
Playing Hide-and-Seek: An Abstract Game for Cyber Security


AAMAS, ACYSE, Paris, France.

Published in: Science

  1. 1. Playing Hide-And-Seek: An Abstract Game for Cyber Security. Martin Chapman, Gareth Tyson, Simon Parsons, Michael Luck, Peter McBurney
  4. 4. Issue: The complexity of research at the intersection of ABM and Cyber Security
  18. 18. Claim: A number of different Cyber Security problems can be abstracted to a simple game of ‘Hide-And-Seek’ . . . therefore . . . We are motivated to explore strategies for seeking (and, ultimately, hiding) in this game.
  19. 19. What is the structure of a H&S game? Parameters: 1. Topology 2. Number of nodes 3. Number of hidden objects “Nature” “AgentProperties” ... [Diagram labels: Network, Hider, Seeker]
  32. 32. Assuming no knowledge of an opponent it is intuitive to conceal these objects randomly.
  33. 33. In this instance, the best a seeker can do is conduct a random walk.
  37. 37. So how can we strategise? In reality, hiders (attackers) are either unable or unwilling to express randomness [Rubinstein, 1999] - Bugs in code - Human fallibility - Infrastructure constraints - Perceived ‘secrecy’ of locations. Repeat behaviour.
  42. 42. [Diagram: Hider and Seeker columns. Hider, by round: 1: v1 v2 v3; 2: v5 v1 v4; 3: v1 v6 v7; 4: ? Seeker: v1 v2 v3; v5 v1 v4; v1 v6 v7; v1]
  45. 45. 1. How much of this bias needs to be exhibited before a hider’s repetitions become exploitable? 2. How many bias nodes need to be included in a directed search to yield maximum performance for the seeker? 3. How should a seeker operate in the face of potential deception on the part of the hider?
  46. 46. 1. How much of this bias needs to be exhibited before a hider’s repetitions become exploitable?
  50. 50. [Figure: Average Cost of Games (log2) against Hider Bias (b), where the hider is ‘b’ times more likely to select a node; series: Random, Exploit (r = 1); only looking for one hidden object.] Bias does not have an impact until ~ b = 45. Hider can afford to favour a node significantly before his behaviour becomes exploitable by the seeker. If it is costly for a Seeker to employ a non-random strategy, it does not need to do so below this amount of bias.
  52. 52. 2. How many bias nodes need to be included in a directed search to yield maximum performance for the seeker?
  56. 56. [Figure: Average Cost of Games (log2) against Number of High Probability Nodes Included in Search (r); series: Random, Exploit (0 ≤ r < n); looking for multiple hidden objects; assume ‘perfect’ information on opponent; marker: total number of hidden objects.] Probability information only becomes useful when used to locate almost all hidden objects. Little benefit to conducting a search with only partial knowledge. Good news for the hider again: the number of nodes he can be biased towards, as well as the degree, is high.
  58. 58. 3. How should a seeker operate in the face of potential deception on the part of the hider?
  61. 61. [Figure: Average Cost of Games (log2) against Number of High Probability Nodes Included in Search (r); series: Random, Exploit.] When we don’t know the portion of objects which are hidden with bias, difficult to strategise against. r is arbitrary; should be symmetrically random.
  65. 65. 1. Results as heuristics; importance of verification 2. Impact of parameters 3. Importance of data-driven simulation
  68. 68. 1. The performance of both Hiders and Seekers when there are a varying number of items to find. 2. Performance of agents on different topologies (fully connected, so movement not constrained).
  72. 72. 1. Hiders who are also constrained by the topology. 2. ‘Intelligent’ hiders who also track seeker’s behaviour, if repetitions exist (i.e. start point). 3. Edge by edge probability scores for both the Seeker and Hider.
  75. 75. 1. Agents with a ‘strategy portfolio’ who are able to switch between these strategies on-the-fly. 2. Agents with a self-analysis component, allowing them to judge their own performance, and change strategy as appropriate.
  76. 76. Playing Hide-And-Seek: An Abstract Game for Cyber Security. martin.chapman@kcl.ac.uk www.martin-chapman.com
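
The two seeker strategies the slides compare (random search, and an "exploit" search that checks the r nodes a hider has repeated most often first), as an added Python example that is not from the deck or its authors. It assumes a fully connected graph, one hidden object per round, a single favoured node (node 0) chosen with weight b, and cost counted as nodes inspected; all names and parameters are illustrative, and it does not reproduce the deck's cost scale or its b ≈ 45 threshold.

```python
import random
from collections import Counter

def hide(n, b, rng):
    """Hider places one object: node 0 has weight b, every other node weight 1."""
    return rng.choices(range(n), weights=[b] + [1] * (n - 1))[0]

def random_order(n, rng):
    """Random seeker: inspect all nodes in a uniformly random order."""
    order = list(range(n))
    rng.shuffle(order)
    return order

def exploit_order(n, history, r, rng):
    """Exploit seeker: inspect the r most frequently observed hiding nodes
    first, then fall back to a random order over the remaining nodes."""
    top = [v for v, _ in history.most_common(r)]
    rest = [v for v in range(n) if v not in top]
    rng.shuffle(rest)
    return top + rest

def cost(order, target):
    """Cost of one game = number of nodes inspected until the object is found."""
    return order.index(target) + 1

def average_costs(n, b, r=1, rounds=2000, seed=0):
    """Play repeated rounds; the exploit seeker learns only from past rounds.
    Returns (average random cost, average exploit cost)."""
    rng = random.Random(seed)  # seeded so runs are repeatable
    history = Counter()
    total_random = total_exploit = 0
    for _ in range(rounds):
        target = hide(n, b, rng)
        total_random += cost(random_order(n, rng), target)
        total_exploit += cost(exploit_order(n, history, r, rng), target)
        history[target] += 1  # seeker records where the object turned up
    return total_random / rounds, total_exploit / rounds

def expected_exploit_cost(n, b):
    """Closed form for r = 1 once the favoured node is known:
    p = b / (b + n - 1) is the chance the first inspection succeeds;
    otherwise the object is uniform over the other n - 1 nodes."""
    p = b / (b + n - 1)
    return 1 + (1 - p) * n / 2

if __name__ == "__main__":
    for b in (1, 5, 50):
        rnd, exp = average_costs(50, b)
        print(f"b={b:>2}  random={rnd:.1f}  exploit={exp:.1f}  "
              f"predicted={expected_exploit_cost(50, b):.1f}")
```

With b = 1 the closed form reduces to (n + 1) / 2, the random seeker's expected cost, so in this toy model the exploit strategy gains nothing when the hider shows no bias.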
