2012.12 Games We Play: Defenses & Disincentives

Allison Miller
Allison MillerProduct strategy, Security at Google
Games We Play Defenses and Disincentives Allison Miller
Overview Overview of econ & game theory concepts Game theory games Infosec issues as games Designing games to win Walk-through a defense built on disincentives Wrap-up
Economics applied to security Utility theory Externalities Information Asymmetries Signaling Marginal cost
Game theory Branch of applied mathematics Studies decisions made by players interacting (or competing) - Scenarios have rules and pay-offs - Costs & benefits dependent on decisions of other players Used as a framework in economics, comp sci, biology, & philosophy - Also business, negotiation, and military strategy
Discussing Games Mechanics of a payoff matrix Player 2 A B Player 1 A A1, A2 A1, B2 B B1, A2 B1, B2
Discussing Games Mechanics of decision trees UP DOWN CIRCLE RED BLUE MARIO LUIGI KIRBY GIZMO 10, 3 2, 10 2, 5 -3, 3 A B B A A A
Typical game theory "games" Chicken / Brinkmanship - Push it to the edge Volunteer’s Dilemma - For the greater good Tragedy of the Commons - Share and share alike (cumulative effect of cheating) Prisoner’s Dilemma
Discussing Games Prisoner’s Dilemma Player 2 Keep quiet Confess Player 1 Keep quiet -1, -1 Mutual cooperation 0, -10 Individual defection Confess -10, 0 Individual defection -3, -3 Mutual punishment
Predicting outcomes Cooperation Defection Dominant strategies Equilibrium
Nash Equilibrium Equilibrium is reached when: - Players in a game have selected a strategy - Neither side can change it’s strategy independently & improve position Optimal solution in games with limited outcomes
Discussing Games Prisoner’s Dilemma Player 2 Keep quiet Confess Player 1 Keep quiet -1, -1 Mutual cooperation 0, -10 Individual defection Confess -10, 0 Individual defection -3, -3 Mutual punishment
Setting up risk problems as games Identify players in the game Clarify the “rules” Show me your moves Describe payoffs Single move or repeated game
Discussing Games Tragedy of the Commons: Spam, Bandwidth usage Everyone else’s choices > n choose wise usage Less than n choose wise usage Individual choice Use resource wisely Cost, but social benefit Mutual cooperation Cost (Subsidize social use) Overuse resource Social benefit (Benefit w/o cost) 0 Resources depleted
Discussing Games Chicken/Brinkmanship: Vulnerability Disclosure Vulnerability Researcher Report Exploit Asset Owner Reward / Respond 0, 0 Responsible disclosure -2, +2 Early disclosure Ignore / Deny +2, -2 Defer vulnerability -10, -10 0-day go boom
Discussing Games Volunteer’s Dilemma: Data breach cost info sharing All other victims At least one shares All keep quiet Victim Share 0 0 Cost, limited benefit Keep quiet 1 Benefit w/o cost -10 Everyone’s in the dark
How games are won Clarify dominant strategies Find equilibrium Pursue equilibrium or change the payoffs
Moves Current game-play - Controls are layered or chained until we're satisfied that for some set of attackers, the cost of the attack is higher than the utility associated with their payoff Reputation requirements for participation Role requirements for participation (access control) Incremental authentication Content/context based filtering Blacklisting / whitelisting Rate limiting Bot limiters (Captcha) Obfuscation/Encryption
Counter-moves For every move there is a counter-move
Putting the pieces on the board The amount of friction inserted into the system depends on: - Value of asset to the owner - Value of the asset to potential attackers - Number of attackers expected - Portion of attacks that must be averted - Disincentive value of each layer of friction for an attacker Now it’s time to play our game
Does this sound familiar?
Managing Decisions Game Theory is a framework for studying decisions - Since payoffs depends on the choices of other players, moves are risky - Players play based on their risk appetite - Risk management = decision management Defenders design control systems that make decisions - Where risks manifest in observable behavior - That make moves/counter-moves depending on the context and understanding of an actor’s identity or intent - Where system or individual costs/payoffs depend on the outcome of an actor’s actions
SHALL WE PLAY A GAME? (SINCE WE CAN’T PLAY “CLUE” FOR EVERY LOGIN TRANSACTION NEW USER MESSAGE FRIEND REQUEST ATTACHMENT PACKET WINK POKE CLICK WE BUILD RISK MODELS)
Applying Decisions Risk management is decision management ACTOR ATTEMPTS ACTION SUBMIT WHAT IS THE REQUEST HOW TO HONOR THE REQUEST SHOULD WE HONOR? RESULT ACTION OCCURS
Not all risk decisions have a competitive element, but all competition / games have risks
Create account using fake identity Script completion of verifications Outsource captcha Create accounts across virtual devices Distribute creation of accts using botnet Scrape identities from public sites Age accounts, then reactivate Use stolen credentials Defraud verification process ... Require email verification Test for human behind keyboard Rate limit by device ID Rate limit by IP/location Look for similarities across accounts Require reputation level to proceed Filter for content / context, add auth challenge Require manual verification Manual review of account/event ...
Except one small thing... ...what kind of game is this?
Multi-player Mode Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Attackers are not the only players in the game Legitimate users that are also affected by added friction
Team Dynamics So this adds another factor into the appropriate level of friction question, which is: - Disincentive value of each layer of friction for an innocent - Likelihood the disincentive will be incorrectly applied to an innocent - Likelihood the disincentive value > payoff value for the innocent (go find a new game)
Decisions, Decisions Authorize Block Good false positive Bad false negative RESPONSE POPULATION Incorrect decisions have a cost Correct decisions are free (usually) Good Action Gets Blocked Bad Action Gets Through Downstream Impacts
GAME OVER 1-UP?
Why are we still playing? Economic/mathematical models depend on rational participants Free will doesn’t imply rationality Economics studies what should happen, behavioral economics studies what does happen
Example of rational irrationality Ultimatum Game - Player A given $1000 Player A needs to split the $ with Player B Player A gets to choose the split - Player B receives offer If B accepts, both get $ If B rejects, both get 0
Take it or leave it Outcomes - Player A’s usually offer ~50% - Player B’s often reject if offered <30% - This behavior occurs across cultures, levels of wealth Emotions matter - Heightened brain activity in Bilateral antierior insula (disgust) w/low offers Dorsolateral prefrontal cortext (cognitive decision making) w/high offers - Fairness, Fear, Punishing the mean
Therefore: Winning strategies depend on understanding behavior Both attackers and defenders may exhibit bias when making decisions - about the game and other players Retrofit conceptual models to actual experiences Fill in the blanks on player costs/payoffs Risk controls still either need to - Change friction (cost), or - Change expected value of pay-off Continue to analyze game dynamics over time - Low-risk, high frequency interactions (data) - High-risk, low frequency interactions (negotiation)
Prediction is very difficult, especially about the future Niels Bohr Allison Miller @selenakyle
Some references Axelrod, Robert. The Evolution of Cooperation. Dixit, Avinash and Nalebuff, Barry. The Art of Strategy: A Game Theorist’s Guide to Success in Business and in Life. Fisher, Len. Rock, Paper, Scissors: Game Theory in Everyday Life. Gibbons, Robert. Game Theory for Applied Economists. Meadows, Donella. Thinking in Systems: A Primer. Wikipedia’s sections on Game Theory, Economics, & Probability.
1 of 36

2012.12 Games We Play: Defenses & Disincentives

Download to read offline
Technology

Applying concepts from Game Theory & Behavioral Economics to designing defense and control systems.

Allison Miller
Allison MillerProduct strategy, Security at Google

Recommended

2013.05 Games We Play: Payoffs & Chaos Monkeys by
2013.05 Games We Play: Payoffs & Chaos Monkeys2013.05 Games We Play: Payoffs & Chaos Monkeys
2013.05 Games We Play: Payoffs & Chaos MonkeysAllison Miller
675 views46 slides
Game theory by
Game theoryGame theory
Game theorygtush24
5K views47 slides
AI Strategies for Solving Poker Texas Hold'em by
AI Strategies for Solving Poker Texas Hold'emAI Strategies for Solving Poker Texas Hold'em
AI Strategies for Solving Poker Texas Hold'emGiovanni Murru
10.7K views53 slides
Game Theory by
Game TheoryGame Theory
Game TheoryAli Salek
801 views22 slides
Game theory by
Game theoryGame theory
Game theorySoumya Bilwar
6.4K views21 slides
Game theory in network security by
Game theory in network securityGame theory in network security
Game theory in network securityRahmaSallam
4.7K views17 slides

More Related Content

What's hot

Game theory by
Game theoryGame theory
Game theoryAmritanshu Mehra
4.1K views48 slides
Advanced Game Theory guest lecture by
Advanced Game Theory guest lectureAdvanced Game Theory guest lecture
Advanced Game Theory guest lectureJonas Heide Smith
1.6K views37 slides
Game theory application by
Game theory applicationGame theory application
Game theory applicationshakebaumar
3.5K views29 slides
An introduction to Game Theory by
An introduction to Game TheoryAn introduction to Game Theory
An introduction to Game TheoryPaul Trafford
64.5K views72 slides
Ssrn a brief inrtoduction to the basic of game theory by
Ssrn a brief inrtoduction to the basic of game theorySsrn a brief inrtoduction to the basic of game theory
Ssrn a brief inrtoduction to the basic of game theoryYing wei (Joe) Chou
48 views21 slides
Game theory in Economics by
Game theory in EconomicsGame theory in Economics
Game theory in EconomicsElvin Aghammadzada
362 views15 slides

What's hot(20)

Game theory by Amritanshu Mehra
Game theoryGame theory
Game theory
Amritanshu Mehra4.1K views
Advanced Game Theory guest lecture by Jonas Heide Smith
Advanced Game Theory guest lectureAdvanced Game Theory guest lecture
Advanced Game Theory guest lecture
Jonas Heide Smith1.6K views
Game theory application by shakebaumar
Game theory applicationGame theory application
Game theory application
shakebaumar3.5K views
An introduction to Game Theory by Paul Trafford
An introduction to Game TheoryAn introduction to Game Theory
An introduction to Game Theory
Paul Trafford64.5K views
Ssrn a brief inrtoduction to the basic of game theory by Ying wei (Joe) Chou
Ssrn a brief inrtoduction to the basic of game theorySsrn a brief inrtoduction to the basic of game theory
Ssrn a brief inrtoduction to the basic of game theory
Ying wei (Joe) Chou48 views
Game theory in Economics by Elvin Aghammadzada
Game theory in EconomicsGame theory in Economics
Game theory in Economics
Elvin Aghammadzada362 views
Lecture 1 - Game Theory by Luke Dicken
Lecture 1 - Game TheoryLecture 1 - Game Theory
Lecture 1 - Game Theory
Luke Dicken3.6K views
Game by VISHNU VISWANATH
Game Game
Game
VISHNU VISWANATH470 views
Game theory project by Aagam Shah
Game theory projectGame theory project
Game theory project
Aagam Shah14.4K views
Applications of game theory on event management by Sameer Dhurat
Applications of game theory on event management Applications of game theory on event management
Applications of game theory on event management
Sameer Dhurat1.2K views
Introduction to Game Theory by Cesar Sobrino
Introduction to Game TheoryIntroduction to Game Theory
Introduction to Game Theory
Cesar Sobrino1.7K views
Science of negotiation by Alexander Carter-Silk
Science of negotiationScience of negotiation
Science of negotiation
Alexander Carter-Silk607 views
Game theory by Dr. Sinem Bulkan
Game theory Game theory
Game theory
Dr. Sinem Bulkan8.8K views
Prisoner's Dilemma by Acquate
Prisoner's DilemmaPrisoner's Dilemma
Prisoner's Dilemma
Acquate10.3K views
Dynamics by urinadav
DynamicsDynamics
Dynamics
urinadav320 views
Exposé biad game-theory by Malak Souf
Exposé biad game-theoryExposé biad game-theory
Exposé biad game-theory
Malak Souf615 views
Cognitive Bias in Risk-Reward Analysis by Damon Levine, CFA, ARM, CRCMP, Open FAIR
Cognitive Bias in Risk-Reward AnalysisCognitive Bias in Risk-Reward Analysis
Cognitive Bias in Risk-Reward Analysis
Damon Levine, CFA, ARM, CRCMP, Open FAIR365 views
A brief introduction to the basics of game theory by Ying wei (Joe) Chou
A brief introduction to the basics of game theoryA brief introduction to the basics of game theory
A brief introduction to the basics of game theory
Ying wei (Joe) Chou528 views
Game Theory - An Introduction (2009) by mattbentley34
Game Theory - An Introduction (2009)Game Theory - An Introduction (2009)
Game Theory - An Introduction (2009)
mattbentley346.3K views
GT Presentation by Arif Hussain
GT PresentationGT Presentation
GT Presentation
Arif Hussain346 views

Viewers also liked

Boomtime: Risk as Economics (Allison Miller, SiRAcon15) by
Boomtime: Risk as Economics (Allison Miller, SiRAcon15)Boomtime: Risk as Economics (Allison Miller, SiRAcon15)
Boomtime: Risk as Economics (Allison Miller, SiRAcon15)Allison Miller
10.5K views19 slides
2010.08 Applied Threat Modeling: Live (Hutton/Miller) by
2010.08 Applied Threat Modeling: Live (Hutton/Miller)2010.08 Applied Threat Modeling: Live (Hutton/Miller)
2010.08 Applied Threat Modeling: Live (Hutton/Miller)Allison Miller
1.2K views75 slides
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better... by
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...Allison Miller
1.2K views41 slides
Smallbizhouston Company Ppt by
Smallbizhouston Company PptSmallbizhouston Company Ppt
Smallbizhouston Company PptGordon LaFleur, LUTCF
478 views5 slides
8 Places to use Keywords on Your Website by
8 Places to use Keywords on Your Website8 Places to use Keywords on Your Website
8 Places to use Keywords on Your WebsiteWired Flare
823 views11 slides
Redbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltex by
Redbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltexRedbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltex
Redbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltexWoltex.nl
1.2K views8 slides

Viewers also liked(16)

Boomtime: Risk as Economics (Allison Miller, SiRAcon15) by Allison Miller
Boomtime: Risk as Economics (Allison Miller, SiRAcon15)Boomtime: Risk as Economics (Allison Miller, SiRAcon15)
Boomtime: Risk as Economics (Allison Miller, SiRAcon15)
Allison Miller10.5K views
2010.08 Applied Threat Modeling: Live (Hutton/Miller) by Allison Miller
2010.08 Applied Threat Modeling: Live (Hutton/Miller)2010.08 Applied Threat Modeling: Live (Hutton/Miller)
2010.08 Applied Threat Modeling: Live (Hutton/Miller)
Allison Miller1.2K views
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better... by Allison Miller
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
Allison Miller1.2K views
Smallbizhouston Company Ppt by Gordon LaFleur, LUTCF
Smallbizhouston Company PptSmallbizhouston Company Ppt
Smallbizhouston Company Ppt
Gordon LaFleur, LUTCF478 views
8 Places to use Keywords on Your Website by Wired Flare
8 Places to use Keywords on Your Website8 Places to use Keywords on Your Website
8 Places to use Keywords on Your Website
Wired Flare823 views
Redbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltex by Woltex.nl
Redbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltexRedbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltex
Redbrick safety sneakers Redbrick veiligheidsschoenen - werkschoenen by woltex
Woltex.nl1.2K views
Do you get alerts before your contracts expire by Practice-League
Do you get alerts before your contracts expireDo you get alerts before your contracts expire
Do you get alerts before your contracts expire
Practice-League171 views
9 claves de la Ley de Cestaticket Socialista by Nayma Consultores
9 claves de la Ley de Cestaticket Socialista9 claves de la Ley de Cestaticket Socialista
9 claves de la Ley de Cestaticket Socialista
Nayma Consultores2K views
The Microsoft platform for education analytics (mpea) by Willy Marroquin (WillyDevNET)
The Microsoft platform for education analytics (mpea)The Microsoft platform for education analytics (mpea)
The Microsoft platform for education analytics (mpea)
Willy Marroquin (WillyDevNET)556 views
Patterson Boulevard Canal Parkway - Before and After by City of Dayton
Patterson Boulevard Canal Parkway - Before and AfterPatterson Boulevard Canal Parkway - Before and After
Patterson Boulevard Canal Parkway - Before and After
City of Dayton1.2K views
Philanthropic Curve by Maryam Hidayatallah CPFA,MIPA,MA,CICA
Philanthropic CurvePhilanthropic Curve
Philanthropic Curve
Maryam Hidayatallah CPFA,MIPA,MA,CICA121 views
Castañeda y ppk by Jim Andrew Uni Diverso
Castañeda y ppkCastañeda y ppk
Castañeda y ppk
Jim Andrew Uni Diverso870 views
Чат боты как пробный, коммуникационный, шар ии на пути иичу by Sergey Skabelkin
Чат боты как пробный, коммуникационный, шар ии на пути иичуЧат боты как пробный, коммуникационный, шар ии на пути иичу
Чат боты как пробный, коммуникационный, шар ии на пути иичу
Sergey Skabelkin639 views
APPRAISAL OF GROUND WATER CHARACTERISTICS AND WATER QUALITY INDEX OF RICH IRO... by AM Publications
APPRAISAL OF GROUND WATER CHARACTERISTICS AND WATER QUALITY INDEX OF RICH IRO...APPRAISAL OF GROUND WATER CHARACTERISTICS AND WATER QUALITY INDEX OF RICH IRO...
APPRAISAL OF GROUND WATER CHARACTERISTICS AND WATER QUALITY INDEX OF RICH IRO...
AM Publications191 views
Iva Natura- Kozmetik sektörünün dünü, bugünü ve yarını by IVA NATURA
Iva Natura- Kozmetik sektörünün dünü, bugünü ve yarınıIva Natura- Kozmetik sektörünün dünü, bugünü ve yarını
Iva Natura- Kozmetik sektörünün dünü, bugünü ve yarını
IVA NATURA543 views
NSPCC Silent Auction Sponsored by GB Consultancy UK Ltd by Gary Boys
NSPCC Silent Auction Sponsored by GB Consultancy UK LtdNSPCC Silent Auction Sponsored by GB Consultancy UK Ltd
NSPCC Silent Auction Sponsored by GB Consultancy UK Ltd
Gary Boys326 views

Similar to 2012.12 Games We Play: Defenses & Disincentives

gt_2007 by
gt_2007gt_2007
gt_2007webuploader
1.8K views46 slides
Bec doms ppt on the economics of information and uncertainty by
Bec doms ppt on the economics of information and uncertaintyBec doms ppt on the economics of information and uncertainty
Bec doms ppt on the economics of information and uncertaintyBabasab Patil
583 views31 slides
Game Analytics: Opening the Black Box by
Game Analytics: Opening the Black BoxGame Analytics: Opening the Black Box
Game Analytics: Opening the Black BoxAnders Drachen
2.4K views72 slides
Libratus by
LibratusLibratus
LibratusAnatol Alizar
731 views12 slides
Writing a gaming proposal by
Writing a gaming proposalWriting a gaming proposal
Writing a gaming proposalJ'ette Novakovich
93K views56 slides
LAFS Game Mechanics - Information and Game Mechanics by
LAFS Game Mechanics - Information and Game MechanicsLAFS Game Mechanics - Information and Game Mechanics
LAFS Game Mechanics - Information and Game MechanicsDavid Mullich
486 views78 slides

Similar to 2012.12 Games We Play: Defenses & Disincentives(20)

gt_2007 by webuploader
gt_2007gt_2007
gt_2007
webuploader1.8K views
Bec doms ppt on the economics of information and uncertainty by Babasab Patil
Bec doms ppt on the economics of information and uncertaintyBec doms ppt on the economics of information and uncertainty
Bec doms ppt on the economics of information and uncertainty
Babasab Patil583 views
Game Analytics: Opening the Black Box by Anders Drachen
Game Analytics: Opening the Black BoxGame Analytics: Opening the Black Box
Game Analytics: Opening the Black Box
Anders Drachen2.4K views
Libratus by Anatol Alizar
LibratusLibratus
Libratus
Anatol Alizar731 views
Writing a gaming proposal by J'ette Novakovich
Writing a gaming proposalWriting a gaming proposal
Writing a gaming proposal
J'ette Novakovich93K views
LAFS Game Mechanics - Information and Game Mechanics by David Mullich
LAFS Game Mechanics - Information and Game MechanicsLAFS Game Mechanics - Information and Game Mechanics
LAFS Game Mechanics - Information and Game Mechanics
David Mullich486 views
Lecture 2 Social Preferences I by Alexandros Karakostas
Lecture 2 Social Preferences ILecture 2 Social Preferences I
Lecture 2 Social Preferences I
Alexandros Karakostas2.1K views
Game Theory Introduction by Robin Anderson
Game Theory IntroductionGame Theory Introduction
Game Theory Introduction
Robin Anderson7 views
Strategies Without Frontiers by maradydd
Strategies Without FrontiersStrategies Without Frontiers
Strategies Without Frontiers
maradydd7.8K views
Learning Through Gaming by Colin Smith-Clark
Learning Through GamingLearning Through Gaming
Learning Through Gaming
Colin Smith-Clark565 views
Volatile Memory: Behavioral Game Theory in Defensive Security by Kelly Shortridge
Volatile Memory: Behavioral Game Theory in Defensive SecurityVolatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive Security
Kelly Shortridge3.6K views
navingameppt-191018085333.pdf by DebadattaPanda4
navingameppt-191018085333.pdfnavingameppt-191018085333.pdf
navingameppt-191018085333.pdf
DebadattaPanda41 view
James Gatto by Mediabistro
James GattoJames Gatto
James Gatto
Mediabistro726 views
James Gatto by Mediabistro
James GattoJames Gatto
James Gatto
Mediabistro653 views
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game by Kelly Shortridge
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameBig Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Kelly Shortridge466 views
Mba Ebooks ! Edhole by Edhole.com
Mba Ebooks ! EdholeMba Ebooks ! Edhole
Mba Ebooks ! Edhole
Edhole.com254 views
game THEORY ppt by Dronak Sahu
game THEORY pptgame THEORY ppt
game THEORY ppt
Dronak Sahu3.4K views
Security Issues in Massively Multiplayer Online Games by DebbieJiang
Security Issues in Massively Multiplayer Online GamesSecurity Issues in Massively Multiplayer Online Games
Security Issues in Massively Multiplayer Online Games
DebbieJiang1.2K views
Game Theory Essay Example by Shannon Sand
Game Theory Essay ExampleGame Theory Essay Example
Game Theory Essay Example
Shannon Sand3 views
LAFS Game Mechanics - Narrative Elements by David Mullich
LAFS Game Mechanics - Narrative ElementsLAFS Game Mechanics - Narrative Elements
LAFS Game Mechanics - Narrative Elements
David Mullich653 views

More from Allison Miller

Something Wicked by
Something WickedSomething Wicked
Something WickedAllison Miller
732 views57 slides
When Algorithms Are Our Co-Pilots by
When Algorithms Are Our Co-PilotsWhen Algorithms Are Our Co-Pilots
When Algorithms Are Our Co-PilotsAllison Miller
1.7K views34 slides
2014.06 Defending Debit by
2014.06 Defending Debit2014.06 Defending Debit
2014.06 Defending DebitAllison Miller
463 views5 slides
2014.04 Bit, Bit, Coin by
2014.04 Bit, Bit, Coin2014.04 Bit, Bit, Coin
2014.04 Bit, Bit, CoinAllison Miller
878 views14 slides
2013.10 Operating * by the Numbers by
2013.10 Operating * by the Numbers2013.10 Operating * by the Numbers
2013.10 Operating * by the NumbersAllison Miller
1.4K views67 slides
2011.04 How to Isotope Tag a Ghost by
2011.04 How to Isotope Tag a Ghost2011.04 How to Isotope Tag a Ghost
2011.04 How to Isotope Tag a GhostAllison Miller
650 views40 slides

More from Allison Miller(6)

Something Wicked by Allison Miller
Something WickedSomething Wicked
Something Wicked
Allison Miller732 views
When Algorithms Are Our Co-Pilots by Allison Miller
When Algorithms Are Our Co-PilotsWhen Algorithms Are Our Co-Pilots
When Algorithms Are Our Co-Pilots
Allison Miller1.7K views
2014.06 Defending Debit by Allison Miller
2014.06 Defending Debit2014.06 Defending Debit
2014.06 Defending Debit
Allison Miller463 views
2014.04 Bit, Bit, Coin by Allison Miller
2014.04 Bit, Bit, Coin2014.04 Bit, Bit, Coin
2014.04 Bit, Bit, Coin
Allison Miller878 views
2013.10 Operating * by the Numbers by Allison Miller
2013.10 Operating * by the Numbers2013.10 Operating * by the Numbers
2013.10 Operating * by the Numbers
Allison Miller1.4K views
2011.04 How to Isotope Tag a Ghost by Allison Miller
2011.04 How to Isotope Tag a Ghost2011.04 How to Isotope Tag a Ghost
2011.04 How to Isotope Tag a Ghost
Allison Miller650 views

Recently uploaded

KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineShapeBlue
225 views19 slides
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...ShapeBlue
178 views15 slides
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlueShapeBlue
152 views23 slides
State of the Union - Rohit Yadav - Apache CloudStack by
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStackShapeBlue
303 views53 slides
Future of AR - Facebook Presentation by
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook PresentationRob McCarty
65 views27 slides
Business Analyst Series 2023 - Week 4 Session 7 by
Business Analyst Series 2023 - Week 4 Session 7Business Analyst Series 2023 - Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7DianaGray10
146 views31 slides

Recently uploaded(20)

KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue225 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue178 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue152 views
State of the Union - Rohit Yadav - Apache CloudStack by ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue303 views
Future of AR - Facebook Presentation by Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty65 views
Business Analyst Series 2023 - Week 4 Session 7 by DianaGray10
Business Analyst Series 2023 - Week 4 Session 7Business Analyst Series 2023 - Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10146 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue164 views
Future of Indian ConsumerTech by Kapil Khandelwal (KK)
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTech
Kapil Khandelwal (KK)36 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld35 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue208 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue129 views
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue by ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlueWhat’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
ShapeBlue265 views
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro35 views
The Role of Patterns in the Era of Large Language Models by Yunyao Li
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language Models
Yunyao Li91 views
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P... by ShapeBlue
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
ShapeBlue196 views
The Power of Generative AI in Accelerating No Code Adoption.pdf by Saeed Al Dhaheri
The Power of Generative AI in Accelerating No Code Adoption.pdfThe Power of Generative AI in Accelerating No Code Adoption.pdf
The Power of Generative AI in Accelerating No Code Adoption.pdf
Saeed Al Dhaheri39 views
Business Analyst Series 2023 - Week 4 Session 8 by DianaGray10
Business Analyst Series 2023 - Week 4 Session 8Business Analyst Series 2023 - Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10145 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue224 views
Initiating and Advancing Your Strategic GIS Governance Strategy by Safe Software
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance Strategy
Safe Software184 views
Transcript: Redefining the book supply chain: A glimpse into the future - Tec... by BookNet Canada
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
BookNet Canada41 views

2012.12 Games We Play: Defenses & Disincentives

  • 1. Games We Play Defenses and Disincentives Allison Miller
  • 2. Overview Overview of econ & game theory concepts Game theory games Infosec issues as games Designing games to win Walk-through a defense built on disincentives Wrap-up
  • 3. Economics applied to security Utility theory Externalities Information Asymmetries Signaling Marginal cost
  • 4. Game theory Branch of applied mathematics Studies decisions made by players interacting (or competing) - Scenarios have rules and pay-offs - Costs & benefits dependent on decisions of other players Used as a framework in economics, comp sci, biology, & philosophy - Also business, negotiation, and military strategy
  • 5. Discussing Games Mechanics of a payoff matrix Player 2 A B Player 1 A A1, A2 A1, B2 B B1, A2 B1, B2
  • 6. Discussing Games Mechanics of decision trees UP DOWN CIRCLE RED BLUE MARIO LUIGI KIRBY GIZMO 10, 3 2, 10 2, 5 -3, 3 A B B A A A
  • 7. Typical game theory "games" Chicken / Brinkmanship - Push it to the edge Volunteer’s Dilemma - For the greater good Tragedy of the Commons - Share and share alike (cumulative effect of cheating) Prisoner’s Dilemma
  • 8. Discussing Games Prisoner’s Dilemma Player 2 Keep quiet Confess Player 1 Keep quiet -1, -1 Mutual cooperation 0, -10 Individual defection Confess -10, 0 Individual defection -3, -3 Mutual punishment
  • 10. Nash Equilibrium Equilibrium is reached when: - Players in a game have selected a strategy - Neither side can change it’s strategy independently & improve position Optimal solution in games with limited outcomes
  • 11. Discussing Games Prisoner’s Dilemma Player 2 Keep quiet Confess Player 1 Keep quiet -1, -1 Mutual cooperation 0, -10 Individual defection Confess -10, 0 Individual defection -3, -3 Mutual punishment
  • 12. Setting up risk problems as games Identify players in the game Clarify the “rules” Show me your moves Describe payoffs Single move or repeated game
  • 13. Discussing Games Tragedy of the Commons: Spam, Bandwidth usage Everyone else’s choices > n choose wise usage Less than n choose wise usage Individual choice Use resource wisely Cost, but social benefit Mutual cooperation Cost (Subsidize social use) Overuse resource Social benefit (Benefit w/o cost) 0 Resources depleted
  • 14. Discussing Games Chicken/Brinkmanship: Vulnerability Disclosure Vulnerability Researcher Report Exploit Asset Owner Reward / Respond 0, 0 Responsible disclosure -2, +2 Early disclosure Ignore / Deny +2, -2 Defer vulnerability -10, -10 0-day go boom
  • 15. Discussing Games Volunteer’s Dilemma: Data breach cost info sharing All other victims At least one shares All keep quiet Victim Share 0 0 Cost, limited benefit Keep quiet 1 Benefit w/o cost -10 Everyone’s in the dark
  • 16. How games are won Clarify dominant strategies Find equilibrium Pursue equilibrium or change the payoffs
  • 17. Moves Current game-play - Controls are layered or chained until we're satisfied that for some set of attackers, the cost of the attack is higher than the utility associated with their payoff Reputation requirements for participation Role requirements for participation (access control) Incremental authentication Content/context based filtering Blacklisting / whitelisting Rate limiting Bot limiters (Captcha) Obfuscation/Encryption
  • 18. Counter-moves For every move there is a counter-move
  • 19. Putting the pieces on the board The amount of friction inserted into the system depends on: - Value of asset to the owner - Value of the asset to potential attackers - Number of attackers expected - Portion of attacks that must be averted - Disincentive value of each layer of friction for an attacker Now it’s time to play our game
  • 20. Does this sound familiar?
  • 21. Managing Decisions Game Theory is a framework for studying decisions - Since payoffs depends on the choices of other players, moves are risky - Players play based on their risk appetite - Risk management = decision management Defenders design control systems that make decisions - Where risks manifest in observable behavior - That make moves/counter-moves depending on the context and understanding of an actor’s identity or intent - Where system or individual costs/payoffs depend on the outcome of an actor’s actions
  • 22. SHALL WE PLAY A GAME? (SINCE WE CAN’T PLAY “CLUE” FOR EVERY LOGIN TRANSACTION NEW USER MESSAGE FRIEND REQUEST ATTACHMENT PACKET WINK POKE CLICK WE BUILD RISK MODELS)
  • 23. Applying Decisions Risk management is decision management ACTOR ATTEMPTS ACTION SUBMIT WHAT IS THE REQUEST HOW TO HONOR THE REQUEST SHOULD WE HONOR? RESULT ACTION OCCURS
  • 24. Not all risk decisions have a competitive element, but all competition / games have risks
  • 25. Create account using fake identity Script completion of verifications Outsource captcha Create accounts across virtual devices Distribute creation of accts using botnet Scrape identities from public sites Age accounts, then reactivate Use stolen credentials Defraud verification process ... Require email verification Test for human behind keyboard Rate limit by device ID Rate limit by IP/location Look for similarities across accounts Require reputation level to proceed Filter for content / context, add auth challenge Require manual verification Manual review of account/event ...
  • 26. Except one small thing... ...what kind of game is this?
  • 27. Multi-player Mode Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Offense Attempt Success Defense Deflect 4, 4 0, 10 Ignore 10, 0 1, 1 Attackers are not the only players in the game Legitimate users that are also affected by added friction
  • 28. Team Dynamics So this adds another factor into the appropriate level of friction question, which is: - Disincentive value of each layer of friction for an innocent - Likelihood the disincentive will be incorrectly applied to an innocent - Likelihood the disincentive value > payoff value for the innocent (go find a new game)
  • 29. Decisions, Decisions Authorize Block Good false positive Bad false negative RESPONSE POPULATION Incorrect decisions have a cost Correct decisions are free (usually) Good Action Gets Blocked Bad Action Gets Through Downstream Impacts
  • 31. Why are we still playing? Economic/mathematical models depend on rational participants Free will doesn’t imply rationality Economics studies what should happen, behavioral economics studies what does happen
  • 32. Example of rational irrationality Ultimatum Game - Player A given $1000 Player A needs to split the $ with Player B Player A gets to choose the split - Player B receives offer If B accepts, both get $ If B rejects, both get 0
  • 33. Take it or leave it Outcomes - Player A’s usually offer ~50% - Player B’s often reject if offered <30% - This behavior occurs across cultures, levels of wealth Emotions matter - Heightened brain activity in Bilateral antierior insula (disgust) w/low offers Dorsolateral prefrontal cortext (cognitive decision making) w/high offers - Fairness, Fear, Punishing the mean
  • 34. Therefore: Winning strategies depend on understanding behavior Both attackers and defenders may exhibit bias when making decisions - about the game and other players Retrofit conceptual models to actual experiences Fill in the blanks on player costs/payoffs Risk controls still either need to - Change friction (cost), or - Change expected value of pay-off Continue to analyze game dynamics over time - Low-risk, high frequency interactions (data) - High-risk, low frequency interactions (negotiation)
  • 35. Prediction is very difficult, especially about the future Niels Bohr Allison Miller @selenakyle
  • 36. Some references Axelrod, Robert. The Evolution of Cooperation. Dixit, Avinash and Nalebuff, Barry. The Art of Strategy: A Game Theorist’s Guide to Success in Business and in Life. Fisher, Len. Rock, Paper, Scissors: Game Theory in Everyday Life. Gibbons, Robert. Game Theory for Applied Economists. Meadows, Donella. Thinking in Systems: A Primer. Wikipedia’s sections on Game Theory, Economics, & Probability.