operations research approaches to cyber conflict
DESCRIPTION
Operations Research Approaches to Cyber Conflict. CCW Short Course 21 September 2011 CDR Harrison Schramm. Lecture Goal. To provide an executive overview of Operations Research… …And the application of these techniques to problems in the cyber domain. Introduction . - PowerPoint PPT PresentationTRANSCRIPT
Operations Research Approaches to Cyber Conflict
CCW Short Course 21 September 2011
CDR Harrison Schramm
Lecture Goal
• To provide an executive overview of Operations Research…
…And the application of these techniques to problems in the cyber domain.
Introduction
• Who am I and Why am I here?• How did I get interested in Cyber?
• What are sorts of approaches might the OR community have to offer?
• Future ideas in OR
Outline
Big Questions• What is OR and how
can it be applied to the cyber problem?
• What specific problems are amenable to analysis?
Applications• Network Flow Models
– Formulation– Interdiction
• Game theory and deterrence– How cyber conflict is
different
• Epidemic Models
History of Operations Research
• Origins in WWII – Convoy Planning (Royal Navy)– Anti-submarine warfare (USA)
• Quick case study: Should Air Defense guns be placed on Merchant Vessels?
Difficulties: • No clear-cut ‘one-to-one’
mapping between traditional models and cyber conflict
• Uncertainties in cyber conflict make problem difficult to parameterize.
Approaches:• Lanchester Equations• Game Theory• Attacker / Defender
Modeling• Applied mathematics
from other disciplines
Ultimate Goal: to integrate cyber conflict into Campaign Analysis to inform investment and tactical decisions for DoD.
Military OR and Cyber Conflict
• Fluidity of arsenals– Adversaries’ discovery of vulnerability may make
opponents weapon useless. – Deterrence implications
• Difficulties with detection and attribution– How do you know when you’re under attack?
• Wide estimates of ‘how bad could bad be’– What is a ‘cyber pearl harbor?’
How cyber conflict is different(And why our old tools don’t work)
Our purpose
• Is the application of the scientific method to military / policy problems to inform better decisions.
• OR is ‘The Science of Better’
Part I a. Networks
What is a Network?
• A NETWORK is any system that can be described as a set of Nodes and Arcs.
• Arcs have attributes:– Capacity– Cost
• Nodes are where Arcs meet– We’re interested in the relationship between the
‘inflow’ and ‘outflow’ at each arc.
Network Example
• Example: Driving to San Jose International Airport
Mathematical Representation
1
2
3
4
5
6
(1, 2)
(1, 1)
(2, 1)
(3, 1)
(1, 4)
(2, 2)
(2, 2)
(1, 2)
i j
(cij, qij)
The math (in words)
• We seek to minimize costs across the network• Such that:
– Demand is met– Supply is not exceeded– The net flow at a ‘transient’ node is zero– No arc’s capacity is exceeded– No arc has negative flow.
• This becomes a Mathematical Programming problem and is easily solved.
Network Questions
• How much can we push through? – Maximum Flow
• What’s the cheapest way to move one unit?– Minimum Cost
• What’s the cheapest way to move supplies from one or more sources to multiple destinations
• What’s the best way to schedule jobs?
Network Flow Problems - Practical
• Obvious Networks:– Electrical systems– Road Systems– Computer Networks
• Non-obvious networks:– Schedules…– Like a weapons development program
Intermission
• Gee, Harrison, that’s really cool. Why are we talking about this?
• Glad you asked!
Part Ib. Network Interdiction
Using attack-based strategies to identify critical infrastructure components is not a new idea
• Harris, T.E., and Ross, F.S. (1955), Fundamentals of a Method for Evaluating Rail Net Capacities (SECRET, declassified 1999), RM-1573, RAND Corp.
• As documented by Schrijver (2002).
This math used to be Classified!
(Sorry, I just have to say that every chance I get)
How is this approach different than others?
Decision Making
Certainty Uncertainty
Mother Nature(non-deliberate)
Enemy(deliberate)
Optimization
Probability Game Theory
Assess the “Worst Case”• Model the system• Evaluate potential damage by
adversary (capability-based) • Relies on system knowledge
Assess “What is Likely”• Model the threat• Evaluate expected outcome• Relies on historical record, SMEs,
“crystal ball”
Non-Deliberate
Hazard
DeliberateThreat
Probabilistic Risk Analysis(Natural Disasters)Safety (Accidents)
Reliability (Failures)
Intent-Based Analysis(e.g., predicting terrorists)
Short-term planning onlyRequires strong intelligence
Works for long-term & short-term planning and resource allocation
Capability-Based Analysis (e.g., game theory)
Might not be conservative enough (Limited by imagination)
Might be too conservative (Impractical to mitigate)
Different Approaches to Assessing Risk
Risk = f (T, V, C)
David Alderson – NPS – 22June2011
A Fundamental Question:Is defending a system…• More like protecting against Mother Nature?• Or more like defending against an intelligent
adversary?
• This is a fundamental issue in the use of risk analysis techniques, but it is not the only one…
David Alderson – NPS – 22June2011
Attacking an Arc
What does it mean to ‘attack an arc’?
Two interpretations:• The Black Knight Method “NONE SHALL PASS”
– set it’s capacity to zero (this is the same as removing it from the model)
Or• “The Tollbooth Method”
– place an unaffordable tax on the arc to make it cost-prohibitive.
Suppose someone hands you a network model
Network Operator (Defender) problem
• How do I continue to operate my network under attack?
• Mathematically: How do I minimize total cost given a set interdicted arcs?
Interdictor (Attacker) problem:
• Which arc(s) are the best to attack in order to minimize the operators’ best performance
• Mathematically: How do I choose a set of arcs to attack?
Math Slide Master Problem Sub Problem Decision Variable
Y X
Formulation
max
. .
0,1
Y
kk k k
z
s t
z cX qX Y
Y
Y Atks
., ,.
, , ,
, ,
min
. .11
0
0
X
i ii i
i j i j i j
i j i j
c qY X
s tsource
X X drain Balanceof flowtransient
X u Flow Constrant
X Non Negativity
Attacker / Defender Schematic
Operator Attacker
Operator shows attacker ‘best’ system operation under attack
Attacker shows defender ‘best’ attack
for system configuration
Okay, so why all the math?
One Attack
Two Attacks
Three Attacks
“Punch line”
• Added numbers of attacks may lead you to attack different things
• An attacker with more resources may attack different things than a less capable attacker; both may be acting optimally!
Example: PORT OF LOS ANGELES
33
Attacker’s problem: find attack paths for multiple,
simultaneous attackers that minimize getting stopped.
Defender’s problem: preposition radar and small boats to
maximize early detection
NPS OR Department 34
Example II: Building a first nuclear weapon
• A regional power seeksinternational prestige and influence
• Growing industrial base• Well-funded research universities• Several civilian power reactors
under IAEA safeguards• Established, high-volume producer
of uranium ore and yellowcake
David Alderson – NPS – 22June2011
Gantt chart
Operator’s problem is to managehis project to minimize thecompletion time of his first weapon
Attacker’s problem is to delay thecompletion time of his first weapon
David Alderson – NPS – 22June2011
Part II: Deterrence
• “Deterrence, it seems, works better in Practice than in Theory”
References
• Thomas Schelling: Arms and Influence• Herman Khan: On Thermonuclear War• Glenn Kent: Thinking about America’s Defense
Deterrence:Is..• A coercive strategy which aims to
maintain the status quo by forcing an adversary to re-consider the costs and benefits of their actions
• Requires:– The ability to inflict harm to
something the adversary values– The Will to inflict this harm– Effective communication of the
ability and will• Can sum these up in one word:
CREDIBILITY
Is challenging to study because…• We only gain partial information
about effectiveness.– When we (or others are attacked)
we can conclude that our deterrence was insufficient
– When attacks to not happen, it may be because of our deterrent, or another effect.
• We never truly know the motivations / utilities of our adversaries. – Their private utilities are probably
‘unknowable’
38
No one wants to be in the position of finding a problem both important for study and without good analytic methods to tackle it. - Jervis
Analytic Methods
39
• Critical Thinking / Systems Analysis– Kent’s First Strike Stability
• Statistical Analysis: fitting models to datasets – Difficulties: Coding data, model specification, descriptive statistics.
Presupposes model format.– Huth, Signoriono
• Game Theory– Difficulties: presupposes an ability to compute utilities– Schelling, Zagare and Kilgour
• History– Difficulties: May not be applicable to future campaigns– Meershimer, Keegan, others
General Conclusions
40
• Deterrence requires all the levers of national power – it is not simply a military problem – (all methods)
• Deterrence is most likely to fail when:– At least one side perceives the campaign will be ‘quick’
and ‘easy’ (History, Strike Stability)– At least one side perceives the campaign feels that they
are in a ‘use or lose’ situation (History, Game Theory)– Deterrence postures irrelevant if not effectively
communicated (History, Statistics) – Communication Fails (History)
• The objective of deterrence cannot be ‘Everything – Everywhere’ – we should prioritize what we wish to deter.
Who is deterrable? Deterrable• Nations that seek to
minimize costs
• Nations that feel secure in their nuclear (and other) deterrents
Not deterrable• Groups who do not seek to
minimize costs– Because they don’t count
them– Because they have ideological
imperatives to act– Because they seek conflict
• Nations who feel they are in a use / loose situation.
41
Nuclear Deterrence: The Gold Standard?
42
•Kent’s model of Nuclear Deterrence•Advantages: tractable, simple, elegant•Disadvantages: Measures the ‘costs’ of attacking first versus the ‘costs’ of attacking second•The closer this ratio is to unity, the more stable the system is.
• Sources of Stability:– Clear Communications– Assured Retaliation
• Sources of Instability: – “Splendid First Strike”– Deterrence capability made
irrelevant:• Communication lapses i.e.
Saddam Hussein– “Mandates” – Political or
personal motives that force a solution
• Germany WWII?
Kent’s Model of deterrence
43
First strike Stability Index:
Where: C represents costs; several definitions have been used
Ratios don’t tell the whole story; magnitude of potential costs key as well.
,1 ,1
,2 ,2
A B
A B
FSSI C CC C
Missing Rungs on the “ladder of Escalation
44
Nuclear Exchange
Conventional War
Limited Retaliatory Strike
Diplomatic Censure
Adversaries’ Provocation
Blue left with the choices of increasing
escalation beyond their desires or simply
‘taking it’
Blue has no appropriate response
Discussion:
• What are the prospects for deterrence in cyberspace?
Research Question
• What sorts of actions will best enable deterrence of hostile acts in cyberspace?
Part III: Epidemic Models and Applications
• Used to study the transmission of disease from antiquity.
• Separate a closed population into groups or ‘Cohorts’
• Here we will discuss the simplest model.
The ‘Simple’ Epidemic
• The story:
There is a population with a fixed number of members, some of whom are infected with a virus for which there is no cure. Population members meet and mingle with some intensity.
Members
S
I
Susceptible. Does not have the disease, but may become infected if encounters an Infective
Infective. Has the disease and may spread it to any susceptible he meets.
Stick Figure Dynamics
S S+ = No Change
I + I = No Change
S + I =
I + I
S + I
With some Probability, S converts to I
Math Slide
dS SIdtdI SIdt
Sapphire Growth
Courtesy: Stefan Savage.
DShield is the Distributed Intrusion Detection System Project (www.dshield.org)
Applying this to Stuxnet…(Unclassified data in Symantec Dossier)
0.00 50.00 100.00 150.00 200.00 250.00 300.00 350.00 400.00 450.00 500.000
5000
10000
15000
20000
25000
30000
35000
40000
Stuxnet Propagation by Country
IranindonesiaIndiaAzerbaijanPakistanMalaysiaUSAUszbekistanRussiaGreat Britain
Days since zero
Mac
hine
s Inf
ecte
d
You could also do this…
Iran
indonesia
India
Azerbaij
an
Pakista
n
Malaysi
aUSA
Uszbek
istan
Russia
Great B
ritain
0
0.002
0.004
0.006
0.008
0.01
0.012
0.014
0.016
0.018
Iranindonesia
IndiaAzerbaijan
PakistanMalaysia
USAUszbekistan
RussiaGreat Britain
Stuxnet infectivity parameters (Least Squares Fit)
IranindonesiaIndiaAzerbaijanPakistanMalaysiaUSAUszbekistanRussiaGreat Britain
S-I-R Model
Whiteboard
)(
)()()(
)()(
tIdtdR
tItStIdtdI
tStIdtdS
How to Mitigate the Worm Threat?S(0) = N = / M probe rate of wormM total population (=232 IPv4) “removal” rate
3. Reduce # of infected hosts(containment)
2. Reduce rate of infection(suppression)
1. Reduce # of susceptible hosts(prevention)
Research Question
• What are the tradeoffs between speed of detection, speed of development, and speed of deployment of patches to minimize the infectiveness damage from a virus-like attack?
Wrap-up
• Today we’ve discussed:• Network Attacker Defender models: A
method for determining vulnerabilities that doesn’t depend on knowing intent
• Deterrence: How Cyber is similar to, and different from, nuclear deterrence.
• Epidemic Models: One way to consider the problem of virus spread.
Synthesis
Highlighted Areas are tensions amenable to analysis.
Game Theory Approach• More mature effort• Explores trades at the
National Level between discovery of vulnerabilities, speed of development and policy
• Implications for policy and deterrence
Epidemic Approach• Explores trades at the
tactical level between discovering an attack and sending a patch
Current Efforts
• CDR Harrison Schramm – [email protected]– 831 656 2358
• Professor David Alderson– [email protected]– 831 656 1814
Points of Contact
Selected References
Early Work on Network Interdiction Problems:Interdicting Drug Smuggling Operations
• Wood, R.K., 1993, “Deterministic Network Interdiction,” Mathematical and Computer Modelling, 17, pp. 1-18.
• Washburn, A. and Wood, K., 1995 “Two-Person Zero Sum Games for Network Interdiction,” Operations Research, 43, pp. 243-251.
• Cormican, K.J., Morton, D.P. and Wood, R.K., 1998, “Stochastic Network Interdiction,” Operations Research, 46, pp. 184-197.
• Israeli, E. and Wood, R.K., 2002, “Shortest-Path Network Interdiction,” Networks, 40, pp. 97-111.
David Alderson – NPS – 22June2011
64
Selected References on DAD Modeling
• Alderson, D.L., Brown, G.G., Carlyle, M.C., and Wood, R.K., 2011,“ Solving Defender-Attacker-Defender Models for Infrastructure Defense,” To appear in Operations Research, Computing and Homeland Defense, K. Wood and R. Dell, eds., Institute for Operations Research and the Management Sciences, Hanover, MD, 2011.
• Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2006, “Defending Critical Infrastructure” Interfaces, 36, pp. 530-544.
• Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2005, “Analyzing the Vulnerability of Critical Infrastructure to Attack, and Planning Defenses,” in Tutorials in Operations Research: Emerging Theory, Methods, and Applications, H. Greenberg and J. Smith, eds., Institute for Operations Research and Management Science, Hanover, MD.
Selected References: Delaying a (Nuclear Weapons) Project
• Brown, G.G., Carlyle, W.M., Harney, R.C., Skroch, E., and Wood, R.K. 2009, “Interdicting a Nuclear-Weapons Project,” Operations Research, 57, pp. 866-877.
• Brown, G., Carlyle M., Harney R., Skroch E., Wood, K., 2006, “Anatomy of a Project to Produce a First Nuclear Weapon,” Science and Global Security, 14, pp. 163–182.
• Brown, G., Carlyle, M., Royset, J. and Wood, K., 2005, “On The Complexity of Delaying an Adversary's Project,” in The Next Wave in Computing, Optimization and Decision Technologies , 2005, eds. B. Golden, S. Raghavan and E.Wasil, Springer, New York, pp. 3-17.
David Alderson – NPS – 22June2011