Game Theoretic Driven Intrusion Response to National Security Threats

Presentation Transcript

Application of Game Theory Toward National Security:

Application of Game Theory Toward National Security, Part II: Game Theoretic Driven Intrusion Response to National Security Threats
Richard Finn

A cyber security threat is not always considered a national security threat:

- There are cyber security threats that are not threats to national security
- There are national security threats that are completely unrelated to cyber security (Rosenzweig, 2009)

When is a Cyber Security Threat a National Security Threat?:

- The threat must be damaging to the nation's vital infrastructure: transportation, communications, energy
- The threat causes leakage of intellectual property: national security secrets, industrial espionage
- The threat undermines the national economy: financial market manipulation, preventing financial markets from functioning

When is a Cyber Security Threat a National Security Threat? (Cont.):

- The threat causes interference with the nation's ability to utilize technology for national security purposes (Rosenzweig, 2009)

There is a large area of exposure to cyber-borne threats:

- Society has built a reliance on cyber space
- Complex software and malignant use of powerful hardware cause vulnerabilities
- There will always be a certain amount of danger stemming from cyber space (Rosenzweig, 2009, p. 1)

Common areas of control in cyber space:

- Are sources of contention between nations with different social and economic interests
- These areas are combined on a global level, leaving no means of separation (Rosenzweig, 2009, p. 2)
- Because computer-related equipment is manufactured globally, there is no system to ensure product safety (Rosenzweig, 2009, p. 1)

The scope of physical attack is always limited:

- The destructive force of an explosive device is limited, no matter the size
- Because of the large area of exposure to attack that cyber space offers, the effects of an attack can be more far-reaching than any physical attack (Rosenzweig, 2009, p. 1)

Using cyber space to attack can have actual kinetic consequences:

- The Stuxnet worm: "the most sophisticated cyberweapon ever deployed"
- Generally attributed as a joint creation of the United States and Israeli governments
- For the first time, a cyber-attack was carried out with the purpose of causing physical damage (Broad, Markoff, & Sanger, 2011)

The Stuxnet worm was an attack on Iran's Nuclear Program:

- Targeted a vulnerability in Microsoft Windows to attack a certain type of Siemens industrial switches
- These Siemens switches controlled centrifuges used to create fuel for Iran's nuclear program
- This software exploit caused the centrifuges to spin uncontrollably
- Caused the destruction of 1000 centrifuges (Broad, Markoff, & Sanger, 2011)

This attack is a great source of knowledge about cyber security:

- The attack had success, but wasn't completely successful
- It didn't fully destroy Iran's nuclear program (Broad, Markoff, & Sanger, 2011)
- Analysis of the successes and failures of this cyber attack could be a great resource to those charged with defending the national security infrastructure from threats originating in cyber space

Traditional risk management and deterrent techniques:

- Costly, and do not always provide complete or adequate coverage when applied to the vast reaches of cyber space
- The cost of protection from any threat is passed on to an actor using the system (Rosenzweig, 2009, p. 2)

The popular methods of intrusion response (IR) defenses involve automating processes with table-based defenses:

- Allow for a more rapid response to malicious activity using preset functions
- But the methods are rigid, because the cost of the intrusion is not factored into the response
- Lack of scalability, because of the inability to predict all possible combinations of alerts in a sizable network system (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 1)

Increasingly popular methods of intrusion response defense are cost-based methodologies:

- A cost-effective, efficient intrusion detection/response system using Markov game theory modeling is a viable option to protect national security assets
- The RRE (Response and Recovery Engine) is such a system (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 1)

The RRE design:

- A model based on "security battle(s) between itself and the attacker as a multi-step, sequential, hierarchical, non-zero-sum, two-player stochastic game"
- A new decision tree is generated for each step of the attack (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 1)

Decision Trees in RRE:

- Each new decision tree is based on security alerts received by the RRE and evaluated against the system's security properties
- Inconclusive alerts, such as false positives and false negatives, are incorporated in the response calculation
- The attack trees are converted into Markovian competitive decision processes, which are solved for the most efficient response, i.e. the one that keeps the attacker's total accumulated damage to the minimum (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 1)

Inconclusive alerts:

- Their inclusion in the response calculation, and minimizing them, is critical for systems related to national security to run in the most effective way possible
- Every transaction that is subject to any kind of protective measure collectively costs society, which is paid for in efficiency, added financial costs, and lost privacy (Rosenzweig, 2009, p. 2)

The design of RRE is a bi-level architecture:

- Locally resident engines
- The response and recovery server resides on the global server
- The appropriate response or recovery action is selected at the global level when a local engine is disrupted (Zonouz, Himanshu, Sanders, & Yardley, 2009, pp. 1-2)

Advantages of bi-level design:

- Scalability
- Design flexibility
- High performance in the area of protection from attack in large-scale computer domains (Zonouz, Himanshu, Sanders, & Yardley, 2009, pp. 1-2)

High level design of the RRE:

Diagram (not reproduced in the transcript) from Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 2

Attack/Counter Attack:

- Attacks usually occur in stages
- The RRE engine considers that attackers will use countermeasures to try to defeat the logical actions a systems administrator will take to counter the attack
- Utilizes game theory that searches for "responses that optimize on long-term gains", not short-term, greedy goals (Zonouz, Himanshu, Sanders, & Yardley, 2009, pp. 1-2)

Response calculation:

- The second level of RRE constructs partially observable Markov decision processes from decision trees based on the alerts
- Inconclusive alerts are taken into consideration, and the optimal response is calculated
- Current IDS (Intrusion Detection Systems) do not have the ability to exactly match alerts to successful attacks, which a practical response has to allow for (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 2)

Optimal Response Formula:

(The formula's symbols were not captured in the transcript; the slide defines them as follows.)
- [symbol] is the complete set of information systems under protection of the RRE
- [symbol] represents the complete set of alerts sent by the IDS that suggest an attack on a specific exploit
- [symbol] represents the complete set of possible responses, including No Op, to a specific threat made on an exploitation, that the RRE can select from
- [symbol] defines the Attack Response Tree graph structure that systematically defines how intrusive (responsive) scenarios about the attacker (response engine) affect system security
- The root function of the engine is [symbol] (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 2)

The Local Engine:

- Contains inputs made up from alerts from the IDS and attack-response trees
- The alerts are stored in the alert database, which is replicated to all the local RRE engines
- When information concerning local assets is committed to the alert database, the local engines are updated
- The local engines use this information to "compute local response actions and send them to RRE agents that are in charge of enforcing received commands and reporting back the accomplishment status, i.e., whether the command was successfully carried out" (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 2)

The Local Engine (Cont.):

- The engines consist of a decision engine and a state space generator
- All security states for the host systems involved are calculated when inputs are received; a partial state space is generated so that a decision about the optimal response can be made rapidly
- The decision calculator calls the "game theoretic algorithm", which constructs a model of the attacker/RRE exchanges, using the best overall outcome instead of the best immediate return as the goal (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 2)

The Global RRE Engine:

- The local engines require globally acquired inputs to calculate the optimal response action
- Control of a local RRE engine might be lost to the attacker, and it may be turned against the network
- The global RRE engine collects information from the local hosts, and correlates the optimal response among all the local hosts using that information

The Global RRE Engine (Cont.):

- An attack/response tree is assembled from network topology mappings, which shows how combinations of responses will affect the network and which will halt the network attack
- The global attack/response trees are dependent on specific network topologies, and their design should be left to experts
- Local attack/response trees are reused after their initial creation (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 3)

The most important goal of the system:

- To ascertain what security properties are being violated, which is determined by alerts
- Threats are categorized using extended attack trees that combine countermeasures and inconclusive alerts
- From this set, subsets of consequences are derived, which are partially based on AND/OR gating of the local asset (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 3)

Inconclusive alerts add a new level of complexity to the calculations:

- A naïve Bayes binary classifier is used to determine the relationship between alerts and the probability that a consequence has really occurred or not occurred (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 4)
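The AND/OR attack-response tree of the previous slide and the naive Bayes treatment of inconclusive alerts on this one can be put together in a small worked example. The code below is an added illustration, not code from the RRE paper or from the presentation; the tree shape, alert names, priors and likelihood figures are all constructed. Each leaf consequence carries a naive Bayes binary classifier that turns the set of alerts that fired (and, just as importantly, those that stayed silent) into a posterior probability that the consequence really occurred; AND gates multiply child probabilities and OR gates combine them with the complement rule, under the same independence assumption the classifier makes; and thresholding the leaf posteriors gives the satisfied/unsatisfied binary vector that the decision model later consumes.

```python
"""Attack-response tree evaluation driven by naive Bayes alert scoring.

Added example, not code from the RRE paper (Zonouz et al., 2009) or the
slides. Tree shape, alert names, priors and likelihoods are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AlertModel:
    """Naive Bayes binary classifier for one leaf consequence.

    likelihoods[alert] = (P(alert fires | consequence occurred),
                          P(alert fires | consequence did not occur))
    The figures are constructed training statistics, not real IDS data.
    """
    prior: float
    likelihoods: Dict[str, Tuple[float, float]]

    def posterior(self, fired: Set[str]) -> float:
        """P(consequence occurred | which alerts fired), alerts treated as independent."""
        p_yes, p_no = self.prior, 1.0 - self.prior
        for alert, (l_yes, l_no) in self.likelihoods.items():
            if alert in fired:
                p_yes *= l_yes
                p_no *= l_no
            else:  # a silent alert is evidence too: the false-negative case
                p_yes *= 1.0 - l_yes
                p_no *= 1.0 - l_no
        return p_yes / (p_yes + p_no)


@dataclass
class Node:
    name: str
    gate: Optional[str] = None             # "AND" / "OR" for internal nodes, None for a leaf
    children: List["Node"] = field(default_factory=list)
    model: Optional[AlertModel] = None     # leaves only


def probability_satisfied(node: Node, fired: Set[str]) -> float:
    """Probability that the (sub)tree's consequence holds, propagated through the gates."""
    if node.gate is None:
        return node.model.posterior(fired)
    probs = [probability_satisfied(child, fired) for child in node.children]
    if node.gate == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.gate == "OR":
        none_hold = 1.0
        for p in probs:
            none_hold *= 1.0 - p
        return 1.0 - none_hold
    raise ValueError(f"unknown gate {node.gate!r}")


def leaf_state_vector(node: Node, fired: Set[str], threshold: float = 0.5) -> Dict[str, int]:
    """Binary satisfied/unsatisfied vector over the leaves, the form the decision model consumes."""
    if node.gate is None:
        return {node.name: int(node.model.posterior(fired) >= threshold)}
    vec: Dict[str, int] = {}
    for child in node.children:
        vec.update(leaf_state_vector(child, fired, threshold))
    return vec


# Constructed tree: the web server is compromised either through a scan followed by a
# working exploit, or through stolen credentials.
EXAMPLE_TREE = Node("web_server_compromised", "OR", [
    Node("remote_exploit_path", "AND", [
        Node("port_scan_seen", model=AlertModel(0.2, {"nids_portscan": (0.9, 0.1)})),
        Node("exploit_landed", model=AlertModel(0.1, {"nids_overflow_sig": (0.8, 0.05),
                                                      "hids_new_process": (0.7, 0.2)})),
    ]),
    Node("creds_stolen", model=AlertModel(0.05, {"phish_report": (0.6, 0.1),
                                                 "login_anomaly": (0.7, 0.05)})),
])


if __name__ == "__main__":
    fired = {"nids_portscan", "nids_overflow_sig", "hids_new_process"}  # constructed alert batch
    print("P(root consequence):", round(probability_satisfied(EXAMPLE_TREE, fired), 3))
    print("leaf state vector:", leaf_state_vector(EXAMPLE_TREE, fired))
```

With the constructed batch of three alerts the exploit branch comes out at roughly 0.60 and the credential leaf stays near zero, so the root consequence is about 0.60 and the state vector marks only the two exploit-path leaves as satisfied; with no alerts at all the root probability drops below 0.01, which is the "inconclusive alert" effect the slide describes feeding into the response calculation.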

Construction of the Decision/Response Model:

- A sequential Stackelberg game, where the engine leads, the attacker follows, and a finite set of security states (s) is the model for the response engine
- The attacker "observes" the response of the RRE, and responds with an "adversarial action"
- The attacker's true goal is unknown, so it is assumed to be causing the maximum amount of damage
- The attack/response trees are then converted into decision response models using satisfied/unsatisfied as variables in a binary vector (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 4)
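As an added example (not the RRE paper's algorithm or code, and simplified relative to it), the toy below solves a finite-horizon Stackelberg game of the kind this slide, the "Attack/Counter Attack" slide and "The Local Engine (Cont.)" describe: a small finite set of security states, a responder who moves first, and an attacker who observes the response and picks the action that maximizes damage. Unlike the paper's model, transitions are deterministic and fully observed (the alert-driven belief of the previous example is left out), and the state names, response costs and per-round damage figures are all constructed. The point it demonstrates is the contrast between the best immediate return and the best overall outcome: with a one-step horizon the responder does nothing at the foothold stage because isolating the host looks expensive, and pays for it when the attacker advances; with a three-step lookahead it isolates immediately and finishes cheaper.

```python
"""Finite-horizon Stackelberg intrusion-response game (added toy example).

Not the RRE paper's model: deterministic, fully observed, and every number
(states, response costs, damage) is constructed for illustration.
"""
from functools import lru_cache
from typing import List, Tuple

# Attacker progress states and the damage charged for each round that ends in them.
NEXT_STATE = {"recon": "foothold", "foothold": "lateral", "lateral": "exfil", "exfil": "exfil"}
DAMAGE = {"recon": 0, "foothold": 2, "lateral": 5, "exfil": 20}
# Cost of the responder's own action (operational disruption, analyst time); "noop" is the No Op response.
RESPONSE_COST = {"noop": 0, "block": 1, "isolate": 6}
ATTACKER_ACTIONS = ("advance", "wait")


def transition(state: str, response: str, attack: str) -> str:
    """Deterministic next state given the responder's move and the attacker's reply."""
    if response == "isolate":                      # host isolated: attacker is pushed back to recon
        return "recon"
    if attack == "wait":
        return state
    if response == "block" and state == "recon":   # a perimeter block only helps before a foothold exists
        return "recon"
    return NEXT_STATE[state]


def outcome(state: str, response: str, attack: str, horizon: int) -> int:
    """Damage of the resulting state plus the minimax value of what follows."""
    s_next = transition(state, response, attack)
    return DAMAGE[s_next] + value(s_next, horizon - 1)


def worst_case(state: str, response: str, horizon: int) -> int:
    """Follower maximizes: the attacker sees the response before choosing."""
    return max(outcome(state, response, a, horizon) for a in ATTACKER_ACTIONS)


@lru_cache(maxsize=None)
def value(state: str, horizon: int) -> int:
    """Leader minimizes response cost plus worst-case accumulated damage over `horizon` rounds."""
    if horizon == 0:
        return 0
    return min(RESPONSE_COST[r] + worst_case(state, r, horizon) for r in RESPONSE_COST)


def best_response(state: str, horizon: int) -> str:
    """Responder's leading move; horizon 1 is the greedy, best-immediate-return policy."""
    return min(RESPONSE_COST, key=lambda r: RESPONSE_COST[r] + worst_case(state, r, horizon))


def attacker_reply(state: str, response: str, horizon: int) -> str:
    """Attacker's best reply after observing the response (maximum damage, as the slide assumes)."""
    return max(ATTACKER_ACTIONS, key=lambda a: outcome(state, response, a, horizon))


def play(start: str, rounds: int, responder_horizon: int) -> Tuple[int, List[Tuple[str, str, str]]]:
    """Play `rounds` rounds; the responder looks ahead `responder_horizon`, the attacker sees the full remainder.

    Returns (total cost = response costs + damage, trace of (response, attack, new state)).
    """
    state, total, trace = start, 0, []
    for remaining in range(rounds, 0, -1):
        r = best_response(state, min(responder_horizon, remaining))
        a = attacker_reply(state, r, remaining)
        state = transition(state, r, a)
        total += RESPONSE_COST[r] + DAMAGE[state]
        trace.append((r, a, state))
    return total, trace


if __name__ == "__main__":
    for h in (1, 3):
        total, trace = play("foothold", 3, h)
        print(f"responder horizon {h}: total cost {total}, trace {trace}")
```

Starting at "foothold" with three rounds to play, the greedy responder (horizon 1) answers with no-op, loses the host to lateral movement, and then has to isolate anyway, for a total cost of 12; the three-round lookahead isolates first and blocks twice, for a total of 8. Swapping the numbers in the three tables changes which policy wins, which is exactly why the slide insists the cost of the intrusion be factored into the response rather than fixed in a static table.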

Case studies involving a SCADA network:

- In 64 out of 64 cases, RRE had a recovery cost less than or equal to that of a traditional static-type intrusion recovery system
- In cases where the attacker was allowed two moves to the RRE's one move, the RRE had smaller recovery costs in 59 out of 64 scenarios; in five scenarios, the cost was greater (Zonouz, Himanshu, Sanders, & Yardley, 2009, p. 9)

RRE and National Security:

- The Response and Recovery Engine is a flexible, scalable intrusion detection/response/recovery model which offers a uniform approach to security for information systems critical to the national security infrastructure

The US Government's response to Cyber Security:

- There has been no organized or consistent approach to cyber security at the governmental level
- The governmental response to cyber security has been to address legal issues, and at the organizational level there is widespread "unawareness" (Rosenzweig, 2009, pp. 6, 7)

The private sector's response to cyber security:

- The private sector's response has been characterized as "unstructured"
- The private sector relies on government security on most occasions
- The cost of security failure in the private sector is not properly calculated, so the actors that are actually responsible for the costs aren't held accountable in a way that would make them take adequate protective measures

PowerPoint Presentation: 

If a cyber asset was declared a national security asset, perhaps it would be wise to assign minimum RRE standards designed by credentialed industry professionals in order to bring our critical infrastructure’s cyber defenses up to a minimum standard of response and recovery?

Works Cited:

Broad, W., Markoff, J., & Sanger, D. (2011, January 11). Israeli test on worm called crucial in Iran nuclear delay. Retrieved November 15, 2011, from The New York Times: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all

Rosenzweig, P. (2009, June 4). National security threats in cyberspace: a workshop. Retrieved November 10, 2011, from National Strategy Forum: http://www.nationalstrategy.com/Portals/0/documents/National%20Security%20Threats%20in%20Cyberspace.pdf

Zonouz, S., Himanshu, K., Sanders, W., & Yardley, T. (2009). RRE: a game-theoretic intrusion response and recovery engine. Dependable Systems & Networks, 2009. DSN '09. IEEE/IFIP International Conference (pp. 439-448). Lisbon: IEEE/IFIP.