
1 of 33 A Game Theoretic Framework for Evaluating Resilience of Networks Against Attacks. Assane Gueye, Information Technology Laboratory, National Institute of Standards and Technology. Joint work with Dr. Vladimir Marbukh (NIST), Aron Laszka (Budapest University of Technology and Economics), Prof. Jean C. Walrand and Prof. Venkat Anantharam (UC Berkeley). Applied and Computational Mathematics Division Seminar Series, National Institute of Standards and Technology, Gaithersburg, April 16, 2013.

2 of 33 Motivations. Networks of interest: communication, power grid, transportation, financial, social. Two strategic players: an attacker who targets links and an operator who chooses which links to use and where to add an additional link. Questions: 1. How robust/vulnerable is the network against such attacks? 2. Which links are most likely to be attacked? 3. Where should an additional link be placed? 4. ... This talk: a game-theoretic framework to answer these questions.

3 of 33 Framework. Network topology and communication model; network value model; 2-player game with payoff definition; Nash equilibrium characterization; vulnerability metric and critical subsets of links.

4 of 33 Summary/Outline. Goals: quantify network vulnerability, identify the most critical links. Solution: game theory to capture the strategic nature of the problem; the equilibrium payoff serves as the vulnerability metric. Outline: communication models (network value models, cost of loss of connectivity, i.e. Loss-in-Value); game model (Nash equilibrium characterization, vulnerability metric); properties of the vulnerability metric (identification of critical links, relation to known graph theory notions); quantification of the security cost/benefit tradeoff under a budget constraint; economics of vulnerability reduction (hardening vs redundancy); concluding remarks and future work.

5 of 33 Communication Models: Examples

6 of 33 Examples (1/4): All-to-One Networks (e.g., Sensor Network). There is a designated node S (the gateway) to which every node wants to connect. Communication infrastructure: a (rooted) spanning arborescence. Network value function (proxy): f(G) := number of nodes connected to S. Cost of loss of connectivity: |V| - |V_S|, where V_S is the connected component containing S (the figure shows the nodes cut off from S as LOST). Reference: A. Gueye, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC.

7 of 33 Examples (2/4): Many-to-Many Networks (e.g., Supply-Demand). A total amount of goods Δ is to be moved from a set of sources (S1, S2) to a set of destinations (D1, D2, D3). Communication infrastructure: a feasible flow (capacity constraints, conservation of flows). Network value function: f(G) := total amount of goods moved from S to D. Cost of loss of connectivity: Δ(T) - Δ(T\e), where Δ(X) := amount of goods moved over X. In the figure the lost amount after the attacked link fails is D2 + D3 - S2 (> 0). Reference: A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC.

8 of 33 Examples (3/4): All-to-All Networks (e.g., Bridged Ethernet, constant loss). A path is needed between every pair of nodes (all nodes must be connected at all times). Communication infrastructure: a spanning tree. Network value function: f(G) := K (constant). Cost of loss of connectivity: K × (1 - 1_connected), where 1_connected is the indicator that the network is still connected, i.e. the whole value K is lost as soon as any node is cut off. Reference: A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC.

9 of 33 Examples (4/4): All-to-All Networks (e.g., Bridged Ethernet, linear loss). A path is needed between any two nodes; when nodes are disconnected, the decision reached by the largest group of nodes prevails. Communication infrastructure: a spanning tree. Network value function: f(G) := number of connected nodes in the largest cluster. Cost of loss of connectivity: |V| - max_i |V_i|, where max_i |V_i| is the number of nodes in the largest connected component. Reference: A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC.

10 of 33 Alternate Network Value Models. Graph G = (V, E), |V| = n, |E| = m. Sarnoff: n (broadcast network). Metcalfe: n^2 (peer connecting network). Reed: 2^n (group forming network). Odlyzko, Briscoe, Tilly (OBT): n log(n). Walrand: n^(1+a), a ≤ 1 (friendship network). Reference: A. Gueye, V. Marbukh, J.C. Walrand: Towards a Metric for Communication Network Vulnerability to Attacks: A Game Theoretic Approach. In 3rd International ICST Conference on Game Theory for Networks (GameNets), May 25-26, 2012, Vancouver, Canada.

11 of 33 Loss-in-Value (LiV). The network operator's goal: choose a set of links T to maintain "some" connectivity and get some value f(T). Example 1 (sensor network): T is a (rooted) spanning arborescence and f(T) = |V|. When link e fails, the new network is T\e with value f(T\e); the Loss-in-Value (LiV) relative to T and e is the difference f(T) - f(T\e).

12 of 33 Loss-in-Value (LiV): figures for the four examples (Sensor Network, Supply-Demand, Ethernet with constant loss, Ethernet with linear loss) marking the part of the network that is lost when a link fails.

13 of 33 Loss-in-Value (LiV) Matrix. Build the matrix LiV[E, T]: rows are the operator's resources T (e.g., spanning trees), columns are the links e ∈ E, and entry LiV[T, e] is the value lost when the operator uses T and link e is attacked. This matrix is the payoff matrix of the game.

14 of 33 Game Model (figure only)

15 of 33 Network Blocking Game Model (figure only)

16 of 33 Network Blocking Game Model. One-shot game with mixed strategies: the defender chooses a probability distribution over the resources T to minimize the expected Loss-in-Value; the attacker chooses a probability distribution over the links E to maximize it.

17 of 33 Vulnerability Metric. Theorem [Gueye et al., 2012] (statement shown as a figure).

18 of 33 Vulnerability Metric: Properties (figure only)

19 of 33 Vulnerability Metric & Graph Theory

20 of 33 Vulnerability Metric & Graph Theory (1/4): All-to-One Networks (e.g., Sensor Network). Game: the operator chooses a rooted spanning arborescence; the attacker attacks a link. Vulnerability metric: the inverse of the directed strength of the graph (Cunningham 1982), i.e. the average number of disconnected nodes per attacked link.

21 of 33 Vulnerability Metric & Graph Theory (2/4): Many-to-Many Networks (e.g., Supply-Demand). Game: the operator chooses a feasible flow; the attacker attacks a link. Vulnerability metric: the average excess demand per attacked link.

22 of 33 Vulnerability Metric & Graph Theory (3/4): All-to-All Networks (e.g., Bridged Ethernet, constant loss). Game: the operator chooses a spanning tree; the attacker attacks a link. Vulnerability metric: given by the spanning tree packing number (Tutte & Nash-Williams 1961), i.e. the average number of (dis)connected components per attacked link.

23 of 33 Vulnerability Metric & Graph Theory (4/4): All-to-All Networks (e.g., Bridged Ethernet, linear loss). Game: the operator chooses a spanning tree; the attacker attacks a link. Vulnerability metric: the inverse of Cheeger's constant (the edge expansion factor of G), i.e. the average number of disconnected nodes per attacked link.

24 of 33 Vulnerability Metric & Critical Links. All-2-All (constant loss) with zero attack cost (µ_e = 0): two example networks a) and b) with their critical links; the vulnerability values on the slide are 1/2 and 1/7.

25 of 33 Vulnerability Metric & Critical Links. The critical subset depends on the network value model f(·): shown for All-2-All with constant, linear and exponential loss, where the critical links move between the bridges, the edges to the cloud and the edges in the cloud. Criticality also depends on the network topology.
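Worked example for slides 20 to 25, added here as an illustration; it is not code from the talk or its authors. It brute-forces the blocking game on small constructed graphs: the operator's pure strategies are the spanning trees, the attacker picks one link, and the vulnerability is evaluated as θ = max over non-empty E' of (M(E') - µ(E'))/|E'|, with M(E') = min over spanning trees T of Σ_{e∈E'} LiV[T, e] and µ the attacker's cost. That formula is this editor's reading of the NE theorem whose statement is only a figure on slide 17 (the attacker mixes uniformly over a critical subset), and the authors' own algorithms avoid enumerating trees (slide 38). For the constant-loss model, M(E') is the number of components of G \ E' minus one, so θ is the inverse graph strength of slide 22; the graphs (a triangle, K4 minus an edge, two triangles joined by a bridge) are constructed for the example and are not the a)/b)/c) networks of the slides.

```python
"""Blocking-game vulnerability metric by brute force on toy graphs.

Constructed example, not code from the talk. Nodes are 0..n-1 and links are
(u, v) tuples. The operator's pure strategies are the spanning trees; the
attacker attacks one link.
"""
from fractions import Fraction
from itertools import combinations


def components(n, edges):
    """Connected components (as frozensets) of the graph (n, edges)."""
    parent = list(range(n))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for u, v in edges:
        ru, rv = find(u), find(v)
        if ru != rv:
            parent[ru] = rv
    groups = {}
    for x in range(n):
        groups.setdefault(find(x), set()).add(x)
    return [frozenset(g) for g in groups.values()]


def spanning_trees(n, edges):
    """Every spanning tree: an (n-1)-link subset that leaves one component.
    Exponential in |E|, intended for graphs with a handful of links."""
    return [t for t in combinations(edges, n - 1) if len(components(n, t)) == 1]


def liv_constant(n, tree, e, K=1):
    """Slide 8 (constant loss): the whole value K is lost iff the attacked
    link is one the operator actually uses; an unused link costs nothing."""
    return K if e in tree else 0


def liv_linear(n, tree, e):
    """Slide 9 (linear loss): the nodes outside the largest surviving
    cluster of T minus e are lost; an unused link costs nothing."""
    if e not in tree:
        return 0
    rest = [f for f in tree if f != e]
    return n - max(len(c) for c in components(n, rest))


def vulnerability(n, edges, liv, cost=None):
    """theta = max over non-empty E' of (M(E') - mu(E')) / |E'|, where
    M(E') = min over spanning trees T of sum_{e in E'} LiV[T, e] and
    mu(E') is the attacker's total cost for E' (costs are ints/Fractions).
    Returns (theta, list of critical subsets attaining theta)."""
    cost = cost or {}
    trees = spanning_trees(n, edges)
    best, critical = Fraction(0), []
    for k in range(1, len(edges) + 1):
        for subset in combinations(edges, k):
            m = min(sum(liv(n, t, e) for e in subset) for t in trees)
            mu = sum(cost.get(e, 0) for e in subset)
            theta = Fraction(m - mu) / k
            if theta > best:
                best, critical = theta, [subset]
            elif theta == best and theta > 0:
                critical.append(subset)
    return best, critical


# Constructed toy topologies (assumed for the example, not from the slides).
TRIANGLE = ((0, 1), (1, 2), (0, 2))
K4_MINUS_EDGE = ((0, 1), (0, 2), (0, 3), (1, 2), (1, 3))
BRIDGE = (2, 3)
TWO_TRIANGLES = ((0, 1), (1, 2), (0, 2), BRIDGE, (3, 4), (4, 5), (3, 5))

if __name__ == "__main__":
    for name, n, g in (("triangle", 3, TRIANGLE),
                       ("K4 minus an edge", 4, K4_MINUS_EDGE),
                       ("two triangles plus a bridge", 6, TWO_TRIANGLES)):
        for model in (liv_constant, liv_linear):
            theta, crit = vulnerability(n, g, model)
            print(f"{name:28s} {model.__name__:13s} theta={theta} critical={crit}")
    # Pricing an attack on the bridge at 1 moves the critical set off it.
    print(vulnerability(6, TWO_TRIANGLES, liv_constant, cost={BRIDGE: 1}))
```

Under constant loss the brute-force value matches (c(G \ E') - 1)/|E'|: the triangle gives 2/3 and K4 minus an edge gives 3/5, the two numbers compared on slide 26. The bridge graph gives 1 with the bridge as the only critical link, and 3 under linear loss (the three nodes cut off by the bridge). Charging the attacker 1 for the bridge drops its ratio to 0 and makes the two triangles the critical subsets, which is the slide-24/25 point in miniature: the critical set depends on the value model, the topology and the attack costs.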

26 of 33 Vulnerability Metric & Network Design. Networks a), b) and c), where b) and c) differ by where an additional link is placed. Since 2/3 > 3/5, the network in b) is more vulnerable than the network in c).

27 of 33 Vulnerability/Cost Tradeoff. Vulnerability (risk) as a function of security cost: where are the security limits? (figure only)

28 of 33 Vulnerability/Cost Tradeoff: vulnerability as a function of the cost budget b (figure). Reference: A. Gueye, V. Marbukh: A Game Theoretic Framework for Network Security Vulnerability Assessment and Mitigation. In 3rd International ICST Conference on Decision and Game Theory for Security (GameSec), November 5-6, 2012, Budapest, Hungary.

29 of 33 Vulnerability Reduction: Hardening vs Redundancy (ongoing). The operator receives an additional budget: should it be spent on hardening existing links or on redundancy (additional links), given that the attacker responds to either choice?

30 of 33 Vulnerability Reduction: Redundancy vs Hardening (ongoing). Simulation runs 1 to 3 (figure). Relevant parameters: network topology (fixed); current set of available "routes" (random for each run); benefit function (linear for hardening); cost of attack (random for each run); budget (varies). Reference: A. Gueye, V. Marbukh: Economics of Network Vulnerability Reduction: Hardening versus Redundancy. Submitted to the Joint Workshop on Pricing and Incentives in Networks and Systems, June 21, 2013, in conjunction with ACM SIGMETRICS 2013 (Pittsburgh, PA, USA).

31 of 33 Summary. Network Blocking Games: communication model; network value function and Loss-in-Value (LiV); NE theorem for blocking games. Application, quantifying network vulnerability in an adversarial environment: vulnerability metric, critical subset of links, properties, algorithms. Security/cost tradeoff: budget constraints, tradeoff curves, computational complexity. Conclusion: ...the ability of a malicious/selfish agent to acquire and exploit system information may alter conclusions drawn by using conventional predictive security metrics...

32 of 33 Future Work. Fundamentals of the adversarial relationship (e.g., game theory). Security as a design principle (e.g., system design). Predictive metrics for the security of large-scale systems: models for local interaction (e.g., game theory, decision theory); identify macro parameters and predict global behavior and the global level of security (e.g., complex system theory, statistical inference); develop appropriate feedback control loops (e.g., control theory).

33 of 33 Thank You! Questions?

34 of 33 (backup) A Framework for Analyzing Network Resilience Against Attacks. Security & Games: Overview. Principle: a security attack is a game between attacker and defender; the defender anticipates the attack and the attacker anticipates the defense. Illustration: the Network Blocking Game.

35 of 33 (backup) Nash Equilibrium Characterization & Vulnerability Metric: blocking pairs of polyhedra; vulnerability metric definition; Nash equilibrium theorem.

36 of 33 (backup) NE Characterization Tools (figure only)

37 of 33 (backup) Nash Equilibrium Theorem (figure only)

38 of 33 (backup) Nash Equilibrium Computation. General 2-player game: difficult, PPAD-complete (PPAD = Polynomial Parity Arguments on Directed graphs). Zero-sum 2-player game: easy via linear programming, provided the payoff matrix has a reasonable size. In the four examples above the payoff matrices are exponential in size (the operator's strategies are spanning trees, arborescences or flows): for a network with only n = 15 nodes the number of entries given on the slide already makes computation and storage big issues. Network blocking games are nevertheless solved efficiently by bypassing the computation of the payoff matrix (network flow theory, minimization of submodular functions). Open question: characterize the class of network value functions f for which an efficient algorithm exists.

