Cyber Security

Published by: dj gangster on Jun 04, 2009
Copyright:Attribution Non-commercial


 
Cybersecurity Strategies: The QuERIES Methodology

Lawrence Carin
Duke University
George Cybenko
Dartmouth College
Jeff Hughes
Air Force Research Laboratory

Computing Practices. Computer, August 2008. Published by the IEEE Computer Society. 0018-9162/08/$25.00 © 2008 IEEE

QuERIES offers a novel multidisciplinary approach to quantifying risk associated with security technologies resulting in investment-efficient cybersecurity strategies.

Organizations in both the private and public sectors have struggled to determine the appropriate investments to make for protecting their critical intellectual property. As a result, they have typically implemented cybersecurity investment strategies without useful guidance from a rigorous, quantitative risk-assessment and -mitigation methodology. Simple questions such as how much to invest, which security measures will have the most impact, and gauging the level of improvement in security currently prove difficult to answer. [1]

Designed to answer these questions, Quantitative Evaluation of Risk for Investment Efficient Strategies (QuERIES) offers a novel computational approach to quantitative cybersecurity risk assessment. We based this approach on rigorous quantitative techniques drawn from computer science, game theory, control theory, and economics. Preliminary experiments have corroborated the QuERIES methodology, suggesting that it provides a broadly applicable alternative to red teaming (which involves attackers who have little or no knowledge of a system’s internal protection), black-hat analysis (which involves attackers who have access to design details of the internal protection), and other decision-support methodologies previously tried in cybersecurity-related risk assessment.

To date, QuERIES has focused on the problem of protecting critical US Department of Defense (DoD) intellectual property, in which the loss of one IP copy is catastrophic, as opposed to consumer IP, in which the loss of multiple copies can be tolerated if sufficient revenue can be maintained. Weapons systems designs, chip designs, complex computer software, and databases containing personal and financial information are examples of the former. Digital music, video, consumer-grade software, and electronic books are examples of the latter. Cybersecurity experts can apply QuERIES to other attack or protect scenarios by appropriately changing the underlying economic model.
How It Works

To illustrate the QuERIES methodology and how developers can apply it in a given software protection context, consider the challenge of assessing the strength of protections applied to a particular software asset. The protections are meant to prevent reverse-engineering attacks in which an adversary seeks to obtain critical IP from the software. The QuERIES methodology in this case involves the following elements.

Model the security strategy

This element develops an attack/protect economic model cast in game-theoretic terms. Parameters in this model represent objective quantities such as the economic value of the IP (the protected software asset) to the IP owner; what it would cost an adversary to develop the IP; and the cost of obtaining the IP through other possible means. Another critical ingredient of the model is the protection map (a detailed security plan) of the specific protections applied to the IP asset.

Model the attacks

This element uses the protection map and knowledge of reverse-engineering methodologies to build an attack graph represented as a Partially Observable Markov Decision Process (POMDP). [2]
Qai bh mes
This element quantifies parameters used in both mod-els by performing a controlled red-team attack againstthe protected IP, then using another red- or black-hatteam to conduct an information market
3
for estimat-ing the POMDP’s parameters. It then computes thePOMDP’s optimal policies and uses those policies in theattack/protect economic model. Once the system hasevaluated both models, synthesizing multiple derivedquantities relevant to risk assessment becomes possible.For example, given a class of adversaries, the left plotin Figure 1 shows one such derived quantity, namely theprobability distribution of the time in man-hours requiredto successfully reverse-engineer protected software. Wecall this distribution the Probability of Reverse Engineer-ing or
P
R
. This distribution assumes that the attacker doesnot have an a priori model of the protection scheme. Theattacker therefore learns the protection scheme throughtrial and error. The probability distribution is a samplingof multiple independent attacks under this assumption.The right plot in Figure 1 shows the results of two dif-ferent analyses an attacker could use to decide when tostop an attack, namely open- and closed-loop decisionalgorithms. The results of different analyses can be quitedifferent. Using the closed-loop decision algorithm, if theattacker has not succeeded after about 151 hours, the opti-mal decision is to stop the attack because it has reachedthe tail of the distribution. The probability of defeatingthe protections using that strategy is about 0.25, and themaximum cost (defined as the expected cost of a success-ful attack before time
< 151 plus the expected cost of failure at time
= 151) is about $7,895 compared with theassumed $30,000 initial value of the IP in this example.The right plot also shows the difference between theexpected costs and expected benefits (expected IP valueover time) of conducting an attack up to the specifiedtime plotted on the horizontal axis. This is an “openloop’’ analysis in that it does not factor in the attacker’sstopping the attack even after passing the “fat’’ part of the probability distribution and thereby working witha diminished likelihood of returns. That analysis sug-gests that the attack’s cost exceeds its benefits after 1,300hours. In this example, we model cost by a constant $60per man-hour of effort.The probability distribution
P
R
that QuERIES obtainscan be the basis for different kinds of analyses. Because
40020006008001,0001,2001,4001,600Benefit minus cost for open-loop decisionBenefit minus cost for closed-loop decisionTime (man hours)05,00010,000–5,000
    C   o   s   t  -    b   e   n   e   f    i   t   t   r   a    d   e   o   f   f   o   f   a   t   t   a   c    k    i   n   g   u   n   t    i    l   t    i   m   e
             t
40020006008001,0001,2001,4001,600Time (man hours)0.0060.0040.0020.0080.0100.0120.0140.0160.0180
    P   r   o    b   a    b    i    l    i   t   y   o   f   s   u   c   c   e   s   s
151 hours1,300 hoursThe optimal time to stop if theattack has not yet succeededusing an “open loop”decision strategy.The optimal time to stop if theattack has not yet succeededusing a “closed loop”decision strategy.
Probability Distribution for the Time of a Successful AttackComparison of Expected Benefit-Cost Values at Time
Figure 1. These plots show (left) the probability distribution for the time to achieve a successful attack and (right) the associated cost-benefit analysis.
 
22
Computer
QuERIES is agnostic about how a decision makeractually uses
P
R
, we introduced the above derivativeanalyses solely to illustrate the fundamental role thatit plays.We believe that a major innovation of QuERIES isa methodology for estimating the fundamental distri-bution
P
R
. Traditional approaches for evaluating thestrength of cybersecurity technologies have not beenable to effectively produce the probability distributionof the time to defeat a protection.
4
For example, formalmethods—logical analyses of a design—can only verifythat a design has certain desirable properties; they aresilent on an actual implementation’s properties and itsdeployment in a complex operational environment. Red-team attacks as traditionally conducted result in a verysparse sampling of the distribution
P
R
, often producingonly a single costly sample—namely that the attack tookso much time, so many resources, and used a certainapproach. Black-hat analyses typically suggest multiplepossible attack paths and the associated tools required,with gross estimates of attack times and costs.
5
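The open- and closed-loop stopping analyses described for Figure 1 can be rerun against any estimate of $P_R$. The Python below is an added example, not code from the article or from QuERIES: the lognormal distribution is constructed, the function names are hypothetical, and the closed-loop rule (backward induction on the value of continuing) is an assumed formulation, since the article does not spell out its algorithm. Only the $30,000 IP value and the $60 per man-hour cost come from the article.

```python
import math

VALUE = 30_000.0  # IP value assumed in the article's example ($)
RATE = 60.0       # attacker cost per man-hour in the article's example ($)


def constructed_pr(hours=1600, mu=4.8, sigma=0.7, p_total=0.7):
    """Constructed stand-in for P_R: pmf[t-1] = P(success during hour t).
    Lognormal shape; p_total < 1 leaves mass for attacks that never succeed."""
    w = [math.exp(-(math.log(t) - mu) ** 2 / (2 * sigma ** 2)) / t
         for t in range(1, hours + 1)]
    total = sum(w)
    return [p_total * x / total for x in w]


def net_curve(pmf, value=VALUE, rate=RATE):
    """net[T] = expected benefit minus expected cost of attacking until hour T.
    Cost = cost of attacks that succeed by T + cost of giving up at T."""
    net, p_succ, cost_succ = [0.0], 0.0, 0.0
    for t, p in enumerate(pmf, start=1):
        p_succ += p
        cost_succ += rate * t * p
        net.append(value * p_succ - cost_succ - rate * t * (1.0 - p_succ))
    return net


def open_loop_stop(pmf, value=VALUE, rate=RATE):
    """Last hour at which cumulative expected benefit still exceeds cost."""
    net = net_curve(pmf, value, rate)
    return max((t for t, v in enumerate(net) if v > 0), default=0)


def closed_loop_stop(pmf, value=VALUE, rate=RATE):
    """Hour at which an attacker who has not yet succeeded should quit.
    Assumed rule: backward induction on the value of continuing (sunk cost ignored)."""
    survive = 1.0 - sum(pmf)             # P(no success within the horizon)
    cont = [0.0] * (len(pmf) + 1)        # cont[t]: value of working on after hour t
    for t in range(len(pmf) - 1, -1, -1):
        survive += pmf[t]                # now P(no success in the first t hours)
        hazard = pmf[t] / survive if survive > 0 else 0.0
        cont[t] = max(0.0, -rate + hazard * value + (1 - hazard) * cont[t + 1])
    return next(t for t, v in enumerate(cont) if v == 0.0)


if __name__ == "__main__":
    pr = constructed_pr()
    c, o = closed_loop_stop(pr), open_loop_stop(pr)
    print(f"closed-loop stop: {c} h, P(success by then) = {sum(pr[:c]):.2f}")
    print(f"open-loop break-even: {o} h, net at closed-loop stop = ${net_curve(pr)[c]:,.0f}")
```

For a protector, the closed-loop stopping hour and the success probability accumulated by then indicate how much of the distribution's mass a protection must push further out before a rational attacker gives up.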
QuERIES Methodology

QuERIES methodology users must first identify their critical IP assets and the threats against them through analysis of their various missions and strategic plans. We use a relatively objective measure of such an asset’s value—the cost to develop it. Those costs usually can be estimated reliably using programmatic information, although in many cases the development of advanced systems leverages a broad technology base that might already have been expensed elsewhere. Our notation for the owner’s cost of developing the IP is $C_{IP}$.

By definition, an adversary values critical IP at $C_{IP}$ as well, but the development cost to an adversary, denoted by $C_D$, could be smaller if generally available enabling technology has made it more economical to develop today as opposed to in the past.

Hence the first step of the QuERIES method identifies the following:

$C_{IP}$: the value of the IP to the asset owner and adversary;
$C_P$: the cost of protecting the IP, per unit, together with a possible amortization of the protection technology’s cost over the number of units to be protected;
$C_D$: the cost to the adversary of developing the IP from inception;
$P_S$: the probability of stealing the unprotected IP, based, for example, on historical data for similar IP; and
$C_S$: the cost of stealing the unprotected IP, based on historical data for similar IP.

The developer could estimate these quantities for different adversaries who have different technology bases from which to recreate the IP and different capabilities for stealing the unprotected IP.
Csrci he Aac/Prececmic me
The QuERIES attack/protect economic model is agame with two players: the protector and the attacker.Game theory is a mature discipline originally developedto support strategic decision making, but now widelyused for business and economic applications as well.
6
As Figure 2 shows, the two basic game moves avail-able to the protector are protect or do not protect criticalIP. Different protection technologies are possible for agiven IP, so in practice the protector has several possiblemoves, one for each protection type considered. In thisexample, we model three possible attacker moves: NoAction, Develops IP, and Steals IP.By the definition of critical IP, the adversary will tryto either develop or steal the IP. For each combinationof moves by the protector and attacker, we write downan expression for the resulting loss or gain in the corre-sponding game table cell. When an adversary attemptsto steal or reverse-engineer critical IP, the probability of success is
P
S
and
P
R
, respectively.
game accs aasis
The QuERIES game analysis accounts for several player objectives. The IP asset owner wants to maximize

Figure 2. In this example, the QuERIES economic model is based on a simple game-theoretic formulation. In the game, the IP owner can protect or not protect and the adversary can develop the IP ab initio or attempt to steal or reverse-engineer it. Although the case in which the adversary chooses to do nothing is listed, the definition of critical IP is that the adversary will try to obtain the IP.

[Figure 2 game table: columns "No IP protection" and "IP protection" for You (Y); rows "Adversary takes no action", "Adversary develops IP", and "Adversary steals IP" with a stated probability and cost, the last split into Failure, Success, and Expected outcomes. Each cell lists a payoff for You (Y) and for the Adversary (A); the Adversary's payoff for taking no action is 0 in both columns.]
