game-theoretic approaches to critical infrastructure protection workshop on statistics and...
TRANSCRIPT
Game-Theoretic Approaches to
Critical Infrastructure Protection
Workshop on Statistics and CounterterrorismNovember 20, 2004
Vicki Bier University of Wisconsin-Madison
Research ObjectivesResearch Objectives
Objective:– Study optimal allocation of resources
for protection of systems against intentional attacks
Related to risk analysis:– With close tie to economics – (Game theory is a branch of
economics) Potentially applicable in many areas
BackgroundBackground
Because attackers can modify their strategies in response to our defensive investment: – Defense will generally be more costly when the
adversary can observe the system defenses “Investment in defensive measures, unlike
investment in safety measures, saves a lower number of lives…than the apparent direct contribution of those measures” – Ravid (2002)
Security improvements may be less cost-effective than they would initially appear
Game TheoryGame Theory
Determine the optimal defense against an optimal attack
Game theory is a useful model for security and critical infrastructure protection:– Appropriate when protecting against intelligent
and adaptable adversaries– Recognizes that defensive strategies must
account for attacker behavior
Game between Game between Attackers and Attackers and DefendersDefenders Need to make assumptions about:
– Attacker goals and constraints– Defender goals and constraints– System design features
Protective investment assumed to reduce success probability of attacks
Game between Game between Attackers and Attackers and DefendersDefenders Consider security of a simple series system:
– Defending series systems against informed and determined attackers is a difficult challenge
If the attacker knows about the system’s defenses, the defender’s options are limited:– The defender is largely deprived of the ability to
allocate defensive investments by their cost-effectiveness
– Instead, defensive investments must equalize the “attractiveness” of all defended components
Importance of Importance of RedundancyRedundancy Parallel systems:
– Any component can perform the function
– Attacker must disable all to succeed
Series systems:– Attacker has a wide
choice of targets– Defender must
protect all components!
Physically in series (pipelines, electric lines) Multiple failure modes (e.g., multiple points of entry)
Weakest Link ModelsWeakest Link Models
Defender must equalize the attractiveness of all defended components
This is generally consistent with the Brookings Institution recommendation to defend only the most valuable assets
However, terrorists also consider the probability of success in choice of targets:– So models should take the success probabilities
of attacks against various targets into account
Attacker KnowledgeAttacker Knowledge
The assumption that attackers know our defenses may not be unrealistic:– Due to the openness of our society
Public demands knowledge of our defense:– Even when this weakens its effectiveness!
This increases difficulty of defense:– E.g., anthrax protection
Defensive measures may not be effective if they can be easily observed
System Design System Design FeaturesFeatures
Redundancy reduces attacker flexibility:– And increases defender flexibility
Traditional reliability design considerations:– Spatial separation– Functional diversity
are also important to defensive strategy Examples:
– Defenses that do not require electricity– Use of both land lines and satellite communications
Secrecy and deception can also be valuable
Extensions with Extensions with HedgingHedging Real-world decision makers will want to
hedge: – In case they guess wrong about which targets
are most attractive to attackers Recent work assumes that attackers target
the most attractive component:– But defenders are uncertain about their
attractiveness Attackers will in general have different
values for targets than defenders:– For example, Al-Qaeda prefers targets that are
“recognizable in the Middle East” (Woo)
Defending one target can deflect attacks to targets that are: – Less attractive to attackers (a priori)– But more damaging to defenders!
Optimal defense frequently still involves allocating zero resources to targets with a non-zero probability of successful attack, especially if:– Targets value widely in their values– Defender is highly resource-constrained
Extensions with Extensions with HedgingHedging
Sample ApplicationSample Application
Our results shed light on appropriate Our results shed light on appropriate allocation of resources among allocation of resources among targets:targets:– Focus on the most attractive (and most Focus on the most attractive (and most
vulnerable) targetsvulnerable) targets– Spend less money on targets that are Spend less money on targets that are
unlikely to be attackedunlikely to be attacked Some states may have relatively few Some states may have relatively few
targets worth much investment targets worth much investment
Security versus SafetySecurity versus Safety
In safety applications:In safety applications:– Natural hazardsNatural hazards– Accident preventionAccident prevention
the 80/20 rule works well:the 80/20 rule works well:– Address the top 80% of the risks, at 20% of the Address the top 80% of the risks, at 20% of the
costcost By contrast, in security applications:By contrast, in security applications:
– It may not be worthwhile spending anything at all It may not be worthwhile spending anything at all – Unless you addressUnless you address all all serious vulnerabilities serious vulnerabilities
Example:Example:– Don’t bother searching purses and backpacks Don’t bother searching purses and backpacks – If you don’t also search baby carriages!If you don’t also search baby carriages!
Extensions in Extensions in ProgressProgress
More complicated system structures: – E.g., adapting past work on least-cost diagnosis to
identify “least-cost” attack strategies– As a building block for optimal (or near-optimal)
defenses Non-convex functions for attack success
probability as a function of investment: – If minimal levels of investment are required– If investment beyond a threshold deters attackers
Secrecy and deception:– When are these useful?– How can we quantify their benefits?
Game between Game between DefendersDefenders Consider effects of defensive actions on the
risks faced by other defenders:– And therefore the strategies they adopt
Some defenses (e.g., car alarms) increase risk to other defenders: – Payoff of investing to any one individual is greater
than the net payoff to society– Typically leads to overinvestment in security
Other defenses (e.g., vaccination) decrease risk to other defenders:– “Free riders”– Typically lead to underinvestment in security
Extended an earlier “static” model by Kunreuther and Heal to account for attacks over time:– Example--computerized supply chain partners
Differences in discount rates can lead some agents not to invest in security when it is otherwise in their interests:– If other agents choose not to invest
Differences in discount rates can arise due to:– Industries with different rates of return– Risk of impending bankruptcy– Myopia
This game can have multiple equilibrium solutions:– Creating a need for coordinating mechanisms
Game between Game between DefendersDefenders
Sample ApplicationSample Application
Computer security in electronic supply chains:– Companies may be vulnerable to weaknesses in
computer security on the part of their partners– This can reduce their incentives to invest in their
own computer security Coordinating mechanisms can help to
address this problem:– Contract terms– Government regulation– Development of international standards– Loans to enable partners who are not as
financially stable to improve their computer security
ConclusionsConclusions
Protecting against intentional attacks must account for attacker responses:– Most applications of risk analysis fail to take
this into account– Most applications of game theory to security
deal with individual components in isolation Combining these approaches makes it
possible to invest more cost-effectively:– Avoids wasting resources on defenses that
can easily be disabled or circumvented by attackers