
Game Theory for Security and Risk Management PDF

438 Pages·2018·9.322 MB·English

Preview Game Theory for Security and Risk Management

Static & Dynamic Game Theory: Foundations & Applications

Stefan Rass • Stefan Schauer
Editors

Game Theory for Security and Risk Management
From Theory to Practice

Series Editor
Tamer Başar, University of Illinois, Urbana-Champaign, IL, USA

Editorial Advisory Board
Daron Acemoglu, MIT, Cambridge, MA, USA
Pierre Bernhard, INRIA, Sophia-Antipolis, France
Maurizio Falcone, Università degli Studi di Roma “La Sapienza,” Italy
Alexander Kurzhanski, University of California, Berkeley, CA, USA
Ariel Rubinstein, Tel Aviv University, Ramat Aviv, Israel; New York University, NY, USA
William H. Sandholm, University of Wisconsin, Madison, WI, USA
Yoav Shoham, Stanford University, CA, USA
Georges Zaccour, GERAD, HEC Montréal, Canada

More information about this series at http://www.springer.com/series/10200

Editors
Stefan Rass, Institute of Applied Informatics, University of Klagenfurt, Klagenfurt, Kärnten, Austria
Stefan Schauer, Center for Digital Safety & Security, Austrian Institute of Techno GmbH, Klagenfurt, Kärnten, Austria

ISSN 2363-8516, ISSN 2363-8524 (electronic)
ISBN 978-3-319-75267-9, ISBN 978-3-319-75268-6 (eBook)
https://doi.org/10.1007/978-3-319-75268-6
Library of Congress Control Number: 2018940773
Mathematics Subject Classification: 91A35, 90B50, 91A24, 91A80, 91A40

© Springer International Publishing AG, part of Springer Nature 2018
Chapter 7: © National Technology & Engineering Solutions of Sandia, LLC 2018
Chapter 11 is a U.S. government work and its text is not subject to copyright protection in the United States; however, its text may be subject to foreign copyright protection 2018

All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper

This book is published under the imprint Birkhäuser, www.birkhauser-science.com by the registered company Springer International Publishing AG part of Springer Nature.
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

To our families...

Preface

With the increase in the complexity and prevalence of modern communication technology, security faces bigger challenges than ever. New security concepts and notions have been developed and are continuously seeing deployment in practice. Some of these new security mechanisms root in game theory, whose application to security dates back almost two decades, and which has proven itself as a powerful and fruitful field to tackle the natural competition and complex interaction between those who protect and those who attack assets.
While the idea behind game theory is simple in the sense of optimizing opposing goals and efforts towards them, using the theory for security appears as a natural step. Applying the respective models, however, is a different story, and the challenges arising in security are different from those in economics, where game theory originates. Indeed, exactly this difference is what brings an interesting viewpoint on security, if we no longer consider security as the absence of threats (a state that would not be reachable anyway), but rather as a state in which the expenses for an attack outweigh the gains from it. This economic view on security is not new, but somewhat surprisingly, much research on security is still focused on preventing all known attacks (at any cost), rather than optimizing the defender’s efforts and limited resources to gain the maximal security achievable. The difficulty of security management is the difficulty of quantifying security. It may not be plausible to claim that security can be measured like a physical quantity, but can it at least be scored (i.e., assigned a number that has no meaning by itself, but lets us compare and rank different situations based on their scores)? The difficulty of finding good security metrics may partly be due to an overly strong requirement implicitly imposed here. Certainly, management would like to talk about numbers that show trends, say to recognize if we are slowly becoming more and more exposed to certain threats, but security is not a physical quantity or measurable in experiments. It is a property of a system that undergoes an evolution and must be continuously checked and kept up. Note that this simple view by no means limits the diversity of what security or vulnerability means. The goals of attacks can be manifold and monetary losses (say, by physical damage or theft of information) are only one possibility. Various games may be played for reputation, where the attacker’s goal is destroying the victim’s credibility, but without any intention to cause physical damage or steal anything.
Risk is therefore an equally diverse term, and risk management is usually a matter of control towards optimizing multiple indicators of interest.

Risk management can be viewed as a certain kind of control problem. The conditions and constraints under which the controller tries to put or keep the system state at a defined level are a matter of choice and decision making, based on numbers that quantify risks (in all aspects of interest). The decision making itself is based on a model that describes the system (typically a whole enterprise, whose internal dynamics is often too complex to be put into equations or other simple terms), and depending on the expressiveness and power of the model, it ships with various parameters. In any case, a good model helps to establish a comprehensive protection strategy that can flexibly adapt itself to changing conditions and new innovations.

While the existing theory is huge, practitioners and nonexperts in game theory may face severe difficulties in unleashing the power of game theory in their daily business. This volume is intended to fill this gap by telling a story in three acts, being parts in the book, and contributed by a total of 38 authors, whom we hereby greatly acknowledge.

Part I is composed of selected models of games and decision making. Here, models can be distinguished according to their components. Let us fix the defender (possibly being a multitude of physical entities, persons, etc.) as a fixed component, playing against an adversary (also physically allowed to appear as multiple and likely collaborating actors). If the adversary acts irrationally, we can consider it as being an act of nature, since there is no incentive to cause harm to the defender, and the defender is simply exposed to some ecosystem and subject to changing environmental conditions. Finding optimal strategies in a changing and uncertain but not hostile environment is subject of decision theory. Game theory changes the picture by endowing the environment with its own incentives, which are (in the most typical cases) in conflict with the defender’s intentions (though not necessarily opposite).
Decision theory can thus, in a simplified perspective, be viewed as optimization of one (or more) goals by one player, while game theory does optimization of usually conflicting goals of at least two or more players.

The temporal aspect adds further distinctions here, since the defender’s problem can be finding an optimal decision for now, or an optimal plan to materialize towards a longer term goal in future. The simpler case is obviously making a decision for the moment, and disregarding the consequences that it may have in future. In that case, we arrive at the simplest form of static games (against rational opponents) or simple decisions (to deal with nature). If the consequences of an action taken now will matter for the future, then we have either a control problem (against an irrational adversary like nature) or a dynamic game, if the adversary acts rationally. Extensions and combinations of these types lead to more complex (and hence more powerful) models like Markov decision processes and relatives. All these models are to be treated individually, and the chapters in Part I cover theoretical basics to make a start with some selected candidates.

Specifically, Part I of this volume is divided into the following chapters:

Chapter 1: Utilizing Game Theory for Security Risk Assessment, by L. Rajbhandari and E.A. Snekkenes

The opening of the book is dedicated to making the connection between risk management and game theory explicit. The similarities between a game-theoretic analysis of best behavior and risk management are striking, yet not obvious and this chapter opens the book by making the connection explicit. At the same time, it points at various problems of decision making (covered in Part I of this book) and model building, which the whole Part II of the book is dedicated to. Concrete applications up to tool support for game-theoretic risk management are reported in Chapters 16, 12, 13 and 4, among others.
Chapter 2: Decision Making When Consequences Are Random, by S. Rass

The dynamics in an enterprise or general process that is subject to risk management are rarely open to accurate descriptions in formal terms. Thus, much of risk management is a matter of taking decisions whose consequences are hardly determined or foreseeable to a decent extent. Game theory’s hypothesis of rationality being induced by utility maximization is herein generalized towards a decision-making framework that builds upon fuzzy and vague knowledge, and introduces random variables themselves as objects for optimization. The framework established is essentially a possible replacement for conventional numbers used in optimization, such as eloquently described in Chapters 5, 10 or 11. Applications of the framework laid out in this chapter are found in Chapters 12, 13, 14, 15 and 16.

Chapter 3: Security Strategies and Multi-Criteria Decision Making, by S. Rass

A considerable deal of attention in risk management is dedicated to an assessment of the attacker’s intention or the general incentive as to why an infrastructure may be under attack. If such information is available, then a tailored defense can be defined. However, lacking an idea about who is attacking us or why, the best we can do is using our own incentives as guideline to model the hypothetical adversary. This leads to the concept of security strategies, which, roughly speaking, are the best defense possible against a set of known threats, whose concrete incarnations depend on the unknown incentives of the unknown attacker. Finding such an optimal defense w.r.t. several assets to be protected and several goals of security is the main body of this chapter. The technique established reduces the problem of security strategy computation to a standard equilibrium computation problem, which all other chapters in this book revisit and discuss in different variations.
Chapter 4: A Scalable Decomposition Method for the Dynamic Defense of Cyber Networks, by M. Rasouli, E. Miehling, and D. Teneketzis

Picking up at a similar point as Chapter 3, this also adopts the defender’s point of view when a defense against cyber-attacks shall be defined. The uncertainty aforementioned in Chapter 2 is, however, made much more precise herein assuming the defender not having full information about the network status at all times. The additional complexity issue of determining security strategies in large-scale networks is a story on its own, and a core contribution of this chapter is a method to handle the scalability issue in the computation of worst-case defenses (i.e., security strategies, similar to Chapter 3), obtained from treating the issue as a security control problem.

Chapter 5: Factored Markov Game Theory for Secure Interdependent Infrastructure Networks, by L. Huang, J. Chen, and Q. Zhu

The diversity and scalability issues that Chapter 4 talks about are discussed by this chapter from a different angle of view. While networks may grow large in size and thus entail complex models, additional complexity (different in nature) may also arise from the diversity of devices and from extending the view to include cross-layer considerations spanning purely logical but also physical parts of the network. The most typical example of such a system is the internet-of-things (IoT). The cyber-physical perspective generally reveals scalability issues that call for efficient treatment, which this chapter approaches by designated game-theoretic models. Like Chapter 4, decompositions and approximations of problems to handle practically intractable models are in the center of attention here, supported by numeric examples.
Part II begins at the point where the model has been selected, and now we are asking ourselves how to set the parameters, or more generally, how a concrete such model should be defined. Let us consider game-theoretic models as an example to illustrate the issue: suppose that player 1 runs an IT network, whose administrator has recently been informed about a new malware “in the wild.” Irrespectively of whether there is an infection already, we are already in a game between the system administrator and the attacker. A game-theoretic model would require three ingredients:

1. The action set of the defender: this is typically a known item, since the system administrator can consult standard catalogues such as those shipping with risk management standards like ISO 31000.

2. The action set of the attacker: this is typically more involved to specify, based on domain expertise and experience and supported by catalogues in risk management standards like the “BSI Grundschutzkatalog” of the German Federal Office for Information Security (www.bsi.bund.de).

3. A valuation of the consequences that the actions of the defender and attacker will have. A standard game model asks for this consequence to be described by a number, but how shall we do this? What numeric measure would be accurate to describe the effects of malware in a system? If it causes damage and outages, how would we quantify the loss that the company suffers from this? If the malware spreads in an electricity network and shuts down parts of it, how much would the total damage be in customer’s households? If the problem is with a water supplier, who is obliged to inform customers, how would the supplier’s reputation be affected (damaged) upon this incident? While the game-theoretic model itself may be useful to describe the management decision challenge, parameterizing the model to accurately describe the effects of actions taken is a different challenge and needs its own treatment and theory.
