A Learning-Based Approach to Reactive Security * Ben Rubinstein Microsoft Research Silicon Valley With: Adam Barth 1, Mukund Sundararajan 2, John Mitchell 3, Dawn Song 1, Peter Bartlett 1 1 UC Berkeley 2 Google 3 Stanford * Appeared at Financial Crypto. & Data Security 2010

Proactive vs. Reactive Security What's important is to understand the delineation between what’s considered “acceptable” and “unacceptable” spending. The goal is to prevent spending on reactive security “firefighting”. – John N. Stewart, VP (CSO), Cisco Systems Conventional wisdom for CISOs – Adopt forward-looking, proactive, approach to managing security risks – Reactive security is akin to myopic bug chasing TRUST Conference F'10Reactive Security2

Strategic Reactive Security Good reactive security – Should be strategic and not “firefighting” – Under certain conditions keeps up with or beats proactive approaches – Machine Learning & Economics can help TRUST Conference F'10Reactive Security3

Focus on Truly Adversarial Attacker No probabilistic assumptions on attacker Allow attacker to be omniscient Consider reactive defender with limited knowledge of – System vulnerabilities – Attacker’s incentives – Attacker’s rationality TRUST Conference F'10Reactive Security4

Focus on Incentives We model attacker cost and payoff, combined as – additive profit; or multiplicative ROA TRUST Conference F'10Reactive Security5 An effective defense need not be perfect–but it should reduce attacker’s utility relative to attacking other systems.

Results in a Nutshell If… – Security budget is fungible – Attack costs linear in defense allocation – No catastrophic attacks to defender Attacker’s utility against reactive defense approaches utility under fixed proactive In many cases reactive is much better TRUST Conference F'10Reactive Security6

Formal Model: Attack Graph System as directed graph – Nodes: states – Edges: state transitions Attacks are paths Examples – Compromised machines connected by a network – Components in a complex software system – Internet fraud “battlefield” TRUST Conference F'10Reactive Security7 Peering Points Gateway Application Servers Database Servers Internet

Formal Model: Iterated Game Fixed properties of graph – Node v’s reward r(v)≥0 – Edge e’s attack surface w(e) Repeated game – Defender allocates total budget B, with d t (e) to edge e – Attacker launches attack a t – Attacker pays and receives Attacker sees defense prior to attack Defender sees edges/weights only once attacked TRUST Conference F'10Reactive Security8 Attack surface Defense allocation

Proactive Defender(s) Pro’s of analysis: includes defenders who – Have perfect knowledge of the entire graph – Have perfect knowledge of the attacks – Play rationally given in/complete information Con’s of analysis – We (mostly) assume proactive plays fixed strategy TRUST Conference F'10Reactive Security9

Strategic Reactive Defender Based on Multiplicative Weights algorithm of Online Learning Theory Unseen edges get no allocation Budget is increased on attacked edges Allocation due to “the past” is exponentially down-weighed since 0<β<1 TRUST Conference F'10Reactive Security10 All edges initially unseen Observe attacked edges Count #times edge attacked Multiplicative update Re-normalize in [0,1]; allocate this times budget B

Main Theorems Attacker’s utility – Profit = Payoff – Cost – ROA = (Total Payoff) / (Total Cost) Compared to any proactive strategy d *, the reactive strategy achieves – – for any α TRUST Conference F'10Reactive Security11

Robustness & Extensions Robustness – Proactive not robust to uncertainty in attacker’s utility; reactive is!! – Reactive can do much better under uncertain payoffs Extensions – Hypergraphs / Datalog – Multiple attackers – Adaptive proactive defenders TRUST Conference F'10Reactive Security12

Conclusions Incentives-based, fully-adversarial risk model Learning-based defender performs close to or better than fixed proactive defenders Recommendations for CISOs – Employ monitoring tools to help focus on real attacks – Make security organization more agile – Avoid overreacting to the most recent attack; consider past attacks (down-weighed exponentially) TRUST Conference F'10Reactive Security13

Thanks!!

Model Case Studies Perimeter defense – Non-zero reward at one vertex – Rational attacker will select minimum-cost path from start to reward – Rational defense is to maximize minimum-cost path: allocate budget to minimum-cut TRUST Conference F'10Reactive Security15

Model Case Studies Defense in Depth – Allocate budget evenly to edges – ROA = 1 TRUST Conference F'10Reactive Security16

Proof Sketch Profit when edges are known – Simple reduction to standard regret bound of Freund- Schapire for Multiplicative Update alg Profit under hidden edges – Simulation argument shows that a slight modification to MultUp produces same allocations as MultUp on observed graph – Care taken with – Algorithms’ profits bounded by ROA under hidden edges – Ratio of two numbers is small if numbers are large & similar. Need: TRUST Conference F'10Reactive Security17

Lower Bound TRUST Conference F'10Reactive Security18 s r:1 w:1 Budget=1

Learning Rewards Consider star configuration with unknown rewards Proactive defense – Allocates budget equally – Competitive ratio for ROA is #{leaf vertices} Reactive defense – Learns the rewards TRUST Conference F'10Reactive Security19

Robustness to Objective Given defense budget of 9 Proactive defender assuming profit-seeking – Allocates 9 to right-hand edge: 1 profit for all attacks – ROA for left-hand edge is infinite!! Reactive defender’s play is invariant TRUST Conference F'10Reactive Security20