A Game Theoretic Model of Strategic Conflict in Cyberspace Operations Research Department Naval Postgraduate School, Monterey, CA 80 th MORS 12 June, 2012 Harrison C. Schramm David L. Alderson W. Matthew Carlyle Nedialko B. Dimitrov

Page 1: A Game Theoretic Model  of Strategic Conflict in Cyberspace

A Game Theoretic Model of Strategic Conflict in Cyberspace

Operations Research Department
Naval Postgraduate School, Monterey, CA

80th MORS
12 June, 2012

Harrison C. Schramm
David L. Alderson
W. Matthew Carlyle
Nedialko B. Dimitrov

Page 2: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Cyber Conflict - definitions

• Defining characteristic: how weapons in cyberspace (cyber weapons) are discovered, developed, and employed

• Our model is a high-level, strategic look at the problem of cyber conflict

• Key question: How long should a belligerent in cyber conflict hold an exploit in development before attacking?

Page 3: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Cyber Conflict – Approach

• Cyber conflict may be viewed as a game

• Players discover and develop attacks, which they then exercise at a time of their choosing

• Analysis is abstracted away from specific technologies, systems, and exploits.
  – Similar to other models of combat.

Page 4: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Related Work

• JASON (2010) The Science of Cybersecurity
  – DOD report, recommends game theory as an analytic method

• Shiva et al (2010) Game theoretic approaches to protect cyberspace
  – Presents a taxonomy of game theoretic methods in cyberspace

• Lye & Wing (2002) Game strategies in network security

• Shen et al (2007) A Markov game theoretic approach for cyber situational awareness

Page 5: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Cyber munition life-cycle

[Diagram labels: Discovery; Development; Obsolescence; Employment; Adversary Patch]

Page 6: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Cyber Game Mechanics

• Discovery of Exploit
  – Game state indexed as , where T is the age of the game, represents the length of time player i has known the exploit

• Development of Munition
  – After a player has discovered the exploit, they may develop the exploit in accordance with some known function,

1 2, ,TS

i

( )i ia

Page 7: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Game Mechanics II

• Employment
  – Once a player has the exploit, he may choose to use it. His action set is defined as:

• Obsolescence
  – If either player discovers and patches the exploit before an attack is executed, all munitions are worthless and the game ends.

ait; the default action if 0:Attack, and end the game.: iW W

A

Page 8: A Game Theoretic Model  of Strategic Conflict in Cyberspace

State Transitions

This state is recurrent until the first discovery is made

Page 9: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Our Analysis

• Zero Sum
• Two Players
• Identical Systems
• One zero-day Exploit
• Perfect Information

Page 10: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Solving the game relies on building on cases based on knowledge

No Players

One player

Both Players

Solution Hierarchy; solving the case where neither player has the exploit depends on the one-player case, which in turn depends on the case where both players have the exploit.

Page 11: A Game Theoretic Model  of Strategic Conflict in Cyberspace


The Base: Both Players know the Exploit

If both players know the exploit, “Attack, Attack” is the optimum solution by iterated elimination of dominated strategies

Player 2 plays: W Player 2 plays: A Player 1 plays: W 1 21, 1, 1V T 2 2a

Player 1 plays: A 1 1a 1 1 2 2a a

We may compute the value of the game for cases where 1 2, ,T 1 20)( ( 0)

Page 12: A Game Theoretic Model  of Strategic Conflict in Cyberspace

State Transitions

This state is recurrent until the first discovery is made

Not Reachable for optimal players with perfect knowledge

Absorbing

Page 13: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Situation II – One player knows the exploit

• Under what circumstances should Player 1 wait (and possibly gain attack value)?

• For monotone functions, this is straightforward, but the general case is solved as well.

Player 2 Plays: Wait Player 1 Plays: Wait Y Player 1 Plays: Attack 1a

We may compute the value of the game for cases where 1 2, ,T 1 20)( ( 0)

Page 14: A Game Theoretic Model  of Strategic Conflict in Cyberspace

State Transitions

Not Reachable

Starting Here

Will Player 2 Reach a better state on the axis?

Before Player 1 Discovers the Exploit?

Page 15: A Game Theoretic Model  of Strategic Conflict in Cyberspace


The general case – neither player knows the exploit…

1

1 2 1 2

2

1 2 1 2

1

21,

2

1 2 1

02 1

10,1

2 1

1,11 22

)next state is) )

)next state is) )

next state is) )

(1Pr ,1,0(1 (1

(1Pr ,0,1(1 (1

Pr ,1,1 ,(1 (1

p pTp p p p p p

p pTp p p p p p

p pTp p p p p p

1,0 0,1 1,1

1 * *1,0 0 1 0,1 0 2 1

2,1 1 2

,0,0 ,1,0 ,0,1 ,1,1

( ( 1) 1 ,)

V T V T V T V T

v k v k a a

we can compute the value of the game from any state, including ,0,0T

Page 16: A Game Theoretic Model  of Strategic Conflict in Cyberspace

State Transitions

Not Reachable for optimal players with perfect knowledge

Absorbing

Starting Here

Who wins?

Page 17: A Game Theoretic Model  of Strategic Conflict in Cyberspace


Numerical Analysis

Page 18: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Basic Case

If the players have constant probability of detection, and constant attack value functions, then Player 1 will expect to win if:

ip

)(i ia c

1 1 2 2(1) (1)p a p a

Page 19: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Example II

Suppose Players 1 and 2 have attack functions such that:

1

1

2 2 2 2

(0) 0( ) 1 5( ) 5 5

( ) 1

iaaa

a c

[Plot: v(h), value of waiting h turns, versus turns to wait, h]

Here, we have to compute the optimum number of turns to wait before attacking, which turns out to be 5, matching our intuition

Page 20: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Example II – the effect of varying $p_1$

[Plot: Value (Player 1's point of view) versus p1: Player 1's probability of detection]

Page 21: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Example II

[Plot: $a_1(\cdot)$ versus holding time]

Suppose Players 1 and 2 have attack functions such that:

$$a_2(1) = 1, \quad p_2 = .3$$
$$a_1(\cdot) = [1,2,3,4,5,3,6]$$

Note that since Player 1 has the exploit, $p_1$ is irrelevant.

Page 22: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Example II

[Plot: Value versus waiting time, h]

Value function associated with example two. We see that the maximum value of $V$ occurs at $h = 5$. Therefore, in this case, it is not ‘worth it’ to wait.
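The holding-time calculation for this example, as an added Python sketch that is not code from the presentation. Only a1, a2(1) and p2 come from the slide; the payoff rule used when Player 2 discovers the exploit (both attack at once, Player 1 nets a1(k) - a2(1)) and the omission of patching are assumptions of this example.

```python
"""Value of holding an exploit for h turns when only Player 1 knows it.

Assumptions (added for this example, not taken from the slides):
- Player 2 discovers the exploit independently each turn with probability p2.
- If Player 2 discovers it while Player 1 is at holding time k, both attack
  at once and Player 1 nets a1(k) - a2(1).
- Patching (obsolescence) is not modeled.
"""

A1 = [1, 2, 3, 4, 5, 3, 6]   # a1 at holding times 1..7, from the slide
A2_FIRST = 1.0               # a2(1), from the slide
P2 = 0.3                     # Player 2's per-turn discovery probability, from the slide


def value_of_waiting(h, a1=A1, a2_first=A2_FIRST, p2=P2):
    """Expected payoff to Player 1 of planning to attack at holding time h."""
    if not 1 <= h <= len(a1):
        raise ValueError("h must be within the range where a1 is defined")
    if not 0.0 <= p2 <= 1.0:
        raise ValueError("p2 must be a probability")
    undiscovered = 1.0   # probability Player 2 has not found the exploit yet
    value = 0.0
    for k in range(1, h):
        # Player 2 discovers during turn k: both players attack immediately.
        value += undiscovered * p2 * (a1[k - 1] - a2_first)
        undiscovered *= 1.0 - p2
    # Player 2 never discovered in time: Player 1 attacks alone at h.
    return value + undiscovered * a1[h - 1]


def best_holding_time(a1=A1, a2_first=A2_FIRST, p2=P2):
    """Return (h, v(h)) maximising the value of waiting; ties go to smaller h."""
    values = [value_of_waiting(h, a1, a2_first, p2) for h in range(1, len(a1) + 1)]
    best = max(range(len(values)), key=lambda i: (values[i], -i))
    return best + 1, values[best]


if __name__ == "__main__":
    for h in range(1, len(A1) + 1):
        print(f"h={h}  v(h)={value_of_waiting(h):.4f}")
    print("best with p2=0.30:", best_holding_time())
    print("best with p2=0.05:", best_holding_time(p2=0.05))
```

Under these assumptions the peak sits at a holding time of 5 for p2 = 0.3, and moves out to 7 only when Player 2's discovery probability is made much smaller (0.05 in the second call).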

Page 23: A Game Theoretic Model  of Strategic Conflict in Cyberspace


Extensions

Page 24: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Waiting Times

• What happens if we introduce non-productive waiting times?
  – Such as administrative approval chains
  – Or other reasons

• Conclusion: If you are slow to act, you can make it up (a little bit) by increasing capability in other areas, but only to a point.

Page 25: A Game Theoretic Model  of Strategic Conflict in Cyberspace

State Transitions

Discovers Here

Cannot progress until w time periods pass

Page 26: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Waiting Times

[Plot: Player 1's expected payoff versus waiting time, w]

Payoff to Player 1 of an otherwise ‘even’ cyber game, where player 1 is forced to wait w time periods after discovery before any action may be taken.

Page 27: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Waiting Times II

[Plot: Required $p_1$ versus waiting time, w]

Player 1’s required probability of detection, $p_1$, to ‘break even’ as a function of wait time. Note in this scenario that after 9 time periods, perfect detection is required; further advancements are not possible.

Page 28: A Game Theoretic Model  of Strategic Conflict in Cyberspace

Conclusion

• We present a lexicon and framework for analyzing cyber conflict

• Future work:
  – Multiple Attacks
  – Imperfect Information
  – Incorporating issues outside of cyber (i.e. kinetic)

Page 29: A Game Theoretic Model  of Strategic Conflict in Cyberspace

NPS OR Cyber interest points of contact:

• CDR Harrison Schramm
  – 831 656 2358

• Professor Matt Carlyle

• Professor Dave Alderson
  – 831 656 1814

• Professor Ned Dimitrov
  – 831 656 3647

Page 30: A Game Theoretic Model  of Strategic Conflict in Cyberspace


Backup

Page 31: A Game Theoretic Model  of Strategic Conflict in Cyberspace

State Transitions