Trust in a microelectronics-based system can be characterized as the level of confidence that a system is free of subversive alterations made during system development, or that the development process of a system has not been manipulated by a malicious adversary. Trust in systems has become an increasing concern over the past decade. This article presents a novel game-theoretic framework, called GPLADD (Graph-based Probabilistic Learning Attacker and Dynamic Defender), for analyzing and quantifying system trustworthiness at the end of the development process, through the analysis of risk of development-time system manipulation. GPLADD represents attacks and attacker-defender contests over time. It treats time as an explicit constraint and allows incorporating the informational asymmetries between the attacker and defender into analysis. GPLADD includes an explicit representation of attack steps via multi-step attack graphs, attacker and defender strategies, and player actions at different times. GPLADD allows quantifying the attack success probability over time and the attacker and defender costs based on their capabilities and strategies. This ability to quantify different attacks provides an input for evaluation of trust in the development process. We demonstrate GPLADD on an example attack and its variants. We develop a method for representing success probability for arbitrary attacks and derive an explicit analytic characterization of success probability for a specific attack. We present a numeric Monte Carlo study of a small set of attacks, quantify attack success probabilities, attacker and defender costs, and illustrate the options the defender has for limiting the attack success and improving trust in the development process.
This project evaluates the effectiveness of moving target defense (MTD) techniques using a new game we have designed, called PLADD, inspired by the game FlipIt [28]. PLADD extends FlipIt by incorporating what we believe are key MTD concepts. We have analyzed PLADD and proven the existence of a defender strategy that pushes a rational attacker out of the game, demonstrated how limited the strategies available to an attacker are in PLADD, and derived analytic expressions for the expected utility of the game’s players in multiple game variants. We have created an algorithm for finding a defender’s optimal PLADD strategy. We show that in the special case of achieving deterrence in PLADD, MTD is not always cost effective and that its optimal deployment may shift abruptly from not using MTD at all to using it as aggressively as possible. We believe our effort provides basic, fundamental insights into the use of MTD, but conclude that a truly practical analysis requires model selection and calibration based on real scenarios and empirical data. We propose several avenues for further inquiry, including (1) agents with adaptive capabilities more reflective of real world adversaries, (2) the presence of multiple, heterogeneous adversaries, (3) computational game theory-based approaches such as coevolution to allow scaling to the real world beyond the limitations of analytical analysis and classical game theory, (4) mapping the game to real-world scenarios, (5) taking player risk into account when designing a strategy (in addition to expected payoff), (6) improving our understanding of the dynamic nature of MTD-inspired games by using a martingale representation, defensive forecasting, and techniques from signal processing, and (7) using adversarial games to develop inherently resilient cyber systems.
FlipIt is a game theoretic framework published in 2012[1] to investigate optimal strategies for managing security resources in response to Advanced Persistent Threats. It is a two-player game wherein a resource is controlled by exactly one player at any time. A player may move at any time to capture the resource, incurring a move cost, and is informed of the last time their opponent has moved only upon completing their move. Thus, moves may be wasted and takeover is considered "stealthy" with regard to the other player. The game is played for an unlimited period of time, and the goal of each player is to maximize the amount of time they are in control of the resource minus their total move cost, normalized by the current length of play. Marten Van Dijk and others[1] provided an analysis of various player strategies and proved optimal results for certain subclasses of players. We extend their work by providing a reformulation of the original game, wherein the optimal player strategies can be solved exactly, rather than only for certain subclasses. We call this reformulation Dominion, and place it within a broader framework of stealthy move games. We define Dominion to occur over a finite time scale (from 0 to 1), and give each player a certain number of moves to make within the time frame. Their expected score in this new scenario is the expected amount of time they have control, and the point of the game is to dominate as much of the unit interval as possible. We show how Dominion can be treated as a two-player, simultaneous, constant-sum, unit-square game, where the gradients of the benefit curves for the players are linear and possibly discontinuous. We derive Nash equilibria for a basic version of Dominion, and then further explore the roles of information asymmetry in its variants. We extend these results to FlipIt and other cyber security applications.
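The FlipIt payoff described above (time in control minus total move cost, normalized by the length of play), as an added example that is not code from the FlipIt or Dominion authors: a referee that scores a finished play from both players' move times and counts the wasted moves that stealthy takeover produces. The function names, the sample move times and costs, and the rule that simultaneous moves leave control unchanged are assumptions made for this illustration.

```python
from collections import defaultdict

def flipit_score(moves, costs, horizon, initial_owner):
    """Referee view of one play: per-player control time, wasted moves, benefit."""
    movers_at = defaultdict(set)
    for player, times in moves.items():
        for t in times:
            if 0 <= t <= horizon:
                movers_at[t].add(player)

    stats = {p: {"control": 0.0, "moves": 0, "wasted": 0} for p in moves}
    owner, last = initial_owner, 0.0
    for t in sorted(movers_at):
        stats[owner]["control"] += t - last   # credit the interval to its holder
        last = t
        movers = movers_at[t]
        for p in movers:
            stats[p]["moves"] += 1            # every move is paid for
        challengers = movers - {owner}
        if len(movers) == 1 and challengers:
            owner = next(iter(challengers))   # takeover
        else:
            # Move by the current holder, or (assumption) a simultaneous move:
            # control does not change, so the move cost bought nothing.
            for p in movers:
                stats[p]["wasted"] += 1
    stats[owner]["control"] += horizon - last

    for p, s in stats.items():
        s["benefit"] = (s["control"] - costs[p] * s["moves"]) / horizon
    return stats

def sample_play():
    # Constructed sample: defender moves every 2 time units, attacker irregularly.
    moves = {"defender": [2, 4, 6, 8], "attacker": [1, 5, 5.5, 9]}
    costs = {"defender": 0.5, "attacker": 0.3}
    return flipit_score(moves, costs, horizon=10, initial_owner="defender")

if __name__ == "__main__":
    for player, s in sample_play().items():
        print(player, s)
```

With `horizon=1` and zero move costs, `benefit` reduces to time in control, the quantity the Dominion reformulation scores.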
Loki-Infect 3 is a desktop application intended for use by community-level decision makers. It allows rapid construction of small-scale studies of emerging or hypothetical infectious diseases in their communities and evaluation of the potential effectiveness of various containment strategies. It was designed with an emphasis on modularity, portability, and ease of use. Our goal is to make this program freely available to community workers across the world.