of 33

Assane Gueye Information Technology Laboratory,

National Institute of Standards and Technology

Joint work with:Dr. Vladimir Marbukh (NIST)Aron Lazska (Budapest University of Technology and Economics)Prof. Jean C. Walrand, Prof. Venkat Anantharam (UC Berkeley)

Applied and Computational Mathematics Division Seminar SeriesNational Institute of Standards and Technology

Gaithersburg, April 16, 2013

A Game Theoretic Framework for Evaluating Resilience of Networks Against Attacks

of 332

1. How robust/vulnerable is the network against such attacks?

2. What are the links that are most likely to be attacked?

3. Where to put additional link?

4. …

Network

CommunicationPower GridTransportation FinancialSocial

AttackerOperator

Additional link

SSI*SSI

This Talk: A game-theoretic framework to answer to these questions

Motivations

of 33

Network value model

3

+Communication model

Network Topology

2-Player Game Payoffs definition Nash equilibrium characterization

Vulnerability metric

Critical subsets of links

Framework

of 334

• Goals: Quantifying network vulnerability, identify most critical links• Solution: Game Theory to capture strategic nature, equilibrium payoff for vulnerability

metric

– Communication models • Network value models, Cost of loss of connectivity (Loss-in-Value)

– Game Model• Nash equilibrium characterization, Vulnerability metric

– Properties of vulnerability metric• Identification of critical links, Relate to known graph theory notions

– Quantification of security cost/benefit tradeoff? • Budget constraint

– Economics of vulnerability reduction• Hardening vs Redundancy

• Concluding Remarks and Future Work

Summary/Outline

of 335

Communication Models

Examples

of 336

All-to-One Networks (e.g., Sensor Network)S

LOSTCost of loss of connectivity: |V|-|VS| VS connected component containing S

S

There is a designated node (the gateway) to which everyone wants to connect

Network Value Function (proxy)f(G) := # of nodes (connected to S)

Communication infrastructure (Rooted) spanning arborescence

S

A. Gueye, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012

Examples (1/4)

of 337

Many-to-Many Networks (e.g., Supply-Demand)

S1

S2

D1

D2

D3

S1

S2

D1

D2

D3

LOSTD2+D3-S2 (>0)

A total amount of goods (Δ) is to be movedfrom a set of sources to a set of destinations

Cost of loss of connectivity: Δ(T)- Δ(T\e) Δ(X) := amount of goods moved over X

Network Value Function f(G) := total amount of goods moved from S to D

Communication infrastructure Feasible flow (capacity constraints, conservation of flows)

S1

S2

D1

D2

D3

21

3

1

11

1

1

13

2

3

A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012

Examples (2/4)

of 338

All-to-All Networks (e.g., Bridged Ethernet—constant loss)

LOST

Need a path between any pair of nodes(All nodes must be connected at all time)

Cost of loss of connectivity: K × (1-1connected) 1connected: indicator function

Network Value Function f(G) := K (constant)

Communication infrastructure Spanning tree

A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam: A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012

Examples (3/4)

of 339

All-to-All Networks (e.g., Bridged Ethernet—linear loss)

LOST

Need a path between any two nodes(when nodes are disconnected, the decision reached by the maximum number of nodes prevails)

Cost of loss of connectivity: |V|-max(|Vi|) max(|Vi|) = # nodes in largest connected component

Network Value Function f(G) := # of connected nodes (in largest cluster)

Communication infrastructure Spanning tree

A. Gueye, V. Marbukh, A. Laszka, J.C. Walrand, V. Anantharam, : A Polyhedral-Based Analysis of Nash Equilibria of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Submitted to ACM TEAC, 2012

Examples (4/4)

of 3310

• Walrand: n1+a a≤1 (friendship network)

• Sarnoff: n (Broadcast Network)

• Metcalfe: n2 (Peer Connecting Network)

• Reed: 2n (Group Forming network)

• Odlyzky, Briscoe, Tilly (OBT): nlog(n)

Graph G=(V,E)|V|=n, |E|=m

A. Gueye, V. Marbukh, J.C. Walrand: Towards a Metric for Communication Network Vulnerability to Attacks: A Game Theoretic Approach, In 3rd International ICST Conference on Game Theory for Networks (GameNets), May 25-26, 2012, Vancouver, Canada

Alternate Network Value Models

of 3311

• Network operator’s goal– choose a set of links to maintain “some” connectivity… Denote T: set of links

S

– … and get some value: f(T) (=|V|)

S

Example 1: Sensor Network

= f(T)- f(T\e)

T: a (rooted) spanning arborescence

• When link e fails• (New) network T\e, with value f(T\e) Loss-in-Value (LiV) relative to T and e

Loss-in-Value (LiV)

of 3312

S S1

S2

D1

D2

D3

21

3

1

11

1

1

13

2

3

= 3# of nodes disconnected from S (when connection is over T and e fails)

= 3amount of goods that T carries over e

= Kx1eTtotal network value ( if e T)

= 3size of smallest connected component (when connection is over T and e fails)

S S1

S2

D1

D2

D3

21

3

1

11

1

1

13

2

3

SS1

S2

D1

D2

D3

Sensor Network Supply-DemandEthernet:

(constant loss)Ethernet

(linear loss)

LostLost Lost

Lost

Loss-in-Value (LiV)

of 3313

Build Loss-in-Value matrix: LiV[E,T]

LiV[T,e]

Reso

urce

s

links

Loss-in-Value (LiV) Matrix

Payoff matrix

of 3314

Game Model

SSI

of 3315

• Graph G=(V,E)

– Players• (Network) Manager• Attacker

– (Pure) Strategies:• Manager: resources (TT) • Attacker: links (eE)

– Payoff• Manager: - • Attacker: – μ(e) (possible attack cost)

Network Blocking Game Model

of 3316

• Game– One shot game

– (Mixed) Strategies

» Defender: on T, to minimize

» Attacker: on E, to maximize

𝐿 (𝜶 ,𝜷 )= ∑𝑇∈𝒯 𝜶𝑇 ∑

𝑒∈ℰ𝜷𝑒 𝐿𝑖𝑉 (𝑇 ,𝑒)

𝑅 (𝜶 ,𝜷 )=∑𝑒∈ℰ

𝜷𝑒( ∑𝑇∈𝒯 𝜶𝑇 𝐿𝑖𝑉 (𝑇 ,𝑒)−𝜇(𝑒))

SSI

Network Blocking Game Model

of 3317

• Nash equilibrium always exists [Nash 1950]

– Expected Loss (defender):

– Vulnerability metric ( = attacker’s expected reward)

𝐿∗(𝜶𝑵𝑬 ,𝜷𝑵𝑬 )= ∑𝑇∈𝒯 𝜶𝑇

𝑁𝐸 ∑𝑒∈ℰ

𝜷𝑒𝑁𝐸𝐿𝑖𝑉 (𝑇 ,𝑒)

𝝁=∑𝑒∈ℰ

𝜷𝑒𝑵𝑬𝜇(𝑒 )

Vulnerability Metric

Theorem[Gueye et. al., 2012]• is uniquely defined (there might exist multiple equilibria)

• If , • Attacker’s best choice is to never launch an attack• Defender will randomize communication (e.g., multipath routing)

• If ,• There exists a critical subset of links (possibly multiple)• Attacker will target a critical subset of links• Defender will randomize and minimally use critical links

of 3318

• is uniquely defined

• reflects defender’s loss as well as attacker’s desire to attack• closely depends on network structure (topology, amount of goods to be moved, etc…) metric for vulnerability to attack (strategic failures ≠reliability metric which is based on random failure)• indicates attacker’s behavior

• If <0 attacker does not attack• If 0 attacker always attack

• corresponds to “vulnerability” of most critical links () identify most critical (vulnerable) links

Vulnerability Metric: Properties

of 3319

SSISSI

Vulnerability Metric & Graph Theory

of 3320

All-to-One Networks (e.g., Sensor Network)S

Vulnerability Metric

Game• Operator: choose a rooted spanning arborescence• Attacker: Attack a link

by removing links in E

𝜽∗=𝒎𝒂𝒙 {𝝀 (𝑬 )|𝑬|

: 𝑬⊆𝓔 (𝑮 )}

Critical subset of links: E* achieves Uniform attack in each critical subset

(Inverse) Directed Strength of Graph (Cunningham 1982)

= # of nodes disconnected from S associated with T and e

(= Average # of disconnected nodes per attacked link)

S

=4

=2

Vulnerability Metric & Graph Theory (1/4)

of 3321

Many-to-Many Networks (e.g., Supply-Demand)

S1

S2

D1

D2

D3

Game• Operator: choose a feasible flow• Attacker: Attack a link

Vulnerability Metric

𝜽∗=𝒎𝒂𝒙 ¿

(= Average excess demand per attacked link)

= amount of goods T carries over e

Critical subset of links: E* achieves Uniform attack in each critical subset

Vulnerability Metric & Graph Theory (2/4)

X 𝐗𝜹(𝑿 ) = = total demand in = Total supply in = excess demand in

of 3322

All-to-All Networks (e.g., Bridged Ethernet—constant loss) Game

• Operator: choose a spanning tree• Attacker: Attack a link

Vulnerability Metric

𝜽∗=𝐦𝐚𝐱 ¿ Spanning Tree Packing Number (SPT)(Tutte & Nash-Williams 1961)

= total value ( if e T)

(= Average # of (dis)connected components per attacked link)

Critical subset of links: E* achieves Uniform attack in each critical subset

Vulnerability Metric & Graph Theory (3/4)

E = Set of edges going across the partitions = number of connected components

of 3323

All-to-All Networks (e.g., Bridged Ethernet—linear loss)Game

• Operator: choose a spanning tree• Attacker: Attack a link

Vulnerability Metric

𝜽∗=𝐦𝐚𝐱 ¿ (inverse) Cheeger’s constant, Edge expansion factor of G

nfinite number of graphs

= size of smallest connected component

(=Average # of disconnected nodes per links)

Critical subset of links: E* achieves Uniform attack in each critical subset

Vulnerability Metric & Graph Theory (4/4)

X 𝐗𝜹(𝑿 )

=

of 33

Vulnerability = 1/2

= 4/7>1/2

a)

b)

zero attack cost µe=0

1/2

1/2

1/7

1/7

1/7

1/7

1/71/7

1/7

24

All-2-All (constant loss)

Vulnerability Metric & Critical Links

of 3325

All-2-All (constant loss)

Bridges Edges in the cloud Edges to the cloud

Critical Subsets depends on network value model (f(.))All-2-All

(linear loss) All-2-All

(exponential loss)

Criticality depends on network topology

Edges to the cloudBridges

Vulnerability Metric & Critical Links

of 3326

= 3/4 = 2/3 = 3/5

2/3 > 3/5

Network in b) is more vulnerable than network in c)Additional link

Network Design

a) b) c)

Vulnerability Metric & Network Design

of 3327

Vuln

erab

ility

/Risk

Cost

?

Security LimitsVulnerability/Cost Tradeoff

of 3328

• Each subset of resources T (e.g., feasible flow, spanning tree) has a cost w(T)

• Defender has a “maximum” budget b

• Can use only resources that satisfy budget constraint b≤w(T) Set of pure strategies

(Buying out more randomness)

• Define games parameterized by budget b

• Vulnerability metric is a function of b:

• Study function 4 6 8 10 12 14 16 18

1

1.5

2

2.5

3

3.5

4

4.5

(Maximum) Flow Cost

Vul

nera

bilit

y *

Cost b

𝒯(𝑏)= {𝑇∈𝒯∨𝑤 (𝑇 )≤𝑏 }

Vulnerability/Cost Tradeoff

A. Gueye, V. Marbukh: A Game Theoretic Framework for Network Security Vulnerability Assessment and Mitigation, In 3rd International ICST Conference on Decision and Game Theory (GameSec), November 5-6, 2012, Budapest, Hungary

of 3329

Vulnerability ReductionHardening vs Redundancy (ongoing)

AttackerOperator

Additional budget!

Hardening Redundancy

of 3330

Vulnerability ReductionRedundancy vs Hardening (ongoing)

Run1 Run2 Run3

Relevant parameters:

• Network topology• Current set of available “routes”• Benefit function• Cost of attack• Budget

(fixed)(random for each run)(linear for hardening)(random for each run)(varies)

A. Gueye, V. Marbukh: Economics of Network Vulnerability Reduction: Hardening versus Redundancy, submitted, In Joint Workshop on Pricing and Incentives in Networks and Systems, June 21, 2013, in conjunction with ACM SIGMETRICS 2013 (Pittsburg, PA, USA)

of 3331

• Network Blocking Games– Communication model– Network value function, Loss-in-Value (LiV)– NE theorem for blocking games

• Application: Quantify network vulnerability in adversarial environment– Vulnerability Metric– Critical subset of links– Properties– Algorithms

• Security/Cost Tradeoff– Budget constraints – Tradeoff curves– Computational complexity

Summary

Conclusion….the ability of a malicious/selfish agent to acquire and exploit system information may alter conclusions drawn by using conventional predictive security metrics…

of 3332

• Fundamentals of adversarial relationship E.g. Game Theory• Security as a design principle E.g.: System Design• Predictive metrics for security of large-scale systems

Future Work

• Models for local Interaction E.g.: Game Theory, Decision Theory

• Identify macro parameters• Predict global behavior• Global level of security E.g.: Complex System Theory Statistical Inference

• Develop appropriate feedback control loops E.g.: Control Theory

1.

2.

3.

of 3333

Thank You!

Questions?