strategic discovery and sharing of vulnerabilities in
play

Strategic Discovery and Sharing of Vulnerabilities in Competitive - PowerPoint PPT Presentation

Jan 21, 2023 •137 likes •277 views

Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments Arman Khouzani, Viet Pham, Carlos Cid Information Security Group Royal Holloway University of London arman.khouzani@rhul.ac.uk , viet.pham.2010@live.rhul.ac.uk ,

  1. Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments Arman Khouzani, Viet Pham, Carlos Cid Information Security Group Royal Holloway University of London arman.khouzani@rhul.ac.uk , viet.pham.2010@live.rhul.ac.uk , carlos.cid@rhul.ac.uk GameSec: Conference on Decision and Game Theory for Security Nov 07, 2014

  2. Research Problem Exchange of security intelligence is identified as key factors in enhancing the effectiveness of cybersecurity measures. Recognizing the need for cybersecurity, companies may invest in finding vulnerabilities. No company knows exactly how many bugs there are. More investment increases the chances of discovery, but there is always a factor of luck. Each company patches the vulnerabilities it finds. Each undiscovered bug is potentially exploitable by cyber-attackers. To improve the exchange of security intelligence, we need to understand the underlying incentives. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 2/ 13

  3. Research Problem When a bug is exploited, a firm incurs direct and indirect losses: On one hand, the whole sector of the economy may suffer a blow: as customers and investors may lose confidence in the whole “service” and seek alternative “safer” options. On the other hand, if a bug that a company has discovered before (and has hence taken care of), is exploited in competitor(s), customers may switch to use and investors redirect their capital to the “safer” company. In other words, discovering a bug in a common software may give a company a “competitive edge”. These effects create opposing incentives for sharing the findings: On the one hand, sharing information translates to a more effective discovery process due to the probabilistic nature of the discovery process and hence encourages investment. But on the other hand, there can be a tendency of free-riding on the discovery investments of other companies. Further complicating the problem is “uncertainty” and “information asymmetry”: uncertainties about the total number of bugs, and the other company’s number of findings Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 3/ 13

  4. Main Contributions 1 Modellinh the interdependent security research investment and information sharing decisions of two strategic and competing firms as a two stage Bayesian game. 2 Fully determining the Perfect Bayesian Equilibria of the game in closed-form. We establish that sharing strategies are unique, dominant, and in the simple forms of “full-sharing” or “no sharing”, determined by the competitive nature of the findings. 3 Deriving the investments of the firms knowing their subsequent sharing strategies. “full sharing” leads to free-riding and inefficiently low investments; “no sharing” is also inefficient by preventing mutual benefit of sharing, double-efforts and over-investment. 4 Providing a light-weight mediation mechanism free of monetary-transfers that enable (partial) sharing of the findings when the firms fail to achieve any sharing on their own. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 4/ 13

  5. Model B ¬ i, ¬ j N j N i B i, ¬ j B ¬ i,j B N ij s j ( N j ) s i ( N i ) B i,j Figure : Venn diagram illustration of the sets of bugs Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 5/ 13

  6. Model Parameter Definition B , b Random variable for the total number of bugs, and a realisation N i , n i Random variable for the number of bugs discovered by i , & a realisation N ij Random variable for the number of common bugs discovered by both a i Action of player i : how many discovered bugs to share λ Expected number of the total number of bugs p i , p j Probability that each bug is discovered by player i , j u i , u j Expected utilities of player i , j c i , c j Discovery investment cost of player i , j l Direct loss upon exploitation of an (undiscovered) bug by attackers δ Loss (gain) in utility of the player who is the only one attacked (not attacked) – the market competition effect τ Loss in utility of both players if a bug is exploited in either one of them – the market section shrinkage effect p = π ( c ) The relation relating the level of investment c to the discovery probability of a bug p ; we use p = π ( c ) = 1 − e − θ c . Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 6/ 13

  7. Analysis of the game – Second stage: Sharing the bug discoveries The expected utility of player i given a realisation of the state of the world ω = ( b , n i , n j , n ij ) , σ i = ( p i , s i ) and σ j = ( p j , s j ) : u i ( ω, σ i , σ j ) = − c i ( p i ) + 0 · E ( B i , j ) + ( δ − τ ) · E ( B i , ¬ j ) + ( − δ − τ − l ) · E ( B ¬ i , j ) + ( − τ − l ) · E ( B ¬ i , ¬ j ) Proposition If δ < τ , the unique dominant pure B.N.E. of the second stage of the game is sharing all the discovered bugs . If δ > τ , it is sharing no information at all . When δ = τ , any strategy pair becomes a B.N.E. These hold irrespective of the distribution of the total number of bugs. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 7/ 13

  8. Analysis of the game – First stage: Investment for bug discovery i = 1 − 1 p ∗ 1 θ i = 0 . 04 1 κθ i 0 . 8 0 . 8 0 . 6 0 . 6 θ j = 0 . 0056 θ j = 0 . 02 p i p i 0 . 4 0 . 4 θ i = 0 . 0052 p BR ( p j ) 0 . 2 0 . 2 p BR ( p i ) p j p j 0 0 0 0 . 2 0 . 4 0 . 6 0 . 8 1 0 0 . 2 0 . 4 0 . 6 0 . 8 1 Figure : (a) Example best response curves for the case of δ < τ . In the figure θ i > θ j . (b) ∼ for the case of δ < τ and different θ i s and θ j s. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 8/ 13

  9. Analysis of the game – First stage: Investment for bug discovery Proposition If δ < τ and θ i > θ j , the Perfect Baysesian Equilibrium (PBE) of the two-stage game is that only the more efficient firm invests in discovery of the bugs – to achieve discovery probability of [ 1 − ( κθ i ) − 1 ] + – and all the findings are then shared. Proposition When δ > τ , the Perfect Bayesian Equilibrium (PBE) of the security information sharing game is unique, in which both of the firms may invest – to achieve discovery probabilities ( p ∗ i , p ∗ j ) provided in closed form – and none of the consequent findings are shared. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 9/ 13

  10. Analysis of the game – Comparative Statics p BR ( p i , δ ′ ) 1 p i j p BR ( p j , δ ′ ) 0 . 8 i 0 . 6 p BR ( p j , δ ) i 0 . 4 p BR ( p i , δ ) j 0 . 2 p j 0 . 2 0 . 4 0 . 6 0 . 8 1 Figure : Example illustration of the comparative statics for the case of δ > τ . The value of δ is increased. Notice the shift in the equilibrium value towards “up” and “right” as a result. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 10/ 13

  11. Mediation: Encouraging Information Sharing Our “Matched Sharing” operates in two steps: 1 Each player/firm submit its set of found bugs to the mediator, along with a specification of a “threshold” as the maximum number of bugs it is willing to exchange with the other. 2 Subsequently, the mediator marks the bugs that are exclusive to each player, i.e., that the other player has not discovered them. Then the information of a bug is transferred from player i to player j iff a) there is an exclusive bug to match , i.e., to transfer from player j to i , and b) if the total number of bugs transferred so far does not exceed either one of the players’ requested maximum threshold. Note that the mediator is not a strategic player, and its behaviour is known to and trusted by both players. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 11/ 13

  12. Mediation: Encouraging Information Sharing Proposition The weakly dominant pure Bayesian Nash Equilibrium of the second stage of the game is asking the mediator to share the maximum number of exclusive bugs. This holds irrespective of the distribution of the total number of bugs, or correlation in the discovery of bugs. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 12/ 13

  13. Future Directions Considering “features” for the found bugs, such as severity (seriousness of the potential damage), sophistication (exploitability), etc., and hence letting the sharing strategies depend on the type of the found bug as well. Investigating the behaviour of risk-averse players – as opposed to risk-neutral in this work Other types of “security information” to share, e.g., past incidents of attacks and losses If the firms are using a common protocol but with their private implementations of it, then “some” of the discovered bugs may be just exclusive to that party’s implementation. Sharing found bugs now requires a modified analysis. Investigating other means of encouraging sharing. Examples like “bargaining”, a generalisation of the “matched sharing”’, “joint research ventures”, “exchange market”, etc. Strategic Discovery and Sharing of Vulnerabilities Khouzani, Pham, Cid 13/ 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
Automated Discovery of Cross - Plane Event - Based Vulnerabilities in Software - Defined Networking

Automated Discovery of Cross - Plane Event - Based Vulnerabilities in Software - Defined Networking

Automated Discovery of Cross - Plane Event - Based Vulnerabilities in Software - Defined Networking Benjamin E. Ujcich 1 , Samuel Jero 2 , Richard Skowyra 2 , Steven R. Gomez 2 , Adam Bates 1 , William H. Sanders 1 , and Hamed Okhravi 2 1 University

605 views • 46 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump Julian Suleder,

A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump Julian Suleder,

A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump Julian Suleder, Dr. Dina Truxius 1 About Us Julian Suleder o Security Analyst &amp; Researcher o ERNW Research GmbH o jsuleder@ernw.de o Twitter:

832 views • 41 slides
Haldane Discovery Process and Strategic Planning Meeting with the Garrison Board of Education

Haldane Discovery Process and Strategic Planning Meeting with the Garrison Board of Education

Haldane Discovery Process and Strategic Planning Meeting with the Garrison Board of Education February 4, 2015 The Discovery Process The Haldane School District considered three different questions related to College and Career Readiness during

638 views • 14 slides
Strategic/Policy Implications of Measurement Data Sharing Under the OIO nee, The Road to an

Strategic/Policy Implications of Measurement Data Sharing Under the OIO nee, The Road to an

Strategic/Policy Implications of Measurement Data Sharing Under the OIO nee, The Road to an Open Internet is Paved With Pragmatic Disclosure &amp; Transparency Policies Bill Lehr Erin Kenneally Steve Bauer MIT CAIDA/UCSD MIT 1

222 views • 9 slides
Strategy and Self Assessment Complete and Update a Strategic Plan Conduct a

Strategy and Self Assessment Complete and Update a Strategic Plan Conduct a

M ERGER , A FFILIATION , OR I NDEPENDENCE Steven J Tringale Estes Park Institute January 27, 2015 Strategy and Self Assessment Complete and Update a Strategic Plan Conduct a vulnerabilities and gap assessment against identified strategic

186 views • 7 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
Strategic Self-presentation in the Sharing Economy: Implications for Host Branding Chapter

Strategic Self-presentation in the Sharing Economy: Implications for Host Branding Chapter

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/291972267 Strategic Self-presentation in the Sharing Economy: Implications for Host Branding Chapter January 2016 DOI:

178 views • 13 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Strategy and Self Assessment Complete and Update a Strategic Plan Conduct a

Strategy and Self Assessment Complete and Update a Strategic Plan Conduct a

Strategy and Self Assessment Complete and Update a Strategic Plan Conduct a vulnerabilities and gap assessment M ERGER , A FFILIATION , OR against identified strategic imperatives I NDEPENDENCE Develop competitive intelligence

140 views • 3 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Strategic Information Sharing Justice and Mental Health Collaboration Program Training Summit Law

Strategic Information Sharing Justice and Mental Health Collaboration Program Training Summit Law

Strategic Information Sharing Justice and Mental Health Collaboration Program Training Summit Law Enforcement Grantees September 18, 2015 CSG Justice Center 22 Cortlandt St, 22 nd Floor NY, NY 10007 Whats wrong with this statement? The

772 views • 38 slides
TRENDS IN DATA SHARING Cathy Giffi Director, Strategic Market Analysis July 7, 2015 About Me

TRENDS IN DATA SHARING Cathy Giffi Director, Strategic Market Analysis July 7, 2015 About Me

TRENDS IN DATA SHARING Cathy Giffi Director, Strategic Market Analysis July 7, 2015 About Me Catherine (Cathy) Giffi is Director, Strategic Market Analysis, for Wiley. Her team of talented analysts are charged with producing groundbreaking

255 views • 22 slides
Sharing the story of our journey towards change Emma Hanson Head of Strategic Commissioning

Sharing the story of our journey towards change Emma Hanson Head of Strategic Commissioning

Sharing the story of our journey towards change Emma Hanson Head of Strategic Commissioning Kent County Council The largest county 350m in savings over 4 council in England years whilst continuing to provide effective services

482 views • 20 slides
Significant strategic progress transforming the Group Enabling the capture and sharing of

Significant strategic progress transforming the Group Enabling the capture and sharing of

The Vitec Group plc Half Year Results 2017 10 August 2017 Significant strategic progress transforming the Group Enabling the capture and sharing of exceptional images The Vitec Group plc Important notice Forward-looking statements This

821 views • 45 slides
Stephen King www.monash.edu.au Key points from talk Legacy v new/innovative infrastructure

Stephen King www.monash.edu.au Key points from talk Legacy v new/innovative infrastructure

Comments on Regulation incentives for investment and technological change Stephen King www.monash.edu.au Key points from talk Legacy v new/innovative infrastructure investment Legacy: Intermediate price regulation best

478 views • 3 slides
Reproductive Health Policy in 2017: Whats Changed, What Hasnt? Michael S. Policar, MD, MPH

Reproductive Health Policy in 2017: Whats Changed, What Hasnt? Michael S. Policar, MD, MPH

10/20/2017 2017 ObGyn Update: What Does the Evidence Tell Us? October 20, 2017 No commercial disclosures for this lecture Reproductive Health Policy in 2017: Whats Changed, What Hasnt? Michael S. Policar, MD, MPH Clinical Professor of

288 views • 13 slides
Higher order proof reconstruction from paramodulation-based refutations: the unit equality case

Higher order proof reconstruction from paramodulation-based refutations: the unit equality case

Higher order proof reconstruction from paramodulation-based refutations: the unit equality case Andrea Asperti and Enrico Tassi Department of Computer Science, University of Bologna 28-30 June 2007 Context What we had: Matita is an ITP

651 views • 37 slides
Resilient Housing Conference Delivering low-risk, long-life housing using concrete and masonry

Resilient Housing Conference Delivering low-risk, long-life housing using concrete and masonry

14/11/2016 Resilient Housing Conference Delivering low-risk, long-life housing using concrete and masonry The Modern Masonry Alliance is a body that seeks to ensure developers and designers, customers and occupants understand the benefits of

432 views • 5 slides
INEQUALITY INTRODUCE THE ORGANISATION, SITUATE ITS WORK IN RELATION TO INEQUALITY WHAT WE DO

INEQUALITY INTRODUCE THE ORGANISATION, SITUATE ITS WORK IN RELATION TO INEQUALITY WHAT WE DO

INEQUALITY INTRODUCE THE ORGANISATION, SITUATE ITS WORK IN RELATION TO INEQUALITY WHAT WE DO EE collectively identifies systemic and localised problems affecting the quality of education being provided to learners throughout South African

472 views • 18 slides
Liquidity and Inefficient Investment Oliver Hart Harvard University &amp; NBER and Luigi Zingales

Liquidity and Inefficient Investment Oliver Hart Harvard University &amp; NBER and Luigi Zingales

Liquidity and Inefficient Investment Oliver Hart Harvard University &amp; NBER and Luigi Zingales University of Chicago, NBER &amp; CEPR The Great Recession and the ensuing policy debate have spurred a renewed interest in some basic

556 views • 33 slides
Discussion of The Role of Credit, House Prices, Non-Core Liabilities, and Exuberance Measures

Discussion of The Role of Credit, House Prices, Non-Core Liabilities, and Exuberance Measures

Summary of Paper Leverage and Recessions Some Comments Discussion of The Role of Credit, House Prices, Non-Core Liabilities, and Exuberance Measures for Predicting Financial Crises by A. Anundsen, K. Gerdrup, F. Hansen, and K.

376 views • 14 slides
Seminar 5 ECON4921- Institutions and Economic Systems Elias Braunfels (Oslo Economics) November

Seminar 5 ECON4921- Institutions and Economic Systems Elias Braunfels (Oslo Economics) November

Part I - State capacity Part II - Favoritism Seminar 5 ECON4921- Institutions and Economic Systems Elias Braunfels (Oslo Economics) November 9, 2017 Elias Braunfels (Oslo Economics) Seminar 5 Part I - State capacity Part II - Favoritism

423 views • 40 slides

More recommend