NSF Opportunities

Download Report

Transcript NSF Opportunities

Game-Theoretic Approaches to
Critical Infrastructure Protection
Workshop on Statistics and
Counterterrorism
November 20, 2004
Vicki Bier
University of Wisconsin-Madison
Research Objectives

Objective:
– Study optimal allocation of resources for
protection of systems against intentional
attacks

Related to risk analysis:
– With close tie to economics
– (Game theory is a branch of economics)

Potentially applicable in many areas
Background

Because attackers can modify their strategies in
response to our defensive investment:
– Defense will generally be more costly when the adversary
can observe the system defenses

“Investment in defensive measures, unlike
investment in safety measures, saves a lower
number of lives…than the apparent direct
contribution of those measures”
– Ravid (2002)

Security improvements may be less cost-effective
than they would initially appear
Game Theory


Determine the optimal defense against an
optimal attack
Game theory is a useful model for security and
critical infrastructure protection:
– Appropriate when protecting against intelligent and
adaptable adversaries
– Recognizes that defensive strategies must account for
attacker behavior
Game between Attackers
and Defenders

Need to make assumptions about:
– Attacker goals and constraints
– Defender goals and constraints
– System design features

Protective investment assumed to
reduce success probability of attacks
Game between Attackers
and Defenders

Consider security of a simple series system:
– Defending series systems against informed and
determined attackers is a difficult challenge

If the attacker knows about the system’s defenses,
the defender’s options are limited:
– The defender is largely deprived of the ability to allocate
defensive investments by their cost-effectiveness
– Instead, defensive investments must equalize the
“attractiveness” of all defended components
Importance of
Redundancy

Parallel systems:
– Any component can
perform the function
– Attacker must disable all
to succeed

Series systems:
– Attacker has a wide
choice of targets
– Defender must protect
all components!
 Physically in series
(pipelines, electric lines)
 Multiple failure modes (e.g.,
multiple points of entry)
Weakest Link Models



Defender must equalize the attractiveness of all
defended components
This is generally consistent with the Brookings
Institution recommendation to defend only the
most valuable assets
However, terrorists also consider the probability
of success in choice of targets:
– So models should take the success probabilities of
attacks against various targets into account
Attacker Knowledge

The assumption that attackers know our
defenses may not be unrealistic:
– Due to the openness of our society

Public demands knowledge of our defense:
– Even when this weakens its effectiveness!

This increases difficulty of defense:
– E.g., anthrax protection

Defensive measures may not be effective if
they can be easily observed
System Design Features
Redundancy reduces attacker flexibility:

–
Traditional reliability design considerations:

–
–
Spatial separation
Functional diversity
are also important to defensive strategy
Examples:

–
–

And increases defender flexibility
Defenses that do not require electricity
Use of both land lines and satellite communications
Secrecy and deception can also be valuable
Extensions with Hedging

Real-world decision makers will want to hedge:
– In case they guess wrong about which targets are most
attractive to attackers

Recent work assumes that attackers target the
most attractive component:
– But defenders are uncertain about their attractiveness

Attackers will in general have different values for
targets than defenders:
– For example, Al-Qaeda prefers targets that are
“recognizable in the Middle East” (Woo)
Extensions with Hedging

Defending one target can deflect attacks
to targets that are:
– Less attractive to attackers (a priori)
– But more damaging to defenders!

Optimal defense frequently still involves
allocating zero resources to targets with a
non-zero probability of successful attack,
especially if:
– Targets value widely in their values
– Defender is highly resource-constrained
Sample Application

Our results shed light on appropriate
allocation of resources among targets:
– Focus on the most attractive (and most
vulnerable) targets
– Spend less money on targets that are
unlikely to be attacked

Some states may have relatively few
targets worth much investment
Security versus Safety

In safety applications:
– Natural hazards
– Accident prevention
the 80/20 rule works well:
– Address the top 80% of the risks, at 20% of the cost

By contrast, in security applications:
– It may not be worthwhile spending anything at all
– Unless you address all serious vulnerabilities

Example:
– Don’t bother searching purses and backpacks
– If you don’t also search baby carriages!
Extensions in Progress

More complicated system structures:
– E.g., adapting past work on least-cost diagnosis to identify
“least-cost” attack strategies
– As a building block for optimal (or near-optimal) defenses

Non-convex functions for attack success probability
as a function of investment:
– If minimal levels of investment are required
– If investment beyond a threshold deters attackers

Secrecy and deception:
– When are these useful?
– How can we quantify their benefits?
Game between Defenders

Consider effects of defensive actions on the risks
faced by other defenders:
– And therefore the strategies they adopt

Some defenses (e.g., car alarms) increase risk to
other defenders:
– Payoff of investing to any one individual is greater than
the net payoff to society
– Typically leads to overinvestment in security

Other defenses (e.g., vaccination) decrease risk to
other defenders:
– “Free riders”
– Typically lead to underinvestment in security
Game between Defenders

Extended an earlier “static” model by Kunreuther and Heal to
account for attacks over time:
– Example--computerized supply chain partners

Differences in discount rates can lead some agents not to
invest in security when it is otherwise in their interests:
– If other agents choose not to invest

Differences in discount rates can arise due to:
– Industries with different rates of return
– Risk of impending bankruptcy
– Myopia

This game can have multiple equilibrium solutions:
– Creating a need for coordinating mechanisms
Sample Application

Computer security in electronic supply chains:
– Companies may be vulnerable to weaknesses in
computer security on the part of their partners
– This can reduce their incentives to invest in their
own computer security

Coordinating mechanisms can help to address
this problem:
–
–
–
–
Contract terms
Government regulation
Development of international standards
Loans to enable partners who are not as financially
stable to improve their computer security
Conclusions

Protecting against intentional attacks must
account for attacker responses:
– Most applications of risk analysis fail to take this
into account
– Most applications of game theory to security deal
with individual components in isolation

Combining these approaches makes it
possible to invest more cost-effectively:
– Avoids wasting resources on defenses that can
easily be disabled or circumvented by attackers