A Learning-Based Approach to Reactive Security *

Ben Rubinstein, Microsoft Research Silicon Valley. With: Adam Barth (1), Mukund Sundararajan (2), John Mitchell (3), Dawn Song (1), Peter Bartlett (1). (1) UC Berkeley, (2) Google, (3) Stanford. * Appeared at Financial Crypto. & Data Security 2010.

Presentation Transcript


  1. A Learning-Based Approach to Reactive Security*
     Ben Rubinstein, Microsoft Research Silicon Valley
     With: Adam Barth (1), Mukund Sundararajan (2), John Mitchell (3), Dawn Song (1), Peter Bartlett (1)
     (1) UC Berkeley, (2) Google, (3) Stanford
     * Appeared at Financial Crypto. & Data Security 2010

  2. Proactive vs. Reactive Security
     What's important is to understand the delineation between what’s considered “acceptable” and “unacceptable” spending. The goal is to prevent spending on reactive security “firefighting”. – John N. Stewart, VP (CSO), Cisco Systems
     • Conventional wisdom for CISOs
       • Adopt forward-looking, proactive, approach to managing security risks
       • Reactive security is akin to myopic bug chasing
     Reactive Security

  3. Strategic Reactive Security
     • Good reactive security
       • Should be strategic and not “firefighting”
       • Under certain conditions keeps up with or beats proactive approaches
     • Machine Learning & Economics can help

  4. Focus on Truly Adversarial Attacker
     • No probabilistic assumptions on attacker
     • Allow attacker to be omniscient
     • Consider reactive defender with limited knowledge of
       • System vulnerabilities
       • Attacker’s incentives
       • Attacker’s rationality

  5. Focus on Incentives
     • We model attacker cost and payoff, combined as
       • additive profit; or
       • multiplicative ROA
     An effective defense need not be perfect – but it should reduce attacker’s utility relative to attacking other systems.

  6. Results in a Nutshell
     • If…
       • Security budget is fungible
       • Attack costs linear in defense allocation
       • No catastrophic attacks to defender
     • Attacker’s utility against reactive defense approaches utility under fixed proactive
     • In many cases reactive is much better

  7. Formal Model: Attack Graph
     • System as directed graph
       • Nodes: states
       • Edges: state transitions
       • Attacks are paths
     • Examples
       • Compromised machines connected by a network
       • Components in a complex software system
       • Internet fraud “battlefield”
     [Figure: example network with nodes Internet, Gateway, Peering Points, Application Servers, Database Servers]

  8. Formal Model: Iterated Game
     • Fixed properties of graph
       • Node v’s reward r(v) ≥ 0
       • Edge e’s attack surface w(e)
     • Repeated game
       • Defender allocates total budget B, with d_t(e) to edge e
       • Attacker launches attack at
       • Attacker pays and receives
       • Attacker sees defense prior to attack
       • Defender sees edges/weights only once attacked
     [Figure labels: Defense allocation, Attack surface]

  9. Proactive Defender(s)
     • Pros of analysis: includes defenders who
       • Have perfect knowledge of the entire graph
       • Have perfect knowledge of the attacks
       • Play rationally given in/complete information
     • Cons of analysis
       • We (mostly) assume proactive plays fixed strategy

  10. Strategic Reactive Defender
     • Based on Multiplicative Weights algorithm of Online Learning Theory
     • Unseen edges get no allocation
     • Budget is increased on attacked edges
     • Allocation due to “the past” is exponentially down-weighted since 0 < β < 1
     [Algorithm annotations, in order: All edges initially unseen; Observe attacked edges; Count #times edge attacked; Multiplicative update; Re-normalize in [0,1]; allocate this times budget B]

  11. Main Theorems
     • Attacker’s utility
       • Profit = Payoff – Cost
       • ROA = (Total Payoff) / (Total Cost)
     • Compared to any proactive strategy d*, the reactive strategy achieves
     • for any α

  12. Robustness & Extensions
     • Robustness
       • Proactive not robust to uncertainty in attacker’s utility; reactive is!!
       • Reactive can do much better under uncertain payoffs
     • Extensions
       • Hypergraphs / Datalog
       • Multiple attackers
       • Adaptive proactive defenders

  13. Conclusions
     • Incentives-based, fully-adversarial risk model
     • Learning-based defender performs close to or better than fixed proactive defenders
     • Recommendations for CISOs
       • Employ monitoring tools to help focus on real attacks
       • Make security organization more agile
       • Avoid overreacting to the most recent attack; consider past attacks (down-weighted exponentially)

  14. Thanks!!

  15. Model Case Studies
     • Perimeter defense
       • Non-zero reward at one vertex
       • Rational attacker will select minimum-cost path from start to reward
       • Rational defense is to maximize minimum-cost path: allocate budget to minimum-cut

  16. Model Case Studies
     • Defense in Depth
       • Allocate budget evenly to edges
       • ROA = 1

  17. Proof Sketch
     • Profit when edges are known
       • Simple reduction to standard regret bound of Freund-Schapire for Multiplicative Update alg
     • Profit under hidden edges
       • Simulation argument shows that a slight modification to MultUp produces same allocations as MultUp on observed graph
       • Care taken with
       • Algorithms’ profits bounded by
     • ROA under hidden edges
       • Ratio of two numbers is small if numbers are large & similar. Need:

  18. Lower Bound
     • Lemma: for all reactive algorithms the competitive ratio is at least .
     • Implies a convergence rate in terms of α matching that of the ROA regret bound up to constants
     [Figure: example graph with labels s, w:1, w:1, r:1, Budget=1]

  19. Learning Rewards
     • Consider star configuration with unknown rewards
     • Proactive defense
       • Allocates budget equally
       • Competitive ratio for ROA is #{leaf vertices}
     • Reactive defense
       • Learns the rewards

  20. Robustness to Objective
     • Given defense budget of 9
     • Proactive defender assuming profit-seeking
       • Allocates 9 to right-hand edge: 1 profit for all attacks
       • ROA for left-hand edge is infinite!!
     • Reactive defender’s play is invariant
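
The iterated game of slide 8 played against the strategic reactive defender of slide 10, as an added example that is not code from the talk or the paper. The graph, payoffs and greedy attacker are constructed for illustration, and two formulas the transcript does not preserve are assumptions: edge weight β^(−count) for the multiplicative update, and attack cost as the sum of d_t(e)/w(e) along the path.

```python
from collections import Counter

# Constructed attack graph (not from the slides): two paths from the Internet to a database.
PATHS = {
    "via_gateway": [("internet", "gateway"), ("gateway", "app"), ("app", "db")],
    "via_peering": [("internet", "peering"), ("peering", "db")],
}
PAYOFF = {"via_gateway": 4.0, "via_peering": 4.0}            # reward collected at "db"
SURFACE = {e: 1.0 for path in PATHS.values() for e in path}  # attack surface w(e)

def reactive_allocation(attack_counts, budget, beta):
    """Defense d_t(e) for every edge seen so far; unseen edges get no allocation."""
    # Assumed update: each observed attack multiplies the edge's weight by 1/beta,
    # so older observations count relatively less as newer ones accumulate.
    weights = {e: beta ** -n for e, n in attack_counts.items()}
    total = sum(weights.values())
    # Re-normalize into [0, 1] and scale by the budget B (nothing to spend on in round 1).
    return {e: budget * w / total for e, w in weights.items()} if total else {}

def attack_cost(path, alloc, surface):
    # Assumed cost model: linear in the defense allocation, scaled by attack surface.
    return sum(alloc.get(e, 0.0) / surface[e] for e in path)

def simulate(paths, payoff, surface, budget, beta, rounds):
    """Return [(attacked path, attacker profit)] per round and the final allocation."""
    counts, history = Counter(), []
    for _ in range(rounds):
        alloc = reactive_allocation(counts, budget, beta)    # defender commits first
        # The attacker sees the allocation and takes the most profitable path.
        name = max(paths, key=lambda p: payoff[p] - attack_cost(paths[p], alloc, surface))
        profit = payoff[name] - attack_cost(paths[name], alloc, surface)
        history.append((name, round(profit, 3)))
        counts.update(paths[name])       # defender learns only the edges just attacked
    return history, reactive_allocation(counts, budget, beta)

if __name__ == "__main__":
    history, final = simulate(PATHS, PAYOFF, SURFACE, budget=2.0, beta=0.5, rounds=6)
    for rnd, (name, profit) in enumerate(history, start=1):
        print(f"round {rnd}: attack {name:12s} profit {profit}")
    for edge, d in final.items():
        print(f"{edge}: {d:.3f}")
```

The attacker collects the full payoff only while a path is still unseen; once both paths have been observed, every round costs the attacker part of the budget B regardless of which path is chosen.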