Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory - PowerPoint PPT Presentation

Game Theoretic Modeling of Security and Interdependency in a Public Cloud Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch April 2, 2014 Collaborators: Kevin Kwiat (AFRL/RIGA) Joon S. Park (Syracuse Univ.) Ming Zhao (FIU) Integrity « « Service « « Excellence Manuel Rodriguez (NRC) Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 1

Outline § Public Cloud Computing § Challenges § Cross-side Channel Attack § Game Theory § System Model § Game Model § Game Analysis § Numerical Results § Conclusions § Reference Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 2

Game Theory in the Cloud? Source: http://www.free-pictures-photos.com/ Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 3

What is Cloud Computing? NIST Five Essential Characteristics § On-demand self-service Ø A consumer can provision computing capabilities as needed. § Broad network access Ø Capabilities are available over the network. § Resource pooling Ø The provider's computing resources are pooled to serve multiple consumers according to consumer demand. § Rapid elasticity Ø Capabilities can be elastically provisioned and released to scale rapidly outward and inward commensurate with demand. § Measured service Ø Resource usage can be monitored, controlled, and reported. Peter Mell, Timothy Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication 800-145, 2011 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 4

Benefit of Cloud Computing § Faster deployment § Infrastructure flexibility § No up-front Investment § Fine-grained billing (e.g. hourly) § Pay-as-you-go § Improved productivity Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 5

Risks of Adopting Cloud Computing § Availability of services and data § Reliability § Complexity § Performance § Privacy § Security § Interdependency § Negative externalities Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 6

Cause of Cyber Security Interdependency in a Public Cloud § No perfect isolation of different user. § Sharing of common resources. § Some of the resources can be partitioned. Ø CPU cycles, memory capacity, and I/O bandwidth. § Some of the resources cannot be well partitioned. Ø last-level cache (LLC), memory bandwidth, IO buffers and the hypervisor. § The shared resources can be exploited by attackers to launch cross-side channel attack. Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 7

Cross-side Channel Attack § A malicious user can analyze the cache to detect a co- resident VM’s keystroke activities and map the internal cloud infrastructure and then launch a side-channel attack on a co-resident VM. T. Ristenpart, E. Tromer, H. Shacham, S. Savage. “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,” In the proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, Chicago, IL, USA, October 2009. § An attacker can initiate a covert channel of 4 bits per second, and confirm co-residency with a target VM instance in less than 10 seconds. A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, K. Butler “Detecting Co-Residency with Active Traffic Analysis Techniques,” in the proceedings of the 2012 ACM Cloud Computing Security Workshop (CCSW) in conjunction with the 19th ACM Conference on Computer and Communications Security, October 2012, Raleigh, North Carolina, USA. Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 8

Our Approach § Favorable: Small organizations find that the benefit of joining a public cloud outweigh the risk. Ø Quick adoption of public cloud by small organizations § Problems: Cross-side channel attack, cyber security interdependency and negative externalities prevent big organizations from joining a public cloud. Ø SLAs are only about service up time Ø SLAs do not address negative externalities § Objective : Perform a cost-benefit analysis that help big organizations decide to join a public cloud or not. § Approach : Apply game theory to analyze cyber security interdependency in a public cloud. Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 9

Apply Game Theory in Public Cloud Interdependency § Game Theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers (by Myerson). § The attackers and the public cloud users are intelligent and rational. § Cyber security interdependency create a conflict among the users of a public cloud. § Cyber security interdependency can be modeled as a game. Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 10

Game Theory Optimum Decision loop Iden%fy ¡all ¡the ¡players, ¡ their ¡strategies, ¡ And ¡payoffs. ¡ Informa%on: ¡ Monitoring: ¡ Does ¡each ¡player ¡know ¡about ¡ Observe ¡other ¡ac%on, ¡ others’ ¡strategies ¡and ¡ Update ¡your ¡belief ¡ payoffs? ¡ Nash ¡Equilibrium: ¡ Play ¡your ¡best ¡response ¡to ¡ other ¡players’ ¡strategies ¡ Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 11

The Nash Equilibrium § Every game has at least one Nash Equilibrium (NE) in either pure or mixed strategies. § A strategy profile is a NE if no player can unilaterally change its strategy and increase his payoff. Ø Each player is playing its best response to other player’s strategies § The NE of a security game can be used to: Ø Predict attacker strategy Ø Allocate cyber security resources Ø Protect against worse-case scenario Ø Develop cyber defense algorithms Ø Form the basis for formal decision making Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 12

System Model § Need to know your neighbors. User 2 User 1 User n § User 1 gives easy access to Application 1 Application 1 Application k Application 1 Application k Application k the hypervisor by not investing in self-protection. § A compromised hypervisor make all users vulnerable. Operating System 1 Operating System 2 Operating System n § Each user can only decide on Virtual Machine 1 Virtual Machine 2 Virtual Machine n his own investment but not on his neighbors’ investment. Hypervisor § For each user, the best strategy (Invest or Not invest) Hardware depend on other users’ actions. Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 13

Game Model Attack i Attack j User j User j I N I N { ¡ 𝑆 − 𝑓 − ​𝑟↓𝐽 ​𝑀↓𝑗 ; { ¡ 𝑆 − 𝑓 − ​ 𝑟↓𝐽 ​ { ¡ 𝑆 − 𝑓 − ​ 𝑟↓𝐽 𝜌​ { ¡ 𝑆 − 𝑓 − ​ 𝑟↓𝑂 𝜌​ I I 𝑆 − 𝑓 − ​𝑟↓𝐽 𝜌​𝑀↓𝑘 ; 𝑀↓𝑗 ; 𝑀↓𝑗 ; 𝑀↓𝑗 ; ​𝑟↓𝐽 ​𝑀↓𝑗 + ​𝑟↓𝐽 𝜌​ 𝑆 − ​𝑟↓𝐽 𝜌​𝑀↓𝑘 ; 𝑆 − 𝑓 − ​𝑟↓𝐽 ​𝑀↓𝑘 ; 𝑆 − ​𝑟↓𝑂 ​𝑀↓𝑘 ; User i User i 𝑀↓𝑘 } ​𝑟↓𝐽 ​𝑀↓𝑗 + ​𝑟↓𝐽 ​ 𝑟↓𝐽 𝜌​ 𝑀↓𝑗 + ​ 𝑟↓𝐽 ​ ​𝑟↓𝑂 𝜌​𝑀↓𝑗 + ​𝑟↓𝑂 ​ 𝜌​𝑀↓𝑘 } 𝑀↓𝑘 } 𝑀↓𝑘 } { ¡ 𝑆 − ​𝑟↓𝑂 ​𝑀↓𝑗 ; { ¡ 𝑆 − ​ 𝑟 ↓ 𝑂 ​ { ¡ 𝑆 − ​𝑟↓𝐽 𝜌​𝑀↓𝑗 ; { ¡ 𝑆 − ​𝑟↓𝑂 𝜌​𝑀↓𝑗 ; Symbol Notation N N 𝑆 − 𝑓 − ​ 𝑟↓𝑂 𝜌​ 𝑀↓𝑗 ; 𝑆 − 𝑓 − ​𝑟↓𝐽 ​𝑀↓𝑘 ; 𝑆 − ​𝑟↓𝑂 ​𝑀↓𝑘 ; ​ Probability of a successful attack on a user given that he has invested in security 𝑀↓𝑘 ; 𝑟↓𝐽 𝑆 − ​ 𝑟 ↓ 𝑂 𝜌​ ​ 𝑟↓𝐽 𝜌​ 𝑀↓𝑗 + ​ 𝑟↓𝐽 ​ ​𝑟↓𝑂 𝜌​𝑀↓𝑗 + ​𝑟↓𝑂 ​ ​𝑟↓𝑂 ​𝑀↓𝑗 + ​𝑟↓𝑂 ​ 𝑀↓𝑘 ; Probability of a successful attack on a user given that he has not invested in security 𝑀↓𝑘 } 𝑀↓𝑘 } 𝑟↓𝑂 𝜌​𝑀↓𝑘 } ​ 𝑟↓𝑂 ​ 𝑀↓𝑗 + ​ π Probability that the hypervisor is compromised given a successful attack on a user 𝑟↓𝑂 𝜌​𝑀↓𝑘 } R User reward from using the cloud computing services e Total expense required to invest in security i User i j User j ​ User i’ s expected loss from a security breach 𝑀↓𝑗 ​ User j ’s expected loss from a security breach 𝑀↓𝑘 I User’s strategy “Invest” Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013 N User’s strategy “Not invest” 14 ​ Attacker’s strategy “launch an attack on User i ” 𝐵↓𝑗 ​