Adversarial Dynamics - Conficker case study

Daniel Bilar
January 09, 2013

Game theory is too weak a framework to capture the adversarial dynamics of real life where the game is created, the rules evolve, the goals and moves are unknown


Transcript

  1. Oscillations through Co-evolution: A Manifestation of Moving Target Defense
     Conficker Case Study
     Daniel Bilar (Siege Technologies), George Cybenko (Dartmouth College), John Murphy (ProQueSys)
     CSIIRW 8, ORNL (Oak Ridge, TN), January 9, 2013
     5/5/14 1
  2. Support
     • Research partially supported by DARPA I2O, DHS, AFRL, DOD, OSD, and AFOSR with UTEP, Ball Aerospace, Pikewerks, Siege
       – All opinions and results expressed are those of the authors and not necessarily those of the funding agencies
     • Thanks also to V. Berk, I. Gregoriou-de Souza, J.T. House, D. Sicilia, G. Stocco, P. Sweeney
  3. Outline of talk 1/2
     • Background: Studied public data in various domains
       – US border security, computer vulnerability databases, offensive & defensive coevolution of worms (Conficker)
       – Modeled as players in adversarial situation
     • Findings: Performance metrics oscillate over time
       – No asymptotic convergence, not monotonic
     • Claim: In majority of (adversarial) games, players do not compute Nash Equilibria over (static) strategy sets but use myopically perceived best responses at each time step
       – 'Classical' game theory is not the best fit
     • Why: Not a stationary environment! Ongoing sequences of moves, countermoves, deception and strategic adaptation
       – Explains exhibited oscillations and is consistent with data
  4. Outline of talk 2/2
     • Problem: Oscillations modeled by replicator equations
       – Typically 3rd degree, non-linear, analytically difficult
       – Inverse problem of estimating RE parameters from observations of behavior computationally tractable
     • Claim: Possible to infer players' motives, costs and move options by observation of oscillation
       – Not discussed in this talk
     • Contributions of authors
       – Detailed empirical analysis of players Conficker & environment (Bilar & Murphy)
       – Abstraction of game through Quantitative Attack Graph (Bilar & Cybenko & Murphy)
       – "Asymptotic" cut set theorem (Cybenko) for optimal defense allocation
  5. You know you are working in an adversarial domain when you want to see this kind of progress...
     [Figure: Better "performance" here means fewer deaths/mile; Limit?]
  6. ...but instead, you see this ...
     [Figure: Better "performance" here means fewer deaths/mile; Limit?]
     Internet Crime Complaint Center, http://www.ic3.gov/default.aspx
  7. ...or this ...
     [Figure: From OSVDB by P. Sweeney]
  8. Border security...
     [Figure: Human Apprehensions (Entire SWB), x 1,000,000, vs. Time, 1992 to 2010]
  9. War on drugs...
     [Figure: Drug Apprehensions (Entire SWB), x 1,000,000, vs. Time, 1994 to 2010]
  10. Comments
     • "Performance" measures may oscillate (not monotonic)
       – Depends partly on normalization of metrics (see Fig 3.1 in BMC (2012))
     • Operating against human adversaries is different than operating against nature
     • Games not defined a priori, game details not known
       – Players do not know who the other players are, what their possible moves might be and, perhaps most importantly, what their preferred outcomes or objectives are
     • Result: Co-evolution, adaptation as evinced through oscillations
  11. Conficker
     • AKA Downup, Downadup, Kido
     • Detected November 2008
     • Largest worm/botnet infection since 2003
     • Infected millions of machines
     • Evolved through 5 versions in several months
     • Affected military systems in France, UK etc.
     • Used many vulnerabilities and techniques
  12. Conficker Versions A-E Host States
     [Figure: host state diagram]
     Adversarial Dynamics: The Conficker Case Study. Daniel Bilar, George Cybenko and John Murphy, in Moving Target Defenses II, edited by S. Jajodia, Springer, 2012
  13. Conficker Timeline
     [Figure: timeline]

  14. Examples of Conficker Analysis
     [Figure: analysis examples]

  15. Abstraction of Attack/Defend Game
     • Attackers attack the "weakest" paths to achieve goals
       – Weakest according to attackers' understanding
       – Paths consist of one or more technical steps
       – Can create completely new paths and/or steps
     • Defenders make some step(s) of the most common/damaging paths harder to traverse
       – Most common/damaging according to defenders' understanding
       – Users/boss want to create new services so new paths emerge
     • Iterate the above over time
  16. Attack Graph for a Critical System
     [Figure: attack graph with Start, State 1, State 2, Goal]
     An attacker must traverse a path from the start state to the goal state to succeed. Each step is a technical means to achieve a subgoal.
     Note: This is an actual attack graph on a real but proprietary system.

  17. Attack Graph for a Critical System
     [Figure: attack graph with Start, State 1, State 2, Goal]
     An attacker must traverse a path from the start state to the goal state to succeed. Each step is a technical means to achieve a subgoal.
     Attacker uses his "shortest" path.

  18. Attack Graph for a Critical System
     [Figure: attack graph with Start, State 1, State 2, Goal]
     An attacker must traverse a path from the start state to the goal state to succeed. Each step is a technical means to achieve a subgoal.
     Attacker uses his "shortest" path. Defender protects a step by increasing its cost.

  19. Attack Graph for a Critical System
     [Figure: attack graph with Start, State 1, State 2, Goal]
     An attacker must traverse a path from the start state to the goal state to succeed. Each step is a technical means to achieve a subgoal.
     Attacker changes some edges in attack path.

  20. Attack Graph for a Critical System
     [Figure: attack graph with Start, State 1, State 2, Goal]
     An attacker must traverse a path from the start state to the goal state to succeed. Each step is a technical means to achieve a subgoal.
     Or the attacker picks a completely new path.

  21. Attack Graph for a Critical System
     [Figure: attack graph with Start, State 1, State 2, Goal]
     An attacker must traverse a path from the start state to the goal state to succeed. Each step is a technical means to achieve a subgoal.
     Or the attacker creates a new path.
  22. Comments
     • Attack graphs are an old technique but hard to build and quantify
       – State space explosions, how to assign edge costs, blind spots, etc.
       – Maybe like democracy, worst way except for all others
     • Prediction markets: QuERIES provides a technique for quantifying the attack graphs by cost, difficulty, etc.
     • We will adapt, invest and perform better if we quantify
       – Pursuit-evasion: go to where the prey will be
       – Flu shots anticipate the flu, not respond to current ones
       – Wayne Gretzky: "A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be."
  23. Attack-Defend Game
     • Optimization problem: maximize the cost of the shortest path from Start to Goal states
     • Can formulate this as a linear programming problem; the solution is the investment allocation that makes the least cost attack as expensive as possible
       – Estimate costs to attacker of traversing attack graph edges; the shortest path is the most attractive for an attacker to take
     [Figure: Simple Example (Start, Goal; edge costs 2, 4, 1, 5, 2), shortest path in yellow]
     [Figure: Real Problem (Start, State 1, State 2, Goal): what is/are the shortest path(s)?]
  24. Linear Programming Formulation
     [Figure: Start to Goal graph with edges A, B, C, D, E]
     M = 5 edges, 3 paths; one column per edge, one row per path:

           A B C D E
         [ 1 1 0 0 0 ]
         [ 1 0 1 0 1 ]
         [ 0 0 0 1 1 ]

     u = (A, B, C, D, E): vector of initial edge costs
     x = (a, b, c, d, e): vector of allocated costs

     max z such that M*(u+x) ≥ z ≥ 0, 1*x = K > 0, x ≥ 0
  25. Example strategies
     • Which edges are "best" to invest in? Suppose budget = 1.
     • Analysis has shown that optimal investments are ultimately in a "cut set"
     [Figure: Simple Example, shortest path in yellow (Start, Goal; edge costs 2, 4, 1, 5, 2)]
     [Figure: "Harden" the weakest link? (edge costs 2, 4, 1+1=2, 5, 2)]
     [Figure: If possible, invest in minimal cut set edges (cut set marked)]
     [Figure: "Harden" selected cut set edges (edge costs 2+1=3, 4, 1, 5, 2)]
  26. Back to Real System
     [Figure: Start to Goal graph; 37 edges, 180 paths, 12 nodes]
     Multiple edges mean multiple attack steps possible. Matrix M has 37 columns and 180 rows.
  27. Linear Programming Results Identify High Value Protection Paths for Different Investment Levels
     • Result shows benefit from hardening multiple paths according to iterative algorithm
     • X-axis shows total budget, Y-axis shows investment in hardening specific paths
     • As budget increases, the defensive strategy is diversified, but investment into minimal cut edges continues
     • Once the inputs to state 2 are hardened, investment begins in edges 20 and 37
     [Figure: investment per edge group (Edges 1,2; Edges 20,37) vs. Total Defense Investment; Start to Goal graph]
  28. Minimal cost paths for attacker
     • Graph shows total cost of minimum-cost path resulting from investment strategy
     • Minimum effort required by attacker
     • Includes initial edge costs along path
     • Slope decreases as investment strategy diversifies into hardening multiple paths
     • "Diminishing rate of return", ROI
     [Figure: minimum-cost path vs. Total Defense Investment]
  29. Role of minimal cut sets
     [Figure: Start to Goal graph] Each edge has cost 1. You have a budget of 1.

  30. Role of minimal cut sets
     [Figure: Start to Goal graph] Each edge has cost 1. You have a budget of 1. Invest that 1 unit here... but this is the minimal cut set.

  31. Role of minimal cut sets
     [Figure: Start to Goal graph] Now invest in the minimal cut set: 2
  32. "Asymptotic" Attack Graph Theorem (Cybenko)
     If we are given an attack graph with
     • a minimal cut set that has e edges
     • a large investment budget, K
     then
     • the optimal budget allocation assigns ≈ K/e to each edge in the cut set; and
     • the minimal cost path grows like c + K/e, where c is a constant
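The LP of slide 24, the budget-1 example of slide 25 and the K/e theorem of slide 32, carried through in code as an added example (not the authors' code). The incidence matrix M and the edge costs 2, 4, 1, 5, 2 are taken from the slides; the edge names A..E follow slide 24, and the two allocation strategies compared (all budget on the weakest link of the current shortest path versus an even K/e split over a minimal cut set) are my reading of the slides, not an algorithm the talk gives.

```python
from fractions import Fraction

# Edge names and path-by-edge incidence matrix M from slide 24; initial edge
# costs u from the slide-25 "Simple Example" (constructed to match the slides).
EDGES = ["A", "B", "C", "D", "E"]
M = [
    [1, 1, 0, 0, 0],  # Start -A-> State 1 -B-> Goal
    [1, 0, 1, 0, 1],  # Start -A-> State 1 -C-> State 2 -E-> Goal
    [0, 0, 0, 1, 1],  # Start -D-> State 2 -E-> Goal
]
U = [2, 4, 1, 5, 2]   # u: initial cost of A, B, C, D, E


def path_costs(x):
    """M*(u+x): total cost of every Start->Goal path under hardening x."""
    return [sum(m * (u0 + xi) for m, u0, xi in zip(row, U, x)) for row in M]


def min_path_cost(x):
    """The attacker's cheapest path; this is the z the LP maximises."""
    return min(path_costs(x))


def is_cut_set(cut):
    """A cut set must touch every Start->Goal path, i.e. every row of M."""
    return all(any(row[EDGES.index(c)] for c in cut) for row in M)


def weakest_link(k):
    """Naive strategy: the whole budget k on the cheapest edge of the current
    shortest path ("Harden the weakest link?", slide 25)."""
    costs = path_costs([0] * len(EDGES))
    path = M[costs.index(min(costs))]
    weakest = min((i for i, m in enumerate(path) if m), key=lambda i: U[i])
    x = [Fraction(0)] * len(EDGES)
    x[weakest] = Fraction(k)
    return x


def cut_set_split(k, cut):
    """Theorem strategy (slide 32): spread k evenly, k/e per cut-set edge."""
    assert is_cut_set(cut), "not a cut set"
    x = [Fraction(0)] * len(EDGES)
    for name in cut:
        x[EDGES.index(name)] = Fraction(k, len(cut))
    return x


if __name__ == "__main__":
    for k in (1, 10, 100):
        print(k, min_path_cost(weakest_link(k)),
              min_path_cost(cut_set_split(k, ["A", "D"])))
```

With budget 1 the weakest-link choice is better (6 versus 5.5), but with budget 100 the even split over the cut set {A, D} reaches 55 = 5 + 100/2 while single-edge hardening stays capped at 6 because the attacker reroutes via A, B; this is slide 33's point that the cut set is optimal only eventually.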
  33. Linear Programming Results Identify High Value Protection Paths for Different Investment Levels
     • Theorem states that optimal investment is eventually K/e in minimal cut set edges
     • Initially, optimal investments can occur in other edges
     [Figure: investment per edge group (Edges 1,2; Edges 20,37) vs. Total Defense Investment; Start to Goal graph]
  34. Back to Real System
     [Figure: Start to Goal graph; 37 edges, 180 paths, 12 nodes; cut set with e = 6]
     Multiple edges mean multiple attack steps possible. Matrix M has 37 columns and 180 rows.
  35. Adversarial Dynamics Takeaways 1/2
     • "Big data" needed
       – Red and blue forces' data sets are needed
       – New, non-stationary statistics and estimation are key
       – Adaptation, not static equilibria, describes "solutions"
     • "Hidden data" needed
       – Need to capture what players/agents think, not just the outcomes
     • Anticipating moves is the way to gain advantage
       – Kasparov, who can think 5-6 moves ahead
  36. References
     1. Cybenko, Landwehr, "Security Analytics and Measurements", IEEE S&P, May-June 2012, http://tinyurl.com/securityanalytics
     2. Bilar, Murphy, Cybenko, "Conficker Case Study", in MTD II (ed. Jajodia), 2012, http://tinyurl.com/confickerQAG
     3. Saltaformaggio, Bilar, "ABCD-ACP", ICCC3 NATO CCD COE, 2011, http://tinyurl.com/ICCC3
     4. Stocco, Cybenko, "Inverse game theory", SPIE 8359, 2012, http://tinyurl.com/inversegame
     5. Carin, Cybenko, Hughes, "Queries methodology", IEEE Computer, 2008, http://tinyurl.com/queries2008
     6. Ohtsuki, Nowak, "Replicator equations", Journal of Theoretical Biology 243 (2006) 86-97, http://tinyurl.com/replicationequ
  37. Thank you
     Thank you for the kind consideration of these ideas.
     We are happy to answer questions / field comments.
     Contact:
     • Daniel Bilar: dbilar@acm.org
     • George Cybenko: gvc@dartmouth.edu
     • John Murphy: jmurphy@proquesys.com
  38. Additional Slides

  39. Oscillations as Manifestation of Adversarial Dynamics
     • Evolution is a response to competition
     • Competition exists among adversaries
     • How do you know you are operating in an "adversarial" domain?
       – Oscillations of performance metrics
     • Dynamics can be modeled by replicator equations
       – Typically 3rd order, non-linear (analytically difficult)
     • Inverse problem of observing behavior and estimating parameters of replicator equation that guide behavior is tractable
     • Possible to observe game play and strategy evolution and then make inferences about players' motives, costs and move options