a learning-based approach to reactive security *

A Learning-Based Approach to Reactive Security*

Ben RubinsteinMicrosoft Research Silicon Valley

With: Adam Barth1, Mukund Sundararajan2,John Mitchell3, Dawn Song1, Peter Bartlett1

1UC Berkeley 2Google 3Stanford

* Appeared at Financial Crypto. & Data Security 2010

Reactive Security 2

Proactive vs. Reactive SecurityWhat's important is to understand the delineation between what’s considered “acceptable” and “unacceptable” spending. The goal is

to prevent spending on reactive security “firefighting”.– John N. Stewart, VP (CSO), Cisco Systems

• Conventional wisdom for CISOs– Adopt forward-looking, proactive, approach to

managing security risks– Reactive security is akin to myopic bug chasing

TRUST Conference F'10

Reactive Security 3

Strategic Reactive Security

• Good reactive security– Should be strategic and not “firefighting”– Under certain conditions keeps up with or beats

proactive approaches– Machine Learning & Economics can help


Reactive Security 4

Focus on Truly Adversarial Attacker• No probabilistic assumptions on

attacker

• Allow attacker to be omniscient

• Consider reactive defender with limited knowledge of– System vulnerabilities– Attacker’s incentives– Attacker’s rationality


Reactive Security 5

Focus on Incentives• We model attacker cost and payoff, combined as

– additive profit; or multiplicative ROA


An effective defense need not be perfect–but it should reduce attacker’s utility relative to attacking other systems.

Reactive Security 6

Results in a Nutshell• If…

– Security budget is fungible– Attack costs linear in defense allocation– No catastrophic attacks to defender

• Attacker’s utility against reactive defense approaches utility under fixed proactive

• In many cases reactive is much better


Reactive Security 7

Formal Model: Attack Graph• System as directed graph

– Nodes: states– Edges: state

transitions

• Attacks are paths

• Examples– Compromised machines connected by a network– Components in a complex software system– Internet fraud “battlefield”


PeeringPoints

Gateway

ApplicationServers

DatabaseServers

Internet

Reactive Security 8

Formal Model: Iterated Game• Fixed properties of graph

– Node v’s reward r(v)≥0– Edge e’s attack surface w(e)

• Repeated game– Defender allocates total budget

B, with dt(e) to edge e– Attacker launches attack at

– Attacker pays and receives

• Attacker sees defense prior to attack• Defender sees edges/weights only once attacked


tavtt vraPayoff )()(

tae ttt ewedaCost )(/)()(

Attacksurface

Defenseallocation

Reactive Security 9

Proactive Defender(s)• Pro’s of analysis: includes

defenders who– Have perfect knowledge of the

entire graph– Have perfect knowledge of the

attacks– Play rationally given in/complete

information

• Con’s of analysis– We (mostly) assume proactive

plays fixed strategy


Reactive Security 10

Strategic Reactive Defender

• Based on Multiplicative Weights algorithm of Online Learning Theory• Unseen edges get no allocation• Budget is increased on attacked edges• Allocation due to “the past” is exponentially down-weighed since 0<β<1


All edges initially unseen

Observe attacked edges

Count #times edge attacked

Multiplicative update

Re-normalize in [0,1]; allocate this times budget B


Main Theorems• Attacker’s utility

– Profit = Payoff – Cost– ROA = (Total Payoff) / (Total Cost)

• Compared to any proactive strategy d*, the reactive strategy achieves–

– for any α



Robustness & Extensions• Robustness

– Proactive not robust touncertainty in attacker’sutility; reactive is!!

– Reactive can do muchbetter under uncertainpayoffs

• Extensions– Hypergraphs / Datalog– Multiple attackers– Adaptive proactive defenders



Conclusions• Incentives-based, fully-adversarial risk model

• Learning-based defender performs close to or better than fixed proactive defenders

• Recommendations for CISOs– Employ monitoring tools to help focus on real attacks– Make security organization more agile– Avoid overreacting to the most recent attack;

consider past attacks (down-weighed exponentially)


Thanks!!


Model Case Studies• Perimeter defense

– Non-zero reward at one vertex

– Rational attacker will select minimum-cost path from start to reward

– Rational defense is to maximize minimum-cost path: allocate budget to minimum-cut



Model Case Studies

• Defense in Depth

– Allocate budget evenly to edges

– ROA = 1



Proof Sketch• Profit when edges are known

– Simple reduction to standard regret bound of Freund-Schapire for Multiplicative Update alg

• Profit under hidden edges– Simulation argument shows that a slight modification to

MultUp produces same allocations as MultUp on observed graph

– Care taken with – Algorithms’ profits bounded by

• ROA under hidden edges– Ratio of two numbers is small if numbers are large & similar.

Need:



Lower Bound

• Lemma: for all reactive algorithms the competitive ratio is at least .

• Implies a convergence rate in terms of α matching that of the ROA regret bound up to constants


s r:1

w:1

w:1Budget=1


Learning Rewards• Consider star configuration

with unknown rewards

• Proactive defense– Allocates budget equally– Competitive ratio for ROA is

#{leaf vertices}

• Reactive defense– Learns the rewards



Robustness to Objective

• Given defense budget of 9

• Proactive defender assuming profit-seeking – Allocates 9 to right-hand edge: 1 profit for all

attacks– ROA for left-hand edge is infinite!!

• Reactive defender’s play is invariant


a learning-based approach to reactive security *

Documents