of 33 assane gueye information technology laboratory, national institute of standards and technology...
TRANSCRIPT
of 33
Assane Gueye Information Technology Laboratory,
National Institute of Standards and Technology
Joint work with:Dr. Vladimir Marbukh (NIST)Aron Lazska (Budapest University of Technology and Economics)Prof. Jean C. Walrand, Prof. Venkat Anantharam (UC Berkeley)
Applied and Computational Mathematics Division Seminar SeriesNational Institute of Standards and Technology
Gaithersburg, April 16, 2013
A Game Theoretic Framework for Evaluating Resilience of Networks Against Attacks
of 332
1. How robust/vulnerable is the network against such attacks?
2. What are the links that are most likely to be attacked?
3. Where to put additional link?
4. …
Network
CommunicationPower GridTransportation FinancialSocial
AttackerOperator
Additional link
SSI*SSI
This Talk: A game-theoretic framework to answer to these questions
Motivations
of 33
Network value model
3
+Communication model
Network Topology
2-Player Game Payoffs definition Nash equilibrium characterization
Vulnerability metric
Critical subsets of links
Framework
of 334
• Goals: Quantifying network vulnerability, identify most critical links• Solution: Game Theory to capture strategic nature, equilibrium payoff for vulnerability
metric
– Communication models • Network value models, Cost of loss of connectivity (Loss-in-Value)
– Game Model• Nash equilibrium characterization, Vulnerability metric
– Properties of vulnerability metric• Identification of critical links, Relate to known graph theory notions
– Quantification of security cost/benefit tradeoff? • Budget constraint
– Economics of vulnerability reduction• Hardening vs Redundancy
• Concluding Remarks and Future Work
Summary/Outline
of 336
All-to-One Networks (e.g., Sensor Network)S
LOSTCost of loss of connectivity: |V|-|VS| VS connected component containing S
S
There is a designated node (the gateway) to which everyone wants to connect
Network Value Function (proxy)f(G) := # of nodes (connected to S)
Communication infrastructure (Rooted) spanning arborescence
S
A. Gueye, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (1/4)
of 337
Many-to-Many Networks (e.g., Supply-Demand)
S1
S2
D1
D2
D3
S1
S2
D1
D2
D3
LOSTD2+D3-S2 (>0)
A total amount of goods (Δ) is to be movedfrom a set of sources to a set of destinations
Cost of loss of connectivity: Δ(T)- Δ(T\e) Δ(X) := amount of goods moved over X
Network Value Function f(G) := total amount of goods moved from S to D
Communication infrastructure Feasible flow (capacity constraints, conservation of flows)
S1
S2
D1
D2
D3
21
3
1
11
1
1
13
2
3
A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (2/4)
of 338
All-to-All Networks (e.g., Bridged Ethernet—constant loss)
LOST
Need a path between any pair of nodes(All nodes must be connected at all time)
Cost of loss of connectivity: K × (1-1connected) 1connected: indicator function
Network Value Function f(G) := K (constant)
Communication infrastructure Spanning tree
A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (3/4)
of 339
All-to-All Networks (e.g., Bridged Ethernet—linear loss)
LOST
Need a path between any two nodes(when nodes are disconnected, the decision reached by the maximum number of nodes prevails)
Cost of loss of connectivity: |V|-max(|Vi|) max(|Vi|) = # nodes in largest connected component
Network Value Function f(G) := # of connected nodes (in largest cluster)
Communication infrastructure Spanning tree
A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam, : A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (4/4)
of 3310
• Walrand: n1+a a≤1 (friendship network)
• Sarnoff: n (Broadcast Network)
• Metcalfe: n2 (Peer Connecting Network)
• Reed: 2n (Group Forming network)
• Odlyzky, Briscoe, Tilly (OBT): nlog(n)
Graph G=(V,E)|V|=n, |E|=m
A. Gueye, V. Marbukh, J.C. Walrand: Towards a Metric for Communication Network Vulnerability to Attacks: A Game Theoretic Approach, In 3rd International ICST Conference on Game Theory for Networks (GameNets), May 25-26, 2012, Vancouver, Canada
Alternate Network Value Models
of 3311
• Network operator’s goal– choose a set of links to maintain “some” connectivity… Denote T: set of links
S
– … and get some value: f(T) (=|V|)
S
Example 1: Sensor Network
= f(T)- f(T\e)
T: a (rooted) spanning arborescence
• When link e fails• (New) network T\e, with value f(T\e) Loss-in-Value (LiV) relative to T and e
Loss-in-Value (LiV)
of 3312
S S1
S2
D1
D2
D3
21
3
1
11
1
1
13
2
3
= 3# of nodes disconnected from S (when connection is over T and e fails)
= 3amount of goods that T carries over e
= Kx1eTtotal network value ( if e T)
= 3size of smallest connected component (when connection is over T and e fails)
S S1
S2
D1
D2
D3
21
3
1
11
1
1
13
2
3
SS1
S2
D1
D2
D3
Sensor Network Supply-DemandEthernet:
(constant loss)Ethernet
(linear loss)
LostLost Lost
Lost
Loss-in-Value (LiV)
of 3313
Build Loss-in-Value matrix: LiV[E,T]
LiV[T,e]
Reso
urce
s
links
Loss-in-Value (LiV) Matrix
Payoff matrix
of 3315
• Graph G=(V,E)
– Players• (Network) Manager• Attacker
– (Pure) Strategies:• Manager: resources (TT) • Attacker: links (eE)
– Payoff• Manager: - • Attacker: – μ(e) (possible attack cost)
Network Blocking Game Model
of 3316
• Game– One shot game
– (Mixed) Strategies
» Defender: on T, to minimize
» Attacker: on E, to maximize
𝐿 (𝜶 ,𝜷 )= ∑𝑇∈𝒯 𝜶𝑇 ∑
𝑒∈ℰ𝜷𝑒 𝐿𝑖𝑉 (𝑇 ,𝑒)
𝑅 (𝜶 ,𝜷 )=∑𝑒∈ℰ
𝜷𝑒( ∑𝑇∈𝒯 𝜶𝑇 𝐿𝑖𝑉 (𝑇 ,𝑒)−𝜇 (𝑒))
SSI
Network Blocking Game Model
of 3317
• Nash equilibrium always exists [Nash 1950]
– Expected Loss (defender):
– Vulnerability metric ( = attacker’s expected reward)
𝐿∗(𝜶𝑵𝑬 ,𝜷𝑵𝑬 )= ∑𝑇∈𝒯 𝜶𝑇
𝑁𝐸 ∑𝑒∈ℰ
𝜷𝑒𝑁𝐸𝐿𝑖𝑉 (𝑇 ,𝑒)
𝝁=∑𝑒∈ℰ
𝜷𝑒𝑵𝑬𝜇(𝑒)
Vulnerability Metric
Theorem[Gueye et. al., 2012]• is uniquely defined (there might exist multiple equilibria)
• If , • Attacker’s best choice is to never launch an attack• Defender will randomize communication (e.g., multipath routing)
• If ,• There exists a critical subset of links (possibly multiple)• Attacker will target a critical subset of links• Defender will randomize and minimally use critical links
of 3318
• is uniquely defined
• reflects defender’s loss as well as attacker’s desire to attack• closely depends on network structure (topology, amount of goods to be moved, etc…) metric for vulnerability to attack (strategic failures ≠reliability metric which is based on random failure)• indicates attacker’s behavior
• If <0 attacker does not attack• If 0 attacker always attack
• corresponds to “vulnerability” of most critical links () identify most critical (vulnerable) links
Vulnerability Metric: Properties
of 3320
All-to-One Networks (e.g., Sensor Network)S
Vulnerability Metric
Game• Operator: choose a rooted spanning arborescence• Attacker: Attack a link
by removing links in E
𝜽∗=𝒎𝒂𝒙 {𝝀 (𝑬 )|𝑬|
: 𝑬⊆𝓔 (𝑮 )}
Critical subset of links: E* achieves Uniform attack in each critical subset
(Inverse) Directed Strength of Graph (Cunningham 1982)
= # of nodes disconnected from S associated with T and e
(= Average # of disconnected nodes per attacked link)
S
=4
=2
Vulnerability Metric & Graph Theory (1/4)
of 3321
Many-to-Many Networks (e.g., Supply-Demand)
S1
S2
D1
D2
D3
Game• Operator: choose a feasible flow• Attacker: Attack a link
Vulnerability Metric
𝜽∗=𝒎𝒂𝒙 ¿
(= Average excess demand per attacked link)
= amount of goods T carries over e
Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Graph Theory (2/4)
X 𝐗𝜹(𝑿) = = total demand in = Total supply in = excess demand in
of 3322
All-to-All Networks (e.g., Bridged Ethernet—constant loss) Game
• Operator: choose a spanning tree• Attacker: Attack a link
Vulnerability Metric
𝜽∗=𝐦𝐚𝐱 ¿Spanning Tree Packing Number (SPT)(Tutte & Nash-Williams 1961)
= total value ( if e T)
(= Average # of (dis)connected components per attacked link)
Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Graph Theory (3/4)
E = Set of edges going across the partitions = number of connected components
of 3323
All-to-All Networks (e.g., Bridged Ethernet—linear loss)Game
• Operator: choose a spanning tree• Attacker: Attack a link
Vulnerability Metric
𝜽∗=𝐦𝐚𝐱 ¿ (inverse) Cheeger’s constant, Edge expansion factor of G
nfinite number of graphs
= size of smallest connected component
(=Average # of disconnected nodes per links)
Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Graph Theory (4/4)
X 𝐗𝜹(𝑿)
=
of 33
Vulnerability = 1/2
= 4/7>1/2
a)
b)
zero attack cost µe=0
1/2
1/2
1/7
1/7
1/7
1/7
1/71/7
1/7
24
All-2-All (constant loss)
Vulnerability Metric & Critical Links
of 3325
All-2-All (constant loss)
Bridges Edges in the cloud Edges to the cloud
Critical Subsets depends on network value model (f(.))All-2-All
(linear loss) All-2-All
(exponential loss)
Criticality depends on network topology
Edges to the cloudBridges
Vulnerability Metric & Critical Links
of 3326
= 3/4 = 2/3 = 3/5
2/3 > 3/5
Network in b) is more vulnerable than network in c)Additional link
Network Design
a) b) c)
Vulnerability Metric & Network Design
of 3328
• Each subset of resources T (e.g., feasible flow, spanning tree) has a cost w(T)
• Defender has a “maximum” budget b
• Can use only resources that satisfy budget constraint b≤w(T) Set of pure strategies
(Buying out more randomness)
• Define games parameterized by budget b
• Vulnerability metric is a function of b:
• Study function 4 6 8 10 12 14 16 18
1
1.5
2
2.5
3
3.5
4
4.5
(Maximum) Flow Cost
Vul
nera
bilit
y *
Cost b
𝒯(𝑏)= {𝑇∈𝒯∨𝑤 (𝑇 )≤𝑏 }
Vulnerability/Cost Tradeoff
A. Gueye, V. Marbukh: A Game Theoretic Framework for Network Security Vulnerability Assessment and Mitigation, In 3rd International ICST Conference on Decision and Game Theory (GameSec), November 5-6, 2012, Budapest, Hungary
of 3329
Vulnerability ReductionHardening vs Redundancy (ongoing)
AttackerOperator
Additional budget!
Hardening Redundancy
of 3330
Vulnerability ReductionRedundancy vs Hardening (ongoing)
Run1 Run2 Run3
Relevant parameters:
• Network topology• Current set of available “routes”• Benefit function• Cost of attack• Budget
(fixed)(random for each run)(linear for hardening)(random for each run)(varies)
A. Gueye, V. Marbukh: Economics of Network Vulnerability Reduction: Hardening versus Redundancy, submitted, In Joint Workshop on Pricing and Incentives in Networks and Systems, June 21, 2013, in conjunction with ACM SIGMETRICS 2013 (Pittsburg, PA, USA)
of 3331
• Network Blocking Games– Communication model– Network value function, Loss-in-Value (LiV)– NE theorem for blocking games
• Application: Quantify network vulnerability in adversarial environment– Vulnerability Metric– Critical subset of links– Properties– Algorithms
• Security/Cost Tradeoff– Budget constraints – Tradeoff curves– Computational complexity
Summary
Conclusion….the ability of a malicious/selfish agent to acquire and exploit system information may alter conclusions drawn by using conventional predictive security metrics…
of 3332
• Fundamentals of adversarial relationship E.g. Game Theory• Security as a design principle E.g.: System Design• Predictive metrics for security of large-scale systems
Future Work
• Models for local Interaction E.g.: Game Theory, Decision Theory
• Identify macro parameters• Predict global behavior• Global level of security E.g.: Complex System Theory Statistical Inference
• Develop appropriate feedback control loops E.g.: Control Theory
1.
2.
3.