A Bayesian Multi-armed Bandit Approach for Identifying Human Vulnerabilities
Erik Miehling, Baicen Xiao, Radha Poovendran, and Tamer Başar
October 31, 2018
GameSec 2018, Seattle, WA
2
Social Engineering Attacks
- Social engineering attacks involve the persuasion of a user into unknowingly aiding the attacker, whether through divulging sensitive information or opening a backdoor to the system.
- Humans are often the most vulnerable component of the system
“Only amateurs attack machines; professionals target people” — Bruce Schneier
- Many of the largest cyber breaches in recent history have started with an attack on the user:
  - Ukrainian power grid hack of 2015 — backdoor opened via phishing emails containing a malicious Word document (~250K people without power)
  - Target breach of 2013 — theft of credentials via phishing emails from one of its contractor companies (cc numbers of 40M customers; cost to Target: $148M)
3
Related Work — Social Engineering Attacks
- Dodge et al.¹ — proposed an empirical testing strategy for evaluating “a user’s propensity to respond to email phishing attacks in an unannounced test”
- Cialdini² — studied how the principles of persuasion influence one’s behavior
- Kumaraguru et al.³ — identified key challenges in educating users about social engineering attacks; developed training system
- Crossler et al.⁴ — provided insight into important problems in security from a behavioral information security perspective
¹ Dodge et al. 2007 - Phishing for user security awareness
² Cialdini 2009 - Influence: Science and practice
³ Kumaraguru et al. 2010 - Teaching Johnny not to fall for phish
⁴ Crossler et al. 2013 - Future directions for behavioral information security research
4
General Approach
- We propose a formal testing strategy, based on the theory of multi-armed bandits, for identifying users in an organization who are most likely to fall victim to social engineering attacks
- The strategy involves sending fake malicious messages to users in a sequence of unannounced tests
- Based on their responses, the system administrator constructs estimates that guide future user queries with the end goal of identifying the high-risk users
- Note: we are only concerned with identifying the users efficiently; we do not address the problem of how this information can be used to secure the system
5
Multi-armed Bandits¹
- Models the conflicting objectives of exploration and exploitation
- Reward distributions are unknown; the decision maker wants to pull arms in order to maximize the cumulative reward
- Pure exploration²: only concerned with ensuring that some terminal estimate is as accurate as possible (e.g. accurately identifying the top arm given a finite budget of pulls)
¹ Robbins 1952 - Some aspects of the sequential design of experiments
² Bubeck 2009 - Pure exploration in multi-armed bandit problems
6
The Testing Environment
[Figure: block diagram with labels: system administrator, testing strategy, response model, users, query, responses, feedback]
7
The Response Model
- We model the diversity in responses by considering a set of message types (attack features; different attack classes: email, voice, etc.)
- Each user responds to each test message according to a Bernoulli distribution with an unknown mean
users; message types
- We assume a beta prior for the unknown means
non-response counts; posterior; response counts; prior; Bernoulli trials
- A testing strategy is a collection of functions
maps estimates to query set; maps estimates to identification set
exactly b users queried per trial; no user should be queried more than once per trial
8
The Testing Strategy
- The system administrator is constrained in its query selection
- Given n testing trials, the system administrator aims to identify the high-risk users, that
is, for every
9
The Testing Strategy
Lemma: where and is the normalized incomplete beta function.
- The high-risk users can be recovered from the optimal identification set via
- We wish to find the identification set that maximizes the following
10
An Optimal Testing Strategy — MDP
query set
- The system administrator’s objective is
identification set
- Dynamics of the MDP are dictated by the responses received from the users
- Define state as , where
: counts of responses : counts of non-responses
state update functions; transition probability
where
11
An Optimal Testing Strategy — MDP
- Issue: Must compute for every possible combination of user responses; leads to an
intractable problem
12
A Heuristic Testing Strategy
- We propose a heuristic algorithm based on the top-two Thompson sampling algorithm of Russo¹
¹ Russo 2016 - Simple Bayesian algorithms for best arm identification
function EstimateThresholdSet(Q, P, α_0, β_0, n, τ)
    f_0(θ_{mk}) = Beta(α_{mk,0}, β_{mk,0}), (m, k) ∈ P
    for t = 0, ..., n − 1 do
        P ← SampleSecondarySet(f_t, P, τ)
        Q ∈ O(Q, P)
        x_{mk,t} ∼ f_t(θ_{mk}), (m, k) ∈ Q
        α_{mk,t+1} ← α_{mk,t} + 1_Q(m, k) x_{mk,t}, (m, k) ∈ P
        β_{mk,t+1} ← β_{mk,t} + 1_Q(m, k) (1 − x_{mk,t}), (m, k) ∈ P
        f_{t+1}(θ_{mk}) ← Beta(α_{mk,t+1}, β_{mk,t+1})
    end for
    ϑ_{mk} ∼ f_n(θ_{mk})
    return argmax_{P ⊆ P} J(ϑ, P; τ)
end function

function SampleSecondarySet(f, P, τ)
    P_τ ← SampleSet(f, P, τ)
    P'_τ ← P_τ
    while P_τ △ P'_τ = ∅ do
        P'_τ ← SampleSet(f, P, τ)
    end while
    return P_τ △ P'_τ
end function

function SampleSet(f, P, τ)
    for (m, k) ∈ P do
        ϑ_{mk} ∼ f(θ_{mk})
    end for
    return argmax_{P ⊆ P} J(ϑ, P; τ)
end function
13
A Heuristic Testing Strategy
[Figure: flow diagram with labels: posteriors at testing trial t, Sample posteriors, Compare with threshold, Resample, Query users]
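The heuristic above as a runnable Python simulation (an added example, not the authors' code). It assumes a Beta(1, 1) prior, takes the identification set to be the pairs whose value is at least τ, reads the first table on the Experiments slide as the simulated Bernoulli means, uses hypothetical helper names, and makes the final decision on posterior means instead of a last posterior draw.

```python
import random

# Simulated response probabilities: rows = message types, columns = users.
# Values come from the first table on the Experiments slide; treating them
# as the users' Bernoulli means is an assumption of this example.
THETA = [[0.107, 0.227, 0.268, 0.196],
         [0.459, 0.439, 0.158, 0.145]]

def sample_set(alpha, beta, tau, rng):
    """One posterior draw per (message type, user) pair; keep draws >= tau."""
    return {p for p in sorted(alpha) if rng.betavariate(alpha[p], beta[p]) >= tau}

def sample_secondary_set(alpha, beta, tau, rng, max_tries=20):
    """Resample until two draws disagree; return the pairs they disagree on."""
    first = sample_set(alpha, beta, tau, rng)
    for _ in range(max_tries):
        disputed = first ^ sample_set(alpha, beta, tau, rng)
        if disputed:
            return disputed
    return set()  # posteriors have concentrated; nothing left in dispute

def choose_query(disputed, pairs, b, rng):
    """Pick b pairs, at most one per user, preferring disputed pairs."""
    first, rest = sorted(disputed), sorted(pairs - disputed)
    rng.shuffle(first)
    rng.shuffle(rest)
    query, used = [], set()
    for m, k in first + rest:
        if k not in used and len(query) < b:
            query.append((m, k))
            used.add(k)
    return query

def estimate_threshold_set(theta, n, b, tau, seed=0):
    """Run n simulated trials; return pairs whose posterior mean is >= tau."""
    rng = random.Random(seed)
    pairs = {(m, k) for m in range(len(theta)) for k in range(len(theta[0]))}
    alpha = dict.fromkeys(pairs, 1.0)  # Beta(1, 1) prior (assumed)
    beta = dict.fromkeys(pairs, 1.0)
    for _ in range(n):
        disputed = sample_secondary_set(alpha, beta, tau, rng)
        for m, k in choose_query(disputed, pairs, b, rng):
            x = 1 if rng.random() < theta[m][k] else 0  # simulated response
            alpha[(m, k)] += x
            beta[(m, k)] += 1 - x
    # Decide on posterior means (a simplification of the final posterior draw).
    return {p for p in pairs if alpha[p] / (alpha[p] + beta[p]) >= tau}

if __name__ == "__main__":
    print(sorted(estimate_threshold_set(THETA, n=2000, b=2, tau=0.35)))
```

Pairs are indexed (message type, user) from zero, so with τ = 0.35 the two pairs above the threshold are users 1 and 2 under message type 2.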
14
Experiments
underestimation error
overestimation error
15
Experiments
[Figure: two plots, panels titled "Experiment 1" and "Experiment 2"]

users:            1      2      3      4
message type 1:   0.107  0.227  0.268  0.196
message type 2:   0.459  0.439  0.158  0.145

users:            1      2      3      4
message type 1:   0.139  0.224  0.236  0.319
message type 2:   0.330  0.298  0.230  0.222
16
Experiments
- The performance gain over uniform sampling increases as the problem dimension grows
[Figure: two plots, panels titled "Experiment 3" and "Experiment 4"]
17
In Summary
- Social engineering attacks underpin many of the most damaging modern-day security breaches
- As robustness to attacks on the system increases, humans will increasingly become a target → the human element to security deserves more research attention
- We’ve proposed an initial model for formally describing how to identify vulnerable users
18
Future Directions
- Performance guarantee for the approximate testing strategy (e.g. bound on probability of error)
- Closed-form solution of MDP by leveraging properties¹ of the incomplete beta function
- Model modifications:
  - Feature extraction for social engineering attacks (perhaps user dependent?)
  - Query response delay
  - Response correlation (across message types; across users)
  - Contextual effects (user location, browsing behavior, etc.)
- Construction of a database of social engineering attacks
- Deployment of testing strategy in a real test environment
¹ Karp 2016 - Normalized incomplete beta function: Log-concavity in parameters and other properties
Thank you!