Adam Barth, Benjamin I.P. Rubinstein, Mukund Sundararajan, John C. Mitchell, Dawn Song, Peter L. Bartlett, "A Learning-Based Approach to Reactive Security," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 4, pp. 482-493, July-Aug., 2012.

ISSN: 1545-5971
DOI: http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.42
Publisher: IEEE Computer Society, Los Alamitos, CA, USA
Keywords: Reactive security, risk management, attack graphs, online learning, adversarial learning, game theory.

