Toward Realistic Modeling Criteria of Games in Internet Security

https://api.army.mil/e2/c/images/2020/11/03/f9cbd9bd/max1200.jpg

Posted: February 9, 2016 | By: Jonathan Spring

5 Future Work

High level simulations of the posited formalisms would help to guide the plausibility of the formalisms. Establishing some hypothetical payoff matrices and attempting to calculate a solution or preferred strategy would also be an important next step. In general, all the formalizations can be made more detailed. More detail would then allow for a more rigorous analytic treatment, which would probably reveal more subtle strategic elements of the game.

The existence of any equilibria needs to be determined in order to guide other inquiries into intelligent strategies. Nash equilibria usually exist [31], for example, and a more detailed analysis could prove their existence for this game.

There is also a gap between this abstract analysis and practical measurement of the current state of affairs on the Internet that would need to be bridged before the model could be applied directly to the Internet. The present model is not sufficiently detailed to begin such measurement. Further, there is not a good framework for measuring crime on the Internet, as discussed in [5], although the authors therein propose some improvements. Eventually, such measurement efforts would need to be compatible with abstract modeling efforts so that the two can inform each other.

Acknowledgement

Thanks to Soumyo Moitra for his help in forming these ideas.

Copyright 2013 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution.

Carnegie Mellon®, CERT® and CERT Coordination Center® are registered marks of Carnegie Mellon University.

DM-0000653

References

[1] : 2013 Data Breach Investigations Report (DBIR), 2014. URL http://www.verizonenterprise.com/DBIR/2013/.

[2] : Black Tulip: Report of the investigation into the DigiNotar Certificate Authority breach, 2012.

[3] Devdatta Akhawe, Adrienne Porter Felt: “Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness”, 22nd USENIX Security Symposium, 2013. URL http://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf.

[4] R. J. Anderson: Security Engineering: A guide to building dependable distributed systems. Wiley, 2008.

[5] R. Anderson, C. Barton, R. Böhme, R. Clayton, M.J.G. van Eeten, M. Levi, T. Moore, S. Savage: “Measuring the cost of cybercrime”, 11th Workshop on the Economics of Information Security, 2012. URL http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf.

[6] Steven J Brams: Negotiation Games: Applying game theory to bargaining and arbitration. Routledge, 2003.

[7] Huseyin Cavusoglu, Birendra Mishra, Srinivasan Raghunathan: “A model for evaluating IT security investments”, Communications of the ACM, pp. 87—92, 2004.

[8] Adam Cummings, Todd Lewellen, David McIntire, Andrew Moore, Randall Trzeciak: Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, 2012. URL http://www.sei.cmu.edu/library/abstracts/reports/12sr004.cfm.

[9] David Drummond: A new approach to China. Google Official Blog, 2010.

[10] L. Dolanskỳ: “Present state of the Lanchester theory of combat”, Operations Research, pp. 344—358, 1964.

[11] Ellen Messmer: “RSA’s SecurID security breach: What should you do?”, Network World, 2011. URLhttp://www.networkworld.com/news/2011/031811-rsa-securid-breach.html.

[12] Ellen Messmer: “RSA’s SecurID security breach: What should you do?”, Network World, 2011. URLhttp://www.networkworld.com/news/2011/031811-rsa-securid-breach.html.

[13] Drew Fudenberg, Jean Tirole: Game theory. 1991. MIT Press, 1991.

[14] Herbert Gintis: Game theory evolving: A problem-centered introduction to modeling strategic behavior. Princeton University Press, 2000.

[15] Kuno JM Huisman: Technology Investment: a game theoretic real options approach. Kluwer Academic Pub, 2001.

[16] John Gilmore: DES (Data Encryption Standard) Review at Stanford University, 2005. URL http://www.toad.com/des-stanford-meeting.html.

[17] C. Kanich, N. Weaver, D. McCoy, T. Halvorson, C. Kreibich, K. Levchenko, V. Paxson, G.M. Voelker, S. Savage: “Show Me the Money: Characterizing Spam-advertised Revenue”, 20th USENIX Security Symposium, 2011. URLhttps://www.usenix.org/legacy/event/sec11/tech/full_papers/Kanich.pdf.

[18] Ioanna Kantzavelou, Sokratis Katsikas: “A game-based intrusion detection mechanism to confront internal attackers”, Computers & Security, pp. 859—874, 2010.

[19] MK Lauren: Describing Rates of Interaction between Multiple Autonomous Entities: An Example Using Combat Modelling, 2001.

[20] S.D. Moitra: Managing Risk from Cybercrime: Internet Policy and Security Management for Organizations. Max-Planck-Institut f. ausländisches und internationales Strafrecht, 2008.

[21] Tyler Moore, Richard Clayton: “Evil searching: Compromise and recompromise of internet hosts for phishing”, Financial Cryptography and Data Security, pp. 256—272, 2009.

[22] Roger B Myerson: Game theory: analysis of conflict. Harvard University Press, 1997.

[23] John F Nash Jr: “Non-cooperative games”, The Annals of Mathematics, pp. 286—295, 1951.

[24] John F Nash Jr: “The bargaining problem”, Econometrica: Journal of the Econometric Society, pp. 155—162, 1950.

[25] G. Owen: Game theory. Emerald Group Publishing, 1995.

[26] Anatol Rapoport: N-person game theory: Concepts and applications. Courier Dover Publications, 1970.

[27] Anatol Rapoport: Two-person game theory: The essential ideas. Courier Dover Publications, 1966.

[28] E. Rasmusen: Games and Information: An Introduction to Game Theory. Blackwell, 2007.

[29] R. Rasmussen, G. Aaron: Global phishing survey: trends and domain name use in 2Q2012, 2012.

[30] Sankardas Roy, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, Vivek Shandilya, Qishi Wu: “A survey of game theory as applied to network security”, System Sciences (HICSS), 2010 43rd Hawaii International Conference on, pp. 1—10, 2010.

[31] J.M. Spring: “Modeling Malicious Domain Name Take-down Dynamics: Why eCrime Pays”, IEEE eCrime Researchers Summit, 2013. URLhttp://resources.sei.cmu.edu/library/asset-view.cfm?assetID=88265.

[32] T Spyridopoulos, G Karanikas, T Tryfonas, G Oikonomoug: “A Game Theoretic Defence Framework Against DoS/DDoS Cyber Attacks”, Computers & Security, pp. 39—50, 2013.

[33] John Von Neumann, Oskar Morgenstern: The theory of games and economic behavior. Princeton university press, 1944.

[34] E Weinan, Bjorn Engquist, Xiantao Li, Weiqing Ren, Eric Vanden-Eijnden: “Heterogeneous multiscale methods: a review”, Communications in computational physics, pp. 367—450, 2007.

[35] William Casey, Jose A. Morales, Thomson Nguyen, Jonathan Spring, Rhiannon Weaver, Evan Wright, Leigh Metcalf, Bud Mishra: “Cyber Security via Signaling Games: Toward a Science of Cyber Security”, ICDCIT, pp. 34-42, 2014. URL http://dx.doi.org/10.1007/978-3-319-04483-5_4.

[36] Quanyan Zhu, Linda Bushnell, Tamer Basar: “Game-theoretic analysis of node capture and cloning attack with multiple attackers in wireless sensor networks”, Decision and Control (CDC), 2012 IEEE 51st Annual Conference on, pp. 3404—3411, 2012.

Endnotes

1An agent may both use one system and be the architect of another; most software developers fit this description. However the roles of user and architect qua roles do not overlap.

Want to find out more about this topic?

Request a FREE Technical Inquiry!