Out-learning Attackers: A Game Theoretic Approach to Cyber Defense
John Musacchio (johnm@soe.ucsc.edu), UC Santa Cruz; Greg Frazier, BAE Systems
Project start: February 2009
Supported by the AFOSR Information Operations and Security Program
The conventional approach to cyber defense against attackers is to: i) make systems difficult to infiltrate, ii) detect infiltrations as soon as possible, and iii) expel the attackers when they are detected. A fundamental problem with this approach is that it encourages attackers to try again, and in subsequent attempts they are likely to have learned more about the defender's systems than the defender has learned about the attacker. Consequently, each attack is more likely to achieve the attacker's objectives. From this perspective, a cyber defense strategy should not only keep attackers out, but should also enable a defender to learn about an attacker's methods and intentions faster than the attacker can learn about the defender.
The approach of "out-learning" an attacker is particularly appropriate for Air Force systems. Attackers of Air Force systems have a wide range of objectives, from espionage to financial gain to the satisfaction of ego. Attackers of Air Force systems are also likely to be persistent, trying different forms of attack until they achieve success. This combination of attacker diversity and persistence makes it urgent that the Air Force develop both techniques for learning about attackers by classifying their objectives and methods, and models for deciding how to react to a detected attacker in a way that balances the opportunity to learn against the risk of allowing the attacker to remain in the system.
Our project, which just began this year, addresses this urgent need by undertaking the following three interrelated tasks: 1) develop game theoretic models for optimizing defender strategy in the presence of learning effects, 2) design algorithms to learn about an attacker by classifying the attacker's objectives, and 3) combine the classification and strategy optimization methods of tasks 1 and 2 to develop integrated strategies for defending secure systems.