audit games jeremiah blocki, nicolas christin, anupam datta, ariel d. procaccia, arunesh sinha 1...
DESCRIPTION
Auditing Permissive real time access control policy Inspect accesses after occurrence Find and punish policy violators How does it help? Deter potential violators Take remedial measures to prevent future losses 3TRANSCRIPT
1
Audit Games
Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha
Carnegie Mellon University
2
Motivation
3
Auditing Permissive real time access control policy Inspect accesses after occurrence Find and punish policy violators
How does it help? Deter potential violators Take remedial measures to prevent future losses
4
Auditing for Policy Enforcement
HIPAA
GLBA
EU Data Protection Directive
5
Auditing in Practice FairWarning Audit Tool for hospitals
Flags all celebrity record accesses as suspicious Place traffic police at strategic locations
Intelligent heuristics, but, no mathematical model or guarantees
6
Why study Audit Process? Optimize costs expended in auditing
Audits costs money
Prevent violations Decide appropriate punishment for deterrence
Efficiently computable audit strategies Enable cost-optimal prioritized inspections
7
Outline Simple rational game model
Example
Main Algorithm for computing equilibrium Example
Future Work
8
Simple Rational ModelSimple Rational Model
Adversary: violation, fined if detected Utility when target is attacked
targets
inspection𝑝1 𝑝2 𝑝3 𝑝4
Utility when auditedUtility when unaudited
9
Punishment as an Action
High Punishment: Hostile Work Environment
Low Punishment: No incentive to follow policy.
x
Simple Rational Model
10
Stackelberg Equilibrium Concept Defender commits to a randomized resource
allocation strategy (’s and ) Adversary plays best response to that
strategy
For defender Stackelberg better than Nash eq.
Goal Compute optimal defender strategy
Simple Rational Model
11
Small exampleExample
2 2 31 0.1 0.5
Utility audited ()Utility unaudited ()
0.25 0.5 0.251 1 1
Utility audited ()Utility unaudited ()
Defender’s utility
Adversary’s utility
𝑝𝑖𝑈𝑎 ,𝐷 ( 𝑡𝑖 )+ (1−𝑝𝑖)𝑈𝑢 ,𝐷 (𝑡𝑖 )−𝑎0𝑥
𝑝𝑖(𝑈𝑎 , 𝐴(𝑡 𝑖) – 𝑥 )+ (1−𝑝𝑖)𝑈𝑢 , 𝐴(𝑡 𝑖)
= 0.5
12
Example contd.Example
Defender’s Stackelberg strategy (utility )
Adversary’s strategy: Attack target
Fix , equivalent to security games (utility )
0.285 0.43 0.285
0.43 0.57 0 0.25
13
Computing Optimal Defender StrategySolve optimization problems for all and pick the best solution
subject to
and ’s lie on the probability simplexand
QuadraticNon-
convex
Simple Rational Model
Properties of Optimal Point
14
Problem
𝑥
𝑝𝑖
TightConstraint
s
𝐶1
𝐶2𝐶3
𝐶41
1
Main Algorithm
15
Main Idea in Algorithm
Iterate over regions, solve sub-problems Set probabilities to zero for curves that lie above & make other
constraints tight Pick best solution of all
𝑥
𝛿=−3𝛿=−2𝛿=−1
𝛿=1− Δn 1
1
Main Algorithm
16
Solving Sub-problem 1.Objective can reduced to a polynomial function of
2. Find potential points of maxima by finding roots
3. Take the maximum over all values from steps 2
Splitting circle method: approximate real roots with precision in time polynomial in input size and
Main Algorithm
17
Main Theorem The problem can be approximated to an
additive ϵ factor in time using the splitting circle method, where K is the bit precision of inputs.
Main Algorithm
18
0.285 0.43 0.285 0
Varying cost of punishment , medium cost of punishment
, high cost of punishment
, low cost of punishment
0.43 0.57 0 0.25
0.46 0.54 0 0.99
Example
19
Future Work Studying security games variations in audit
games Budget-constrained defender Combinatorial constraints on use of defender
resources
Varying punishment with violation severity
Validation: Simulation: studying effect of various parameters Real world case study
Future Work
20
Conclusion
First model of auditing and first step toward a computationally
feasible solution of audit games.
Research at the intersection of AI and security & privacy holds lot of promise, given the encouraging precedent set by the deployment of security games
algorithms
21
Extensions inspections performed by single resource
Probability sum to : Each inspection’s probability distribution is Decompose using Birkhoff-von Neumann
decomposition
Zero violations by the adversary With no punishment Adds an additional non-convex constraint Handled in almost same way as the other
constraints
Extensions