A Game Theoretic Model of Strategic Conflict in Cyberspace
Operations Research Department, Naval Postgraduate School, Monterey, CA
80th MORS, 12 June 2012
Harrison C. Schramm, David L. Alderson, W. Matthew Carlyle, Nedialko B. Dimitrov
Cyber Conflict - definitions
• Defining characteristic: how weapons in cyberspace (cyber weapons) are discovered, developed, and employed
• Our model is a high-level, strategic look at the problem of cyber conflict
• Key question: how long should a belligerent in cyber conflict hold an exploit in development before attacking?
Cyber Conflict – Approach
• Cyber conflict may be viewed as a game
• Players discover and develop attacks, which they then exercise at a time of their choosing
• Analysis is abstracted away from specific technologies, systems, and exploits
– Similar to other models of combat
Related Work
• JASON (2010) The Science of Cybersecurity
– DOD report, recommends game theory as an analytic method
• Shiva et al. (2010) Game theoretic approaches to protect cyberspace
– Presents a taxonomy of game theoretic methods in cyberspace
• Lye & Wing (2002) Game strategies in network security
• Shen et al. (2007) A Markov game theoretic approach for cyber situational awareness
Cyber munition life-cycle
Life-cycle diagram: Discovery → Development → Employment; an Adversary Patch leads to Obsolescence.
Cyber Game Mechanics
• Discovery of Exploit
– Game state indexed as $(T, \tau_1, \tau_2)$, where $T$ is the age of the game and $\tau_i$ represents the length of time player $i$ has known the exploit
• Development of Munition
– After a player has discovered the exploit, they may develop the exploit in accordance with some known attack value function $a_i(\tau_i)$
Game Mechanics II
• Employment
– Once a player has the exploit, he may choose to use it. His action set is defined as:
$$A_i = \{\, W:\ \text{Wait; the default action if } \tau_i = 0,\quad A:\ \text{Attack, and end the game} \,\}$$
• Obsolescence
– If either player discovers and patches the exploit before an attack is executed, all munitions are worthless and the game ends.
State transition diagram. Label: ‘This state is recurrent until the first discovery is made’.
Our Analysis
• Zero Sum
• Two Players
• Identical Systems
• One zero-day Exploit
• Perfect Information
Solving the game relies on building on cases based on knowledge
Solution hierarchy (diagram): No players → One player → Both players. Solving the case where neither player has the exploit depends on the one-player case, which in turn depends on the case where both players have the exploit.
The Base: Both Players know the Exploit
If both players know the exploit, “Attack, Attack” is the optimum solution by iterated elimination of dominated strategies.
Payoff to Player 1 (Player 1's action by row, Player 2's by column):
                      Player 2 plays: W                   Player 2 plays: A
Player 1 plays: W     $V(T+1, \tau_1+1, \tau_2+1)$        $-a_2(\tau_2)$
Player 1 plays: A     $a_1(\tau_1)$                       $a_1(\tau_1) - a_2(\tau_2)$
We may compute the value of the game for states $(T, \tau_1, \tau_2)$ with $\tau_1 > 0$ and $\tau_2 > 0$.
State transition diagram. Labels: ‘This state is recurrent until the first discovery is made’; ‘Not reachable for optimal players with perfect knowledge’; ‘Absorbing’.
Situation II – One player knows the exploit
• Under what circumstances should Player 1 wait (and possibly gain attack value)?
• For monotone functions, this is straightforward, but the general case is solved as well.
Payoff to Player 1 (Player 2 does not yet have the exploit, so Wait is his only action):
                          Player 2 plays: Wait
Player 1 plays: Wait      $Y$
Player 1 plays: Attack    $a_1(\tau_1)$
We may compute the value of the game for states $(T, \tau_1, \tau_2)$ with $\tau_1 > 0$ and $\tau_2 = 0$.
State transition diagram. Labels: ‘Not reachable’; ‘Starting here’; ‘Will Player 2 reach a better state on the axis before Player 1 discovers the exploit?’
The general case – neither player knows the exploit…
From the state $(T,0,0)$, conditioned on at least one player detecting the exploit (the state is recurrent until the first discovery), the next state is determined by the players' probabilities of detection $p_1$ and $p_2$:
$$\Pr[\text{next state is }(T+1,1,0)] = \frac{p_1(1-p_2)}{p_1(1-p_2) + (1-p_1)p_2 + p_1 p_2}$$
$$\Pr[\text{next state is }(T+1,0,1)] = \frac{(1-p_1)p_2}{p_1(1-p_2) + (1-p_1)p_2 + p_1 p_2}$$
$$\Pr[\text{next state is }(T+1,1,1)] = \frac{p_1 p_2}{p_1(1-p_2) + (1-p_1)p_2 + p_1 p_2}$$
The value of the no-player state is the expectation over these three successor states:
$$V(T,0,0) = \Pr[(T+1,1,0)]\,V(T+1,1,0) + \Pr[(T+1,0,1)]\,V(T+1,0,1) + \Pr[(T+1,1,1)]\,V(T+1,1,1)$$
where $V(T+1,1,0) = v_1(k_1^*)$ and $V(T+1,0,1) = -v_2(k_2^*)$ are the one-player values (player $i$ holding the exploit for its optimal number of turns $k_i^*$) and $V(T+1,1,1) = a_1(1) - a_2(1)$ is the both-players base case.
Given these, we can compute the value of the game from any state, including $(T,0,0)$.
State transition diagram. Labels: ‘Not reachable for optimal players with perfect knowledge’; ‘Absorbing’; ‘Starting here’.
Who wins?
Numerical Analysis
Basic Case: If the players have constant probability of detection $p_i$ and constant attack value functions $a_i(\tau_i) = c_i$, then Player 1 will expect to win if:
$$p_1 a_1(1) > p_2 a_2(1)$$
Example II: Suppose Players 1 and 2 have attack functions such that:
$$a_1(0) = 0,\qquad a_1(\tau_1) = 1 \text{ for } 0 < \tau_1 < 5,\qquad a_1(\tau_1) = 5 \text{ for } \tau_1 \ge 5,\qquad a_2(\tau_2) = c_2 = 1.$$
Plot: $v(h)$, the value of waiting $h$ turns, against turns to wait $h$ ($h = 1,\dots,7$).
Here, we have to compute the optimum number of turns to wait before attacking, which turns out to be 5, matching our intuition
Example II – the effect of varying $p_1$
Plot: value (Player 1's point of view) against $p_1$, Player 1's probability of detection, for $p_1$ from 0 to 1.
Example II
Plot: $a_1(\tau_1)$ against holding time $\tau_1$ ($\tau_1 = 1,\dots,7$).
Suppose Players 1 and 2 have attack functions such that:
$$a_2(1) = 1,\qquad p_2 = .3,\qquad a_1(\tau_1) = [1,2,3,4,5,3,6] \text{ for } \tau_1 = 1,\dots,7.$$
Note that since Player 1 has the exploit, $p_1$ is irrelevant.
Example II
Plot: value against waiting time $h$ ($h = 1,\dots,7$).
Value function associated with example two. We see that the maximum value of $V$ occurs at $h = 5$. Therefore, in this case, it is not ‘worth it’ to wait.
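As an added worked example (not the authors' code), the value-of-holding computation behind the Basic Case ‘who wins’ condition and Example II, written in Python under simplified rules that are my assumption rather than the deck's exact model: no patching, a fixed per-turn detection probability for a player who lacks the exploit, and immediate Attack, Attack once both players know it (the base case).

```python
"""Added example (not the authors' code).  Assumed simplified rules:
no patching/obsolescence; a player without the exploit detects it each
turn with fixed probability p_i; once both players know it they attack
immediately (base case payoff a1(tau1) - a2(tau2)).  a1 is a list with
a1[k-1] = a1(k), the attack value after holding the exploit k turns."""
from typing import List, Tuple


def value_of_holding(a1: List[float], a2_1: float, p2: float, h: int) -> float:
    """Player 1 holds the exploit (tau1 = 1), Player 2 does not, and Player 1
    plans to attack at tau1 == h.  Each turn Player 1 waits at tau1 = k,
    Player 2 detects with probability p2; the next state is then
    (T+1, k+1, 1), where both attack and Player 1 nets a1(k+1) - a2(1)."""
    if not 1 <= h <= len(a1):
        raise ValueError("h must index a defined a1 value")
    q = 1.0 - p2
    v = 0.0
    for k in range(1, h):
        v += q ** (k - 1) * p2 * (a1[k] - a2_1)  # detected while waiting
    return v + q ** (h - 1) * a1[h - 1]           # reached tau1 == h, attack


def best_holding_time(a1: List[float], a2_1: float, p2: float) -> Tuple[int, float]:
    """Optimal holding time k* and its value v(k*) over h = 1..len(a1)."""
    values = {h: value_of_holding(a1, a2_1, p2, h) for h in range(1, len(a1) + 1)}
    h_star = max(values, key=values.get)
    return h_star, values[h_star]


def no_player_value(c1: float, c2: float, p1: float, p2: float) -> float:
    """V(T,0,0) for constant attack functions a_i = c_i, where the optimal
    one-player play is to attack at once (waiting only risks detection).
    Uses the deck's transition probabilities, conditioned on a discovery."""
    w10, w01, w11 = p1 * (1 - p2), (1 - p1) * p2, p1 * p2
    denom = w10 + w01 + w11
    return (w10 * c1 + w01 * (-c2) + w11 * (c1 - c2)) / denom


if __name__ == "__main__":
    # Example II: a1 = [1,2,3,4,5,3,6], a2(1) = 1, p2 = .3 -> optimum h = 5
    print(best_holding_time([1, 2, 3, 4, 5, 3, 6], 1.0, 0.3))
    # Step function (value 1 for tau1 < 5, then 5), constructed p2 = .3
    print(best_holding_time([1, 1, 1, 1, 5, 5, 5], 1.0, 0.3))
    # 'Who wins': the sign of V(T,0,0) follows p1*c1 - p2*c2
    print(no_player_value(2.0, 1.0, 0.2, 0.4))
```

Under these rules the sign of `no_player_value` reduces algebraically to the sign of $p_1 c_1 - p_2 c_2$, which is the deck's Basic Case condition.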
Extensions
Waiting Times
• What happens if we introduce non-productive waiting times?
– Such as administrative approval chains
– Or other reasons
• Conclusion: If you are slow to act, you can make it up (a little bit) by increasing capability in other areas, but only to a point.
State transition diagram. Labels: ‘Discovers here’; ‘Cannot progress until w time periods pass’.
Waiting Times
Plot: Player 1's expected payoff against waiting time $w$ ($w = 0,\dots,10$; payoff from $-5$ to $0$).
Payoff to Player 1 of an otherwise ‘even’ cyber game, where Player 1 is forced to wait $w$ time periods after discovery before any action may be taken.
Waiting Times II
Plot: required $p_1$ against waiting time $w$ ($w = 0,\dots,9$; $p_1$ from 0.1 to 1).
Player 1's required probability of detection, $p_1$, to ‘break even’ as a function of wait time. Note in this scenario that after 9 time periods, perfect detection is required; further advancements are not possible.
Conclusion
• We present a lexicon and framework for analyzing cyber conflict
• Future work:
– Multiple Attacks
– Imperfect Information
– Incorporating issues outside of cyber (i.e. kinetic)
NPS OR Cyber interest points of contact:
• CDR Harrison Schramm – [email protected] – 831 656 2358
• Professor Matt Carlyle – [email protected]
• Professor Dave Alderson – [email protected] – 831 656 1814
• Professor Ned Dimitrov – [email protected] – 831 656 3647
Backup
State transition diagram (backup slide).