Interaction Games IV 7 Translate to payoff information in order to solve game. −6.0 −3.0 6.0 3.0 −6.0 −10.0 4.0 8.0 sBacktrackGreedy sLinkedPath hFirstK hRandomSet Hider: hFirstK (57.14%) hRandomSet (42.86%) (Payoff: 5.14) and Seeker: sBacktrackGreedy (71.43%) sLinkedPath (28.57%) (Payoff: -6.00) Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 26 / 45
  14. 14. Single Interaction Games V Examples of translating solutions to the hide-and-seek game into recommendations for network attacks. ‘The best strategy for a hider to adopt against sBacktrackGreedy, depending on the existence of other strategies, is hFirstK’. The hider is the defender. Concealing vulnerabilities arbitrarily (hRandomSet) is costly, yet desirable because it deters an attacker; the attacker knows this will necessitate extensive tours once inside the network. This threat can be maintained by adopting a strategy in which resource, unbeknown to the attacker, and placed in close proximity, while simultaneously reducing cost. An element of psychology, further supporting the use of game theory. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 27 / 45 Single Interaction Games VI ‘The best strategy for a hider to adopt against sBacktrackGreedy and sLinkedPath is hNotConnected’. The hider is the defender. We now have a strategy that is dominant against a range of choices by the defender; correctly balancing effort with anonymity can deter an attacker as much as taking the effort to hide completely anonymously, without the additional cost (as with hFirstK) and without the potential for exploitation. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 28 / 45
  15. 15. Multiple Interaction Games (Reactive Strategies) I Multiple interaction game: the same attacker and defender meet each other multiple times. Natural if an attacker exerts effort establishing a botnet. Limitation of strategies in a single game: Preference strategies are natural, but ill-suited to a single game interaction. Instead, with the multiple interaction dynamic, we consider how strategies (existing and new) are able to react based upon acquiring incremental knowledge of their environment, their opponent’s actions and their own past actions. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 29 / 45 Multiple Interaction Games (Reactive Strategies) II Player Strategy Description Seeker sLeastConnectedFirst Visits those nodes with the lowest connectivity, first. Seeker sMaxDistanceFirst Visits those nodes that it computes to be at the diameter of the graph, first. Seeker sHighProbability Visits those nodes that have been hidden in most frequently by a hider, first. Seeker sInverseHighProbability Visits those nodes that a hider has not yet hidden in, first. Hider hDeceptive Hides in K nodes for a set number of rounds, and then in the remaining rounds never hides in these nodes again. Hider hUniqueRandomSet Does not repeat its choice of hide location for as along as possible, and then restarts this process. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 30 / 45
  16. 16. Multiple Interaction Games (Reactive Strategies) III ‘The best strategy for a seeker to adopt against hMaxDistance, when there are multiple interactions, is sMaxDistanceFirst, but this is the worst strategy to play against hLeastConnected’ The seeker is the defender. If a defender is able to correctly second guess the mentality (i.e. the strategy) of the attacker, in terms of their selection of nodes to compromise as bots, they are rewarded highly. However, if their estimation is wrong, they suffer. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 31 / 45 Multiple Interaction Games (Reactive Strategies) IV ‘The best strategy for a seeker to adopt against both hMaxDistance and hLeastConnected is sHighProbability’ The seeker is the defender. Rather than trying to second guess the actions of an attacker, a defender can wait for evidence of their behaviour. In this instance, they cannot exploit the attacker to the same extent as if they made a correct estimation, but instead protect themselves by reacting to behaviour. The best response from an attacker to this is to ‘space’ bots out within the compromised overlay network (i.e. hMaxDistance). Achieving this in practice requires additional effort, and is a challenge logistically, so the attacker may be deterred from attacking the network outright. Again about psychology. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 32 / 45
  17. 17. Multiple Interaction Games (Meta Strategies) I Limitation of reactive strategies: A short-sighted, reactive approach has its limitations. Meta-strategies: A framework that facilitates the gradual acquisition of knowledge; react to how the opponent is playing, not simply to patterns in their behaviour. Abstracts the notion of strategy selection to a single strategy with multiple behaviours. Player Strategy Description Seeker sMetaProbability Assesses whether an opponent is playing hRandom- Set or hUniqueRandomSet, and acts accordingly. Hider hMetaConnected Assesses whether there are a suitable number of low connectivity nodes in the graph to make hLeastCon- nected a viable strategy. Hider hMetaRandom Aims to understand the suitability of the strategy currently being emulated in order to respond to a seeker playing either sHighProbability or sInverse- HighProbability. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 33 / 45 Multiple Interaction Games (Meta Strategies) II ‘The best strategy to play against an opponent playing a concrete strategy is a meta strategy’ A warning to a defender adopting a specific defence mechanism (e.g. speak up [5]); once an attacker understands that this is the mechanism being used, they can adjust for it. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 34 / 45
  18. 18. Multiple Interaction Games (Meta Strategies) III ‘The best strategy to play against an opponent playing a meta strategy is a concrete strategy’ Meta-strategies are useful when the opponent does not recognise that their behaviour is being monitored, and respond. If they do, we end up with a large amount of flux in the choice of strategy, as each player tries to better the other. Reflects current state of affairs: defenders continually patch, while attackers continually exploit. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 35 / 45 Potential Weaknesses? Minor: Parameter configurations (e.g. the relative values of N and K), are made without the inject of real data; setting values is a move towards this, but more could easily be done. Some may find the notion that strategies defeat each other unintuitive; a component of the EGTA method, import tests for robustness. Worth elaboration: Relationship with Security Literature Recommendation Caveats Abstraction Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 36 / 45
  19. 19. Relationship with Existing Security Literature Existing security literature is contemporary. This work is essential. Our work aims to complement this work by looking at the bigger picture; aims to contribute some, or at least provide a framework in which, ‘timeless’ strategies can be developed. Focusses on literature from well established areas; game theory, network security games etc. As such, compromises some contemporary themes; easy to update the model to account for more contemporary information. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 37 / 45 Recommendation Caveats I The model is abstract; it is not a network simulator, nor was it designed to be (explained momentarily...). This means recommendations require further verification; they are heuristics. Important to differentiate them as heuristics by leaving them in the context of the model. This is not an exhaustive list (but logical within the scope defined); we are not claiming to have all the answers; instead the model provides a framework within which further recommendations can be derived. Recommendations are often intuitive, but sometimes not; changing strategy in response to your opponent’s change in strategy (i.e. also adopting a meta-strategy) is of no benefit. Knowing something is different to showing it. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 38 / 45
  20. 20. Recommendation Caveats II In the end, the recommendations are important, but the impact of this work goes above that, in accordance with the aim highlighted earlier: Furthers the important methodology of abstraction, and the methodology of applying games to new problems. Contributes a model (both in its conceptual and computation form) to the research community as a whole; distributed research game. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 39 / 45 Recommendation Caveats III You’re helping the attacker as well as the defender! Because an attacker and a defender can be either the hider or the seeker, recommendations could, in theory, help both. Understanding how an attacker may think, and their optimal course of play, is essential. Often find that there are natural restrictions when the attacker is the hider. e.g. While it may seem that an attacker will also benefit from the recommendation that hiding in adjacent nodes achieves comparable anonymity to hiding uniformly randomly, being in a network outside of their control limits the freedom they have to hide anywhere. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 40 / 45
  21. 21. Abstraction I Why do we approach the problem at this level? An important first step in solving problems. Studies that attempt to model problems such as multiple node attacks directly, often end up unwieldly. Initially motivated by multiple node attacks, but could have applications elsewhere. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 41 / 45 Abstraction II Potential issues: 1 Verification (mentioned) Common in computer science. There are therefore mechanisms in place to enable this. 2 Implicit expectation that hider and seeker can be used interchangeably with attacker or defender; nice because it helps harmonise the concepts, but may lead to ambiguities, or further questions of applicability e.g. Chapter 1 considers the hider as the benign entity, while Chapter 2 considers the seeker as the benign entity. Flexibility outweighs the potential ambiguity. Important to consider the level of abstraction in relation to existing hide-and-seek games. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 42 / 45
  22. 22. Strengths Multiple Interaction Games with Meta Strategies (Chapter 5). Distributed Research Game (DRG) Abstraction, while a challenge, is also a significant strength in terms of versatility and providing a new perspective on problems. Classification of Network Attacks (D2C3). Investigating the hide-and-seek game from a computational perspective, and search games in general, is itself a whole new field. ... Also could provide the basis for future publication Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 43 / 45 Looking to the future... In the process of listing desirable features to extend a search game prior to conducting the study, we also introduce the potential for future work: Specific: Strategies with a greater number of topological preferences. A greater number of rounds in a game. Further permutations on the meta-strategy model (varying degrees of knowledge regarding when and how to change behaviour). General: Further validate heuristics; provide more heuristics as a result of expanding the model. Where cost falls in the model (Edges and Nodes?) The impact of multiple hiders and seekers. ... Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 44 / 45
  23. 23. References Tansu Alpcan and Tamer Ba¸sar. Network Security: A Decision and Game-theoretic Approach. Cambridge University Press, 2010. Shmuel Gal. Search games. In Wiley Encyclopedia of Operations Research and Management Scilence. Wiley, 2011. Jorma Jormakka and Jarmo M¨ols¨a. Modelling Information Warfare as a Game. Journal of Information Warfare, 4(2):12–25, 2005. Heinrich Von Stackelberg. Market Structure and Equilibrium. Springer Science and Business Media, 2010. Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker. Ddos Defense by Offense. In Proceedings of The 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM 06), pages 303–314, 2006. Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 45 / 45

×