presenter: charles kamhoua, ph.d. - university of...

1 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013

Integrity « Service « Excellence

Game Theoretic Modeling of Security and Interdependency in a Public Cloud

Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch

April 2, 2014

Collaborators: Kevin Kwiat (AFRL/RIGA) Joon S. Park (Syracuse Univ.) Ming Zhao (FIU) Manuel Rodriguez (NRC)


Outline

§  Public Cloud Computing §  Challenges §  Cross-side Channel Attack §  Game Theory §  System Model §  Game Model §  Game Analysis §  Numerical Results §  Conclusions §  Reference


Game Theory in the Cloud?

Source: http://www.free-pictures-photos.com/


What is Cloud Computing? NIST Five Essential Characteristics

§  On-demand self-service

Ø  A consumer can provision computing capabilities as needed. §  Broad network access

Ø  Capabilities are available over the network. §  Resource pooling

Ø  The provider's computing resources are pooled to serve multiple consumers according to consumer demand.

§  Rapid elasticity

Ø  Capabilities can be elastically provisioned and released to scale rapidly outward and inward commensurate with demand.

§  Measured service

Ø  Resource usage can be monitored, controlled, and reported. Peter Mell, Timothy Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication 800-145, 2011


Benefit of Cloud Computing

§  Faster deployment

§  Infrastructure flexibility

§  No up-front Investment

§  Fine-grained billing (e.g. hourly)

§  Pay-as-you-go

§  Improved productivity


Risks of Adopting Cloud Computing

§  Availability of services and data

§  Reliability

§  Complexity

§  Performance

§  Privacy

§  Security

§  Interdependency

§  Negative externalities


Cause of Cyber Security Interdependency in a Public Cloud

§  No perfect isolation of different user.

§  Sharing of common resources.

§  Some of the resources can be partitioned. Ø  CPU cycles, memory capacity, and I/O bandwidth.

§  Some of the resources cannot be well partitioned. Ø  last-level cache (LLC), memory bandwidth, IO buffers and the hypervisor.

§  The shared resources can be exploited by attackers to launch cross-side channel attack.


Cross-side Channel Attack

§  A malicious user can analyze the cache to detect a co-resident VM’s keystroke activities and map the internal cloud infrastructure and then launch a side-channel attack on a co-resident VM. T. Ristenpart, E. Tromer, H. Shacham, S. Savage. “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,” In the proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, Chicago, IL, USA, October 2009.

§  An attacker can initiate a covert channel of 4 bits per second, and confirm co-residency with a target VM instance in less than 10 seconds. A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, K. Butler “Detecting Co-Residency with Active Traffic Analysis Techniques,” in the proceedings of the 2012 ACM Cloud Computing Security Workshop (CCSW) in conjunction with the 19th ACM Conference on Computer and Communications Security, October 2012, Raleigh, North Carolina, USA.


Our Approach

§  Favorable: Small organizations find that the benefit of joining a public cloud outweigh the risk.

Ø  Quick adoption of public cloud by small organizations

§  Problems: Cross-side channel attack, cyber security interdependency and negative externalities prevent big organizations from joining a public cloud.

Ø  SLAs are only about service up time Ø  SLAs do not address negative externalities

§  Objective: Perform a cost-benefit analysis that help big organizations decide to join a public cloud or not.

§  Approach: Apply game theory to analyze cyber security interdependency in a public cloud.


Apply Game Theory in Public Cloud Interdependency

§  Game Theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers (by Myerson).

§  The attackers and the public cloud users are intelligent and rational.

§  Cyber security interdependency create a conflict among the users of a public cloud.

§  Cyber security interdependency can be modeled as a game.


Game Theory Optimum Decision loop

Iden%fy all the players, their strategies, And payoffs.

Informa%on: Does each player know about

others’ strategies and payoffs?

Nash Equilibrium: Play your best response to other players’ strategies

Monitoring: Observe other ac%on, Update your belief


The Nash Equilibrium

§  Every game has at least one Nash Equilibrium (NE) in either pure or mixed strategies.

§  A strategy profile is a NE if no player can unilaterally change its strategy and increase his payoff.

Ø  Each player is playing its best response to other player’s strategies

§  The NE of a security game can be used to: Ø  Predict attacker strategy Ø  Allocate cyber security resources Ø  Protect against worse-case scenario Ø  Develop cyber defense algorithms Ø  Form the basis for formal decision making


App

licat

ion

1

Operating System 1 Operating System 2 Operating System n

Virtual Machine 1

Hardware

Hypervisor

Virtual Machine 2 Virtual Machine n

App

licat

ion

1

App

licat

ion

k

App

licat

ion

k

App

licat

ion

1

App

licat

ion

k

User 1 User 2 User n

System Model

§  Need to know your neighbors.

§  User 1 gives easy access to the hypervisor by not investing in self-protection.

§  A compromised hypervisor make all users vulnerable.

§  Each user can only decide on his own investment but not on his neighbors’ investment.

§  For each user, the best strategy (Invest or Not invest) depend on other users’ actions.


Attack i User j

I N User i

I

{ 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝐼 𝜋𝐿↓𝑗 ; 𝑞↓𝐼  𝐿↓𝑖 + 𝑞↓𝐼 𝜋𝐿↓𝑗 }

{ 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑖 ; 𝑅− 𝑞↓𝐼 𝜋𝐿↓𝑗 ; 𝑞↓𝐼  𝐿↓𝑖 + 𝑞↓𝐼 𝜋𝐿↓𝑗 }

N

{ 𝑅− 𝑞↓𝑁 𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝑁  𝜋𝐿↓𝑗 ; 𝑞↓𝑁  𝐿↓𝑖 + 𝑞↓𝑁 𝜋𝐿↓𝑗 }

{ 𝑅 − 𝑞 ↓ 𝑁 𝐿↓𝑖 ; 𝑅− 𝑞 ↓ 𝑁  𝜋𝐿↓𝑗 ; 𝑞↓𝑁  𝐿↓𝑖  + 𝑞↓𝑁 𝜋𝐿↓𝑗 }

Attack j User j

I N User i

I

{ 𝑅−𝑒− 𝑞↓𝐼  𝜋𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑗 ; 𝑞↓𝐼  𝜋 𝐿↓𝑖 + 𝑞↓𝐼 𝐿↓𝑗 }

{ 𝑅−𝑒− 𝑞↓𝑁  𝜋𝐿↓𝑖 ; 𝑅− 𝑞↓𝑁 𝐿↓𝑗 ; 𝑞↓𝑁 𝜋𝐿↓𝑖 + 𝑞↓𝑁 𝐿↓𝑗 }

N

{ 𝑅− 𝑞↓𝐼 𝜋𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑗 ; 𝑞↓𝐼  𝜋 𝐿↓𝑖 + 𝑞↓𝐼 𝐿↓𝑗 }

{ 𝑅− 𝑞↓𝑁 𝜋𝐿↓𝑖 ; 𝑅− 𝑞↓𝑁 𝐿↓𝑗 ; 𝑞↓𝑁 𝜋𝐿↓𝑖 + 𝑞↓𝑁 𝐿↓𝑗 }

Symbol Notation

𝑞↓𝐼  Probability of a successful attack on a user given that he has invested in security

𝑞↓𝑁 

Probability of a successful attack on a user given that he has not invested in security

π Probability that the hypervisor is compromised given a successful attack on a user R User reward from using the cloud computing services e Total expense required to invest in security i User i j User j

𝐿↓𝑖  User i’s expected loss from a security breach

𝐿↓𝑗 

User j’s expected loss from a security breach

I User’s strategy “Invest” N User’s strategy “Not invest”

𝐴↓𝑖  Attacker’s strategy “launch an attack on User i”

𝐴↓𝑗 

Attacker’s strategy “launch an attack on User j”

𝑈↓𝑖 

User i’s payoff

𝑈↓𝑗 

User j’s payoff

𝑈↓𝑎 

Attacker’s payoff

Game Model


Game Analysis

Theorem: If 𝜋≤ 𝜋↓0 = 𝑞↓𝐼 𝐿↓𝑗 − 𝑞↓𝑁 𝐿↓𝑖 /𝑞↓𝑁 𝐿↓𝑗 − 𝑞↓𝐼 𝐿↓𝑖  , then the game admits a pure strategy Nash equilibrium profile (𝑁, 𝐼, 𝐴↓𝑗 ).

If 𝜋> 𝜋↓0  , there are three possible mixed strategy Nash equilibria (Case M1, M2, M3) depending on the required expense for security e. Case M1: If 𝑒= 𝑒↓0 = (𝑞↓𝑁 − 𝑞↓𝐼 )𝐿↓𝑖 𝐿↓𝑗 /𝐿↓𝑖 + 𝐿↓𝑗  , then the mixed strategy Nash eq. profile is {𝛼𝐼+(1−𝛼)𝑁;𝛽𝐼+(1−𝛽)𝑁;𝜆↓𝑗 𝐴↓𝑗 +(1− 𝜆↓𝑗 )𝐴↓𝑖 }, with 𝛼 and 𝛽 such that 𝛽(𝐿↓𝑗 +𝜋𝐿↓𝑖 )−𝛼(𝐿↓𝑖 +𝜋𝐿↓𝑗 )=(𝑞↓𝑁 /𝑞↓𝑁 − 𝑞↓𝐼  )[(𝐿↓𝑗 +𝜋𝐿↓𝑖 )−(𝐿↓𝑖 +𝜋𝐿↓𝑗 )] Case M2: If 𝑒< 𝑒↓0 = (𝑞↓𝑁 − 𝑞↓𝐼 )𝐿↓𝑖  𝐿↓𝑗 /𝐿↓𝑖 + 𝐿↓𝑗   , then the mixed strategy Nash eq. profile is {𝛼↓0 𝐼+(1− 𝛼↓0 )𝑁;𝐼;𝜆↓𝑖 𝐴↓𝑗 +(1− 𝜆↓𝑖 )𝐴↓𝑖 }, with 𝛼↓0 = 𝑞↓𝑁 (𝐿↓𝑖 +𝜋𝐿↓𝑗 )− 𝑞↓𝐼 (𝐿↓𝑗 +𝜋𝐿↓𝑖 )/(𝑞↓𝑁 − 𝑞↓𝐼 )(𝐿↓𝑖 +𝜋𝐿↓𝑗 ) . Case M3: If ( 𝑞↓𝑁 − 𝑞↓𝐼  ) 𝐿↓𝑖  𝐿↓𝑗  / 𝐿↓𝑖 + 𝐿↓𝑗   <𝑒<( 𝑞↓𝑁 − 𝑞↓𝐼  ) 𝐿↓𝑖  ,then the mixed strategy Nash eq. is {𝑁;𝛽↓0 𝐼+(1− 𝛽↓0 )𝑁;𝜆↓𝑗 𝐴↓𝑗 +(1− 𝜆↓𝑗 )𝐴↓𝑖 } with 𝛽↓0 = 𝑞↓𝑁 [(𝐿↓𝑗 +𝜋𝐿↓𝑖 )−(𝐿↓𝑖 +𝜋𝐿↓𝑗 )]/(𝑞↓𝑁 − 𝑞↓𝐼 )(𝐿↓𝑗 +𝜋𝐿↓𝑖 ) .


Numerical Results

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1-0.1

-0.05

0

0.05

0.1

0.15

0.2

0.25

0.3Changes in User j's Payoff with Probability pi

Probability pi

Use

r j's

Pay

off

Mixed Nash equilibrium

Pure Nash equilibrium

Changes in User j’s payoff with probability 𝜋 with 𝑒< 𝑒↓0 

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1-0.2

-0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Probability pi

Use

r j's

Pay

off

Changes in User j's Payoff with Probability pi



Parameters: 𝑞↓𝑁 =0.5,𝑞↓𝐼 =0.1,𝑅=1.2,𝐿↓𝑖 =1,𝐿↓𝑗 =10. Then 𝜋↓0 =0.102, and 𝑒↓0 =0.3636.

Changes in User j’s payoff with probability 𝜋 with 𝑒> 𝑒↓0 

M2 M3


Numerical Results

Changes of User j’s payoff with the expense in security e with 𝜋< 𝜋↓0 .

Changes of User j’s payoff with the expense in security e with 𝜋> 𝜋↓0 .

0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4-0.2

-0.1

0

0.1

0.2Changes in User j's Payoff with the Expense in Security e

Expense in Security e

User

j's P

ayoff

0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4-0.8

-0.6

-0.4

-0.2

0

0.2

0.4

0.6

0.8Changes in User j's Payoff with the Expense on Security e

Expense on Security e

Use

r j's

Pay

off Changes in mixed Nash equilibrium

P

M2

M1

M3


Numerical Results

Changes in User j’s payoff with his loss from security breach 𝐿↓𝑗 .

Changes in User j’s payoff with his reward from using the cloud.

2 4 6 8 10 12 14-3

-2.5

-2

-1.5

-1

-0.5

0

0.5

1Changes in User j's Payoff with his Loss from Security Breach Lj

User j's Loss from Security Breach Lj

Use

r j's

Pay

off




2 4 6 8 10 12 14-3

-2

-1

0

1

2

3

4

Changes in User j's Payoff with his Reward from Using the Cloud

User j's Loss from Security Breach Lj

User

j's

Payo

ff

Reward=4.4Reward=1.2

M2

M3

M1


Conclusions

Ø  This research shows that each user decision to Invest or Not invest depend on the potential loss from the neighbors after a security breach.

Ø  VMs should be allocated in a public cloud to minimize negative externality.

Ø  VMs that have similar potential loss from a security breach should be on the same physical machine.

Ø  We have introduced a game-theoretic approach to analyze cyber security interdependency in a public cloud.


Future Work

Ø  Model extension to more than two users .

Ø  Model extension to multiple attackers.

Ø  Incomplete information.

Ø  Repeated interaction.


Reference

To appear in the proceedings of IEEE CLOUD 2014, Anchorage, Alaska, June 2014.


Q & A

Thank You!

presenter: charles kamhoua, ph.d. - university of...

Documents