SLIDE 1
1
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
2
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory - - PowerPoint PPT Presentation
Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory - - PowerPoint PPT Presentation
Game Theoretic Modeling of Security and Interdependency in a Public Cloud Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch April 2, 2014 Collaborators: Kevin Kwiat (AFRL/RIGA) Joon S. Park (Syracuse
SLIDE 2
SLIDE 3
3
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Game Theory in the Cloud?
Source: http://www.free-pictures-photos.com/
SLIDE 4
4
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
What is Cloud Computing? NIST Five Essential Characteristics
§ On-demand self-service
Ø A consumer can provision computing capabilities as needed.
§ Broad network access
Ø Capabilities are available over the network.
§ Resource pooling
Ø The provider's computing resources are pooled to serve multiple consumers according to consumer demand.
§ Rapid elasticity
Ø Capabilities can be elastically provisioned and released to scale rapidly outward and inward commensurate with demand.
§ Measured service
Ø Resource usage can be monitored, controlled, and reported.
Peter Mell, Timothy Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication 800-145, 2011
SLIDE 5
5
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Benefit of Cloud Computing
§ Faster deployment § Infrastructure flexibility § No up-front Investment § Fine-grained billing (e.g. hourly) § Pay-as-you-go § Improved productivity
SLIDE 6
6
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Risks of Adopting Cloud Computing
§ Availability of services and data § Reliability § Complexity § Performance § Privacy § Security § Interdependency § Negative externalities
SLIDE 7
7
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Cause of Cyber Security Interdependency in a Public Cloud
§ No perfect isolation of different user. § Sharing of common resources. § Some of the resources can be partitioned.
Ø CPU cycles, memory capacity, and I/O bandwidth.
§ Some of the resources cannot be well partitioned.
Ø last-level cache (LLC), memory bandwidth, IO buffers and the hypervisor.
§ The shared resources can be exploited by attackers to launch cross-side channel attack.
SLIDE 8
8
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Cross-side Channel Attack
§ A malicious user can analyze the cache to detect a co- resident VM’s keystroke activities and map the internal cloud infrastructure and then launch a side-channel attack on a co-resident VM.
- T. Ristenpart, E. Tromer, H. Shacham, S. Savage. “Hey, You, Get Off of My Cloud: Exploring Information
Leakage in Third-Party Compute Clouds,” In the proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, Chicago, IL, USA, October 2009.
§ An attacker can initiate a covert channel of 4 bits per second, and confirm co-residency with a target VM instance in less than 10 seconds.
- A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, K. Butler “Detecting Co-Residency with Active Traffic
Analysis Techniques,” in the proceedings of the 2012 ACM Cloud Computing Security Workshop (CCSW) in conjunction with the 19th ACM Conference on Computer and Communications Security, October 2012, Raleigh, North Carolina, USA.
SLIDE 9
9
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Our Approach
§ Favorable: Small organizations find that the benefit of joining a public cloud outweigh the risk. Ø Quick adoption of public cloud by small organizations § Problems: Cross-side channel attack, cyber security interdependency and negative externalities prevent big
- rganizations from joining a public cloud.
Ø SLAs are only about service up time Ø SLAs do not address negative externalities § Objective: Perform a cost-benefit analysis that help big
- rganizations decide to join a public cloud or not.
§ Approach: Apply game theory to analyze cyber security interdependency in a public cloud.
SLIDE 10
10
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Apply Game Theory in Public Cloud Interdependency
§ Game Theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers (by Myerson). § The attackers and the public cloud users are intelligent and rational. § Cyber security interdependency create a conflict among the users of a public cloud. § Cyber security interdependency can be modeled as a game.
SLIDE 11
11
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Game Theory Optimum Decision loop
Iden%fy ¡all ¡the ¡players, ¡ their ¡strategies, ¡ And ¡payoffs. ¡ Informa%on: ¡
Does ¡each ¡player ¡know ¡about ¡
- thers’ ¡strategies ¡and ¡
payoffs? ¡
Nash ¡Equilibrium: ¡ Play ¡your ¡best ¡response ¡to ¡
- ther ¡players’ ¡strategies ¡
Monitoring: ¡ Observe ¡other ¡ac%on, ¡ Update ¡your ¡belief ¡
SLIDE 12
12
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
The Nash Equilibrium
§ Every game has at least one Nash Equilibrium (NE) in either pure or mixed strategies. § A strategy profile is a NE if no player can unilaterally change its strategy and increase his payoff. Ø Each player is playing its best response to other player’s strategies § The NE of a security game can be used to:
Ø Predict attacker strategy Ø Allocate cyber security resources Ø Protect against worse-case scenario Ø Develop cyber defense algorithms Ø Form the basis for formal decision making
SLIDE 13
13
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 Application 1 Operating System 1 Operating System 2 Operating System n Virtual Machine 1 Hardware Hypervisor Virtual Machine 2 Virtual Machine n Application 1 Application k Application k Application 1 Application k User 1 User 2 User n
System Model
§ Need to know your neighbors. § User 1 gives easy access to the hypervisor by not investing in self-protection. § A compromised hypervisor make all users vulnerable. § Each user can only decide on his own investment but not on his neighbors’ investment. § For each user, the best strategy (Invest or Not invest) depend on other users’ actions.
SLIDE 14
14
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Attack i User j I N User i I { ¡𝑆−𝑓−𝑟↓𝐽 𝑀↓𝑗 ;
𝑆−𝑓−𝑟↓𝐽 𝜌𝑀↓𝑘 ; 𝑟↓𝐽 𝑀↓𝑗 +𝑟↓𝐽 𝜌 𝑀↓𝑘 }
{ ¡ 𝑆−𝑓− 𝑟↓𝐽
𝑀↓𝑗 ; 𝑆−𝑟↓𝐽 𝜌𝑀↓𝑘 ; 𝑟↓𝐽 𝑀↓𝑗 +𝑟↓𝐽 𝜌𝑀↓𝑘 }
N { ¡𝑆−𝑟↓𝑂 𝑀↓𝑗 ;
𝑆−𝑓− 𝑟↓𝑂 𝜌 𝑀↓𝑘 ; 𝑟↓𝑂 𝑀↓𝑗 +𝑟↓𝑂 𝜌𝑀↓𝑘 }
{ ¡ 𝑆 − 𝑟 ↓ 𝑂
𝑀↓𝑗 ; 𝑆 − 𝑟 ↓ 𝑂 𝜌 𝑀↓𝑘 ; 𝑟↓𝑂 𝑀↓𝑗 + 𝑟↓𝑂 𝜌𝑀↓𝑘 }
Attack j User j I N User i I { ¡ 𝑆−𝑓− 𝑟↓𝐽 𝜌
𝑀↓𝑗 ; 𝑆−𝑓−𝑟↓𝐽 𝑀↓𝑘 ; 𝑟↓𝐽 𝜌 𝑀↓𝑗 + 𝑟↓𝐽 𝑀↓𝑘 }
{ ¡ 𝑆−𝑓− 𝑟↓𝑂 𝜌
𝑀↓𝑗 ; 𝑆−𝑟↓𝑂 𝑀↓𝑘 ; 𝑟↓𝑂 𝜌𝑀↓𝑗 +𝑟↓𝑂 𝑀↓𝑘 }
N { ¡𝑆−𝑟↓𝐽 𝜌𝑀↓𝑗 ;
𝑆−𝑓−𝑟↓𝐽 𝑀↓𝑘 ; 𝑟↓𝐽 𝜌 𝑀↓𝑗 + 𝑟↓𝐽 𝑀↓𝑘 }
{ ¡𝑆−𝑟↓𝑂 𝜌𝑀↓𝑗 ;
𝑆−𝑟↓𝑂 𝑀↓𝑘 ; 𝑟↓𝑂 𝜌𝑀↓𝑗 +𝑟↓𝑂 𝑀↓𝑘 }
Symbol Notation
𝑟↓𝐽
Probability of a successful attack on a user given that he has invested in security
𝑟↓𝑂
Probability of a successful attack on a user given that he has not invested in security π Probability that the hypervisor is compromised given a successful attack on a user R User reward from using the cloud computing services e Total expense required to invest in security i User i j User j
𝑀↓𝑗
User i’s expected loss from a security breach
𝑀↓𝑘
User j’s expected loss from a security breach I User’s strategy “Invest” N User’s strategy “Not invest”
𝐵↓𝑗
Attacker’s strategy “launch an attack on User i”
Game Model
SLIDE 15
15
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Game Analysis
Theorem: If ¡𝜌≤𝜌↓0 =𝑟↓𝐽 𝑀↓𝑘 −𝑟↓𝑂 𝑀↓𝑗 /𝑟↓𝑂 𝑀↓𝑘 −𝑟↓𝐽 𝑀↓𝑗 , then the game admits a pure strategy Nash equilibrium profile (𝑂, ¡𝐽, ¡𝐵↓𝑘 ). If ¡𝜌>𝜌↓0 , there are three possible mixed strategy Nash equilibria (Case M1, M2, M3) depending on the required expense for security e. Case M1: If ¡𝑓=𝑓↓0 =(𝑟↓𝑂 −𝑟↓𝐽 )𝑀↓𝑗 𝑀↓𝑘 /𝑀↓𝑗 +𝑀↓𝑘 , then the mixed strategy Nash
- eq. profile is ¡{𝛽𝐽+(1−𝛽)𝑂;𝛾𝐽+(1−𝛾)𝑂;𝜇↓𝑘 𝐵↓𝑘 +(1−𝜇↓𝑘 )𝐵↓𝑗 }, with 𝛽 and 𝛾 such that
𝛾(𝑀↓𝑘 +𝜌𝑀↓𝑗 )−𝛽(𝑀↓𝑗 +𝜌𝑀↓𝑘 )=(𝑟↓𝑂 /𝑟↓𝑂 −𝑟↓𝐽 )[(𝑀↓𝑘 +𝜌𝑀↓𝑗 )−(𝑀↓𝑗 +𝜌𝑀↓𝑘 )]
Case M2: If ¡𝑓<𝑓↓0 =(𝑟↓𝑂 −𝑟↓𝐽 )𝑀↓𝑗 𝑀↓𝑘 /𝑀↓𝑗 +𝑀↓𝑘 , then the mixed strategy Nash
- eq. profile is ¡{𝛽↓0 𝐽+(1−𝛽↓0 )𝑂;𝐽;𝜇↓𝑗 𝐵↓𝑘 +(1−𝜇↓𝑗 )𝐵↓𝑗 }, with 𝛽↓0 =𝑟↓𝑂 (𝑀↓𝑗 +𝜌𝑀↓𝑘 )−
𝑟↓𝐽 (𝑀↓𝑘 +𝜌𝑀↓𝑗 )/(𝑟↓𝑂 −𝑟↓𝐽 )(𝑀↓𝑗 +𝜌𝑀↓𝑘 ) . ¡
Case M3: If ¡ (𝑟↓𝑂 −𝑟↓𝐽 )𝑀↓𝑗 𝑀↓𝑘 /𝑀↓𝑗 +𝑀↓𝑘 <𝑓<(𝑟↓𝑂 −𝑟↓𝐽 )𝑀↓𝑗 ,then the mixed strategy Nash eq. is ¡{𝑂;𝛾↓0 𝐽+(1−𝛾↓0 )𝑂;𝜇↓𝑘 𝐵↓𝑘 +(1−𝜇↓𝑘 )𝐵↓𝑗 } with 𝛾↓0 =𝑟↓𝑂 [(𝑀↓𝑘
+𝜌𝑀↓𝑗 )−(𝑀↓𝑗 +𝜌𝑀↓𝑘 )]/(𝑟↓𝑂 −𝑟↓𝐽 )(𝑀↓𝑘 +𝜌𝑀↓𝑗 ) . ¡
SLIDE 16
16
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Numerical Results
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
- 0.1
- 0.05
0.05 0.1 0.15 0.2 0.25 0.3 Changes in User j's Payoff with Probability pi Probability pi User j's Payoff Mixed Nash equilibrium Pure Nash equilibrium
Changes in User j’s payoff with probability 𝜌 with ¡𝑓<𝑓↓0 ¡
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
- 0.2
- 0.1
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 Probability pi User j's Payoff Changes in User j's Payoff with Probability pi Mixed Nash equilibrium Pure Nash equilibrium
Parameters: 𝑟↓𝑂 =0.5,𝑟↓𝐽 =0.1,𝑆=1.2,𝑀↓𝑗 =1,𝑀↓𝑘 =10. ¡ Then 𝜌↓0 =0.102, and 𝑓↓0 =0.3636.
Changes in User j’s payoff with probability 𝜌 with ¡𝑓>𝑓↓0 ¡
M2 ¡ M3 ¡
SLIDE 17
17
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Numerical Results
Changes of User j’s payoff with the expense in security e with 𝜌<𝜌↓0 . ¡ Changes of User j’s payoff with the expense in security e with 𝜌>𝜌↓0 . ¡
0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4
- 0.2
- 0.1
0.1 0.2 Changes in User j's Payoff with the Expense in Security e Expense in Security e User j's Payoff
0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4
- 0.8
- 0.6
- 0.4
- 0.2
0.2 0.4 0.6 0.8 Changes in User j's Payoff with the Expense on Security e Expense on Security e User j's Payoff Changes in mixed Nash equilibrium
P M2 ¡ M1 ¡ M3 ¡
SLIDE 18
18
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Numerical Results
Changes in User j’s payoff with his loss from security breach 𝑀↓𝑘 . ¡ Changes in User j’s payoff with his reward from using the cloud. ¡
2 4 6 8 10 12 14
- 3
- 2.5
- 2
- 1.5
- 1
- 0.5
0.5 1 Changes in User j's Payoff with his Loss from Security Breach Lj User j's Loss from Security Breach Lj User j's Payoff Mixed Nash equilibrium Pure Nash equilibrium Mixed Nash equilibrium
2 4 6 8 10 12 14
- 3
- 2
- 1
1 2 3 4 Changes in User j's Payoff with his Reward from Using the Cloud User j's Loss from Security Breach Lj User j's Payoff Reward=4.4 Reward=1.2
M2 ¡ M3 ¡ M1 ¡
SLIDE 19
19
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Conclusions
Ø This research shows that each user decision to Invest or Not invest depend on the potential loss from the neighbors after a security breach. Ø VMs should be allocated in a public cloud to minimize negative externality. Ø VMs that have similar potential loss from a security breach should be on the same physical machine. Ø We have introduced a game-theoretic approach to analyze cyber security interdependency in a public cloud.
SLIDE 20
20
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Future Work
Ø Model extension to more than two users . Ø Model extension to multiple attackers. Ø Incomplete information. Ø Repeated interaction.
SLIDE 21
21
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Reference
To appear in the proceedings of IEEE CLOUD 2014, Anchorage, Alaska, June 2014.
SLIDE 22
22
Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013