Bilar slides-81v3

569 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
569
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • The original goals of Game Theory were to model adversarial environments and to optimize strate- gies for operating in those environments. This would seem ideal for modeling cyber operations as well as other national security situations - indeed, there is a community of researchers currently investigating the application of classical Game Theory to information assurance and cyber opera- tions.However, the overwhelming focus of Game Theory research over the past 60 years has been on the problem of “solving” games that are defined a priori. That is, most Game Theory research to date begins by assuming a game is already defined (namely, the players, their possible moves and payoffs) and then explores properties of optimal strategies and how to compute them. Optimality is with respect to a solution criterion such as Nash Equilibrium or Pareto Optimality [5].An obvious and growing criticism of the classical approach is that in most real world adversarial situations players do not know who the other players are, what their possible moves might be and, perhaps most importantly, what their preferred outcomes or objectives are. Put another way, none of the players actually know the complete details of the game that they are playing! A further complication is that few people outside of the Game Theory literati know what a Nash Equilibrium is, let alone how to compute one, so they typically cannot be expected to play the Nash solution.As a result, while Game Theory can inform us about how to play chess, checkers, poker and simple illustrative examples found in most Game Theory texts, it has not been as useful in the majority of real-world adversarial situations as one might have hoped for (see [19, 20] for an inter- esting discussion). New directions and ideas are needed, especially in the area of cyber security.
  • c used in evolutionary game theory. The replicator equation differs from other equations used to model replication, such as the quasispecies equation, in that it allows the fitness function to incorporate the distribution of the population types rather than setting the fitness of a particular type constant.
  • Replicator equations: see simple predator-prey Lotko-Voltera model)http://mathinsight.org/applet/lotka_volterra_versus_time
  • Bilar slides-81v3

    1. 1. Moving Target Defenses: Conficker Case Study Daniel Bilar (Siege Technologies) George Cybenko (Dartmouth College) John Murphy (ProQueSys) CSIIRW 8, ONRL (Oak Ridge, TN) January 9, 2013 9/10/2013 1
    2. 2. Support • Research partially supported by DARPA I2O, DHS, AFRL, DOD, OSD, and AFOSR with UTEP, Ball Aerospace, Pikewerks, Siege – All opinions and results expressed are those of authors and not necessarily those of the funding agencies • Thanks also to V. Berk, I. Gregoriou-de Souza, J.T House, D. Sicilia, G. Stocco, P. Sweeney 9/10/2013 2
    3. 3. Outline of talk 1/2 • Background: Studied public data in various domains – US border security, computer vulnerability databases, offensive & defensive coevolution of worms (Conficker) – Modeled as players in adversarial situation • Findings: Performance metrics oscillate over time – No asymptotic convergence, not monotonic • Claim: In majority of (adversarial) games, players do not compute Nash Equilibriums over (static) strategy sets but use myopically perceived best responses at each time step – ‘Classical’ game theory is not the best fit • Why: Not a stationary environment! Ongoing sequences of moves, countermoves, deception and strategic adaptation – Explains exhibited oscillations and consistent with data 9/10/2013 3
    4. 4. Outline of talk 2/2 • Problem: Oscillations modeled by replicator equations – Typically 3rd degree, non-linear, analytically difficult – Inverse problem of estimating RE parameters from observations of behavior computationally tractable • Claim: Possible to infer players motives, costs and move options by observation of oscillation – Not discussed in this talk • Contributions of authors – Detailed empirical analysis of players Conficker & environment (Bilar & Murphy) – Abstraction of game through Quantitative Attack Graph (Bilar & Cybenko & Murphy) – “Asymptotic” cut set theorem (Cybenko) for optimal defense allocation 9/10/2013 4
    5. 5. You know you are working in an adversarial domain when you want to see this kind of progress… Better “performance” here means fewer deaths/mile Limit ? 9/10/2013 5
    6. 6. ...but instead, you see this … Better “performance” here means fewer deaths/mile Limit ? Internet Crime Complaint Center, http://www.ic3.gov/default.aspx 9/10/2013 6
    7. 7. ...or this … From OSVDB by P. Sweeney9/10/2013 7
    8. 8. Border security... 9/10/2013 8
    9. 9. War on drugs... 9/10/2013 9
    10. 10. Comments • “Performance” measures may oscillate (not monotonic) – Depends partly on normalization of metrics (see Fig 3.1 in BMC (2012)) • Operating against human adversaries is different than operating against nature • Games not defined a priori, game details not known – Players do not know who the other players are, what their possible moves might be and, perhaps most importantly, what their preferred outcomes or objectives are • Result: Co-evolution, adaptation as evinced through oscillations 9/10/2013 10
    11. 11. Conficker • AKA Downup, Downadup, Kido • Detected November 2008 • Largest worm/botnet infection since 2003 • Infected million’s of machines • Evolved through 5 versions in several months • Affected military systems in France, UK etc • Used many vulnerabilities and techniques 9/10/2013 11
    12. 12. Conficker Versions A-E Host States Adversarial Dynamics: The Conficker Case Study. Daniel Bilar, George Cybenko and John Murphy In Moving Target Defenses II, edited by S. Jajodia, Springer, 2012 9/10/2013 12
    13. 13. Conficker Timeline 9/10/2013 13
    14. 14. Examples of Conficker Analysis 9/10/2013 14
    15. 15. Abstraction of Attack/Defend Game • Attackers attacks “weakest” paths to achieve goals – Weakest according to attackers’ understanding – Paths consist of one or more technical steps – Can create completely new paths and/or steps • Defenders make some step(s) of the most common/damaging paths harder to traverse – Most common/damaging according to defenders’ understanding – Users/boss want to create new services so new paths emerge • Iterate the above over time 9/10/2013 15
    16. 16. Attack Graph for a Critical System State 1 State 2 Start Goal An attacker must traverse a path from the start state to the goal state to succeed Note: This is an actual attack graph on a real but proprietary system Each step is a technical means to achieve a subgoal 9/10/2013 16
    17. 17. State 1 State 2 Start Goal Attack Graph for a Critical System An attacker must traverse a path from the start state to the goal state to succeed Attacker uses his “shortest” path Each step is a technical means to achieve a subgoal 9/10/2013 17
    18. 18. State 1 State 2 Start Goal Attack Graph for a Critical System An attacker must traverse a path from the start state to the goal state to succeed Each step is a technical means to achieve a subgoal Attacker uses his “shortest” path Defender protects a step by increasing its cost 9/10/2013 18
    19. 19. State 1 State 2 Start Goal Attack Graph for a Critical System An attacker must traverse a path from the start state to the goal state to succeed Attacker changes some edges in attack path Each step is a technical means to achieve a subgoal 9/10/2013 19
    20. 20. State 1 State 2 Start Goal Attack Graph for a Critical System An attacker must traverse a path from the start state to the goal state to succeed Each step is a technical means to achieve a subgoal Or the attacker picks a completely new path 9/10/2013 20
    21. 21. State 1 State 2 Start Goal Attack Graph for a Critical System An attacker must traverse a path from the start state to the goal state to succeed Each step is a technical means to achieve a subgoal Or the attacker creates a new path 9/10/2013 21
    22. 22. Comments • Attacks graphs are old technique but hard to build and quantify – State space explosions, how to assign edge costs, blind spots, etc – Maybe like democracy, worst way except for all others • Prediction markets: QuERIES provides a technique for quantifying the attack graphs by cost, difficulty, etc • We will adapt, invest and perform better if we quantify – Pursuit-evasion – go to where the prey will be – Flu shots anticipate the flu, not respond to current ones – Wayne Gretzky – “A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.” 9/10/2013 22
    23. 23. Attack-Defend Game • Optimization problem – maximize the cost of the shortest path from Start to Goal states • Can formulate this as a linear programming problem – solution is the investment allocation that makes the least cost attack as expensive as possible  Estimate costs to attacker of traversing attack graph edges – shortest path is the most attractive for an attacker to take Start Goal Cost = 2 4 1 5 2 Simple Example – Shortest path in yellow Real Problem – What is/are the shortest path(s)? State 1 State 2 Start Goa l 9/10/2013 23
    24. 24. Linear Programming Formulation Start Goal A B C D E 1 1 0 0 0 1 0 1 0 1 0 0 0 1 1 M = 5 edges 3 paths One column per edge One row per path u = A B C D E x = Vector of initial edge costs a b c d e Vector of allocated costs max z such that M*(u+x) ≥ z ≥ 0 1* x = K > 0, x ≥ 0 9/10/2013 24
    25. 25. Example strategies  Which edges are “best” to invest in? Suppose budget = 1.  Analysis has shown that optimal investments are ultimately in a “cut set” Start Goal Cost = 2 4 1 5 2 Simple Example – Shortest path in yellow Start Goal Cost = 2 4 1+1=2 5 2 “Harden” the weakest link? Start Goal Cost = 2 4 1 5 2 Simple Example – Shortest path in yellow If possible, invest in minimal cut set edges Start Goal 2+1=3 4 1 5 2 “Harden” selected cut set edges cut set 9/10/2013 25
    26. 26. Back to Real System Start Goal 37 edges 180 paths 12 nodes Multiple edges mean multiple attack steps possible Matrix M has 37 columns and 180 rows 9/10/2013 26
    27. 27. • Result shows benefit from hardening multiple paths according to iterative algorithm • X-axis shows total budget, Y-axis shows investment in hardening specific paths • As budget increases, the defensive strategy is diversified, but investment into minimal cut edges continues • Once the inputs to state 2 are hardened, investment begins in edges 20 and 37 Edges 1,2 Edges 20,37 Total Defense Investment Start Goa l Linear Programming Results Identify High Value Protection Paths for Different Investment Levels 9/10/2013 27
    28. 28. Minimal cost paths for attacker • Graph shows total cost of minimum-cost path resulting from investment strategy • Minimum effort required by attacker • Includes initial edge costs along path • Slope decreases as investment strategy diversifies into hardening multiple paths • “Diminishing rate of return”, ROI 9/10/2013 28 Total Defense Investment
    29. 29. Role of minimal cut sets Start Goal Each edge has cost 1 You have a budget of 19/10/2013 29
    30. 30. Role of minimal cut sets Start Goal Invest that 1 unit here But this is the minimal cut set 9/10/2013 30 Each edge has cost 1 You have a budget of 1
    31. 31. Role of minimal cut sets Start Goal Now invest in the minimal cut set 2 9/10/2013 31
    32. 32. “Asymptotic” Attack Graph Theorem (Cybenko) If we are given an attack graph with • a minimal cut set that has e edges • a large investment budget, K then • the optimal budget allocation assigns ≈ K/e to each edge in the cut set and; • the minimal cost path grows like c + K/e where c is a constant 9/10/2013 32
    33. 33. • Theorem states that optimal investment is eventually K/e in minimal cut set edges • Initially, optimal investments can occur in other edgesEdges 1,2 Edges 20,37 Total Defense Investment Linear Programming Results Identify High Value Protection Paths for Different Investment Levels Start Goa l 9/10/2013 33
    34. 34. Back to Real System Start Goal 37 edges 180 paths 12 nodes e = 6, cut set Multiple edges mean multiple attack steps possible Matrix M has 37 columns and 180 rows 9/10/2013 34
    35. 35. Adversarial Dynamics Takeaways 1/2 • “Big data” needed – Red and blue forces’ data sets are needed – New, non-stationary statistics and estimation are key – Adaptation, not static equilibria, describe “solutions” • “Hidden data” needed – Need to capture what players/agents think, not just the outcomes • Anticipating moves is the way to gain advantage – Kasparov who can think 5-6 moves ahead 9/10/2013 35
    36. 36. References 1. Cybenko, Landwehr, “Security Analytics and Measurements”, IEEE S&P , May-June 2012 http://tinyurl.com/securityanalytics 2. Bilar, Murphy, Cybenko, “Conficker Case Study”, in MTD II (ed. Jajodia), 2012 http://tinyurl.com/confickerQAG 3. Saltaformaggio, Bilar “ABCD-ACP”, ICCC3 NATO CCD COE, 2011 http://tinyurl.com/ICCC3 4. Stocco, Cybenko, “Inverse game theory”, SPIE 8359, 2012 http://tinyurl.com/inversegame 5. Carin, Cybenko, Hughes, “Queries methodology”, IEEE Computer, 2008 http://tinyurl.com/queries2008 6. Ohtsuki, Novaw, “Replicator equations”, Journal of Theoretical Biology 243 (2006) 86–97 http://tinyurl.com/replicationequ 9/10/2013 36
    37. 37. Thank you Thank you for the kind consideration of these ideas We are happy to answer questions / field comments  Contact: • Daniel Bilar: dbilar@acm.org • George Cybenko: gvc@dartmouth.edu • John Murphy: jmurphy@proquesys.com 9/10/2013 37
    38. 38. Additional Slides 9/10/2013 38
    39. 39. Oscillations as Manifestation of Adversarial Dynamics • Evolution is a response to competition • Competition exists among adversaries • How do you know you are operating in an “adversarial” domain? – Oscillations of performance metrics • Dynamics can be modeled by replicator equations – Typically 3rd order, non-linear (analytically difficult) • Inverse problem of observing behavior and estimating parameters of replicator equation that guide behavior is tractable • Possible to observe game play and strategy evolution and then make inferences about player’s motives, costs and move options 9/10/2013 39

    ×