330 likes | 501 Views
A Game Theoretic Framework for Evaluating Resilience of Networks Against Attacks. Assane Gueye Information Technology Laboratory, National Institute of Standards and Technology. Applied and Computational Mathematics Division Seminar Series
E N D
A Game Theoretic Framework for Evaluating Resilience of Networks Against Attacks AssaneGueye Information Technology Laboratory, National Institute of Standards and Technology Applied and Computational Mathematics Division Seminar Series National Institute of Standards and Technology Gaithersburg, April 16, 2013 Joint work with: Dr. Vladimir Marbukh (NIST) AronLazska (Budapest University of Technology and Economics) Prof. Jean C. Walrand, Prof. VenkatAnantharam (UC Berkeley)
Motivations Network Additional link Attacker Operator SSI* SSI • How robust/vulnerable is the network against such attacks? • What are the links that are most likely to be attacked? • Where to put additional link? • … Communication Power Grid Financial Transportation Social This Talk: A game-theoretic framework to answer to these questions
Framework Network value model + Communication model Vulnerability metric Critical subsets of links Network Topology 2-Player Game Payoffs definition Nash equilibrium characterization
Summary/Outline • Goals: Quantifying network vulnerability, identify most critical links • Solution: Game Theory to capture strategic nature, equilibrium payoff for vulnerability metric • Communication models • Network value models, Cost of loss ofconnectivity (Loss-in-Value) • Game Model • Nash equilibrium characterization, Vulnerability metric • Propertiesof vulnerability metric • Identification of critical links, Relate to known graph theory notions • Quantification of security cost/benefittradeoff? • Budget constraint • Economics of vulnerability reduction • Hardening vs Redundancy • Concluding Remarks and Future Work
Communication Models Examples
Examples (1/4) All-to-One Networks (e.g., Sensor Network) There is a designated node (the gateway) to which everyone wants to connect S S S • Communication infrastructure • (Rooted) spanning arborescence • Network Value Function (proxy) • f(G) := # of nodes (connected to S) • Cost of loss of connectivity: |V|-|VS| • VS connected component containing S LOST A. Gueye, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (2/4) Many-to-Many Networks (e.g., Supply-Demand) A total amount of goods (Δ) is to be moved from a set of sources to a set of destinations • Communication infrastructure • Feasible flow (capacity constraints, conservation of flows) 1 1 1 3 2 3 3 1 D1 D1 1 1 S1 S1 1 2 D2 D2 • Network Value Function • f(G) := total amount of goods moved from S to D D1 S1 S2 S2 D3 D3 D2 S2 D3 • Cost of loss of connectivity: Δ(T)- Δ(T\e) • Δ(X) := amount of goods moved over X LOST D2+D3-S2 (>0) A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (3/4) All-to-All Networks (e.g., Bridged Ethernet—constant loss) Need a path between any pair of nodes (All nodes must be connected at all time) • Communication infrastructure • Spanning tree • Network Value Function • f(G) := K (constant) • Cost of loss of connectivity: K × (1-1connected) • 1connected: indicator function LOST A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Examples (4/4) All-to-All Networks (e.g., Bridged Ethernet—linear loss) Need a path between any two nodes (when nodes are disconnected, the decision reached by the maximum number of nodes prevails) • Communication infrastructure • Spanning tree • Network Value Function • f(G) := # of connected nodes (in largest cluster) • Cost of loss of connectivity: |V|-max(|Vi|) • max(|Vi|) = # nodes in largest connected component LOST A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam, : A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012
Alternate Network Value Models Graph G=(V,E) |V|=n, |E|=m • Sarnoff: n(Broadcast Network) • Walrand: n1+a a≤1 (friendship network) • Metcalfe: n2 (Peer Connecting Network) • Reed: 2n(Group Forming network) • Odlyzky, Briscoe, Tilly (OBT): nlog(n) A. Gueye, V. Marbukh, J.C. Walrand: Towards a Metric for Communication Network Vulnerability to Attacks: A Game Theoretic Approach, In 3rd International ICST Conference on Game Theory for Networks (GameNets), May 25-26, 2012, Vancouver, Canada
Loss-in-Value (LiV) • Network operator’s goal • choose a set of links to maintain “some” connectivity… Denote T: set of links S S Example 1: Sensor Network • T: a (rooted) spanning arborescence • … and get some value: f(T) (=|V|) • When link efails • (New) network T\e, with value f(T\e) • Loss-in-Value (LiV) relative to T and e = f(T)- f(T\e)
Loss-in-Value (LiV) Ethernet (linear loss) Ethernet: (constant loss) Sensor Network Supply-Demand S S S 1 1 1 1 1 1 3 3 2 2 3 3 3 3 1 1 D1 D1 D1 1 1 1 1 S1 S1 S1 1 1 2 2 D2 D2 D2 Lost S2 S2 S2 D3 D3 D3 Lost Lost Lost = 3 size of smallest connected component (when connection is over T and e fails) = Kx1eT total network value ( if eT) = 3 # of nodes disconnected from S (when connection is over T and e fails) = 3 amount of goods that T carries over e
Loss-in-Value (LiV) Matrix Build Loss-in-Value matrix: LiV[E,T] links Resources LiV[T,e] Payoff matrix
Game Model SSI
Network Blocking Game Model • Graph G=(V,E) • Players • (Network) Manager • Attacker • (Pure) Strategies: • Manager: resources (TT) • Attacker: links (eE) • Payoff • Manager: - • Attacker: – μ(e) (possible attack cost)
Network Blocking Game Model • Game • One shot game • (Mixed) Strategies • Defender: on T,to minimize • Attacker: on E,to maximize SSI
Vulnerability Metric • Nash equilibrium always exists [Nash 1950] • Expected Loss (defender): • Vulnerability metric( = attacker’s expected reward) Theorem[Gueyeet. al., 2012] • is uniquely defined (there might exist multiple equilibria) • If , • Attacker’s best choice is to never launch an attack • Defender will randomize communication (e.g., multipath routing) • If , • There exists a critical subset of links (possibly multiple) • Attacker will target a critical subset of links • Defender will randomize and minimally use critical links
Vulnerability Metric: Properties • isuniquely defined • reflects defender’s loss as well as attacker’s desire to attack • closely depends on network structure (topology, amount of goods to be moved, etc…) • metric for vulnerability to attack • (strategic failures≠reliability metric which is based on • random failure) • indicates attacker’s behavior • If <0 attacker does not attack • If 0 attacker always attack • corresponds to “vulnerability” of most critical links () • identify most critical (vulnerable) links
Vulnerability Metric & Graph Theory (1/4) All-to-One Networks (e.g., Sensor Network) • Game • Operator: choose a rooted spanning arborescence • Attacker: Attack a link = # of nodes disconnected from S associated with T and e S S Vulnerability Metric (= Average # of disconnected nodes per attacked link) (Inverse) Directed Strength of Graph (Cunningham 1982) by removing links in E =2 =4 Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Graph Theory (2/4) Many-to-Many Networks (e.g., Supply-Demand) • Game • Operator: choose a feasible flow • Attacker: Attack a link = amount of goods T carries over e Vulnerability Metric (= Average excess demand per attacked link) D1 S1 D2 X S2 D3 = = total demand in = Total supply in = excess demand in Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Graph Theory (3/4) All-to-All Networks (e.g., Bridged Ethernet—constant loss) • Game • Operator: choose a spanning tree • Attacker: Attack a link = total value ( if e T) Vulnerability Metric (= Average # of (dis)connected components per attacked link) Spanning Tree Packing Number (SPT) (Tutte& Nash-Williams 1961) E = Set of edges going across the partitions = number of connected components Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Graph Theory (4/4) All-to-All Networks (e.g., Bridged Ethernet—linear loss) • Game • Operator: choose a spanning tree • Attacker: Attack a link = size of smallest connected component (=Average # of disconnected nodes per links) Vulnerability Metric (inverse) Cheeger’s constant, Edge expansion factor of G nfinite number of graphs X = Critical subset of links: E* achieves Uniform attack in each critical subset
Vulnerability Metric & Critical Links zero attack cost µe=0 All-2-All (constant loss) 1/2 a) 1/2 Vulnerability = 1/2 1/7 1/7 1/7 b) 1/7 1/7 1/7 1/7 = 4/7>1/2
Vulnerability Metric & Critical Links Critical Subsets depends on network value model (f(.)) All-2-All (exponential loss) All-2-All (linear loss) All-2-All (constant loss) Edges to the cloud Edges in the cloud Bridges Criticality depends on network topology Edges to the cloud Bridges
Vulnerability Metric & Network Design Network Design Additional link Network in b) is more vulnerable than network in c) = 3/4 = 2/3 = 3/5 a) b) c) 2/3 > 3/5
Security LimitsVulnerability/Cost Tradeoff ? Vulnerability/Risk Cost
Vulnerability/Cost Tradeoff • Each subset of resources T (e.g., feasible flow, spanning tree) has a cost w(T) • Defender has a “maximum” budget b • Can use only resources that satisfy budget constraint b≤w(T) • Set of pure strategies • (Buying out more randomness) • Define games parameterized by budget b • Vulnerability metric is a function of b: • Study function Gueye, V. Marbukh: A Game Theoretic Framework for Network Security Vulnerability Assessment and Mitigation, In 3rd International ICST Conference on Decision and Game Theory (GameSec), November 5-6, 2012, Budapest, Hungary Cost b
Vulnerability Reduction Hardening vsRedundancy (ongoing) Operator Attacker Additional budget! Hardening Redundancy
Vulnerability Reduction Redundancy vs Hardening (ongoing) • (fixed) • (random for each run) • (linear for hardening) • (random for each run) • (varies) • Relevant parameters: • Network topology • Current set of available “routes” • Benefit function • Cost of attack • Budget Run1 Run2 Run3 Gueye, V. Marbukh: Economics of Network Vulnerability Reduction: Hardening versus Redundancy, submitted, In Joint Workshop on Pricing and Incentives in Networks and Systems, June 21, 2013, in conjunction with ACM SIGMETRICS 2013 (Pittsburg, PA, USA)
Summary • Network Blocking Games • Communication model • Network value function, Loss-in-Value (LiV) • NE theorem for blocking games • Application: Quantify network vulnerability in adversarial environment • Vulnerability Metric • Critical subset of links • Properties • Algorithms • Security/Cost Tradeoff • Budget constraints • Tradeoff curves • Computational complexity Conclusion ….the ability of a malicious/selfish agent to acquire and exploit system information may alter conclusions drawn by using conventional predictive security metrics…
Future Work • Fundamentals of adversarial relationship E.g. Game Theory • Security as a design principle E.g.: System Design • Predictive metrics for security of large-scale systems • Models for local Interaction • E.g.: Game Theory, Decision Theory 1. • Identify macro parameters • Predict global behavior • Global level of security • E.g.: Complex System Theory • Statistical Inference 2. • Develop appropriate feedback control loops • E.g.: Control Theory 3.
Thank You! Questions?