Audit Games Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha 1 Carnegie Mellon University

Post on 17-Jan-2018


Page 1

Audit Games

Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha

Carnegie Mellon University

Page 2

Motivation

Page 3

Auditing
- Permissive real-time access control policy
- Inspect accesses after they occur
- Find and punish policy violators

How does it help?
- Deters potential violators
- Allows remedial measures to prevent future losses

Page 4

Auditing for Policy Enforcement

HIPAA

GLBA

EU Data Protection Directive

Page 5

Auditing in Practice

FairWarning audit tool for hospitals: flags all accesses to celebrity records as suspicious.
Traffic enforcement: place traffic police at strategic locations.

Intelligent heuristics, but no mathematical model or guarantees.

Page 6

Why study the audit process?

- Optimize the costs expended in auditing: audits cost money.
- Prevent violations: decide the appropriate punishment for deterrence.
- Efficiently computable audit strategies: enable cost-optimal, prioritized inspections.

Page 7

Outline

- Simple rational game model
- Example
- Main algorithm for computing the equilibrium
- Example
- Future work

Page 8

Simple Rational Model

Adversary: commits a violation; fined if detected.

[Figure: the utility when a target is attacked. Targets are shown with their inspection probabilities $p_1, p_2, p_3, p_4$; the utility when the target is audited is contrasted with the utility when it is unaudited.]

Page 9

Punishment as an Action

The punishment level $x$ is a choice of the defender:
- High punishment: hostile work environment.
- Low punishment: no incentive to follow policy.

Simple Rational Model

Page 10

Stackelberg Equilibrium Concept

- Defender commits to a randomized resource allocation strategy (the $p_i$'s and $x$).
- Adversary plays a best response to that strategy.
- For the defender, the Stackelberg equilibrium is better than the Nash equilibrium.

Goal: compute the optimal defender strategy.

Simple Rational Model

Page 11

Small example

Three targets $t_1, t_2, t_3$, with $a_0 = 0.5$:

Defender's utility: audited $U_{a,D}(t_i)$ = 2, 2, 3; unaudited $U_{u,D}(t_i)$ = 1, 0.1, 0.5
Adversary's utility: audited $U_{a,A}(t_i)$ = 0.25, 0.5, 0.25; unaudited $U_{u,A}(t_i)$ = 1, 1, 1

Defender's utility when target $t_i$ is attacked:

$$p_i\,U_{a,D}(t_i) + (1-p_i)\,U_{u,D}(t_i) - a_0 x$$

Adversary's utility when it attacks $t_i$ (the fine $x$ applies only if the access is audited):

$$p_i\,(U_{a,A}(t_i) - x) + (1-p_i)\,U_{u,A}(t_i)$$

Page 12

Example (contd.)

Defender's Stackelberg strategy (utility ): $p = (0.43, 0.57, 0)$, $x = 0.25$

Adversary's strategy: attack target 

Fix $x$ (here $x = 0$): equivalent to a security game (utility ): $p = (0.285, 0.43, 0.285)$

Page 13

Computing the Optimal Defender Strategy

Solve one optimization problem per target (the target the adversary is made to best-respond with) and pick the best solution:

maximize the defender's utility
subject to the adversary's best-response constraints, with the $p_i$'s lying on the probability simplex

The best-response constraints contain the products $p_i x$, so the problem is quadratic and non-convex.

Simple Rational Model
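The model and the per-target optimization above, as an added worked example (not code from the paper or its authors). It assumes the slide table's first row holds the defender's utilities and the second the adversary's, treats $a_0$ as the per-unit cost of punishment, and replaces the slides' root-finding algorithm with a brute-force grid search that merely illustrates the optimization.

```python
# Added worked example, not code from the Audit Games paper or its authors.
# It encodes the simple rational model from the slides and solves the small
# three-target example by brute force over a grid of (p_1, p_2, p_3, x).
# Assumptions: slide table row order is defender then adversary; a_0 is the
# per-unit cost of punishment; the grid search is not the slides' algorithm.
from itertools import product

# Utilities reconstructed from the slide's small example (assumed row order).
U_A_D = (2.0, 2.0, 3.0)      # U_{a,D}(t_i): defender, target i audited
U_U_D = (1.0, 0.1, 0.5)      # U_{u,D}(t_i): defender, target i unaudited
U_A_A = (0.25, 0.5, 0.25)    # U_{a,A}(t_i): adversary, audited, before the fine x
U_U_A = (1.0, 1.0, 1.0)      # U_{u,A}(t_i): adversary, unaudited

def defender_utility(p, x, a0, i):
    """p_i U_{a,D}(t_i) + (1 - p_i) U_{u,D}(t_i) - a_0 x when t_i is attacked."""
    return p[i] * U_A_D[i] + (1.0 - p[i]) * U_U_D[i] - a0 * x

def adversary_utility(p, x, i):
    """p_i (U_{a,A}(t_i) - x) + (1 - p_i) U_{u,A}(t_i): the fine x applies only if caught."""
    return p[i] * (U_A_A[i] - x) + (1.0 - p[i]) * U_U_A[i]

def best_response(p, x):
    """Target the adversary attacks against the committed (p, x); ties go to the lowest index."""
    return max(range(len(p)), key=lambda i: adversary_utility(p, x, i))

def stackelberg_grid(a0, steps=20, fix_x=None):
    """Defender's best commitment on a grid: the adversary best-responds to each
    candidate (p, x) and the defender keeps the candidate that pays most.
    fix_x=0.0 removes the punishment lever, i.e. the security-game special case.
    Returns (defender utility, p, x, attacked target)."""
    xs = [fix_x] if fix_x is not None else [k / steps for k in range(steps + 1)]
    best = None
    for k1, k2 in product(range(steps + 1), repeat=2):
        if k1 + k2 > steps:
            continue                      # p must lie on the probability simplex
        p = (k1 / steps, k2 / steps, (steps - k1 - k2) / steps)
        for x in xs:
            i = best_response(p, x)
            u = defender_utility(p, x, a0, i)
            if best is None or u > best[0]:
                best = (u, p, x, i)
    return best

if __name__ == "__main__":
    for a0 in (0.1, 0.5, 2.0):            # low, medium and high cost of punishment
        print(a0, stackelberg_grid(a0), stackelberg_grid(a0, fix_x=0.0))
```

Because the free search includes $x = 0$, its value is never below the security-game value, which is the point of adding punishment as a defender action.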

Page 14

Properties of the Optimal Point

[Figure: the problem drawn in the $(x, p_i)$ plane, both axes running to 1, with the tight constraints $C_1, C_2, C_3, C_4$ marked.]

Main Algorithm

Page 15

Main Idea in the Algorithm

- Iterate over regions and solve a sub-problem in each.
- Set the probabilities to zero for the curves that lie above, and make the other constraints tight.
- Pick the best solution of all.

[Figure: regions along the $x$ axis (running to 1) delimited by curves labelled $\delta = -3$, $\delta = -2$, $\delta = -1$ and $\delta = 1 - \Delta n$.]

Main Algorithm

Page 16

Solving a Sub-problem

1. The objective can be reduced to a polynomial function of $x$.
2. Find the potential maxima by finding the roots.
3. Take the maximum over all the values from step 2.

Splitting circle method: approximates the real roots to a given precision in time polynomial in the input size and the number of bits of precision.

Main Algorithm

Page 17

Main Theorem

The problem can be approximated to within an additive ϵ, in time depending on K, the bit precision of the inputs, using the splitting circle method.

Main Algorithm

Page 18

Varying the cost of punishment $a_0$:

- medium cost of punishment: $p = (0.43, 0.57, 0)$, $x = 0.25$
- high cost of punishment: $p = (0.285, 0.43, 0.285)$, $x = 0$
- low cost of punishment: $p = (0.46, 0.54, 0)$, $x = 0.99$

Example

Page 19

Future Work

- Studying security-game variations in audit games:
  - budget-constrained defender
  - combinatorial constraints on the use of defender resources
- Varying punishment with the severity of the violation
- Validation:
  - simulation: studying the effect of various parameters
  - real-world case study

Future Work

Page 20

Conclusion

- First model of auditing and a first step toward a computationally feasible solution of audit games.
- Research at the intersection of AI and security & privacy holds a lot of promise, given the encouraging precedent set by the deployment of security-games algorithms.

Page 21

Extensions

- Multiple inspections performed by a single resource: the probabilities sum to the number of inspections, each inspection has its own probability distribution, and the marginals are decomposed using the Birkhoff-von Neumann decomposition.
- Zero violations by the adversary with no punishment: adds an additional non-convex constraint, handled in almost the same way as the other constraints.

Extensions