Using economics and artificial intelligence to identify critical infrastructures, by Yvo Desmedt (Florida State University, USA)
This presentation is based on joint work with Yongge Wang (University of North Carolina, Charlotte) and Mike Burmester (Florida State University).
Main issue: methods to identify the most critical infrastructures. The CIAO list was clearly incomplete. How do we address this with a scientific method? That is the focus of this presentation.
Outline: The problems with traditional models; Using an AI model; Discussion and extensions; The economics of the enemy.
The problems with traditional models
  Why models? They describe the world mathematically and abstract away details, which allows us to focus.
  Why do models get outdated? The world changes; details are no longer details; the model may have focused on the wrong aspects.
  Why we must update: otherwise incorrect results, waste of resources, danger, ...
The problems with traditional models
  Typical aspects of outdated models: they start linear (simpler), which often leads to incorrect results; they are still used, with terrible consequences; they are still being advocated.
The problems with traditional models
  Problems with security models: they assume the insider (machine, software, user) is trusted. This is outdated due to (e.g.): computer viruses/worms; ease of installing new software; lip service only to security; large untested operating systems; massive hacking; users could be disgruntled, ...; bribing makes "trusted computers" untrustworthy.
The problems with traditional models
  Problems with security models: the models that do not assume a trusted insider are linear (the cost to the enemy is linear in the number of machines) and too simplistic: they copy models of network reliability, lack an impact factor and a more global viewpoint, lack the timing aspect, and their parameters are not necessarily known.
The problems with traditional models
  Focus on models that do not assume a trusted insider. The usual model is Byzantine, i.e. breaking into any k-1 machines is feasible, breaking into any k machines is infeasible.
The problems with traditional models
  Problems with the linear aspect: too homogeneous: the cost to break into k computers is not k * the cost to break into one, due to automated attacks, the availability of attacks on the WWW, the same platform, ...; not homogeneous: some computers are better protected than others.
The problems with traditional models
  Problems with the too simplistic network model: too homogeneous: computers do not play similar roles, so the model is good only for theoretical results. Theory: general-purpose computers. Practice: also e.g. sensors and control units, which can be broken into.
The problems with traditional models
  Problems with the too simplistic network model: sensors and control units can be broken into using a new (1986!) attack: a special worm that targets the CAD programs. Potential impact: VLSI with trapdoors (1986); (EP)ROM: no scanners; dedicated machines. This needs to be planned ahead.
The problems with traditional models
  Problems with the too simplistic model: lack of an impact factor: what is the impact if a computer is no longer accessible or is faulty? Home computer: minor. Critical infrastructure: major. We need a model that integrates the mechanical and the computer world.
The problems with traditional models
  Problems with the too simplistic model: lack of the timing aspect: the world is dynamic: parameters change; the enemy can adapt; the defense must upgrade; buffers (such as food, water, computers); new attacks take time to be detected; time to recover.
The problems with traditional models
  Problems with the too simplistic model: parameters are not necessarily known (e.g.), even for the network case. Classical algorithms to find the network graph assume no untrusted insiders. The number of untrusted machines: what value?
Using an AI model
  Problems with the communication model: the network model is too homogeneous: computers do not play similar roles, so it is good only for theoretical results.
Using an AI model
  Network graph: reliable communication from A to B (figure: three disjoint paths P1, P2, P3 between A and B). Information can go via P1 or P2 or P3.
Using an AI model
  Problems with the communication model: certain distributed computations (e.g. transactions) require that all sub-transactions have taken place. This is well known in the mechanical world, which uses PERT graphs.
Using an AI model
  PERT graph (Program Evaluation and Review Technique): a directed acyclic graph (figure: a car manufacturing system in which the car plant depends on steel, plastics, screws, ...).
Using an AI model
  The impact goes beyond computers, so we need a model that integrates the mechanical and the computer world.
Using an AI model
  AND/OR graphs as a model for distributed computation: an acyclic directed graph whose vertices are labeled AND or OR. AND: the PERT aspect, i.e. all of multiple inputs are needed. OR: the network aspect, redundancy. This allows us to integrate computer and mechanical aspects.
Secure distributed computation needs a different model
  The airplane's next position: s = s_0 + v*t + (1/2)*a*t^2, with P: current position, S: speed, a: acceleration (here a = 0).
  Figure: P is the airplane's position sensor, S the airplane's speed sensor, T the time interval (input). Without redundancy, one P, one S and one T feed one multiply (*) and one add (+). With redundancy, three P sensors and two S sensors feed several multiply (*) and add (+) units whose outputs go to a vote.
Wang-Desmedt-Burmester use an AI concept: AND-vertices and OR-vertices (figure: an AND-vertex and an OR-vertex). A vertex is a sensor, or a process, or a dedicated computer.
Using an AI model
  Disadvantage of AND/OR graphs: deciding whether a given graph is k-connected is in P; however, the equivalent problem for AND/OR graphs is NP-complete.
Using an AI model
Using an AI model
  Adding an impact factor: flow. Preliminary question. Given: an AND/OR graph G, a capacity function and a positive integer z. Question: is there an (additive) flow f such that the flow at the output is at least z? This is already NP-complete for the case z = 1.
Using an AI model
  Adding an impact factor: flow: critical vertices. A set U, |U| < k, of vertices (no input or output vertices) removed from the graph is critical if for all U', |U'| < k: the maximal flow after removing U <= the maximal flow after removing U'. Given: an AND/OR graph G, a capacity function and a set U. Question: is U critical? This is NP-hard, and the corresponding language L is not in NP and not in co-NP (if P is different from NP).
Using an AI model
  Adding an impact factor: flow: below critical flow. Given: an AND/OR graph G, a capacity function, and integers k and p. Question: does there exist a vertex set U such that |U| < k and the maximal flow after removing U is < p? This is NP-hard, and the corresponding language L is not in NP and not in co-NP (if P is different from NP).
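A worked instance of the AND/OR model from the airplane slides, as an added example (not code from the slides or from Wang, Desmedt and Burmester): it evaluates whether the output of a constructed AND/OR graph is still computable after a set of vertices is taken over, and searches by brute force for the smallest such set, which is the "below critical flow" question for p = 1. Assumptions: vertex kinds "input" (not attackable, here T), "sensor", "and", "or"; the vote is modelled as an OR vertex, so a real majority voter would need a threshold vertex.

```python
from itertools import combinations

# An AND/OR graph: vertex -> (kind, inputs). Kinds (assumption): "input" = external
# input that cannot be attacked (here T), "sensor" = attackable source, "and" = needs
# every input (PERT aspect), "or" = needs at least one input (redundancy aspect).
# Constructed airplane example: s = s0 + v*t with a = 0, i.e. add(P, mul(S, T)).
PLAIN = {
    "T": ("input", []), "P": ("sensor", []), "S": ("sensor", []),
    "mul": ("and", ["S", "T"]),
    "add": ("and", ["P", "mul"]),
    "out": ("or", ["add"]),
}
# With redundancy: three position sensors, two speed sensors, four computing units
# and a vote (modelled as OR: any surviving unit suffices; assumption).
REDUNDANT = {
    "T": ("input", []),
    "P1": ("sensor", []), "P2": ("sensor", []), "P3": ("sensor", []),
    "S1": ("sensor", []), "S2": ("sensor", []),
    "mul1": ("and", ["S1", "T"]), "mul2": ("and", ["S2", "T"]),
    "add1": ("and", ["P1", "mul1"]), "add2": ("and", ["P2", "mul2"]),
    "add3": ("and", ["P3", "mul1"]), "add4": ("and", ["P3", "mul2"]),
    "out": ("or", ["add1", "add2", "add3", "add4"]),
}

def computable(graph, vertex, removed, memo=None):
    """True iff `vertex` still produces a value when the vertices in `removed`
    are taken over; the graph is acyclic, so a memoised recursion suffices."""
    memo = {} if memo is None else memo
    if vertex in memo:
        return memo[vertex]
    kind, inputs = graph[vertex]
    if vertex in removed:
        ok = False
    elif kind in ("input", "sensor"):
        ok = True
    elif kind == "and":
        ok = all(computable(graph, v, removed, memo) for v in inputs)
    else:  # "or"
        ok = any(computable(graph, v, removed, memo) for v in inputs)
    memo[vertex] = ok
    return ok

def attackable(graph, out="out"):
    """Vertices the enemy may take over: everything except inputs and the output."""
    return sorted(v for v, (kind, _) in graph.items() if kind != "input" and v != out)

def smallest_cuts(graph, out="out"):
    """Brute force (the general problem is NP-hard): the smallest vertex sets U
    whose removal leaves the output uncomputable. Returns (|U|, [sorted U, ...])."""
    cands = attackable(graph, out)
    for k in range(1, len(cands) + 1):
        cuts = [sorted(U) for U in combinations(cands, k)
                if not computable(graph, out, set(U))]
        if cuts:
            return k, cuts
    return None

if __name__ == "__main__":
    for name, g in (("plain", PLAIN), ("redundant", REDUNDANT)):
        k, cuts = smallest_cuts(g)
        print(f"{name}: taking over {k} vertex/vertices breaks the output, e.g. {cuts[0]}")
```

The plain design falls to any single sensor or process, while the redundant one survives any single takeover and falls only to pairs such as both speed sensors or both multipliers; those pairs are the critical vertices a defender should protect first.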
Discussion and extensions
  The Byzantine model had its time. Our models can be improved by including control theory aspects, such as time parameters, e.g.: the time between an attack and its detection; the time to recover from an attack; the time of no return.
Discussion and extensions
  Time survivability condition: (time to repair the system) + (time to detect an attack) < (time of no return) + (time the stock will last).
Discussion and extensions
  Impact: the Byzantine model implies expensive redundant hardware. However, if the cost to attack a node is prohibitive, no redundancy is needed.
The economics of the enemy
  Introduction: seems hard to model, since different opponents have different goals. War: undermine the economy, military output. Terrorist: visible targets or targets with large impact. Hacker: e.g. show that a system is insecure.
The economics of the enemy
  Introduction: assume the enemy has a budget B_E, not necessarily expressed in $. Optimization of the attack: maybe, maybe not.
The economics of the enemy
  Feasible attacks? Analysis of the Byzantine model: breaking into any k machines is feasible, breaking into any k+1 machines is infeasible. First economic model: uniform (the same price to attack any machine), which implies that the cost is linear.
The economics of the enemy
  Problems of the linear aspect: too linear: the cost to break into k computers is not k * the cost to break into one, due to automated attacks, the availability of attacks on the WWW, the same platform, ...; not homogeneous: some computers are better protected than others.
The economics of the enemy
  A first alternative: to each subset S of the nodes we assign c_{S,E}, the cost for the enemy E to break into all nodes in S. This is still Byzantine iff for each subset S of at most k nodes c_{S,E} <= B_E, and for each subset S of k+1 nodes or more c_{S,E} > B_E. Call this the Byzantine cost assumption.
The economics of the enemy
  A more realistic model: the enemy can attack nodes and links; let S be a subset of these. To each subset corresponds a cost c_{S,E}. The enemy can attack S iff c_{S,E} <= B_E. This defines an access structure of the enemy: Gamma.
The economics of the enemy
  Difficulties: too many subsets! How to estimate the costs? Possible solution: the cost of attacking m+1 machines using the same operating system (platform) = the cost of attacking m machines using the same platform. Stability?
The economics of the enemy
  Introduction; Feasible attacks?; Optimizing the attack. The enemy can attack any subset of computers/links in Gamma. This is a good viewpoint for a hacker, not for terrorists and information warfare.
The economics of the enemy
  Optimizing the attack: for an application "a", several computers/links T_a are involved. It is natural to talk about a flow f_{T_a}. Maximum flow: capacity C_{T_a}. Attacking different flow units has a different impact, so we have an impact factor I_a.
The economics of the enemy
  Optimizing the attack: the total impact of the application is f_{T_a} * I_a. This gives a weighted total flow F (warning: not necessarily linear) and a weighted total capacity C.
The economics of the enemy Optimizing the attack BIG QUESTION:   which nodes/links are the most optimal for the enemy to take over?
The economics of the enemy
  Optimizing the attack: when the enemy takes over a set S in Gamma, the weighted total capacity is reduced from C to C_S. The enemy will choose S such that C_S is minimal, or such that C_S < C_crit (winning strategy).
The economics of the enemy
  Analysis of the Byzantine case under the Byzantine cost assumption, with each unit of flow having the same impact: when optimized, the enemy should attack k disjoint paths.
The economics of the enemy
  Generalizations: hypergraphs instead of graphs; a dynamic value of C_crit.
The economics of the designer
  Given (at least): B_D: budget of the designer; C_D: minimum required weighted total capacity; F_T: maximum tolerable impact flow reduction; B_E: budget of the enemy; others: maintenance, user-friendliness, etc.
The economics of the designer
  Question: design a graph G of computers such that cost(G) <= B_D, the total impact flow >= C_D, and the enemy cannot win. If this is possible the designer has won, else the enemy will.
The economics of the designer
  Note: this is very general! We need a relation between the cost of setting up a computer and the cost to attack it, etc.
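A worked comparison of the two cost models from the enemy and designer slides, as an added example (not code from the slides or from the authors): a constructed five-node infrastructure with two applications, each with flow paths T_a and an impact factor I_a; the enemy's access structure Gamma is enumerated under the uniform (Byzantine cost assumption) model and under the same-platform rule, the enemy picks the S in Gamma that minimises C_S, and the designer checks whether C_S stays above C_crit. Assumptions: the flow of an application is simplified to a list of paths with capacities (so C_S is the weighted capacity of the paths untouched by S), and all node names, platforms, costs and budgets are constructed.

```python
from itertools import combinations

# Constructed toy infrastructure (assumption, not from the slides).
# Nodes a, b, c run the same platform; d and e are different platforms.
PLATFORM = {"a": "linux", "b": "linux", "c": "linux", "d": "windows", "e": "embedded"}
# Cost of the FIRST break-in on each platform: further machines on the same
# platform cost nothing extra because the same attack is reused (slide rule).
PLATFORM_COST = {"linux": 3, "windows": 4, "embedded": 6}
UNIT_COST = 3  # uniform per-machine cost of the linear (Byzantine) model

# Each application a has an impact factor I_a and flow paths T_a; a path is the
# tuple of nodes it uses plus its capacity (simplified flow: one path = one flow unit).
APPS = {
    "control": {"impact": 3, "paths": [(("a", "d"), 1), (("b", "e"), 1), (("c", "e"), 1)]},
    "logging": {"impact": 1, "paths": [(("a",), 2), (("b",), 2), (("c",), 2)]},
}

def cost_linear(S):
    """Byzantine cost assumption: every machine costs the same, cost is linear in |S|."""
    return UNIT_COST * len(S)

def cost_platform(S):
    """Same-platform rule: cost of m+1 machines on one platform = cost of m machines."""
    return sum(PLATFORM_COST[p] for p in {PLATFORM[n] for n in S})

def weighted_capacity(S):
    """C_S: weighted total capacity left when every path touching a node of S is cut."""
    S = set(S)
    return sum(cap * app["impact"]
               for app in APPS.values()
               for nodes, cap in app["paths"]
               if not S.intersection(nodes))

def access_structure(cost_fn, budget):
    """Gamma: all non-empty node sets the enemy can afford (c_{S,E} <= B_E)."""
    nodes = sorted(PLATFORM)
    return [set(S) for r in range(1, len(nodes) + 1)
            for S in combinations(nodes, r) if cost_fn(S) <= budget]

def best_attack(cost_fn, budget):
    """Enemy picks S in Gamma minimising C_S; returns (sorted S, C_S)."""
    gamma = access_structure(cost_fn, budget)
    S = min(gamma, key=lambda s: (weighted_capacity(s), cost_fn(s), sorted(s)))
    return sorted(S), weighted_capacity(S)

def designer_wins(cost_fn, budget, c_crit):
    """Designer wins iff no affordable attack pushes the capacity below C_crit."""
    return best_attack(cost_fn, budget)[1] >= c_crit

if __name__ == "__main__":
    B_E, C_CRIT = 6, 3
    for name, fn in (("linear", cost_linear), ("platform", cost_platform)):
        S, c_s = best_attack(fn, B_E)
        print(f"{name:8s} enemy takes {S}: C {weighted_capacity(())} -> {c_s}, "
              f"designer wins: {designer_wins(fn, B_E, C_CRIT)}")
```

With budget B_E = 6 the linear model lets the enemy take only two machines (k = 2) and the designer keeps C_S = 4 above C_crit = 3, whereas the same-platform rule lets the enemy take all three identical machines for the price of one and drive C_S to 0: the platform monoculture, not any single node, is the critical infrastructure.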