October 20, 2003 Yvo Desmedt
Using economics and artificial intelligence to identify critical infrastructures
by Yvo Desmedt
Florida State University, USA
This presentation is based on joint work with:
• Yongge Wang (University of North Carolina, Charlotte)
• Mike Burmester (Florida State University)
Main issue
Methods to identify the most critical infrastructures:
– CIAO list was clearly incomplete.
– How to address this with a scientific method?
– This is the focus of this presentation
The problems with traditional models
Using an AI model
Discussion and extensions
The economics of the enemy
The problems with traditional models
Why models?
– describe the world mathematically
– abstract away details
– allow us to focus
Why do models get outdated?
– world changes
– details are no longer details
– may have focused on wrong aspects
Why we must update; otherwise:
– incorrect results
– waste of resources, dangerous, ...
The problems with traditional models
Typical aspects of outdated models:
– start with linear (simpler) but often leads to incorrect results
– still used with terrible consequences
– still being advocated
The problems with traditional models
Problems with security models:
– assume insider (machine, software, user) is trusted: outdated due to (e.g.):
  • computer viruses/worms
  • ease of installing new software
  • lip service only to security
  • large untested operating systems
  • massive hacking
  • users could be disgruntled, . . .
  • bribing: makes “trusted computers” untrustworthy
The problems with traditional models
Problems with security models:
– models that do not assume this are:
  • linear (cost enemy: linear in #machines)
  • too simplistic:
    – copied models of network reliability
    – lack impact factor and lack more global viewpoint
    – lack timing aspect
    – parameters not necessarily known
The problems with traditional models
Focus on models that do not assume trusted insider:
  • usual model: Byzantine
  • i.e. breaking into:
    – any k-1 machines: feasible
    – any k machines: infeasible
The problems with traditional models
problems: linear aspect:
– too homogeneous:
  • cost to break into k computers is not k * cost to break into one, due to:
    – automated attacks
    – availability of attack on WWW
    – same platform, ...
– not homogeneous:
  • some computers are better protected than others
The problems with traditional models
problems: too simplistic
– network model:
  • too homogeneous: computers do not play similar roles: good only for theoretical results.
    – Theory: general purpose computers
    – Practice: also e.g. sensors, control unit
  • Can be broken into
The problems with traditional models
problems: too simplistic
– network model: sensors, control unit
  • Can be broken into using a new (1986!) attack using a special worm that targets the CAD programs. Potential impact:
    – VLSI with trapdoors (1986)
    – (EP)ROM: no scanners
    – Dedicated machines
  • Needs to be planned ahead.
The problems with traditional models
problems: too simplistic
– lack impact factor:
  • what is the impact if a computer is no longer accessible/faulty:
    – home computer: minor
    – critical infrastructure: major
  • need to have a model that integrates the mechanical and computer world
The problems with traditional models
problems: too simplistic
– lack timing aspect:
  • world is dynamic:
    – parameters change
    – enemy can adapt
    – defense must upgrade
  • buffers (as food, water, computers)
  • new attacks take time to be detected
  • time to recover
The problems with traditional models
problems: too simplistic
– parameters not necessarily known (e.g.):
  • even for network case. Classical algorithms to find network graph assume no untrusted insiders
  • #untrusted machines: what value
Using an AI model
Problems with the communication model:
  • network model: too homogeneous: computers do not play similar roles: good only for theoretical results
Using an AI model
Network graph: reliable communication
[Figure: network graph with nodes A, B, P1, P2 and P3]
information: can go via P1 or P2 or P3
Using an AI model
Problems with the communication model:
  • network model: certain distributed computations (e.g. transactions) require that all sub-transactions have taken place: well known in the mechanical world.
  • Mechanical world uses PERT graph
Using an AI model
PERT graph (Program Evaluation and Review Technique): Directed acyclic graph
[Figure: PERT graph of a car manufacturing system, with vertices car plant, . . ., steel, plastics, screw]
Using an AI model
Impact goes beyond computers. So we
need to have a model that integrates
mechanical and computer world.
Using an AI model
AND/OR graphs as a model for distributed computation
– AND/OR graphs: acyclic directed graph: vertices labeled: AND or OR
– AND: PERT aspect, i.e. multiple inputs
– OR: network aspect, redundancy
– allows integrating computer and mechanical aspects
Secure distributed computation needs a different model
The airplane’s next position: s = s_0 + v t + (1/2) a t^2
• P : current position
• S : speed
• a : acceleration, here a = 0
[Figure: two AND/OR graphs for computing the next position, labeled "with redundancy" and "Without redundancy"; vertices are marked P, S, T, *, + and Vote. P: the airplane’s position sensor; S: the airplane’s speed sensor; T: the time interval (input).]
Wang-Desmedt-Burmester use an AI concept: AND-vertex, OR-vertex
a vertex is: a sensor, or a process, or a dedicated computer
Using an AI model
Disadvantage of AND/OR graph:
– Deciding whether a given graph is k-connected is in P,
– however the equivalent problem in an AND/OR graph is NP-complete.
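An added example (not from the presentation) of what the connectivity question looks like on an AND/OR graph: an exhaustive search for the minimal sets of sensors whose loss makes the output uncomputable, which is exponential in the set size, as the hardness result leads one to expect. The two graphs are constructed here after the airplane slide; the vertex names and the reading of a vertex as a `(kind, inputs)` pair are assumptions.

```python
from itertools import combinations

def works(graph, output, removed):
    """True if `output` is still computable once the `removed` vertices are gone."""
    def ok(v):
        if v in removed:
            return False
        kind, inputs = graph[v]
        if kind == "IN":                      # sensor / input vertex
            return True
        if kind == "AND":                     # PERT aspect: needs every input
            return all(ok(u) for u in inputs)
        return any(ok(u) for u in inputs)     # OR: redundancy, one input suffices
    return ok(output)

def minimal_cuts(graph, output, candidates, max_size):
    """Brute force: minimal subsets of `candidates` whose removal disables `output`."""
    cuts = []
    for size in range(1, max_size + 1):
        for subset in combinations(sorted(candidates), size):
            s = set(subset)
            if any(c <= s for c in cuts):     # a smaller cut is already inside
                continue
            if not works(graph, output, s):
                cuts.append(s)
    return cuts

# Constructed graphs for s = s0 + v*t (a = 0); vertex names are assumptions.
PLAIN = {
    "P": ("IN", []), "S": ("IN", []), "T": ("IN", []),
    "S*T": ("AND", ["S", "T"]),
    "next": ("AND", ["P", "S*T"]),
}
REDUNDANT = {
    **{n: ("IN", []) for n in ("P1", "P2", "P3", "S1", "S2", "T")},
    "P": ("OR", ["P1", "P2", "P3"]),
    "S": ("OR", ["S1", "S2"]),
    "S*T": ("AND", ["S", "T"]),
    "next": ("AND", ["P", "S*T"]),
}

if __name__ == "__main__":
    print(minimal_cuts(PLAIN, "next", {"P", "S", "T"}, 3))
    sensors = {v for v, (kind, _) in REDUNDANT.items() if kind == "IN"}
    print(minimal_cuts(REDUNDANT, "next", sensors, 3))
```

In the redundant graph the unreplicated time input T remains a one-vertex cut, while the position and speed sensors only fail as complete groups.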
Using an AI model
Adding impact factor
– flow:
Preliminary question:
Given: AND/OR graph G, capacity function, positive integer z
Question: Is there a flow f (additive) such that the flow at the output is at least z?
Is already NP-complete for the case z=1.
Using an AI model
Adding impact factor:
– flow: critical vertices:
  • set U, |U|<k: removed from graph (no input/output vertices)
  • for all U’, |U’|<k: maximal flow_U ≤ maximal flow_{U’}
Given: AND/OR graph G, capacity function, set U
Question: Is U critical?
Is NP-hard, and L is not in NP and not in co-NP (if P is different from NP).
Using an AI model
Adding impact factor:– flow: below critical flow:
Given: AND/OR graph G, capacity function, integers k and p.
Question: Does there exist a vertex set U such that:
  • |U| < k
  • maximal flow_U < p
Is NP-hard, and L is not in NP and not in co-NP (if P is different from NP).
Discussion and extensions
Byzantine model had its time
Our models can be improved by including:
control theory aspects, such as:
– time parameters, e.g.:
  • between attack and detection of attack
  • time to recover from an attack
  • time of no return
Discussion and extensions
– time survivability condition:
(time to repair the system) + (time to detect an attack) < (the time of no return) + (the time the stock will last)
Discussion and extensions
Impact
Byzantine model implies expensive
redundant hardware. However, if
the cost to attack a node is
prohibitive: no redundancy is
needed.
The economics of the enemy
Introduction:
– Seems hard to model since different
opponents have different goals:
war: undermine economy, military output
terrorist: visible targets or targets with
large impact
hacker: e.g. show that a system is insecure
The economics of the enemy
Introduction:
– Assume the enemy has a budget B_E: not necessarily expressed in $.
– Optimization of the attack: maybe, maybe not
The economics of the enemy
Feasible attacks?
– Analysis of the Byzantine model
  • Breaking into:
    – any k machines: feasible
    – any k+1 machines: infeasible
  • First economic model:
    – uniform (same price to attack any machine), implies that the cost is linear.
The economics of the enemy
– Problems of the linear aspect:
  • too linear:
    – cost to break into k computers is not k * cost to break into one, due to:
      automated attacks
      availability of attack on WWW
      same platform, ...
  • not homogeneous:
    – some computers are better protected than others
The economics of the enemy
– A first alternative:
  • To each subset S of the nodes we assign c_{S,E} as the cost of the enemy E to break into all nodes in S.
  • Still Byzantine iff:
    – for each subset S of at most k nodes: c_{S,E} ≤ B_E
    – for each subset S of k+1 nodes or more: c_{S,E} > B_E
  • call this the Byzantine cost assumption.
The economics of the enemy
– A more realistic model:
  • Enemy can attack nodes and links
  • S: a subset of these
  • To each subset corresponds a cost: c_{S,E}
  • Enemy can attack iff c_{S,E} ≤ B_E
  • This defines an access structure of the enemy: Gamma.
The economics of the enemy
– Difficulties:
  • Too many subsets!
  • How to estimate the costs?
– Possible solution:
  • cost of attacking m+1 machines using the same operating system (platform) = cost of attacking m machines using the same operating system (platform).
– Stability?
The economics of the enemy
Introduction
Feasible attacks?
Optimizing the attack
The enemy can attack any subset
of computers/links in Gamma.
Good viewpoint for hacker, not for
terrorists and information
warfare.
The economics of the enemy
Optimizing the attack
– for an application “a” several computers/links T_a are involved. Natural to talk about a flow f_{T_a}.
– Maximum flow: capacity: C_{T_a}
– attacking different flow units has a different impact. So we have an impact factor I_a.
The economics of the enemy
Optimizing the attack
Total impact of the application: f_{T_a} * I_a. This gives:
– a weighted total flow F (warning: not necessarily linear), and
– a weighted total capacity C.
The economics of the enemy
Optimizing the attack
BIG QUESTION: which nodes/links are optimal for the enemy to take over?
The economics of the enemy
Optimizing the attack
– When enemy takes over a set S in Gamma the weighted total capacity is reduced from C to C_S
– Enemy will choose S such that:
  • C_S is minimal, or
  • C_S < C_crit (winning strategy)
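The cost model, the access structure Gamma and the minimal C_S from the preceding slides, worked through from the designer's side as an added example (not from the presentation). Node names, applications, costs, B_E and C_crit are constructed; the code assumes linear weighting, that an application stops when any node of T_a is taken over, and that an attack on a platform is paid for once however many machines run it.

```python
from itertools import combinations

def attack_cost(S, platform_of, platform_cost):
    """c_{S,E} under the platform rule: each platform present in S is paid once."""
    return sum(platform_cost[p] for p in {platform_of[n] for n in S})

def residual_capacity(S, apps):
    """C_S: sum of C_{T_a} * I_a over applications untouched by S.
    Assumptions: linear weighting; losing any node of T_a stops application a."""
    return sum(cap * impact for t_a, cap, impact in apps.values() if not (t_a & S))

def worst_case(nodes, apps, platform_of, platform_cost, budget):
    """Minimise C_S over Gamma = {S : c_{S,E} <= B_E}; returns (C_S, S)."""
    best = (residual_capacity(frozenset(), apps), frozenset())
    for size in range(1, len(nodes) + 1):
        for subset in combinations(sorted(nodes), size):
            S = frozenset(subset)
            if attack_cost(S, platform_of, platform_cost) > budget:
                continue                      # S is not in Gamma
            c_s = residual_capacity(S, apps)
            if c_s < best[0]:
                best = (c_s, S)
    return best

def enemy_cannot_win(c_s, c_crit):
    """Designer's condition: even the worst reachable C_S stays at or above C_crit."""
    return c_s >= c_crit

# Constructed sample data (all names and numbers are assumptions).
NODES = {"n1", "n2", "n3", "n4"}
APPS = {                                      # a: (T_a, C_{T_a}, I_a)
    "control-a": (frozenset({"n1", "n2"}), 10, 3),
    "control-b": (frozenset({"n3", "n4"}), 10, 3),
    "reporting": (frozenset({"n2"}), 5, 1),
}
PLATFORM_COST = {"A": 5, "B": 5}
B_E, C_CRIT = 5, 25
MONOCULTURE = {n: "A" for n in NODES}
DIVERSE = {"n1": "A", "n2": "A", "n3": "B", "n4": "B"}

if __name__ == "__main__":
    for name, layout in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        c_s, S = worst_case(NODES, APPS, layout, PLATFORM_COST, B_E)
        print(name, c_s, sorted(S), enemy_cannot_win(c_s, C_CRIT))
```

With the same budget, the single-platform layout lets C_S fall to 0, while splitting the nodes over two platforms keeps the worst case at 30, above the constructed C_crit of 25.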
The economics of the enemy
– Analysis of the Byzantine case
under:
Byzantine cost assumption
each unit of flow has the same impact
when optimized gives: enemy
should attack k disjoint paths.
The economics of the enemy
Generalizations
– Hypergraphs instead of graphs
– Dynamic value of C_crit
The economics of the designer
Given (at least):
– B_D: budget of designer
– C_D: minimum required weighted total capacity
– F_T: maximum tolerable impact flow reduction
– B_E: budget of the enemy
– others: maintenance, user friendliness, etc.
The economics of the designer
Question: design a graph G of computers:
– cost(G) ≤ B_D
– total impact flow ≥ C_D
– the enemy cannot win
If possible: designer won, else the enemy will.
The economics of the designer
Note:
– This is very general!
– We need a relation between the cost of setting up a computer and the cost to attack, etc.