A Learning-Based Approach to Reactive Security*
Ben Rubinstein, Microsoft Research Silicon Valley
With: Adam Barth1, Mukund Sundararajan2, John Mitchell3, Dawn Song1, Peter Bartlett1
1 UC Berkeley, 2 Google, 3 Stanford
* Appeared at Financial Crypto. & Data Security 2010
Reactive Security 2
Proactive vs. Reactive Security
“What's important is to understand the delineation between what’s considered “acceptable” and “unacceptable” spending. The goal is to prevent spending on reactive security “firefighting”.” – John N. Stewart, VP (CSO), Cisco Systems
• Conventional wisdom for CISOs
– Adopt forward-looking, proactive approach to managing security risks
– Reactive security is akin to myopic bug chasing
TRUST Conference F'10
Strategic Reactive Security
• Good reactive security
– Should be strategic and not “firefighting”
– Under certain conditions keeps up with or beats proactive approaches
– Machine Learning & Economics can help
Focus on Truly Adversarial Attacker
• No probabilistic assumptions on attacker
• Allow attacker to be omniscient
• Consider reactive defender with limited knowledge of
– System vulnerabilities
– Attacker’s incentives
– Attacker’s rationality
Focus on Incentives
• We model attacker cost and payoff, combined as
– additive profit; or
– multiplicative ROA
An effective defense need not be perfect, but it should reduce the attacker’s utility relative to attacking other systems.
Results in a Nutshell
• If…
– Security budget is fungible
– Attack costs linear in defense allocation
– No catastrophic attacks to defender
• Attacker’s utility against reactive defense approaches utility under fixed proactive
• In many cases reactive is much better
Formal Model: Attack Graph
• System as directed graph
– Nodes: states
– Edges: state transitions
• Attacks are paths
• Examples
– Compromised machines connected by a network
– Components in a complex software system
– Internet fraud “battlefield”
[Figure: example attack graph of a network; labelled components: Internet, Peering Points, Gateway, Application Servers, Database Servers]
Formal Model: Iterated Game
• Fixed properties of graph
– Node v’s reward r(v) ≥ 0
– Edge e’s attack surface w(e)
• Repeated game
– Defender allocates total budget B, with d_t(e) to edge e
– Attacker launches attack a_t
– Attacker pays Cost and receives Payoff
• Attacker sees defense prior to attack
• Defender sees edges/weights only once attacked
$\mathrm{Payoff}_t(a_t) = \sum_{v \in a_t} r(v)$
$\mathrm{Cost}_t(a_t, d_t) = \sum_{e \in a_t} \frac{d_t(e)}{w(e)}$   (w(e): attack surface; d_t(e): defense allocation)
Proactive Defender(s)
• Pro’s of analysis: includes defenders who
– Have perfect knowledge of the entire graph
– Have perfect knowledge of the attacks
– Play rationally given in/complete information
• Con’s of analysis
– We (mostly) assume proactive plays fixed strategy
Strategic Reactive Defender
• Based on Multiplicative Weights algorithm of Online Learning Theory
• Unseen edges get no allocation
• Budget is increased on attacked edges
• Allocation due to “the past” is exponentially down-weighed since 0 < β < 1
Algorithm steps (each round):
• All edges initially unseen
• Observe attacked edges
• Count #times edge attacked
• Multiplicative update
• Re-normalize in [0,1]; allocate this times budget B
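The following is an added example, written for this transcript and not the authors' code, that runs the iterated game above with the reactive defender's steps against an omniscient attacker who sees the allocation d_t and takes the minimum-cost path (cost d_t(e)/w(e)) to the reward. Assumptions not on the slides: the two attack graphs are constructed, the attacker always attacks a single fixed target, and the multiplicative update uses the raw attack count as the exponent of β (weight β^(-count), so 0 < β < 1 makes the weight grow with each attack); the paper's exact update rule may differ.

```python
"""Reactive multiplicative-weights defender vs. an omniscient attacker.
Added example (not the authors' code); graphs below are constructed."""
import heapq
from typing import Callable, Dict, List, Optional, Tuple

Edge = Tuple[str, str]
Alloc = Dict[Edge, float]


class AttackGraph:
    """Nodes carry rewards r(v) >= 0; edges carry attack surfaces w(e) > 0."""

    def __init__(self, reward: Dict[str, float], surface: Dict[Edge, float]):
        self.reward, self.surface = reward, surface

    def cheapest_attack(self, alloc: Alloc, start: str, target: str) -> Tuple[List[Edge], float]:
        """Dijkstra with edge cost d(e)/w(e): the attacker sees d_t before attacking.
        Assumes the target is reachable from start."""
        best: Dict[str, float] = {start: 0.0}
        prev: Dict[str, Edge] = {}
        heap = [(0.0, start)]
        while heap:
            cost, node = heapq.heappop(heap)
            if node == target:
                break                      # first pop of the target is its final cost
            if cost > best[node]:
                continue                   # stale heap entry
            for e, w in self.surface.items():
                if e[0] != node:
                    continue
                new_cost = cost + alloc.get(e, 0.0) / w   # undefended edges are free
                if new_cost < best.get(e[1], float("inf")):
                    best[e[1]], prev[e[1]] = new_cost, e
                    heapq.heappush(heap, (new_cost, e[1]))
        path, node = [], target
        while node != start:               # walk predecessors back to the start
            path.append(prev[node])
            node = prev[node][0]
        return path[::-1], best[target]


class ReactiveDefender:
    """Slide steps: unseen edges get nothing; count attacks per edge; weight each
    seen edge by beta**(-count) (assumption: raw count in the exponent); renormalise
    to [0, 1] and scale by the budget B."""

    def __init__(self, budget: float, beta: float):
        if not 0 < beta < 1:
            raise ValueError("beta must lie in (0, 1)")
        self.budget, self.beta = budget, beta
        self.count: Dict[Edge, int] = {}

    def observe(self, attacked: List[Edge]) -> None:
        for e in attacked:
            self.count[e] = self.count.get(e, 0) + 1

    def allocation(self) -> Alloc:
        weights = {e: self.beta ** (-n) for e, n in self.count.items()}
        total = sum(weights.values())
        return {e: self.budget * w / total for e, w in weights.items()} if total else {}


def uniform_allocation(graph: AttackGraph, budget: float) -> Alloc:
    """Fixed proactive 'defense in depth': spread B evenly over every edge."""
    return {e: budget / len(graph.surface) for e in graph.surface}


def play(graph: AttackGraph, start: str, target: str, rounds: int, allocate: Callable[[], Alloc],
         observe: Optional[Callable[[List[Edge]], None]] = None) -> Tuple[float, float]:
    """Iterated game; returns the attacker's (total payoff, total cost).
    Payoff = sum of r(v) over visited nodes, cost = sum of d_t(e)/w(e) over the path."""
    payoff = cost = 0.0
    for _ in range(rounds):
        path, c = graph.cheapest_attack(allocate(), start, target)
        payoff += sum(graph.reward[v] for _, v in path)
        cost += c
        if observe is not None:
            observe(path)                  # the defender learns only the attacked edges
    return payoff, cost


def roa(payoff: float, cost: float) -> float:
    """Return on attack: total payoff over total cost (inf if every attack was free)."""
    return payoff / cost if cost > 0 else float("inf")


def compare(graph: AttackGraph, start: str, target: str,
            budget: float, beta: float, rounds: int) -> Tuple[float, float]:
    """Attacker's cumulative ROA against (uniform proactive, reactive) defence."""
    fixed = uniform_allocation(graph, budget)
    p_pay, p_cost = play(graph, start, target, rounds, lambda: fixed)
    reactive = ReactiveDefender(budget, beta)
    r_pay, r_cost = play(graph, start, target, rounds, reactive.allocation, reactive.observe)
    return roa(p_pay, p_cost), roa(r_pay, r_cost)


# Constructed inputs.  STAR: hub s with four leaves, reward only at leaf c.
# NETWORK: two routes from the Internet to a database holding the reward.
STAR = AttackGraph({"s": 0, "a": 0, "b": 0, "c": 10.0, "d": 0},
                   {("s", leaf): 1.0 for leaf in "abcd"})
NETWORK = AttackGraph(
    {"internet": 0, "gateway": 0, "app": 0, "vpn": 0, "db": 10.0},
    {("internet", "gateway"): 2.0, ("gateway", "app"): 1.0, ("app", "db"): 1.0,
     ("internet", "vpn"): 1.0, ("vpn", "db"): 1.0})

if __name__ == "__main__":
    print("star    ROA (proactive, reactive):", compare(STAR, "s", "c", 4.0, 0.5, 5))
    print("network ROA (proactive, reactive):", compare(NETWORK, "internet", "db", 5.0, 0.5, 50))
```

On the star, the reactive defender concedes one free attack, then puts the whole budget on the single edge it has seen attacked, so over five rounds the attacker's ROA is 3.125 against 10 for the uniform proactive allocation that spreads the budget over all four leaves. On the two-route network the attacker alternates between routes as the allocation chases the last attack; the free early rounds inflate the attacker's cumulative ROA, and the slides' guarantees concern the long-horizon comparison, not any single short run.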
Main Theorems
• Attacker’s utility
– Profit = Payoff – Cost
– ROA = (Total Payoff) / (Total Cost)
• Compared to any proactive strategy d*, the reactive strategy achieves
–
– for any α
Robustness & Extensions
• Robustness
– Proactive not robust to uncertainty in attacker’s utility; reactive is!!
– Reactive can do much better under uncertain payoffs
• Extensions
– Hypergraphs / Datalog
– Multiple attackers
– Adaptive proactive defenders
Conclusions
• Incentives-based, fully-adversarial risk model
• Learning-based defender performs close to or better than fixed proactive defenders
• Recommendations for CISOs
– Employ monitoring tools to help focus on real attacks
– Make security organization more agile
– Avoid overreacting to the most recent attack; consider past attacks (down-weighed exponentially)
Thanks!!
Model Case Studies
• Perimeter defense
– Non-zero reward at one vertex
– Rational attacker will select minimum-cost path from start to reward
– Rational defense is to maximize minimum-cost path: allocate budget to minimum cut
Model Case Studies
• Defense in Depth
– Allocate budget evenly to edges
– ROA = 1
Proof Sketch
• Profit when edges are known
– Simple reduction to standard regret bound of Freund-Schapire for Multiplicative Update algorithm
• Profit under hidden edges
– Simulation argument shows that a slight modification to MultUp produces same allocations as MultUp on observed graph
– Care taken with
– Algorithms’ profits bounded by
• ROA under hidden edges
– Ratio of two numbers is small if numbers are large & similar. Need:
Lower Bound
• Lemma: for all reactive algorithms the competitive ratio is at least .
• Implies a convergence rate in terms of α matching that of the ROA regret bound up to constants
[Figure: lower-bound example graph; start vertex s, reward vertex with r:1, edges labelled w:1 and w:1, Budget=1]
Learning Rewards
• Consider star configuration with unknown rewards
• Proactive defense
– Allocates budget equally
– Competitive ratio for ROA is #{leaf vertices}
• Reactive defense
– Learns the rewards
Robustness to Objective
• Given defense budget of 9
• Proactive defender assuming profit-seeking
– Allocates 9 to right-hand edge: 1 profit for all attacks
– ROA for left-hand edge is infinite!!
• Reactive defender’s play is invariant