Game-Theoretic Approaches to Critical Infrastructure Protection
Reducing the Risks and Consequences of Terrorism
CREATE Conference
November 18, 2004
Vicki Bier, University of Wisconsin-Madison

Research Objectives

  • Objective:

    • Study optimal allocation of resources for protection of systems against intentional attacks

  • Part of the risk modeling area:

    • With close tie to economics

    • (Game theory is a branch of economics)

  • Potentially applicable to all case studies:

    • Aviation

    • Ports

    • Electricity


Background

  • Because attackers can modify their strategies in response to our defensive investment:

    • Defense will generally be more costly when the adversary can observe the system defenses

  • “Investment in defensive measures, unlike investment in safety measures, saves a lower number of lives…than the apparent direct contribution of those measures”

    • Ravid (2002)

  • Security improvements may be less cost-effective than they would initially appear


Game Theory

  • Determine the optimal defense against an optimal attack

  • Game theory is a useful model for security and critical infrastructure protection:

    • Appropriate when protecting against intelligent and adaptable adversaries

    • Recognizes that defensive strategies must account for attacker behavior


Game between Attackers and Defenders

  • Need to make assumptions about:

    • Attacker goals and constraints

    • Defender goals and constraints

    • System design features

  • Protective investment assumed to reduce success probability of attacks


Game between Attackers and Defenders

  • Consider security of a simple series system:

    • Defending series systems against informed and determined attackers is a difficult challenge

  • If the attacker knows about the system’s defenses, the defender’s options are limited:

    • The defender is largely deprived of the ability to allocate defensive investments by their cost-effectiveness

    • Instead, defensive investments must equalize the “attractiveness” of all defended components


Importance of Redundancy

  • Parallel systems:

    • Any component can perform the function

    • Attacker must disable all to succeed

  • Series systems:

    • Attacker has a wide choice of targets

    • Defender must protect all components!

  • Physically in series (pipelines, electric lines)

  • Multiple failure modes (e.g., multiple points of entry)


Weakest Link Models

  • Defender must equalize the attractiveness of all defended components

  • This is generally consistent with the Brookings Institution recommendation to defend only the most valuable assets

  • However, terrorists also consider the probability of success in choice of targets:

    • So models should take the success probabilities of attacks against various targets into account
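The equalizing rule for a series system facing an informed attacker, worked through as an added example (not from the presentation). It assumes the attacker strikes the component with the highest value times success probability, and that investment x cuts success probability by a factor exp(-k·x); the functional form, the component values and the budget are all constructed.

```python
import math

def spend_to_reach(level, base, k):
    """Investment per target needed to pull its attractiveness down to `level`."""
    return [max(0.0, math.log(a / level) / ki) for a, ki in zip(base, k)]

def attractiveness(base, k, alloc):
    """Value x success probability under the assumed form base * exp(-k * x)."""
    return [a * math.exp(-ki * x) for a, ki, x in zip(base, k, alloc)]

def equalizing_defense(base, k, budget, iters=200):
    """Minimise the attacker's best option: find the lowest common level the
    budget can pay for. Targets already below that level get nothing."""
    lo, hi = 1e-12, max(base)        # spend(hi) = 0 <= budget < spend(lo)
    for _ in range(iters):
        mid = math.sqrt(lo * hi)     # bisect on a log scale
        if sum(spend_to_reach(mid, base, k)) > budget:
            lo = mid                 # level not affordable, aim higher
        else:
            hi = mid
    return hi, spend_to_reach(hi, base, k)

# Constructed sample: value x undefended success probability, four components.
BASE = [100 * 0.5, 60 * 0.8, 20 * 0.9, 5 * 0.9]   # 50, 48, 18, 4.5
K = [0.1, 0.1, 0.1, 0.1]                           # assumed defence effectiveness
BUDGET = 15.0

def compare():
    """Worst-case attractiveness left to the attacker under three allocations."""
    _, alloc = equalizing_defense(BASE, K, BUDGET)
    even = [BUDGET / len(BASE)] * len(BASE)
    top_only = [BUDGET, 0.0, 0.0, 0.0]
    return {
        "equalized": (alloc, max(attractiveness(BASE, K, alloc))),
        "even split": (even, max(attractiveness(BASE, K, even))),
        "top target only": (top_only, max(attractiveness(BASE, K, top_only))),
    }

if __name__ == "__main__":
    for name, (alloc, worst) in compare().items():
        shown = [round(x, 2) for x in alloc]
        print(f"{name:16s} alloc={shown} worst case={worst:.2f}")
```

With these numbers the two most attractive components are brought to a common level and the other two receive nothing, while hardening only the top component leaves the attacker an almost equally good second choice.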


Attacker Knowledge

  • The assumption that attackers know our defenses may not be unrealistic:

    • Due to the openness of our society

  • Public demands knowledge of our defense:

    • Even when this weakens its effectiveness!

  • This increases difficulty of defense:

    • E.g., anthrax protection

  • Defensive measures may not be effective if they can be easily observed


System Design Features

  • Redundancy reduces attacker flexibility:

    • And increases defender flexibility

  • Traditional reliability design considerations are also important to defensive strategy:

    • Spatial separation

    • Functional diversity

  • Examples:

    • Defenses that do not require electricity

    • Use of both land lines and satellite communications

  • Secrecy and deception can also be valuable


Extensions with Hedging

  • Real-world decision makers will want to hedge:

    • In case they guess wrong about which targets are most attractive to attackers

  • Recent work assumes that attackers target the most attractive component:

    • But defenders are uncertain about their attractiveness

  • Attackers will in general have different values for targets than defenders:

    • For example, Al-Qaeda prefers targets that are “recognizable in the Middle East” (Woo)


Extensions with Hedging

  • Defending one target can deflect attacks to targets that are:

    • Less attractive to attackers (a priori)

    • But more damaging to defenders!

  • Optimal defense frequently still involves allocating zero resources to targets with a non-zero probability of successful attack, especially if:

    • Targets vary widely in their values

    • Defender is highly resource-constrained


Sample Application

  • Our results shed light on appropriate allocation of resources among targets:

    • Focus on the most attractive (and most vulnerable) targets

    • Spend less money on targets that are unlikely to be attacked

  • Some states may have relatively few targets worth much investment 


Security versus Safety

  • In safety applications (natural hazards, accident prevention), the 80/20 rule works well:

    • Address the top 80% of the risks, at 20% of the cost

  • By contrast, in security applications:

    • It may not be worthwhile spending anything at all

    • Unless you address all serious vulnerabilities

  • Example:

    • Don’t bother searching purses and backpacks

    • If you don’t also search baby carriages!


Extensions in Progress

  • More complicated system structures:

    • E.g., adapting past work on least-cost diagnosis to identify “least-cost” attack strategies

    • As a building block for optimal (or near-optimal) defenses

  • Non-convex functions for attack success probability as a function of investment:

    • If minimal levels of investment are required

    • If investment beyond a threshold deters attackers

  • Secrecy and deception:

    • When are these useful?

    • How can we quantify their benefits?


Game between Defenders

  • Consider effects of defensive actions on the risks faced by other defenders:

    • And therefore the strategies they adopt

  • Some defenses (e.g., car alarms) increase risk to other defenders:

    • Payoff of investing to any one individual is greater than the net payoff to society

    • Typically leads to overinvestment in security

  • Other defenses (e.g., vaccination) decrease risk to other defenders:

    • “Free riders”

    • Typically lead to underinvestment in security


Game between Defenders

  • Extended an earlier “static” model by Kunreuther and Heal to account for attacks over time:

    • Example--computerized supply chain partners

  • Differences in discount rates can lead some agents not to invest in security when it is otherwise in their interests:

    • If other agents choose not to invest

  • Differences in discount rates can arise due to:

    • Industries with different rates of return

    • Risk of impending bankruptcy

    • Myopia

  • This game can have multiple equilibrium solutions:

    • Creating a need for coordinating mechanisms
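A simplified two-agent version of the game between defenders, added here as an illustration and not taken from the presentation: each agent can pay a one-time cost to remove its own direct risk but stays exposed through an unprotected partner, and weighs future losses with its own discount factor. The payoff form and every number are assumptions.

```python
from itertools import product

# Constructed parameters (assumptions, not from the slides).
P = 0.2        # per-period chance of a direct breach if the agent has not invested
Q = 0.5        # per-period chance of a breach arriving via an unprotected partner
LOSS = 100.0   # loss per breach
COST = 60.0    # one-time cost of investing in security

def pv_cost(invest, partner_invests, delta):
    """Present value of an agent's expected cost; delta is its per-period
    discount factor (a low delta means a high discount rate, e.g. myopia)."""
    per_period = 0.0 if invest else P * LOSS
    if not partner_invests:
        # Spillover loss only counts in periods without a direct breach.
        reach = 1.0 if invest else 1.0 - P
        per_period += reach * Q * LOSS
    return (COST if invest else 0.0) + per_period / (1.0 - delta)

def equilibria(delta_a, delta_b):
    """Pure-strategy Nash equilibria as (a_invests, b_invests) pairs."""
    found = []
    for a, b in product((True, False), repeat=2):
        a_ok = pv_cost(a, b, delta_a) <= pv_cost(not a, b, delta_a)
        b_ok = pv_cost(b, a, delta_b) <= pv_cost(not b, a, delta_b)
        if a_ok and b_ok:
            found.append((a, b))
    return found

if __name__ == "__main__":
    cases = {
        "equal discounting (0.8, 0.8)": (0.8, 0.8),
        "partner is myopic (0.8, 0.5)": (0.8, 0.5),
        "one patient agent (0.9, 0.8)": (0.9, 0.8),
    }
    for label, (da, db) in cases.items():
        print(f"{label}: {equilibria(da, db)}")
```

With equal discounting both "everyone invests" and "no one invests" are stable, which is the coordination problem; with a myopic partner the first agent also stops investing even though investing would pay if the partner did.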


Sample Application

  • Computer security in electronic supply chains:

    • Companies may be vulnerable to weaknesses in computer security on the part of their partners

    • This can reduce their incentives to invest in their own computer security

  • Coordinating mechanisms can help to address this problem:

    • Contract terms

    • Development of international standards

    • Loans to enable partners who are not as financially stable to improve their computer security


Conclusions

  • Protecting against intentional attacks must account for attacker responses:

    • Most applications of risk analysis fail to take this into account

    • Most applications of game theory to security deal with individual components in isolation

  • Combining these approaches makes it possible to invest more cost-effectively:

    • Avoids wasting resources on defenses that can easily be disabled or circumvented by attackers

