A Bayesian Multi-armed Bandit Approa ci for Identifying Human - PowerPoint PPT Presentation

A Bayesian Multi-armed Bandit Approa ci for Identifying Human Vulnerabilities Erik Miehling, Baicen Xiao, Radha Poovendran, and Tamer Ba ş ar October 31, 2018 GameSec 2018 — Sea tu le, WA

Social Engineering Atta cl s Social engineering a tu acks involve the persuasion of a user into unknowingly aiding the • a tu acker, whether through divulging sensitive information or opening a backdoor to the system. Many of the largest cyber breaches in recent history have started with an a tu ack on the • user: Target brea ci of 2013 — the fu of credentials via phishing emails from one of its • contractor companies (cc numbers of 40M customers; cost to Target: $148M) Ukrainian power grid ha cl of 2015 — backdoor opened via phishing emails • containing a malicious Word document (~250K people without power) Humans are o fu en the most vulnerable • “Only amateurs atta cl ma ci ines; professionals target people” component of the system — Bruce Schneier � 2

Related Work — Social Engineering Atta cl s Dodge et al. 1 — proposed an empirical testing strategy for evaluating “a user’s propensity • to respond to email phishing a tu acks in an unannounced test” Cialdini 2 — studied how the principles of persuasion in fl uence one’s behavior • Kumaraguru et al. 3 — identi fi ed key challenges in educating users about social • engineering a tu acks; developed training system Crossler et al. 4 — provides insight into important problems in security from a behavioral • information security perspective 1 Dodge et al. 2007 - Phishing for user security awareness 2 Cialdini 2009 - In fl uence: Science and practice 3 Kumaraguru et al. 2010 - Tea ci ing Johnny not to fall for fi sh 4 Crossler et al. 2013 - Future directions for behavioral information security resear ci � 3

General Approa ci We propose a formal testing strategy, based on the theory of multi-armed bandits , for • identifying users in an organization who are most likely to respond to fall victim to social engineering a tu acks Ti e strategy involves sending fake malicious messages to users in a sequence of • unannounced tests Based on their responses, the system administrator constructs estimates that guide future • user queries with the end goal of identifying the high-risk users Note : we are only concerned with identifying the users e ffi ciently, we do not address the • problem of how this information can be used to secure the system � 4

Multi-armed Bandits 1 Models the con fl icting objectives of exploration and exploitation • Reward distributions are unknown; the decision maker wants to pull arms in order to • maximize the cumulative reward Pure exploration 2 : only concerned with ensuring that some terminal estimate is as • accurate as possible ( e.g. accurately identifying the top arm given a fi nite budget of pulls) 1 Robbins 1952 - Some aspects of the sequential design of experiments 2 Bubeck 2009 - Pure exploration in multi-armed bandit problems � 5

Ti e Testing Environment system administrator query feedback testing strategy users response model responses 1 0 � 6

Ti e Response Model We model the diversity in responses by considering a set of message types • (a tu ack features; di ff erent a tu ack classes: email, voice, etc. ) users Each user responds to • each test message according to a message types Bernoulli distribution with an unknown mean We assume a beta prior for the unknown means • Bernoulli response non-response prior posterior trials counts counts � 7

Ti e Testing Strategy A testing strategy is a collection of functions • maps es7mates to query set maps es7mates to iden7fica7on set Ti e system administrator is constrained in its query selection • no user should be queried more than once per trial exactly b users queried per trial Given n testing trials , the system administrator aims to identify the high-risk users, that • is, for every � 8

Ti e Testing Strategy We wish to fi nd the identi fi cation set that maximizes the following • Ti e high-risk users can be recovered from the optimal identi fi cation set via • Lemma: where and is the normalized incomplete beta function. � 9

An Optimal Testing Strategy — MDP Ti e system administrator’s objective is • De fi ne state as , where • : counts of responses : counts of non-responses Dynamics of the MDP are dictated by the responses received from the users • iden7fica7on set query set � 10

An Optimal Testing Strategy — MDP transi7on probability state update func7ons where Issue: Must compute for every possible combination of user responses; leads to an • intractable problem � 11

A Heuristic Testing Strategy We propose a heuristic algorithm based on the top-two Ti ompson sampling algorithm of • Russo 1 function S ample S econdary S et ( f , P , τ ) function S ample S et ( f , P , τ ) function E stimate T hreshold S et ( Q , P , α 0 , β 0 , n , τ ) P τ S ample S et ( f , P , τ ) f 0 ( θ mk ) = Beta( α mk , 0 , β mk , 0 ), ( m , k ) 2 P for ( m , k ) 2 P do P 0 for t = 0 , . . . , n � 1 do τ P τ ϑ mk ⇠ f ( θ mk ) while P τ 4 P 0 P S ample S econdary S et ( f t , P , τ ) τ = ∅ do end for P 0 τ S ample S et ( f , P , τ ) Q 2 O ( Q , P ) return argmax J ( ϑ , P ; τ ) P ✓ P end while x mk , t ⇠ f t ( θ mk ), ( m , k ) 2 Q end function � ( m , k ) � x mk , t , ( m , k ) 2 P return P τ 4 P 0 α mk , t + 1 α mk , t + Q τ � ( m , k ) � (1 � x mk , t ), ( m , k ) 2 P β mk , t + 1 β mk , t + end function Q f t + 1 ( θ mk ) Beta( α mk , t + 1 , β mk , t + 1 ) end for ϑ mk ⇠ f n ( θ mk ) return argmax J ( ϑ , P ; τ ) P ✓ P end function 1 Russo 2016 - Simple Bayesian algorithms for best arm identi fi cation � 12

A Heuristic Testing Strategy Compare with threshold posteriors at tes7ng trial t Sample posteriors Resample Qv ery users � 13

Experiments … … … � 14

Experiments underes7ma7on error overes7ma7on error Experiment 1 Experiment 2 1 1 users users 0.8 0.8 message type message type 0.107 0.227 0.268 0.196 0.139 0.224 0.236 0.319 1 1 0.6 0.6 0.4 0.4 0.459 0.439 0.158 0.145 2 0.330 0.298 0.230 0.222 2 0.2 0.2 1 2 3 4 1 2 3 4 0 0 100 200 300 400 500 600 100 200 300 400 500 600 � 15

Experiments Ti e performance gain over uniform sampling increases as the problem dimension grows • Experiment 3 Experiment 4 1 1 0.8 0.8 0.6 0.6 0.4 0.4 0.2 0.2 0 0 100 200 300 400 500 600 400 600 800 1000 � 16

In Summary Social engineering a tu acks underpin many of the most damaging modern-day security • breaches As robustness to a tu acks on the system increases, humans will increasingly become a • target → the human element to security deserves more research a tu ention We’ve proposed an initial model for formally describing how to identify vulnerable users • � 17

Future Directions Performance guarantee for the approximate testing strategy ( e.g. bound on probability of • error) Closed-form solution of MDP by leveraging properties 1 of the incomplete beta function • Model modi fi cations: • Feature extraction for social engineering a tu acks (perhaps user dependent?) • Qv ery response delay • Response correlation (across message types; across users) • Contextual e ff ects (user location, browsing behavior, etc. ) • Construction of a database of social engineering a tu acks • Deployment of testing strategy in a real test environment • Ti ank you! 1 Karp 2016 - Normalized incomplete beta function: Log-concavity in parameters and other properties � 18