
Modeling trade-offs between false positives and negatives

Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

October 2, 2012

Outline

1. Homework 1
   • Summary statistics
   • Logistical notes
   • Feedback on particular questions
2. Optimal filter configuration
   • ROC curves
   • An economic model of optimal filter configuration

Summary statistics on grades for HW1

[Figure: distribution of grades A, B, C, D; axis label: Grade with 4pt curve]

Mean: 81%
Median: 77.5%

Summary statistics on time required

[Figure: hours spent on assignment vs. Score (curved)]

• Time spent on the assignment not correlated with grade
• Time spent
  • Mean: 9.3 hours
  • Median: 6.5 hours
• Take as much time as you need
• My goal for most assignments: 5-7 hour median

Remember to put your name on the assignment

• Please put your name on the assignment
• Future assignments: on-campus students turn in to Debra McDowell; off-campus submit scanned PDF as before
• I observed a correlation between students submitting their assignment as a Word file and forgetting to put their name on the assignment

          No name   Name
  Word    4         3
  PDF     1         10

Brevity matters

• Writing with brevity is an important skill
  ⇒ Blaise Pascal (1657): “I have made this letter longer than usual because I lack the time to make it shorter.”
• When questions specify the length of answers, it is important to respect the guidelines
  • 3 paragraphs does not mean 3 pages
  • 1 example means 1 example
• It can be OK if you go slightly longer than guided, provided that you make a worthwhile point as concisely as possible
• I am not interested in a brain dump of all relevant facts on the question’s topic
• Including extraneous facts can get you into trouble, particularly if you make a mistake in the extra information

Questions about the assignment

• Come see me if you’re still unsure about how to solve a problem
• Questions about your grade?
  • If you think I made a mistake (e.g., your answer is correct according to the answer key), please let me know
  • If you think I took off too many points, please do not let me know
  • I don’t negotiate grades out of fairness to all students

Collaboration and attribution

Recall from the syllabus:

I encourage collaboration between students on assignments and when studying. Collaboration is an essential skill for engineering, not to mention life in general. Unless I say otherwise, feel free to discuss assignments and the project with your classmates, including ideas for how to solve problems. Please do not, however, share code, equations, or written answers that solve an assignment directly with other students. Solutions to homeworks should be written from scratch and must not be pieced together from other students. It is also important to give credit to others when appropriate. If you implement an idea that you got from another student (or students), please say so. Furthermore, if you consult a web resource that directly assists you, please say so. As a reminder, it is also not acceptable to copy code or equations directly from a web resource that solves a problem on an assignment.

Collaboration and attribution

• It is OK to discuss problems from the assignment with other students
• It is not OK to share your solutions with other students
• If you discuss problems at length with other students (especially if you discuss any ideas for how to solve problems), make a note of it on your assignment for each question that you collaborated on

Question score distribution

[Figure: mean and median % correct (0 to 100) for questions Q1 to Q7]

Q4

(15 points) Bruce Schneier maintains a security blog (http://www.schneier.com/blog/) that describes lots of interesting attacks on real-world systems. The site has archives dating to 2004 that are browsable and searchable (see right-hand side under his picture). Your task is to find a post linking to an attack on an information system (i.e., not an attack on a physical system such as terrorism). In 3 paragraphs, describe in your own words the following:

1. the threat model of the system that was attacked;
2. how the attack worked;
3. whether and how the attack bypassed the system’s threat model.

Be sure to include the URL of the relevant post.

Answer varies by response.

Threat models

All security is relative, but relative to what?

⇒ Threat models codify assumed adversary behavior

Threat models articulate assumed adversary behavior

1. Goal: disrupting defender’s protection goals, make money, wreak havoc
2. Knowledge: does the attacker know how the defense works?
3. Capabilities: Computational power available, time available to target defenders, local vs. global eavesdropping, active vs. passive

Threat models

• Sarah Palin’s email: http://www.schneier.com/blog/archives/2008/09/sarah_palins_e-.html
• Mat Honan’s cloud deletion: http://www.schneier.com/blog/archives/2008/09/sarah_palins_e-.html
• Middleperson bank fraud: http://www.schneier.com/blog/archives/2012/09/man-in-the-midd_5.html

Q7

One of the primary motivations for the failed Cybersecurity Act of 2012 was the view that many critical infrastructure operators weren’t investing enough to protect against the risk of attack. In particular, there were concerns that the industrial control systems used to manage heavy industry such as power plants and refineries are inadequately protected against attacks seeking to disrupt operations. Your task is to briefly (in approximately 300 words) present both sides of the argument. First, present any available evidence that industrial control systems are being adequately protected. Second, present an economic argument that the systems are not being protected enough. In particular, explain which market failures, if any, might explain why there has been underinvestment in security. Finally, conclude by briefly explaining which argument you find more convincing and why.

Q7

Points in favor of adequate security:

1. Very few realized attacks
2. Reputational damage of an attack would be harsh

Points against adequate security:

1. Security is difficult for consumers to observe (even if they are willing to pay for it)
2. Security as public good
3. Externalities (firm doesn’t pay the full cost)
4. Often critical infrastructures are run by natural monopolists (water supply, electricity grid, etc.)

Q5

[Figure: indifference curves #1, #2 and #3; axes: false positive rate α (0 to 1), false negative rate β (0 to 1)]

Suppose you are in charge of tuning the settings of an intrusion detection system to balance false positives and false negatives. The false negative rate is given by β ∈ (0, 1], while the false positive rate is given by α ∈ (0, 1].

Utility

Rational choice theory defines utility as a way of quantifying consumer preferences

Definition (Utility function): A utility function U maps a set of outcomes onto real-valued numbers, that is, $U : O \to \mathbb{R}$. U is defined such that $U(o_1) > U(o_2) \iff o_1 \succ o_2$.

Example utility functions

$U(o_1, o_2) = u \cdot o_1 + v \cdot o_2$

• Useful when outcomes are substitutes
• Example substitutes: processor speed and RAM

$U(o_1, o_2) = \min\{u \cdot o_1, v \cdot o_2\}$

• Useful when outcomes are complements
• Example complements: operating system and third-party software

Utility functions

• We need a utility function that takes α and β as inputs
• $U(\alpha, \beta) = \alpha + \beta$ won’t work since bigger values of α and β increase utility (e.g., $U(0.1, 0.1) = 0.1 + 0.1 = 0.2$, while $U(0.2, 0.1) = 0.2 + 0.1 = 0.3$)
• We instead need the function to increase as α and β get smaller: $U(\alpha, \beta) = \frac{1}{\alpha} + \frac{1}{\beta}$
• Try it out: $U(0.1, 0.1) = \frac{1}{.1} + \frac{1}{.1} = 20$, while $U(0.2, 0.1) = \frac{1}{.2} + \frac{1}{.1} = 15$
• Question: would this function work? $U(\alpha, \beta) = (1 - \alpha) + (1 - \beta)$

Utility functions

5(c): Suppose that while false negatives are a concern, it is more important to limit false positives than false negatives. Modify the utility function you created in part B to reflect these preferences.

• We need to value small α values higher than small β values
• Would this work? $U(\alpha, \beta) = \frac{1}{5 \cdot \alpha} + \frac{1}{\beta}$
• How about this? $U(\alpha, \beta) = 5 \cdot \frac{1}{\alpha} + \frac{1}{\beta}$

Domain-specific models

• Up to now we have modeled security investment at a very high level
• Map costs to benefits, assume diminishing marginal returns to investment, etc.
• Useful when justifying security budgets compared to non-security expenditures
• Not useful for deciding how best to allocate a given security budget
• Today, we discuss a model for a tactical security investment decision: configuring a filter to balance false positives and negatives

Binary classification is a recurring problem in CS

Common task: distill many observations to a binary signal

• S = {0, 1}: communications theory
• S = {undervalued, overvalued}: stock trading
• S = {reject, accept}: research hypothesis
• S = {benign, malicious}: security filter

Such simplification inevitably leads to errors compared to reality (aka ground truth)

Filter defense mechanism

                 Reality
  Signal         no attack   attack
  benign         1 − α       β
  malicious      α           1 − β

α: false positive rate, β: false negative rate

Receiver operating characteristic

[Figure: ROC curves (solid and dashed) with the 45° line and the line α = β; the points EER_solid and EER_dashed are marked. Axes: False positive rate α (0 to 1), Detection rate 1 − β (0 to 1).]

Model for optimal filter configuration

• Binary classifiers are imperfect
• Finding the optimal trade-off, say for an IDS or spam filter, is hard
• Can be framed as an economic trade-off between opportunity cost of false positives and losses incurred by false negatives

Model for optimal filter configuration

• We can see from ROCs that β can be expressed as a function of α.
• $\beta : [0, 1] \to [0, 1]$ defines the false negative rate as a function of the false positive rate α
• $\beta(0) = 1$, $\beta(1) = 0$
• We assume $\beta'(x) < 0$ and $\beta''(x) \geq 0$

Model for optimal filter configuration

• Suppose we rely on a filter to scan incoming email attachments for malware
  • a: cost of false positive (blocking a benign email)
  • b: cost of false negative (delivering malicious email)
  • p: probability of email containing malware
• Cost $C(\alpha) = p \cdot \beta(\alpha) \cdot b + (1 - p) \cdot \alpha \cdot a$

Model for optimal filter configuration

$$\alpha^* = \arg\min_{\alpha} \; p \cdot \beta(\alpha) \cdot b + (1 - p) \cdot \alpha \cdot a$$

which has first-order condition (FOC)

$$0 = \delta_{\alpha} \left( p \cdot \beta(\alpha^*) \cdot b + (1 - p) \cdot \alpha^* \cdot a \right)$$

after rearranging, we obtain:

$$\beta'(\alpha^*) = -\frac{1 - p}{p} \cdot \frac{a}{b}.$$

Optimal filter configuration (continuous ROC curves)

[Figure: ROC curves of two filters A and B with the 45° line and the line α = β; EER_A = EER_B and AUC_A = AUC_B. Indifference curves of slope (1−p)a / (p·b) mark the optimal operating points α*_A and α*_B. Axes: False positive rate α (0 to 1), Detection rate 1 − β (0 to 1).]
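The model above, worked through on two constructed ROC curves (an added example, not from the slides): filter B is filter A mirrored across the line α = β, so both have the same EER and AUC, yet the first-order condition gives a different optimum for each. The curve shape (1 − α)^K with K = 3 and the values p = 0.1, a = 1, b = 9 are assumptions.

```python
# Added illustration: curve shapes and cost values are constructed, not from the slides.
K = 3.0  # assumed curvature of the constructed ROC curves

def beta_A(x):  # filter A: beta(0)=1, beta(1)=0, beta'<0, beta''>=0
    return (1 - x) ** K

def beta_B(x):  # filter B: A mirrored across the line alpha = beta (inverse of beta_A)
    return 1 - x ** (1 / K)

def cost(alpha, beta, p, a, b):  # C(alpha) = p*beta(alpha)*b + (1-p)*alpha*a
    return p * beta(alpha) * b + (1 - p) * alpha * a

def slope(p, a, b):  # magnitude of the FOC right-hand side: ((1-p)/p) * (a/b)
    return (1 - p) / p * a / b

def foc_A(p, a, b):  # solve -K(1-x)^(K-1) = -slope; corner alpha*=0 when slope > K
    return max(0.0, 1 - (slope(p, a, b) / K) ** (1 / (K - 1)))

def foc_B(p, a, b):  # solve -(1/K)x^(1/K-1) = -slope; corner alpha*=1 when slope < 1/K
    return min(1.0, (slope(p, a, b) * K) ** (-K / (K - 1)))

def argmin_cost(beta, p, a, b, iters=200):
    """Ternary search on [0,1]; valid because C is convex when beta''>=0."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if cost(m1, beta, p, a, b) <= cost(m2, beta, p, a, b):
            hi = m2
        else:
            lo = m1
    return (lo + hi) / 2

def auc(beta, n=20000):  # area under the ROC curve (detection rate 1-beta), midpoint rule
    return sum(1 - beta((i + 0.5) / n) for i in range(n)) / n

def eer(beta, iters=60):  # equal error rate: bisection for alpha = beta(alpha)
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if mid < beta(mid) else (lo, mid)
    return (lo + hi) / 2

if __name__ == "__main__":
    p, a, b = 0.1, 1.0, 9.0  # constructed: 10% malicious, a miss costs 9x a false block
    for name, beta, foc in (("A", beta_A, foc_A), ("B", beta_B, foc_B)):  # AUC, EER, FOC, numeric
        print(name, auc(beta), eer(beta), foc(p, a, b), argmin_cost(beta, p, a, b))
```

With identical AUC and EER, the two filters still call for different false positive rates once the costs a, b and the base rate p are fixed, which is why neither summary metric can stand in for the cost model.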


Optimal filter configuration (discrete ROC curves)

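[Figure: discrete ROC curve with operating points C, D, E and F and the 45° line; an indifference line of slope (1−p)a / (p·b) marks the optimum α*_D. Axes: False positive rate α (0 to 1), Detection rate 1 − β (0 to 1).]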
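On a discrete ROC curve there is no derivative to set to zero, so the optimum is found by comparing the expected cost of each operating point. This added example (not from the slides) uses constructed (α, β) values for the points C to F and shows that a point lying below the ROC convex hull is never chosen, whatever the cost ratio.

```python
# Constructed operating points, label -> (alpha, beta); the slide gives no values.
POINTS = {"C": (0.02, 0.60), "D": (0.10, 0.25), "E": (0.30, 0.20), "F": (0.55, 0.05)}

def expected_cost(alpha, beta, p, a, b):
    """C = p*beta*b + (1-p)*alpha*a, evaluated at one operating point."""
    return p * beta * b + (1 - p) * alpha * a

def best_point(points, p, a, b):
    """Label of the operating point with the lowest expected cost."""
    return min(points, key=lambda k: expected_cost(*points[k], p, a, b))

def indifference_slope(p, a, b):
    """Slope of the iso-cost lines in ROC space: (1-p)a / (p*b)."""
    return (1 - p) * a / (p * b)

def segment_slope(pt1, pt2):
    """Slope of the ROC segment between two points (detection rate over alpha).
    The two points cost the same exactly when this equals the indifference slope."""
    (a1, b1), (a2, b2) = pt1, pt2
    return (b1 - b2) / (a2 - a1)

def ever_optimal(points, p, ratios):
    """Labels that win for at least one cost ratio b/a in `ratios`."""
    return {best_point(points, p, 1.0, r) for r in ratios}

if __name__ == "__main__":
    p = 0.1  # constructed base rate of malicious items
    print("b/a = 9, slope", indifference_slope(p, 1.0, 9.0), "->", best_point(POINTS, p, 1.0, 9.0))
    sweep = [10 ** (k / 10) for k in range(-20, 41)]  # b/a from 0.01 to 10000
    print("ever optimal:", sorted(ever_optimal(POINTS, p, sweep)))
    print("D beats F while slope >", round(segment_slope(POINTS["D"], POINTS["F"]), 3))
```

E has a lower false negative rate than D and a lower false positive rate than F, but it sits under the segment from D to F, so some mix of costs always favours one of its neighbours.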
