UIUC. Application of Game Theory to High Assurance Cloud Computing. 20 September 2016

Transcription

1 UIUC Application of Game Theory to High Assurance Cloud Computing 20 September 2016 Integrity Service Excellence Charles Kamhoua, Ph.D. Research Electronics Engineer Air Force Research Laboratory Cyber Assurance Branch 1

2 Project involvement PI: AFOSR STORM project FY 13 FY 16 PI: AFOSR Window on the World at Oxford University Feb 2015 April 2015 PM: AFRL Cloud Security Center of Excellence at University of Illinois at Urbana Champaign FY 11 FY 17 PM: DoD Cyber Security Center of Excellence for HBCU/MI at Norfolk State university, Old Dominion University and Tennessee State University FY 15 FY 20 Advisor: National Research Council Research Associateship Program Air Force Summer Faculty Fellowship Program 2

3 Outline Cyber Playing Field Public Cloud Computing Challenges Game Theory Multi-layers of Defense Open Implementation Cloud Security-aware Virtual Machine Allocation in the Cloud Game Theory with Learning for Cloud Monitoring Conclusions 3

4 Cyber in the news (2015) Breach at Office of Personnel Management Hacked Ashley Madison site reveals >15,000.gov/.mil addresses; leads to blackmail Reported JPMorgan Chase, Target, Home Depot Sony vs North Korea South Korea blames North Korea for cyber attacks against Korean Hydro & Nuclear power Russia: Ukraine, Georgia and Cyber Crime U.S. Military command officials overseeing Middle East operations experience Twitter and YouTube account hacking Cyber is a highly contested domain! 4

5 Source: 2012 AF CV2025 5

6 Game Theory in the Cloud? Source: 6

7 Benefits Faster deployment Infrastructure flexibility No up-front Investment Fine-grained billing (e.g. hourly) Pay-as-you-go Improved productivity Benefits and Risks of Public Cloud Computing Risks Availability of services and data Complexity Performance Trust Privacy Security Interdependency Negative externalities Difficult to monitor Quick adoption from small users, i.e., low risks High risk applications with sensitive data require high assurance 7

8 Game Theory in Public Cloud Game Theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers [Myerson, R. Game theory: analysis of conflict, Harvard University Press, 1997] The attackers, the cloud providers and all cloud users are intelligent and rational Rational attackers, cloud providers and users interact in a way that can be predicted and modeled Game Theory allows for reasoning quantitatively about cyber-attacks An increased level of sophistication of cyber attacks demonstrates intelligent behaviors 8

9 Decision Loop in Game Theory Identify all the players, their strategies, and payoffs. Monitoring: Observe others actions, Update your belief Information: Does each player know about others strategies and payoffs? Nash Equilibrium: Play your best response to other players strategies 9

10 Nash Equilibrium Every game has at least one Nash Equilibrium (NE) in either pure or mixed strategies A strategy profile is an NE if no player can unilaterally change its strategy and increase its payoff Each player plays its best response to other players strategies The NE of a security game can be used to: Predict attacker strategy Allocate cyber security resources Protect against worse-case scenarios Develop cyber defense algorithms Form the basis for formal decision making 10

11 Multi-layers of Defense ATTACKS Trust & Verification Layers of Defense VM Allocation Cloud Monitoring Mathematical abstractions provide a rigorous scientific basis for cyber security Manage cloud security on an end-to-end basis An attack may be able to cross a layer of defense But crossing all layers is less likely 11

12 Outline Cyber Playing Field Public Cloud Computing Challenges Game Theory Multi-layers of Defense Open Implementation Cloud Security-aware Virtual Machine Allocation in the Cloud Game Theory with Learning for Cloud Monitoring Conclusions 12

13 Traditional Cloud Closed Implementation Hides the implementation and configuration details Difficult to discover vulnerabilities Limitations: Difficult to audit Difficult to establish trust between users & providers Difficult to share cyber threat information [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 13

14 Trusted Cloud Open implementation Detailed implementations and configurations of all its software components can be examined by any third parties Including competitors, system s users and potential attackers Mis-configurations or out-of-date security patches are easier to be identified All its users are able to examine its correctness Security breaches are easier to identify and prove Demerits: Facilitate targeted attacks Extra cost to providers Contrast is similar to Open vs. Closed source software [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 14

15 Remote Attestations [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] Trusted Platform Module (TPM) is a hardware module serve as a Root of Trust for a platform Measure all loaded executables by hashing each piece of software into the TPM before loading it The platform is bootstrapped by the CRTM (Core Root of Trust for Measurement), which is trusted by Default CRTM measures the BIOS and the boot loader to construct a chainof-trust After loading the kernel, this chain is extended through every operating system components up to the applications and their configuration files 15

16 Trusted Cloud Model Kamhoua et al. On the Feasibility of an Open-Implementation loud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] To attest to a VM, the attester should examine: Attestations to a virtualized platform require the supports from the virtualized TPMs (vtpm) vtpm are managed by the vtpm Manager, an additional hypervisor component Chain-of-trust for the software system in a VM is rooted from the hardware TPM The properties of the software in supporting for bootstrapping the VM: the CRTM, BIOS, bootloader, and the hypervisor The properties of the software loaded inside the VM Attesters cannot attest to the VMs sharing the same hypervisor 16

17 Game Model Determine when both the users & provider find Trusted Cloud in their best interest Our Subgame Perfect Nash Equilibrium shows when an Open implementation is feasible in cloud computing [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 17

18 Game Analysis Theorem 1: The strategy profile (TC, TC) is a Subgame Perfect Nash Equilibrium if the cloud provider charges per user for using a Trusted Cloud ff TT and the charges per user for using a non-trusted Cloud ff NN are such that: rr TT dd TT rr NN dd NN LL + cc + dd TT gg + ll ff TT ff NN rr NN 1 dd NN rr TT 1 dd TT LL + dd TT gg II Otherwise, the cloud provider will play Non-TC. [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 18

19 Cyber-threats Monitoring Notations p: Probability to discover a given vulnerability in a Trusted Cloud q: Probability to discover a given vulnerability in a Non-Trusted Cloud Assumption: qq < pp n: Total Number of users m: Number of malicious users The rate of successful attack in a Trusted Cloud rr TT = 1 1 pp mm 1 pp nn mm+1 The rate of successful attack in a Non-Trusted Cloud rr NN = 1 1 qq mm 1 pp [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 19

20 Results Proposition 1: The strategy profile (TC, TC) cannot be a Subgame Perfect Nash Equilibrium if the rate of successful attack in a Trusted Cloud rr TT is not lower than the rate of successful attack in a Non-Trusted Cloud rr NN Proposition 2: A Trusted Cloud can only be of interest to a user when the potential loss from a cyber security breach is greater than or equal to a threshold LL TTTTTTTTT = cc + II + ll rr NN rr TT Proposition 3: Cyber threat monitoring and sharing decreases the rate of successful attack in a Trusted Cloud rr TT as the number of users increases [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 20

21 Numerical Results Rate of successful attack vs. probability of vulnerability discovery in a Trusted Cloud 0.25 Rate of successful attack Probability of vulnerability discovery in a trusted cloud Total number of Users: nn = 10 Number of malicious users: mm = 5 rr TTmmmmmm = pp = [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 21

22 Trusted Cloud vs. Non-Trusted Cloud Rate of successful attack Trusted Cloud vs. Non-Trusted Cloud Trusted Cloud Non-Trusted Cloud pp = nn = 10 mm = Probability of vulnerability discovery in a Non-Trusted Cloud Non-Trusted Cloud can be preferable if closed implementation will make vulnerability discovery really difficult. [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 22

23 Increase in the number of users Rate of successful attack Rate of successful attack vs. number of users Trusted Cloud Non-Trusted Cloud mm = Number of users As the number of users increases, the security of Trusted Cloud improves and outperforms Non-Trusted Cloud [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 23

24 Decrease in threshold 1000 L threshold vs. number of users L threshold Number of users As the number of users increases, the loss threshold to adopt Trusted Cloud decreases [Kamhoua et al. On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis IEEE UCC 2015.] 24

25 Data Validation Real data to validate our model Challenge: Trusted Cloud not yet widely deployed Dr. Anbang Ruan, new PhD graduate from Oxford currently works with a Trusted Cloud Service Provider Real data to come 25

26 Summary An Open Implementation Cloud is feasible Mutual benefit to cloud providers and Users Increased benefit with the number of users Higher payoff from cyber threat monitoring and sharing REFERENCE: Charles A. Kamhoua, Anbang Ruan, Andrew Martin, Kevin Kwiat, On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis in proceedings of the 2015 IEEE/ACM International Conference on Utility and Cloud Computing. 26

27 Outline Cyber Playing Field Public Cloud Computing Challenges Game Theory Multi-layers of Defense Open Implementation Cloud Security-aware Virtual Machine Allocation in the Cloud Game Theory with Learning for Cloud Monitoring Conclusions 27

28 System Model Two hypervisors: One with higher security than the other, but more costly to use. [Kwiat et al. Security-aware Virtual Machine Allocation in the Cloud: A Game Theoretic Approach IEEE CLOUD 2015] For each user, the best strategy (Invest or Not invest) depends on other users actions. A compromised hypervisor makes all users vulnerable on that hypervisor. Model extendable to m hypervisors 28

29 Externality Reduction Our Nash allocation minimizes the impact of side-channel attack [Kwiat et al. Security-aware Virtual Machine Allocation in the Cloud: A Game Theoretic Approach IEEE CLOUD 2015] 29

30 Summary Previous research shows that each user s decision to Invest or Not Invest depends on the potential loss from the neighbors after a security breach VMs that have similar potential loss from a security breach should be on the same physical machine The allocation method based on Nash Equilibrium was shown to reduce externalities compared to other allocation methods The expense factor e can be set by cloud provider to achieve desirable VM allocation preferences REFERENCE: Luke Kwiat, Charles A. Kamhoua, Kevin Kwiat, Jian Tang, Andrew Martin Security-aware Virtual Machine Allocation in the Cloud: A Game Theoretic Approach in proceedings of the IEEE International Conference on Cloud Computing, (IEEE CLOUD 2015), New York, June

31 Outline Cyber Playing Field Public Cloud Computing Challenges Game Theory Multi-layers of Defense Open Implementation Cloud Security-aware Virtual Machine Allocation in the Cloud Game Theory with Learning for Cloud Monitoring Conclusions 31

32 Summary Motivated the need for an automated decision making process Discussed the advantage and limitation of machine learning approaches for the intrusion response problem Proposed Q-Learning for a more realistic decision making model under limited information Naïve Q-Learning Study on impact of parameters Future Work: Application of the response model to Security analytics framework for real-time evaluation on real incident data REFERENCE: Keywhan Chung, Charles A. Kamhoua, Kevin A. Kwiat, Zbigniew Kalbarczyk, Ravishankar K. Iyer, Game Theory with Learning for Cyber Security Monitoring in the proceedings of the 2016 IEEE High Assurance Systems Engineering Symposium (HASE), Orlando, Florida, January

33 Outline Cyber Playing Field Public Cloud Computing Challenges Game Theory Multi-layers of Defense Open Implementation Cloud Security-aware Virtual Machine Allocation in the Cloud Game Theory with Learning for Cloud Monitoring Conclusions 33

34 Conclusion Motivated the application of game theory to address cyber security problem Game Theory as a mature mathematical framework to advance the scientific foundation of cyber security Learning can complement game theory when limited information is available 34

35 Reference Charles A. Kamhoua, Anbang Ruan, Andrew Martin, Kevin Kwiat, On the Feasibility of an Open-Implementation Cloud Infrastructure: A Game Theoretic Analysis in proceedings of the 2015 IEEE/ACM International Conference on Utility and Cloud Computing. Luke Kwiat, Charles A. Kamhoua, Kevin Kwiat, Jian Tang, Andrew Martin Security-aware Virtual Machine Allocation in the Cloud: A Game Theoretic Approach in proceedings of the IEEE International Conference on Cloud Computing, (IEEE CLOUD 2015), New York, June Keywhan Chung, Charles A. Kamhoua, Kevin A. Kwiat, Zbigniew Kalbarczyk, Ravishankar K. Iyer, Game Theory with Learning for Cyber Security Monitoring in the proceedings of the 2016 IEEE High Assurance Systems Engineering Symposium (HASE), Orlando, Florida, January

36 36