presenter: charles kamhoua, ph.d. - university of...
TRANSCRIPT
1 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Integrity « Service « Excellence
Game Theoretic Modeling of Security and Interdependency in a Public Cloud
Presenter: Charles Kamhoua, Ph.D. Air Force Research Laboratory Cyber Assurance Branch
April 2, 2014
Collaborators: Kevin Kwiat (AFRL/RIGA) Joon S. Park (Syracuse Univ.) Ming Zhao (FIU) Manuel Rodriguez (NRC)
2 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Outline
§ Public Cloud Computing § Challenges § Cross-side Channel Attack § Game Theory § System Model § Game Model § Game Analysis § Numerical Results § Conclusions § Reference
3 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Game Theory in the Cloud?
Source: http://www.free-pictures-photos.com/
4 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
What is Cloud Computing? NIST Five Essential Characteristics
§ On-demand self-service
Ø A consumer can provision computing capabilities as needed. § Broad network access
Ø Capabilities are available over the network. § Resource pooling
Ø The provider's computing resources are pooled to serve multiple consumers according to consumer demand.
§ Rapid elasticity
Ø Capabilities can be elastically provisioned and released to scale rapidly outward and inward commensurate with demand.
§ Measured service
Ø Resource usage can be monitored, controlled, and reported. Peter Mell, Timothy Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication 800-145, 2011
5 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Benefit of Cloud Computing
§ Faster deployment
§ Infrastructure flexibility
§ No up-front Investment
§ Fine-grained billing (e.g. hourly)
§ Pay-as-you-go
§ Improved productivity
6 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Risks of Adopting Cloud Computing
§ Availability of services and data
§ Reliability
§ Complexity
§ Performance
§ Privacy
§ Security
§ Interdependency
§ Negative externalities
7 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Cause of Cyber Security Interdependency in a Public Cloud
§ No perfect isolation of different user.
§ Sharing of common resources.
§ Some of the resources can be partitioned. Ø CPU cycles, memory capacity, and I/O bandwidth.
§ Some of the resources cannot be well partitioned. Ø last-level cache (LLC), memory bandwidth, IO buffers and the hypervisor.
§ The shared resources can be exploited by attackers to launch cross-side channel attack.
8 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Cross-side Channel Attack
§ A malicious user can analyze the cache to detect a co-resident VM’s keystroke activities and map the internal cloud infrastructure and then launch a side-channel attack on a co-resident VM. T. Ristenpart, E. Tromer, H. Shacham, S. Savage. “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,” In the proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, Chicago, IL, USA, October 2009.
§ An attacker can initiate a covert channel of 4 bits per second, and confirm co-residency with a target VM instance in less than 10 seconds. A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, K. Butler “Detecting Co-Residency with Active Traffic Analysis Techniques,” in the proceedings of the 2012 ACM Cloud Computing Security Workshop (CCSW) in conjunction with the 19th ACM Conference on Computer and Communications Security, October 2012, Raleigh, North Carolina, USA.
9 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Our Approach
§ Favorable: Small organizations find that the benefit of joining a public cloud outweigh the risk.
Ø Quick adoption of public cloud by small organizations
§ Problems: Cross-side channel attack, cyber security interdependency and negative externalities prevent big organizations from joining a public cloud.
Ø SLAs are only about service up time Ø SLAs do not address negative externalities
§ Objective: Perform a cost-benefit analysis that help big organizations decide to join a public cloud or not.
§ Approach: Apply game theory to analyze cyber security interdependency in a public cloud.
10 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Apply Game Theory in Public Cloud Interdependency
§ Game Theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers (by Myerson).
§ The attackers and the public cloud users are intelligent and rational.
§ Cyber security interdependency create a conflict among the users of a public cloud.
§ Cyber security interdependency can be modeled as a game.
11 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Game Theory Optimum Decision loop
Iden%fy all the players, their strategies, And payoffs.
Informa%on: Does each player know about
others’ strategies and payoffs?
Nash Equilibrium: Play your best response to other players’ strategies
Monitoring: Observe other ac%on, Update your belief
12 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
The Nash Equilibrium
§ Every game has at least one Nash Equilibrium (NE) in either pure or mixed strategies.
§ A strategy profile is a NE if no player can unilaterally change its strategy and increase his payoff.
Ø Each player is playing its best response to other player’s strategies
§ The NE of a security game can be used to: Ø Predict attacker strategy Ø Allocate cyber security resources Ø Protect against worse-case scenario Ø Develop cyber defense algorithms Ø Form the basis for formal decision making
13 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
App
licat
ion
1
Operating System 1 Operating System 2 Operating System n
Virtual Machine 1
Hardware
Hypervisor
Virtual Machine 2 Virtual Machine n
App
licat
ion
1
App
licat
ion
k
App
licat
ion
k
App
licat
ion
1
App
licat
ion
k
User 1 User 2 User n
System Model
§ Need to know your neighbors.
§ User 1 gives easy access to the hypervisor by not investing in self-protection.
§ A compromised hypervisor make all users vulnerable.
§ Each user can only decide on his own investment but not on his neighbors’ investment.
§ For each user, the best strategy (Invest or Not invest) depend on other users’ actions.
14 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Attack i User j
I N User i
I
{ 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝐼 𝜋𝐿↓𝑗 ; 𝑞↓𝐼 𝐿↓𝑖 + 𝑞↓𝐼 𝜋𝐿↓𝑗 }
{ 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑖 ; 𝑅− 𝑞↓𝐼 𝜋𝐿↓𝑗 ; 𝑞↓𝐼 𝐿↓𝑖 + 𝑞↓𝐼 𝜋𝐿↓𝑗 }
N
{ 𝑅− 𝑞↓𝑁 𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝑁 𝜋𝐿↓𝑗 ; 𝑞↓𝑁 𝐿↓𝑖 + 𝑞↓𝑁 𝜋𝐿↓𝑗 }
{ 𝑅 − 𝑞 ↓ 𝑁 𝐿↓𝑖 ; 𝑅− 𝑞 ↓ 𝑁 𝜋𝐿↓𝑗 ; 𝑞↓𝑁 𝐿↓𝑖 + 𝑞↓𝑁 𝜋𝐿↓𝑗 }
Attack j User j
I N User i
I
{ 𝑅−𝑒− 𝑞↓𝐼 𝜋𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑗 ; 𝑞↓𝐼 𝜋 𝐿↓𝑖 + 𝑞↓𝐼 𝐿↓𝑗 }
{ 𝑅−𝑒− 𝑞↓𝑁 𝜋𝐿↓𝑖 ; 𝑅− 𝑞↓𝑁 𝐿↓𝑗 ; 𝑞↓𝑁 𝜋𝐿↓𝑖 + 𝑞↓𝑁 𝐿↓𝑗 }
N
{ 𝑅− 𝑞↓𝐼 𝜋𝐿↓𝑖 ; 𝑅−𝑒− 𝑞↓𝐼 𝐿↓𝑗 ; 𝑞↓𝐼 𝜋 𝐿↓𝑖 + 𝑞↓𝐼 𝐿↓𝑗 }
{ 𝑅− 𝑞↓𝑁 𝜋𝐿↓𝑖 ; 𝑅− 𝑞↓𝑁 𝐿↓𝑗 ; 𝑞↓𝑁 𝜋𝐿↓𝑖 + 𝑞↓𝑁 𝐿↓𝑗 }
Symbol Notation
𝑞↓𝐼 Probability of a successful attack on a user given that he has invested in security
𝑞↓𝑁
Probability of a successful attack on a user given that he has not invested in security
π Probability that the hypervisor is compromised given a successful attack on a user R User reward from using the cloud computing services e Total expense required to invest in security i User i j User j
𝐿↓𝑖 User i’s expected loss from a security breach
𝐿↓𝑗
User j’s expected loss from a security breach
I User’s strategy “Invest” N User’s strategy “Not invest”
𝐴↓𝑖 Attacker’s strategy “launch an attack on User i”
𝐴↓𝑗
Attacker’s strategy “launch an attack on User j”
𝑈↓𝑖
User i’s payoff
𝑈↓𝑗
User j’s payoff
𝑈↓𝑎
Attacker’s payoff
Game Model
15 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Game Analysis
Theorem: If 𝜋≤ 𝜋↓0 = 𝑞↓𝐼 𝐿↓𝑗 − 𝑞↓𝑁 𝐿↓𝑖 /𝑞↓𝑁 𝐿↓𝑗 − 𝑞↓𝐼 𝐿↓𝑖 , then the game admits a pure strategy Nash equilibrium profile (𝑁, 𝐼, 𝐴↓𝑗 ).
If 𝜋> 𝜋↓0 , there are three possible mixed strategy Nash equilibria (Case M1, M2, M3) depending on the required expense for security e. Case M1: If 𝑒= 𝑒↓0 = (𝑞↓𝑁 − 𝑞↓𝐼 )𝐿↓𝑖 𝐿↓𝑗 /𝐿↓𝑖 + 𝐿↓𝑗 , then the mixed strategy Nash eq. profile is {𝛼𝐼+(1−𝛼)𝑁;𝛽𝐼+(1−𝛽)𝑁;𝜆↓𝑗 𝐴↓𝑗 +(1− 𝜆↓𝑗 )𝐴↓𝑖 }, with 𝛼 and 𝛽 such that 𝛽(𝐿↓𝑗 +𝜋𝐿↓𝑖 )−𝛼(𝐿↓𝑖 +𝜋𝐿↓𝑗 )=(𝑞↓𝑁 /𝑞↓𝑁 − 𝑞↓𝐼 )[(𝐿↓𝑗 +𝜋𝐿↓𝑖 )−(𝐿↓𝑖 +𝜋𝐿↓𝑗 )] Case M2: If 𝑒< 𝑒↓0 = (𝑞↓𝑁 − 𝑞↓𝐼 )𝐿↓𝑖 𝐿↓𝑗 /𝐿↓𝑖 + 𝐿↓𝑗 , then the mixed strategy Nash eq. profile is {𝛼↓0 𝐼+(1− 𝛼↓0 )𝑁;𝐼;𝜆↓𝑖 𝐴↓𝑗 +(1− 𝜆↓𝑖 )𝐴↓𝑖 }, with 𝛼↓0 = 𝑞↓𝑁 (𝐿↓𝑖 +𝜋𝐿↓𝑗 )− 𝑞↓𝐼 (𝐿↓𝑗 +𝜋𝐿↓𝑖 )/(𝑞↓𝑁 − 𝑞↓𝐼 )(𝐿↓𝑖 +𝜋𝐿↓𝑗 ) . Case M3: If ( 𝑞↓𝑁 − 𝑞↓𝐼 ) 𝐿↓𝑖 𝐿↓𝑗 / 𝐿↓𝑖 + 𝐿↓𝑗 <𝑒<( 𝑞↓𝑁 − 𝑞↓𝐼 ) 𝐿↓𝑖 ,then the mixed strategy Nash eq. is {𝑁;𝛽↓0 𝐼+(1− 𝛽↓0 )𝑁;𝜆↓𝑗 𝐴↓𝑗 +(1− 𝜆↓𝑗 )𝐴↓𝑖 } with 𝛽↓0 = 𝑞↓𝑁 [(𝐿↓𝑗 +𝜋𝐿↓𝑖 )−(𝐿↓𝑖 +𝜋𝐿↓𝑗 )]/(𝑞↓𝑁 − 𝑞↓𝐼 )(𝐿↓𝑗 +𝜋𝐿↓𝑖 ) .
16 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Numerical Results
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1-0.1
-0.05
0
0.05
0.1
0.15
0.2
0.25
0.3Changes in User j's Payoff with Probability pi
Probability pi
Use
r j's
Pay
off
Mixed Nash equilibrium
Pure Nash equilibrium
Changes in User j’s payoff with probability 𝜋 with 𝑒< 𝑒↓0
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Probability pi
Use
r j's
Pay
off
Changes in User j's Payoff with Probability pi
Mixed Nash equilibrium
Pure Nash equilibrium
Parameters: 𝑞↓𝑁 =0.5,𝑞↓𝐼 =0.1,𝑅=1.2,𝐿↓𝑖 =1,𝐿↓𝑗 =10. Then 𝜋↓0 =0.102, and 𝑒↓0 =0.3636.
Changes in User j’s payoff with probability 𝜋 with 𝑒> 𝑒↓0
M2 M3
17 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Numerical Results
Changes of User j’s payoff with the expense in security e with 𝜋< 𝜋↓0 .
Changes of User j’s payoff with the expense in security e with 𝜋> 𝜋↓0 .
0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4-0.2
-0.1
0
0.1
0.2Changes in User j's Payoff with the Expense in Security e
Expense in Security e
User
j's P
ayoff
0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4-0.8
-0.6
-0.4
-0.2
0
0.2
0.4
0.6
0.8Changes in User j's Payoff with the Expense on Security e
Expense on Security e
Use
r j's
Pay
off Changes in mixed Nash equilibrium
P
M2
M1
M3
18 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Numerical Results
Changes in User j’s payoff with his loss from security breach 𝐿↓𝑗 .
Changes in User j’s payoff with his reward from using the cloud.
2 4 6 8 10 12 14-3
-2.5
-2
-1.5
-1
-0.5
0
0.5
1Changes in User j's Payoff with his Loss from Security Breach Lj
User j's Loss from Security Breach Lj
Use
r j's
Pay
off
Mixed Nash equilibrium
Pure Nash equilibrium
Mixed Nash equilibrium
2 4 6 8 10 12 14-3
-2
-1
0
1
2
3
4
Changes in User j's Payoff with his Reward from Using the Cloud
User j's Loss from Security Breach Lj
User
j's
Payo
ff
Reward=4.4Reward=1.2
M2
M3
M1
19 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Conclusions
Ø This research shows that each user decision to Invest or Not invest depend on the potential loss from the neighbors after a security breach.
Ø VMs should be allocated in a public cloud to minimize negative externality.
Ø VMs that have similar potential loss from a security breach should be on the same physical machine.
Ø We have introduced a game-theoretic approach to analyze cyber security interdependency in a public cloud.
20 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Future Work
Ø Model extension to more than two users .
Ø Model extension to multiple attackers.
Ø Incomplete information.
Ø Repeated interaction.
21 Approved for Public Release; Distribution Unlimited: 88ABW-2013-5145 Dated 9 DEC 2013
Reference
To appear in the proceedings of IEEE CLOUD 2014, Anchorage, Alaska, June 2014.