Skip to main content
main-content

Über dieses Buch

This book presents a compendium of selected game- and decision-theoretic models to achieve and assess the security of critical infrastructures. Given contemporary reports on security incidents of various kinds, we can see a paradigm shift to attacks of an increasingly heterogeneous nature, combining different techniques into what we know as an advanced persistent threat. Security precautions must match these diverse threat patterns in an equally diverse manner; in response, this book provides a wealth of techniques for protection and mitigation.

Much traditional security research has a narrow focus on specific attack scenarios or applications, and strives to make an attack “practically impossible.” A more recent approach to security views it as a scenario in which the cost of an attack exceeds the potential reward. This does not rule out the possibility of an attack but minimizes its likelihood to the least possible risk. The book follows this economic definition of security, offering a management scientific view that seeks a balance between security investments and their resulting benefits. It focuses on optimization of resources in light of threats such as terrorism and advanced persistent threats.

Drawing on the authors’ experience and inspired by real case studies, the book provides a systematic approach to critical infrastructure security and resilience. Presenting a mixture of theoretical work and practical success stories, the book is chiefly intended for students and practitioners seeking an introduction to game- and decision-theoretic techniques for security. The required mathematical concepts are self-contained, rigorously introduced, and illustrated by case studies. The book also provides software tools that help guide readers in the practical use of the scientific models and computational frameworks.

Inhaltsverzeichnis

Frontmatter

Introduction

Frontmatter

Chapter 1. Introduction

Abstract
This chapter opens the book by introducing the characteristics and particularities of critical infrastructures. Their existence and interplay forms a vital pillar of contemporary societies, and their protection is a top duty of governments and security research. Recent years have shown a paradigm shift of cyber-attacks from specific individual threat and attack scenarios, to a modern combination of various attack types and strategies to what we call an advanced persistent threat (APT) today. This term describes a diverse class of attacks that all share a set of common characteristics, which presents new challenges to security that demand urgent and continuous action by practitioners, researchers and every stakeholder of a critical infrastructure. The main focus of the book is describing game theory as a tool to establish security against APTs, and to this end, the introduction here starts with the abstract characteristics of an APT, showcasing them with a set of selected real-life documented cases of APTs that ends the chapter.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 2. Critical Infrastructures

Abstract
This chapter refines the introduction of security in critical infrastructures by going into deeper details about how threats and countermeasures differ and are specific for the physical domain, the cyber domain and intermediate areas. Gaining an understanding of these differences is crucial for the design of effective countermeasures against the diverse nature of today’s advanced persistent threats (APTs). As even local incidents may have far-reaching consequences beyond the logical or physical boundaries of a critical infrastructure, we devote parts of the chapter to a discussion and overview of simulation methods that help to model and estimate possible effects of security incidents across interwoven infrastructures. Such simulation models form an invaluable source of information and data for the subsequent construction of game-theoretic security models discussed in the rest of the book.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 3. Mathematical Decision Making

Abstract
Since both, decision- and game theory vitally employ optimization at their core, this chapter will provide the basic ideas, concepts and modeling aspects of optimization. It is intended to provide the mathematical basics for the further chapters. The presentation is to the point of a simple, compact and self-contained description of: (i) what is decision- and game-theory about, (ii) how do the two areas differ, and (iii) how does the practical work with these models look like when we strive for solutions. Specifically, we discuss preference relations, real and stochastic ordering relations and optimization as the most general covering framework, including single- and multi-goal optimization, with applications in being decision theory and game theory. Numeric examples accompany each section and concept. The opening of the chapter will specifically set the notation for all upcoming (mathematical) descriptions, to be consistent throughout the entire presentation (and book).
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 4. Types of Games

Abstract
This chapter introduces the most important classes of games underlying practical security models. These include Stackelberg games, Nash games, signaling games, and games with distribution-valued payoffs. The latter build upon empirical methods and data science to construct games from data, but also reveals theoretic connections to multi-criteria optimization using lexicographic goal priorities (that classical games cannot deal with, but distribution-valued games can handle). Each game description is accompanied by examples from the security domain to motivate and illustrate the use of the individual model. Each class of game is discussed in relation to the other types, highlighting pros and cons, las well as applications, detailed in later chapters.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 5. Bounded Rationality

Abstract
This chapter revisits the concept of a utility function, first introduced in Chap. 3, from an axiomatic viewpoint. We review the fundamental principles of decision making as axioms that induce the existence of (continuous) utility functions. Since empirical research of decision situations in real life has shown considerable deviations between mathematical rationality and human behavior, we continue with a series of possible explanations by relaxing or dropping individual axioms from the set of fundamental principles, to explain the difference between human behavior and the utility maximization paradigm. This establishes valuable lessons for the construction of games, say if payoff models are constructed from subjective data (interviews, expert estimates, or similar), but also highlights the need to consider individual risk perception and attitude though the utility function design in a game theoretic model.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Security Games

Frontmatter

Chapter 6. Risk Management

Abstract
This chapter embeds game theoretic techniques and models inside the ISO31000 risk management process, as a generic template for the general duty of risk control. We observe similarities between risk management processes and extensive form games, accompanied by the possibility of using game-theoretic algorithms and methods in various steps of a risk management process. Examples include decision making for risk prioritization, choice of best risk mitigation actions or optimal resource allocation for security. To this end, we discuss a variety of systematic methods for adversarial risk analysis (ARA), resilience management (in relation to risk management), level-k thinking, and the assessment of action spaces and utilities for games.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 7. Insurance

Abstract
Cyber insurance provides users a valuable additional layer of protection to transfer cyber data risks to third-parties. An incentive-compatible cyber insurance policy can reduce the number of successful cyber-attacks by incentivizing the adoption of preventative measures in return for more coverage and the implementation of best practices by pricing premiums based on an insured level of self-protection. This chapter introduces a bi-level game-theoretic model that nests a zero-sum game in a moral-hazard type of principal-agent game to capture complex interactions between a user, an attacker, and the insurer. The game framework provides an integrative view of cyber insurance and enables a systematic design of incentive-compatible and attack-aware insurance policy. The chapter also introduces a new metric of disappointment rate that measures the difference between the actual damage and the expected damage.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 8. Patrolling and Surveillance Games

Abstract
Patrolling and surveillance games both deal with a chasing-evading situation of an adversary trying to escape detection by either a mobile defender (patrolling) or a fixed defender (surveillance). Both kinds of games are played on graphs as abstract models of an infrastructure, and we review a variety of closed-form solutions for optimal patrolling in different classes of graph topologies. Applications include patrolling along lines (borders, pipelines, or similar), harbors (tree-structured graphs), and large geographic areas in general (planar graphs and maps). For surveillance and patrolling, we give hints on how to estimate the necessary resources, and how to include imperfectness and uncertainty, related to the detection capabilities, but also the chances of the adversary escaping the view of the patroller or surveillance. In complex terrain, we will discuss the use of simulation and empirical games (over real-valued and stochastic orders).
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 9. Optimal Inspection Plans

Abstract
In this chapter, we consider games for the computation of optimal strategies of how, how often, and when to inspect along a production line, or general industrial process. We review basic concepts of statistical tests, conducted whenever the defender chooses its action to “inspect”, and to understand cheating strategies for the adversary trying to escape detection along the statistical test. This non-detection game is then embedded into an outer sequential game over several stages of inspection, accounting for limited resources and possibilities of the defender to check repeatedly. We also consider inspections as a defense pattern against advanced persistent threat (APT), with two models suitable for two distinct type of APTs: the FlipIt game is discussed as a model when the APT’s goal is to gain longest possible control over an infrastructure, without wishing to damage or destroy it permanently. Complementary to this is the Cut-The-Rope game about defending against an APT whose goal is hitting a vital asset and to destroy or at least permanently damage a critical infrastructure.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 10. Defense-in-Depth-Games

Abstract
In this chapter, we adopt a holistic cross-layer viewpoint towards a hierarchical structure of ICS and the attack models. The physical layer is comprised of devices, controllers and the plant whereas the cyber layer consists of routers, protocols, and security agents and manager. The physical layer controllers are often designed to be robust, adaptive, and reliable for physical disturbances or faults. With the possibility of malicious behavior from the network, it is also essential for us to design physical layer defense that take into account the disturbances and delay resulting from routing and network traffic as well as the unexpected failure of network devices due to cyber-attacks. On the other hand, the cyber security policies are often designed without consideration of control performances. To ensure the continuous operability of the control system, it is equally important for us to design security policies that provide maximum level of security enhancement but minimum level of system overhead on the networked system. The physical and cyber aspects of control systems should be viewed holistically for analysis and design.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 11. Cryptographic Games

Abstract
The term “game” has substantially different meanings within the security area, depending on whether we speak about cryptographic security in particular, or system security in a more general setting that includes quantitative security with help of game theory. Game theory and cryptography are, however, of mutual value for each other, since game theory can help designing self-enforcing security of cryptographic protocols, and cryptography contributes invaluable mechanisms to implement games for security. This chapter introduces both ideas, being rational cryptography for the design of protocols that use rationality to incentivize players to follow faithfully, but also addresses the classical security goals like confidentiality, integrity, availability and authenticity by describing security games with quantitative and unconditional security guarantees. The chapter closes with a connection between network design for security and the P/NP question whose discovery is made with help from game theory.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Chapter 12. Practicalities

Abstract
This chapter discusses the use of data and data science to choose values for model parameters, and suggests a few methods and literature pointers to techniques that can be helpful to instantiate models. Furthermore, we review a set of selected software tools that help with the setup and equilibrium analysis of practical game theoretic models. We revisit various examples throughout the book in a tutorial-like step-by-step approach describing how game models can be analyzed. The focus is herein on openly and freely available software, parts of which is open source. Where applicable, we also give closed form solutions to certain classes of games, and generic transformations to make game theoretic problems solvable with help of optimization software. This shall equip practitioners with direct tools to use in practice, and with further literature pointers.
Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu

Backmatter

Weitere Informationen

Premium Partner