Critical Infrastructure Security and Resilience Network-level Model Node-Level Model Connections Challenge and Solution
Algorithmic Game Theory for Critical Infrastructure
Security and Resilience
Linan Huang Quanyan Zhu
Department of Electrical and Computer Engineering
New York University, USA
Game Solving: Theory and Practice, Prague, Czech Republic
Monday, July 9, 2018
July 9, 2018 1 / 54
Critical Infrastructure Security and Resilience Network-level Model Node-Level Model Connections Challenge and Solution
Critical Infrastructure
Presidential Policy Directive 21 (PPD-21) identifies 16 sectors.
Critical infrastructure sectors must be secure and resilient from all natural
hazards and human attacks.
Source: http://www.sandia.gov/nisac
Catastrophe and Cyber-physical Threats
Hurricane Sandy (NJ), Harvey (Texas), Irma (Florida).
Large-scale power cut.
Flooding subway stations.
Collapsed and submerged roads.
Hurricane Sandy
Source: New York Times
Resilience
Figure: Resilience of PSE&G Electric Power System during Hurricane Sandy. Source:
New York Times.
Resilience
Figure: Resilience of ConEd Electric Power System during Hurricane Sandy. Source: New
York Times.
Catastrophe and Cyber-physical Threats
Advanced persistent threats: Stuxnet
Specifically targeted vs. spray-and-pray
Long-term persistent vs. smash-and-grab
Methodical vs. opportunistic
Source: https://www.extremetech.com/computing/200898-windows-pcs-vulnerable-to-stuxnet-attack-five-years-after-patches
Security and Resilience
Security: Deter attackers from reaching and sabotaging their targets.
Resilience: What if an attack succeeds?
Guarantee essential services.
Reduce economic loss.
Recover wholly and quickly from failures.
Security: deter attacks from success.
Resilience: mitigate attack impact; recover quickly and entirely.
Network-level Security and Resilience
Infrastructure sectors are connected to enhance information, energy and material exchanges.
Multi-layer networks model the interdependent infrastructure sectors.
Nodes are abstractions of systems or network components.
Links represent logical, physical or geographical dependencies.
http://energyskeptic.com/2011/em/
Interdependencies among different critical infrastructures
Source: Gao et al. Natl. Sci. Rev. 2014.
Cascading Failures
Interdependencies cause cross-infrastructure cascading failures.
Demos of cascading failures and recovery
https://drive.google.com/drive/u/0/folders/0B6-Q8-SnvO6lYmlxX2FuN3ZuV1U
Mitigate cascading failures through
Agile response to disasters and attacks
Dynamic long-term planning of resources
Node-level Security and Resilience
Zooming-in: From high-level network models to node-level models.
Modeling the attack path of APTs for a facility.
Initial entry: compromise, but not breach the network.
Privilege escalation: control the (C&C) servers to receive additional
instructions and malicious code.
Lateral movement: establish additional points of compromise so that the
attack can continue if one point is closed.
Leave backdoors and the network remains compromised.
Developing cost-effective proactive defense strategies.
Game-theoretic Framework
Advantages of game-theoretic framework
Worst-case analysis of natural failures with unknown statistics
Modeling attackers and defenders with distinctive objectives
Security from a strategic perspective
Computational challenges
NE computation of stochastic games over large-scale networks
PBNE computation of dynamic games under incomplete information
Part I:
Network-Level Infrastructure Protection
Multi-layer networks under cyber-physical attacks
Game-theoretic modeling of cascading failures and resilient
policies
Approximation algorithm to tackle the curse of
dimensionality
Cyber and Physical Attacks
Natural disasters or attacks cause a component failure
Cyber, physical, and logical interdependence
Negative effects on other components
Systematic failures
Related Work
Modeling and understanding large-scale interdependent infrastructure networks.
Physical, cyber, geographic, logical dependency [Rinaldi et al. 2001].
Risk management based on network flows [Lee et al. 2007], numerical simulation [Korkali et al. 2014], and interacting dynamic coupling [Rosato et al. 2008].
CASCADE [Dobson et al. 2005]: high-level probabilistic model.
Game-theoretic methods for security and resilience of cyber-physical control systems [Zhu and Başar 2015] and decentralized decision-making [Chen and Zhu 2016].
Scalable methods for the curse of dimensionality: constraint sampling in approximate dynamic programming [Farias and Roy 2004] and factored MDP [Guestrin et al. 2003].
Multi-layer Networks
Nodes represent components and links represent dependencies: $G = (N, E)$.
The $j$th node at layer $i$ has a state of being normal, $x^i_j = 1$, or faulty, $x^i_j = 0$.
The $j$th node at layer $i$ can be attacked (resp. defended), $a^i_j = 1$ (resp. $d^i_j = 1$), or not, $a^i_j = 0$ (resp. $d^i_j = 0$).
Single-layer Network
A global index $l$ unifies the 2D index $(i, j)$, e.g., $\Omega_{1,1} = \{n^1_1, n^1_2, n^2_1, n^3_7\}$ becomes $\Omega_1 = \{n_1, n_2, n_6, n_{17}\}$.
System state $x = [x_l]_{l=1,\dots,17} \in X$.
System action of defender $d \in D$ and attacker $a \in A$.
Exponential growth of the state size.
Stationary Policy
Defender policy $\mu : X \to D := \prod_l D_l$.
Attacker policy $\nu : X \to A := \prod_l A_l$.
Information structure $F_l$ of node $l$.
Zero-sum Stochastic Markov Game
A dynamic game with probabilistic transitions.
Generalization of both Markov decision processes and repeated games.
Markov transition probability $\Pr(x^{t+1} \mid x^t, a, d)$.
Node $l$'s utility $c_l(x_l, d_l, a_l)$.
System utility at state $x$: $c(x, d, a) = \sum_l c_l$.
Long-term objective $J(x^0, \mu, \nu) := \sum_{t=0}^{\infty} \gamma^t\, \mathbb{E}_{\mu,\nu,x^0}\big[c(X^t, d, a)\big]$.
Zero-Sum Stochastic Markov Game
Goal: find the secure strategies $\mu^*, \nu^*$ and the value function of the game
$$J^*(x^0) = \min_{\mu \in U} \max_{\nu \in V} J(x^0, \mu, \nu) = J(x^0, \mu^*, \nu^*).$$
Risk quantification: $J^*(x^0) : X \to \mathbb{R}$ provides a security measure of state $x^0$.
Saddle-point equilibrium:
$$J(x^0, \mu, \nu^*) \ge J(x^0, \mu^*, \nu^*) \ge J(x^0, \mu^*, \nu), \quad \forall \nu, \mu,\ \forall x^0.$$
Minimax theorem:
$$\min_{\mu \in U} \max_{\nu \in V} J(x^0, \mu, \nu) = \max_{\nu \in V} \min_{\mu \in U} J(x^0, \mu, \nu).$$
Feasible stationary mixed strategy:
$$\mu^*(x) \in U_x := \Big\{\phi^d(x, d) \in \mathbb{R}_{\ge 0} : \sum_d \phi^d(x, d) = 1\Big\}, \quad \forall x.$$
$\phi^d(x, d)$ is the probability of the defender taking action $d$ at the global state $x$.
Dynamic Programming
Bellman equation:
$$J^*(x) = c(x, d^*, a^*) + \gamma \sum_{x'} \Pr(x' \mid x, a^*, d^*)\, J^*(x'), \quad \forall x.$$
The first term is the reward of the current stage $x$.
The second term is the expectation of the value function over all possible next stages $x'$.
Mixed-strategy generalization:
$$J^*(x) = \sum_{a \in A} \phi^{a*}(x, a)\, \underbrace{\sum_{d \in D} \Big[c(x, d, a) + \gamma \sum_{x' \in \prod_{i=1}^{I} X_i} \Pr(x' \mid x, a, d)\, J^*(x')\Big] \phi^{d*}(x, d)}_{f(x, a)}, \quad \forall x.$$
Bilinear Programming
$$\min_{J^*(x),\, \phi^d(x,d)} \ \sum_x \alpha(x)\, J^*(x)$$
subject to:
$$J^*(x) \ge \sum_d \Big[c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d)\, J^*(x')\Big] \phi^d(x, d), \quad \forall x, \forall a$$
$$\sum_{d \in D} \phi^d(x, d) = 1, \quad \forall x; \qquad \phi^d(x, d) \ge 0, \quad \forall x, d.$$
Bilinear programming is nonlinear, and current computation tools do not succeed in providing the global optimum.
The direct computation of $J^*(x)$ is hard, but we can use value iteration:
$$J^{t+1}(x) := \min_{\phi^d} \max_{\phi^a} \sum_{a \in A} \phi^a(x, a) \sum_{d \in D} \Big[c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d)\, J^t(x')\Big] \phi^d(x, d).$$
Value Iteration
Define
$$z(x) := \max_{\phi^a} \sum_{a \in A} \phi^a(x, a) \sum_{d \in D} \Big[c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d)\, J^t(x')\Big] \phi^d(x, d).$$
Solve iteratively the following linear program with initial guess $J^0(x)$:
$$\min_{z(x),\, \phi^d(x,d)} \ \sum_x \alpha(x)\, z(x)$$
subject to:
$$z(x) \ge \sum_d \Big[c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d)\, J^t(x')\Big] \phi^d(x, d), \quad \forall x, \forall a$$
$$\sum_{d \in D} \phi^d(x, d) = 1, \quad \forall x; \qquad \phi^d(x, d) \ge 0, \quad \forall x, d.$$
The optimal value of the variable $z(x)$ is $J^{t+1}(x)$.
Replace $J^t(x)$ with $J^{t+1}(x)$ and iterate.
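The value iteration above, worked on a single infrastructure node as an added example (this is not the authors' code). At each state the stage game is the matrix $f(x, a, d) = c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d)\, J^t(x')$; because the node has two states and each player has two actions, the per-state LP over $z(x)$ and $\phi^d(x, d)$ is replaced by the closed-form solution of a 2x2 zero-sum matrix game. The discount factor, stage costs and transition probabilities are constructed assumptions.

```python
"""Shapley-style value iteration for the zero-sum stochastic game on a single
infrastructure node.  Added example, not the authors' code.  The states, stage
costs and transition probabilities are constructed for illustration, and the
per-state LP is replaced by the closed-form solution of a 2x2 matrix game."""

GAMMA = 0.9          # discount factor gamma
STATES = (0, 1)      # x = 0: node faulty, x = 1: node normal
ACTIONS = (0, 1)     # a / d = 1: attack / defend the node, 0: do nothing

# Constructed cost parameters: the defender pays c(x, d, a), the attacker
# receives it (zero-sum).
LOSS, COST_DEFEND, COST_ATTACK = 10.0, 2.0, 1.0


def stage_cost(x, d, a):
    """Stage cost c(x, d, a): service loss while faulty, plus defence effort,
    minus the attacker's own effort (assumed cost structure)."""
    return LOSS * (1 - x) + COST_DEFEND * d - COST_ATTACK * a


def transition(x, d, a):
    """Pr(x' | x, a, d) as {next_state: probability} (constructed numbers)."""
    if x == 1:                                          # normal node
        p_fail = (0.2 if d else 0.8) if a else 0.05     # 5% natural failure
        return {0: p_fail, 1: 1.0 - p_fail}
    p_recover = (0.7 if d else 0.3) - (0.3 if a else 0.0)   # faulty node
    return {1: p_recover, 0: 1.0 - p_recover}


def solve_2x2(M):
    """Value and row-player mixed strategy of the zero-sum matrix game M[d][a];
    the row player (defender) minimises, the column player (attacker) maximises."""
    minimax = min(max(row) for row in M)
    maximin = max(min(M[0][a], M[1][a]) for a in ACTIONS)
    if minimax == maximin:                              # pure saddle point
        d_star = min(ACTIONS, key=lambda d: max(M[d]))
        return minimax, {d: float(d == d_star) for d in ACTIONS}
    # no pure saddle point: the equilibrium is fully mixed (equalising strategy)
    denom = M[0][0] + M[1][1] - M[0][1] - M[1][0]
    value = (M[0][0] * M[1][1] - M[0][1] * M[1][0]) / denom
    p0 = (M[1][1] - M[1][0]) / denom                    # probability of row 0
    return value, {0: p0, 1: 1.0 - p0}


def stage_game(x, J):
    """Matrix game f(x, a, d) = c(x, d, a) + gamma * sum_x' Pr(x'|x,a,d) J(x')."""
    return [[stage_cost(x, d, a)
             + GAMMA * sum(p * J[y] for y, p in transition(x, d, a).items())
             for a in ACTIONS] for d in ACTIONS]


def value_iteration(tol=1e-9, max_iter=10_000):
    """Iterate J^{t+1}(x) = min_phi_d max_phi_a (mixed value of the stage game)
    from J^0 = 0 until the sup-norm change drops below tol.
    Returns (J*, defender policy phi^d(x, .))."""
    J = {x: 0.0 for x in STATES}
    for _ in range(max_iter):
        J_next, policy = {}, {}
        for x in STATES:
            J_next[x], policy[x] = solve_2x2(stage_game(x, J))
        delta = max(abs(J_next[x] - J[x]) for x in STATES)
        J = J_next
        if delta < tol:
            break
    return J, policy


def bellman_residual(J):
    """Sup-norm distance between J and the minimax Bellman operator applied to J."""
    return max(abs(solve_2x2(stage_game(x, J))[0] - J[x]) for x in STATES)


if __name__ == "__main__":
    J_star, mu_star = value_iteration()
    for x in STATES:
        print(f"x={x}: J*={J_star[x]:.3f}, defend probability={mu_star[x][1]:.3f}")
```

The defender's policy is returned as $\phi^d(x, d)$ per state; the attacker's equalising strategy is obtained symmetrically from the columns. For networks with more than two nodes per player the stage game is larger than 2x2 and the LP over $z(x)$ and $\phi^d(x, d)$ of the slide is needed instead of the closed form.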
Single controller
The single-controller assumption $\Pr(x' \mid x, a, d) = \Pr(x' \mid x, a)$ results in the following linear program.
Primal LP:
$$\min_{J^*(x),\, \phi^d(x,d)} \ \sum_{x'} \alpha(x')\, J^*(x')$$
subject to:
$$J^*(x) \ge \sum_{d \in D} c(x, d, a)\, \phi^d(x, d) + \gamma \sum_{x'} \Pr(x' \mid x, a)\, J^*(x'), \quad \forall x, a$$
$$\sum_{d \in D} \phi^d(x, d) = 1, \quad \forall x; \qquad \phi^d(x, d) \ge 0, \quad \forall x, d.$$
Large-scale network with system state $x$:
LP variables $J^*(x)$ and $\phi^d(x, d)$.
LP constraints $\forall x \in X, \forall a \in A$.
Approximation
Approximate LP: $J^*(x) = \sum_{j=1}^{k} w_j h_j(x)$.
Restricted information structure of the defender:
$$\phi^d(x, d) = \prod_{l=1}^{n} \phi^d_l(x, d_l) = \prod_{l=1}^{n} \phi^d_l(F_l, d_l),$$
where $F_l$ is the set of nodes which node $l$ can observe, e.g., $F_l = x_l$.
Factored graph to exploit the sparsity of dependencies:
$$P(x' \mid x, a) = \prod_{i \in N} P(x'_i \mid x, a) = \prod_{i \in N} P(x'_i \mid x_i, x_{\Omega_i}, a_i).$$
Variable elimination: sum and max $\to$ max and sum.
Example of Variable Elimination
$$(1 - \gamma)\, w_0 \ge \max_{x_1, \dots, x_4} \ e_1(x_1) + e_2(x_1, x_2) + e_3(x_2, x_3, x_4) + e_4(x_3, x_4).$$
With an elimination order $O = \{x_3, x_2, x_4, x_1\}$, the RHS becomes
$$\max_{x_1, x_2, x_4} \ e_1(x_1) + e_2(x_1, x_2) + \max_{x_3} \big[e_3(x_2, x_3, x_4) + e_4(x_3, x_4)\big] = \max_{x_1, x_2, x_4} \ e_1(x_1) + e_2(x_1, x_2) + E_1(x_2, x_4).$$
A new constraint is generated, i.e.,
$$E_1(x_2, x_4) \ge e_3(x_2, x_3, x_4) + e_4(x_3, x_4), \quad \forall x_2, x_3, x_4.$$
Figure: four-node example network (nodes 1 to 4); node 2 is unattackable ($a_2 \equiv 0$); neighbourhoods $x_{\Omega_1} = \emptyset$, $x_{\Omega_2} = [x_1]$, $x_{\Omega_3} = [x_2, x_4]$, $x_{\Omega_4} = [x_3]$.
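An added example (not the authors' code) that runs the elimination order $O = \{x_3, x_2, x_4, x_1\}$ on the four-function sum above. The integer tables for $e_1, \dots, e_4$ over binary variables are constructed; each elimination creates one new factor $E_k$, which in the LP becomes a new variable with one small-scope constraint per assignment of its arguments, and the block counts those constraints against the $2^4$ assignments the exact constraint would enumerate.

```python
"""Variable elimination for the max-plus constraint of the approximate LP.
Added example, not the authors' code.  Factor tables e1..e4 are constructed
so that the sum has the structure shown on the slide; all variables are binary."""
import itertools

# A factor is (scope, table): scope is a tuple of variable names and table maps
# an assignment tuple (values in scope order) to a number.
E1 = (("x1",), {(0,): 0, (1,): 2})
E2 = (("x1", "x2"), {(0, 0): 1, (0, 1): 0, (1, 0): 0, (1, 1): 3})
E3 = (("x2", "x3", "x4"), {(0, 0, 0): 1, (0, 0, 1): 0, (0, 1, 0): 2, (0, 1, 1): 1,
                           (1, 0, 0): 0, (1, 0, 1): 4, (1, 1, 0): 1, (1, 1, 1): 2})
E4 = (("x3", "x4"), {(0, 0): 1, (0, 1): 1, (1, 0): 3, (1, 1): 0})
FACTORS = [E1, E2, E3, E4]
VARIABLES = ("x1", "x2", "x3", "x4")
ORDER = ("x3", "x2", "x4", "x1")          # elimination order O of the slide


def evaluate(factor, env):
    """Look up a factor's value under the assignment env (a dict var -> value)."""
    scope, table = factor
    return table[tuple(env[v] for v in scope)]


def eliminate(factors, var):
    """Max out `var`: the factors mentioning it are replaced by one new factor
    E(rest) = max_var sum(...), i.e. a new LP variable with one constraint
    E(rest) >= sum(...) per assignment of (rest, var).
    Returns (remaining factors, number of constraints generated)."""
    touching = [f for f in factors if var in f[0]]
    rest = [f for f in factors if var not in f[0]]
    new_scope = tuple(sorted({v for scope, _ in touching for v in scope if v != var}))
    table = {}
    for assign in itertools.product((0, 1), repeat=len(new_scope)):
        env = dict(zip(new_scope, assign))
        table[assign] = max(sum(evaluate(f, {**env, var: val}) for f in touching)
                            for val in (0, 1))
    n_constraints = 2 ** (len(new_scope) + 1)
    return rest + [(new_scope, table)], n_constraints


def max_by_elimination(factors, order):
    """Max over all variables of the factor sum via the elimination order;
    also returns the total number of small-scope constraints generated."""
    total = 0
    for var in order:
        factors, n = eliminate(factors, var)
        total += n
    return sum(table[()] for _, table in factors), total


def max_brute_force(factors, variables):
    """Reference: enumerate all 2^n assignments (the exact constraint set)."""
    best = float("-inf")
    for assign in itertools.product((0, 1), repeat=len(variables)):
        env = dict(zip(variables, assign))
        best = max(best, sum(evaluate(f, env) for f in factors))
    return best


if __name__ == "__main__":
    value, n_small = max_by_elimination(FACTORS, ORDER)
    print("max via elimination:", value, "using", n_small, "small-scope constraints")
    print("max by brute force:", max_brute_force(FACTORS, VARIABLES),
          "using", 2 ** len(VARIABLES), "full assignments")
```

On four binary variables the elimination produces more constraints than the brute-force enumeration, but every one of them has scope at most three; on a large sparse network the enumeration count grows as $2^n$ while the eliminated constraint count grows with the size of the largest intermediate factor, which is the point of the slide.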
Computation Reduction
ALP (in red) is insensitive to network size.
Exact LP (in blue) grows exponentially [1].
[1] Huang et al., MSCPES, CPS-Week, 2017; Huang et al., GameSec 2017.
Acceptable Approximate Error
Small absolute errors in green and red.
Relative error in blue decreases as the network size increases.
High-Level Connections Between Two Models:
Connections between Network-Level and Node-Level Models
The node-level model provides a zoomed-in model of nodes at the
network-level model.
The node-level analysis provides ways to estimate parameters for the
network-level analysis.
Transition probability $\Pr(x^{t+1} \mid x^t, a, d)$.
Node $l$'s utility $c_l(x_l, d_l, a_l)$.
Part II:
Node-Level Infrastructure Protection
Industrial control systems under multi-stage multi-phase
APTs
Game-theoretic modeling of their dynamic, stealthy, and
deceptive nature
Adaptive Bayesian learning for incomplete information
Proactive and reactive information structures for insider and
outsider threats
Multistage Infiltration
APTs infiltrate stage by stage.
The attack graph has a tree structure without loops.
The stages are discrete and the horizon T is finite.
Figure: multistage game timeline over stages $0, 1, \dots, t, \dots, T$. At each stage $t$ the defender commits to $\sigma^t_1$ and the attacker responds with $\sigma^t_2 = R_2(\sigma^t_1)$; the players then take actions $a^t_1$ and $a^t_2$. The history grows as $h^0 = \emptyset$, $h^1 = \{a^0_1, a^0_2\}$, $h^t = \{h^{t-1}, a^{t-1}_1, a^{t-1}_2\}$, $h^T = \{a^0_1, \dots, a^{T-1}_1, a^0_2, \dots, a^{T-1}_2\}$.
Game-theoretic Modeling of Strategic Attackers [2]
Acknowledge the entry: Traditional intrusion prevention can be ineffective for
APTs.
Steal full cryptographic key by zero-day vulnerabilities.
Bridge the air gap, e.g., infect other insecure clients of the same services
provider and propagate through USB.
Strategic attackers: APTs operated by human experts can analyze system
responses and learn the detection rule, thus evade traditional intrusion
detection.
[2] Huang and Zhu, CINS, Sigmetrics, 2018.
Related Work
Identification of APTs [Cole 2012].
Dynamic game-theoretic framework for APTs in CIs.
A security game plus an information-trading game for insider threats [Hu
et al. 2015].
Multi-layer and multi-phase game model of APTs [Zhu and Rass 2018].
Flip-It game [Dijk et al. 2013]: APTs steal the private key so that they
stealthily take over the system alternately with the defender.
Incomplete information and deception.
Use random variable to model the incomplete information in a game
[Harsanyi 1967].
Cyber denial and deception [Stech et al. 2016]: Reverse deceptions from
defenders to counter the deceptive and stealthy nature of APTs.
Bayesian learning and conjugate prior assumptions [Ryzhov 2012].
Type as the Incomplete Information
A random variable models the incomplete information caused by the deceptive and stealthy nature of APTs.
The realization of the random variable is the type of the attacker.
Attacker's type $\theta_2 \in \Theta_2$ distinguishes between legitimate users and APTs with different targets.
The defender does not know the realization of the type and needs to form a belief $B^t_1(\theta_2)$.
Action and History
Discrete actions for player $i \in \{1, 2\}$ at stage $t$: $a^t_i \in A^t_i$.
The feasible action set $A^t_i$ is stage-dependent.
Observable history and perfect recall:
$$h^t := [a^0_1, \cdots, a^{t-1}_1, a^0_2, \cdots, a^{t-1}_2] \in H^t.$$
Observing history is not sufficient for strategic decision making.
Behaviors do not directly reveal the type.
Different defensive methods work for different types of attacks.
Markov State Transition
The cardinality of the history increases with the stages.
History update: $h^t = h^{t-1} \cup \{a^t_1, a^t_2\}$.
State $x^t$ shows the current system status, e.g., pressure, location of APTs, compromised sensors, etc.
The initial state $x^0$ and the history $h^t$ determine the state $x^t \in X^t$ at stage $t$.
Markov state transition: $x^{t+1} = f^t(x^t, a^t_1, a^t_2)$.
Figure: backward dynamic programming over stages $0, \dots, t-1, t, \dots, T-1, T$ of the attack tree (root node $n^0_3$, leaf nodes $n^T_1, \dots, n^T_5$). $V^t_i(h^t, \theta_i)$ is the cost-to-go from stage $t$; the DP computes $V^T_i(h^T, \theta_i)$, then $V^{T-1}_i(h^{T-1}, \theta_i)$, down to $V^{t-1}_i(h^{t-1}, \theta_i)$ and $V^0_i$.
Dynamic Bayesian Bimatrix Game
Stage-dependent type belief: $B^t_1 : H^t \to \triangle\Theta_2$.
P1 forms the belief according to the current observation $H^t$.
$\triangle\Theta_2$ is the set of probability distributions over the type space $\Theta_2$.
Behavioral mixed strategy: $\sigma^t_i(\cdot \mid h^t, \theta_i) : H^t \times \Theta_i \to \triangle A^t_i$.
Probability measure: $\sum_{a^t_i \in A^t_i} \sigma^t_i(a^t_i \mid h^t, \theta_i) = 1$.
Action $a^t_i$ is a realization of the policy $\sigma^t_i$.
Adaptive Belief Update
Multistage Bayesian update (Bayes' rule for parameters Par given observed data under model M):
$$\Pr(\mathrm{Par} \mid \mathrm{data}, M) = \frac{\Pr(\mathrm{Par} \mid M)\, \Pr(\mathrm{data} \mid \mathrm{Par}, M)}{\Pr(\mathrm{data} \mid M)}.$$
The type belief depends on the mixed strategy $\sigma^t_2$, which serves as the likelihood function of the new observation $a^t_2$:
$$B^{t+1}_1(\theta_2 \mid [h^t, a^t_1, a^t_2]) = \frac{B^t_1(\theta_2 \mid h^t)\, \sigma^t_2(a^t_2 \mid h^t, \theta_2)}{\int_0^1 B^t_1(\hat\theta_2 \mid h^t)\, \sigma^t_2(a^t_2 \mid h^t, \hat\theta_2)\, d\hat\theta_2}.$$
One action may not directly reveal the type, e.g., behavioral analysis rather
than signature analysis for encrypted outbound traffic.
Length of the connection.
Number of packets.
Amount of data.
Destination IP.
Adversarial objective is gradually learned via the multistage transition.
Utility Function
Stage utility: $J^t_i(x^t, a^t_1, a^t_2, \theta_1, \theta_2)$.
State-dependent: increasing the rotor's speed under pressure state $x^t$ leads to different utilities for both players.
Type-related: the same action can result in different utilities for different types.
Cumulative utility under complete information:
$$\hat U^{t:T}_1(\sigma^{t:T}_1, \sigma^{t:T}_2, h^{T+1}, \theta_1, \theta_2) = \sum_{t'=t}^{T} \mathbb{E}_{\sigma^{t'}_1, \sigma^{t'}_2}\Big[J^{t'}_1(x^{t'}, \sigma^{t'}_1, \sigma^{t'}_2, \theta_1, \theta_2)\Big]$$
$$= \sum_{t'=t}^{T} \sum_{a^{t'}_1 \in A^{t'}_1} \sigma^{t'}_1(a^{t'}_1 \mid h^{t'}, \theta_1) \sum_{a^{t'}_2 \in A^{t'}_2} \sigma^{t'}_2(a^{t'}_2 \mid h^{t'}, \theta_2)\, J^{t'}_1(x^{t'}, a^{t'}_1, a^{t'}_2, \theta_1, \theta_2).$$
Expected cumulative utility under incomplete information:
$$U^{t:T}_1(\sigma^{t:T}_1, \sigma^{t:T}_2, h^{T+1}, \theta_1) := \int_0^1 B^t_1(\theta_2 \mid h^t)\, \hat U^{t:T}_1\, d\theta_2.$$
Proactive Perfect Bayesian Nash Equilibrium (P-PBNE)
Proactive information structure for insider threats.
The attacker P2, as the agent, perceives the policy $\sigma^t_1$ via insiders and chooses the policy $\sigma^t_2 = R_2(\sigma^t_1)$ as the best response to $\sigma^t_1$, i.e., to maximize his own accumulated utility $U^{t:T}_2$:
$$\sigma^{*,t:T}_2 = \arg\max_{\sigma^{t:T}_2 \in \Sigma^{t:T}_2} U^{t:T}_2(\sigma^{*,t:T}_1, \sigma^{t:T}_2) := U^{*,t:T}_2.$$
APTs have to follow rules to evade detection, and the defender P1 considers the worst-case policy:
$$U^{*,t:T}_1 := \inf_{\sigma^{t:T}_2 \in R_2(\sigma^{*,t:T}_1)} U^{t:T}_1(\sigma^{*,t:T}_1, \sigma^{t:T}_2) = \sup_{\sigma^{t:T}_1 \in \Sigma^{t:T}_1} \ \inf_{\sigma^{t:T}_2 \in R_2(\sigma^{t:T}_1)} U^{t:T}_1(\sigma^{t:T}_1, \sigma^{t:T}_2).$$
Such an equilibrium is called a Proactive Perfect Bayesian Nash Equilibrium (P-PBNE).
Reactive Perfect Bayesian Nash Equilibrium (R-PBNE)
Reactive information structure for outsider threats.
Each player does not know the policy of the other player at any stage.
A sequence of strategies $\sigma^{*,t:T}_i \in \Sigma^{t:T}_i$ is called the $\varepsilon$-reactive perfect Bayesian Nash equilibrium for player $P_i$ if, for a given $\varepsilon \ge 0$ and $i \in \{1, 2\}$:
$$U^{t:T}_i(\sigma^{*,t:T}_i, \sigma^{*,t:T}_{-i}, h^{T+1}, \theta_i) \ge \sup_{\sigma^{t:T}_i \in \Sigma^{t:T}_i} U^{t:T}_i(\sigma^{t:T}_i, \sigma^{*,t:T}_{-i}, h^{T+1}, \theta_i) - \varepsilon.$$
If $\varepsilon = 0$, we have a Reactive Perfect Bayesian Nash Equilibrium (R-PBNE).
No player can gain by deviating unilaterally at any stage.
Forward and Backward Process
Optimality principle and dynamic programming: the value function $V^t_i$ is the optimal utility-to-go from stage $t$ for player $i$.
Incomplete information: forward belief update coupled with backward PBNE policy computation.
Figure: over stages $0, 1, \dots, T$ the beliefs $B^0_i \to B^1_i \to \cdots \to B^T_i$ are propagated forward by the Bayesian update
$$B^{t+1}_1(\theta_2 \mid [h^t, a^t_1, a^t_2]) = \frac{B^t_1(\theta_2 \mid h^t)\, \sigma^t_2(a^t_2 \mid h^t, \theta_2)}{\int_0^1 B^t_1(\hat\theta_2 \mid h^t)\, \sigma^t_2(a^t_2 \mid h^t, \hat\theta_2)\, d\hat\theta_2},$$
while the value functions $V^T_i \to \cdots \to V^1_i \to V^0_i$ are computed backward.
Conjugate prior assumption.
Bayesian Games with Two-Sided Incomplete Information
Figure: Bayesian game with two-sided incomplete information. Player 1 (defender) has type $\theta_1 \in \Theta_1$ and player 2 (attacker) has type $\theta_2 \in \Theta_2$. Both observe the history $h^t = h^{t-1} \cup \{a^{t-1}_1, a^{t-1}_2\}$ (observable history and perfect recall), form type beliefs $B^t_1 \in \triangle\Theta_2$ and $B^t_2 \in \triangle\Theta_1$ by Bayesian update, optimize their utilities to obtain the mixed strategies $\sigma^t_1 \in \triangle A^t_1$ and $\sigma^t_2 \in \triangle A^t_2$ at the perfect Bayesian Nash equilibrium, and implement the actions $a^t_1 \in A^t_1$ and $a^t_2 \in A^t_2$.
One-sided Incomplete Information
Beta-binomial conjugate prior assumption to change the distribution update into a parameter update.
Dynamic programming with an expanded state $y^t = \{x^t, \alpha^t_1, \beta^t_1\}$ to unify the two processes.
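An added example (not the authors' code) covering both the adaptive Bayesian belief update of the earlier slide and the beta-binomial shortcut of this one. It assumes a scalar attacker type $\theta_2 \in [0, 1]$ and the constructed likelihood $\sigma_2(a_2 = 1 \mid h, \theta_2) = \theta_2$ (the type is the attacker's per-stage attack probability), so that a Beta prior stays Beta after every observation; the block runs the integral update of the slide on a $\theta$ grid and checks it against the parameter update $(\alpha, \beta) \to (\alpha + a_2,\ \beta + 1 - a_2)$ on a constructed sequence of observed attacker actions.

```python
"""Adaptive type-belief update for one-sided incomplete information.
Added example, not the authors' code.  Assumes a scalar type theta_2 in [0, 1]
with likelihood sigma_2(a_2 = 1 | h, theta_2) = theta_2 (constructed model) and
compares the slides' integral update, evaluated on a theta grid, with the
beta-binomial conjugate parameter update."""

N_GRID = 4000
GRID = [(i + 0.5) / N_GRID for i in range(N_GRID)]   # midpoints of [0, 1]


def likelihood(a2, theta):
    """sigma_2(a_2 | h^t, theta_2): attack (a_2 = 1) with probability theta_2."""
    return theta if a2 == 1 else 1.0 - theta


def beta_weights(alpha, beta):
    """Beta(alpha, beta) density on the grid, normalised to sum to one."""
    w = [t ** (alpha - 1) * (1.0 - t) ** (beta - 1) for t in GRID]
    total = sum(w)
    return [v / total for v in w]


def bayes_update(weights, a2):
    """B^{t+1}(theta) = B^t(theta) sigma(a2|theta) / int B^t(th) sigma(a2|th) dth,
    with the integral over theta-hat replaced by the normalising sum on the grid."""
    w = [b * likelihood(a2, t) for b, t in zip(weights, GRID)]
    total = sum(w)
    return [v / total for v in w]


def conjugate_update(alpha, beta, a2):
    """Beta-binomial shortcut: the posterior stays Beta with updated parameters,
    so the belief state is carried as (alpha_1^t, beta_1^t) instead of a density."""
    return alpha + a2, beta + (1 - a2)


def posterior_mean(weights):
    return sum(b * t for b, t in zip(weights, GRID))


def prob_type_above(weights, threshold):
    """Belief mass on types above `threshold` (e.g. an APT-vs-benign cut-off)."""
    return sum(b for b, t in zip(weights, GRID) if t > threshold)


def run_both(observed_actions, alpha0=1.0, beta0=1.0):
    """Run the grid update and the parameter update on the same observation
    sequence; returns (grid weights, (alpha, beta)) after the last stage."""
    weights = beta_weights(alpha0, beta0)
    alpha, beta = alpha0, beta0
    for a2 in observed_actions:
        weights = bayes_update(weights, a2)
        alpha, beta = conjugate_update(alpha, beta, a2)
    return weights, (alpha, beta)


# Constructed observation sequence: attacker actions a_2^t over five stages.
OBSERVED = [1, 1, 0, 1, 1]

if __name__ == "__main__":
    w, (a, b) = run_both(OBSERVED)
    print(f"conjugate posterior Beta({a:.0f}, {b:.0f}), mean {a / (a + b):.4f}")
    print(f"grid posterior mean {posterior_mean(w):.4f}, "
          f"P(theta_2 > 0.5) = {prob_type_above(w, 0.5):.4f}")
```

Starting from the uniform prior Beta(1, 1), four observed attacks and one idle stage give Beta(5, 2) under the conjugate update, and the grid version of the integral formula reproduces its mean $5/7$ and tail mass to numerical precision; this is what lets the dynamic program carry $(\alpha^t_1, \beta^t_1)$ inside the expanded state $y^t$ instead of a full belief density.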
Benchmark of Complete Information: Mitigate Attack
Economically
We study defender and attacker’s policies under different types of attackers.
For benign users who do not attack or inflict damage, the defender will not take defensive actions and the system will operate normally.
When the type value increases:
P1 defends with a higher probability because an attack with a larger type value incurs more loss once it succeeds.
The increasing probability of defensive actions reduces the probability of attacks to a relatively low level.
Figure: defender's policy and attacker's policy (probability of acting, 0 to 1) versus attacker type (0 to 1.2).
Complete v.s. Incomplete Information
The deception of APTs creates (one-sided) uncertainties for defenders and decreases defenders' utilities.
NE and SE are obtained under complete information.
R-PBNE and P-PBNE are obtained under incomplete information.
More information yields better defender's utilities for stronger types of attacker (information is valuable).
Figure: NE vs. R-PBNE (left) and P-PBNE vs. SE, which overlap (right), plotted against attacker type.
Proactive v.s. Reactive Information Structure
SE and P-PBNE are proactive solutions.
NE and R-PBNE are reactive solutions.
P-PBNE may not exist. Use supremum as the upper bound for P-PBNE.
Proactive solutions yield a higher level of utility for stronger attackers.
Figure: NE vs. SE (left) and R-PBNE vs. the supremum of P-PBNE (right), plotted against attacker type.
Acquiring the best-response set of the attacker via analysis of the attack tree
and honeypots can effectively confront the insider threat of APTs.
Connections Between Two Models
Attack at the network-level aims to propagate over the network.
Attack at the node-level aims to compromise the facility.
An intelligent attacker can create both node level and network level damages
using coordinated attacks to maximize the attack impact at the network level.
Connections Between Two Models
Defense at the network-level aims to allocate network-level resources to
prevent the spreading of the failures and recover the failures.
Defense at the node-level aims to proactively deter the attacker from
reaching the target and mitigate the damage on the facility.
Think Fast and Slow
At the slow time scale: the equilibrium analysis of the fine-grained node-level game model provides parameter inputs to the network-level model for high-level resiliency planning.
At the fast time scale: the online behavior at each node determines the real-time spreading rates (or probabilities).
Challenges
Large-scale interdependent network
Incomplete information of attacks
Composition of attacks on different layers of network
Human behavior modeling and human-in-the-loop cyber-physical system
Impacts of Solution
Mechanism design to deter or engage attackers in the system
Prediction of the attack policies by analyzing the game equilibrium
Proactive defense to deter attacks rather than remedy actions
Long-term dynamic resilience planning
Thank You!
 
Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
 
Monitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions AssuranceMonitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions Assurance
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
 
Adversarial ml
Adversarial mlAdversarial ml
Adversarial ml
 
ACTOR CRITIC APPROACH BASED ANOMALY DETECTION FOR EDGE COMPUTING ENVIRONMENTS
ACTOR CRITIC APPROACH BASED ANOMALY DETECTION FOR EDGE COMPUTING ENVIRONMENTSACTOR CRITIC APPROACH BASED ANOMALY DETECTION FOR EDGE COMPUTING ENVIRONMENTS
ACTOR CRITIC APPROACH BASED ANOMALY DETECTION FOR EDGE COMPUTING ENVIRONMENTS
 
Actor Critic Approach based Anomaly Detection for Edge Computing Environments
Actor Critic Approach based Anomaly Detection for Edge Computing EnvironmentsActor Critic Approach based Anomaly Detection for Edge Computing Environments
Actor Critic Approach based Anomaly Detection for Edge Computing Environments
 
Survey of Adversarial Attacks in Deep Learning Models
Survey of Adversarial Attacks in Deep Learning ModelsSurvey of Adversarial Attacks in Deep Learning Models
Survey of Adversarial Attacks in Deep Learning Models
 
Security optimization of dynamic networks with probabilistic graph modeling a...
Security optimization of dynamic networks with probabilistic graph modeling a...Security optimization of dynamic networks with probabilistic graph modeling a...
Security optimization of dynamic networks with probabilistic graph modeling a...
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
 
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGFAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
 
SECURING THE DIGITAL FORTRESS: ADVERSARIAL MACHINE LEARNING CHALLENGES AND CO...
SECURING THE DIGITAL FORTRESS: ADVERSARIAL MACHINE LEARNING CHALLENGES AND CO...SECURING THE DIGITAL FORTRESS: ADVERSARIAL MACHINE LEARNING CHALLENGES AND CO...
SECURING THE DIGITAL FORTRESS: ADVERSARIAL MACHINE LEARNING CHALLENGES AND CO...
 
Resilience Metrics and Approaches for Quantification, Igor LINKOV
Resilience Metrics and Approaches for Quantification, Igor LINKOVResilience Metrics and Approaches for Quantification, Igor LINKOV
Resilience Metrics and Approaches for Quantification, Igor LINKOV
 
Self-learning systems for cyber security
Self-learning systems for cyber securitySelf-learning systems for cyber security
Self-learning systems for cyber security
 
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
 

Último

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 

Último (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

Algorithmic Game Theory for Critical Infrastructure Security and Resilience

• 1. Algorithmic Game Theory for Critical Infrastructure Security and Resilience
Linan Huang, Quanyan Zhu
Department of Electrical and Computer Engineering, New York University, USA
Game Solving: Theory and Practice, Prague, Czech Republic. Monday, July 9, 2018
Outline: Critical Infrastructure Security and Resilience; Network-level Model; Node-Level Model; Connections; Challenge and Solution
July 9, 2018 1 / 54
• 2. Critical Infrastructure
Presidential Policy Directive 21 (PPD-21) identifies 16 sectors.
Critical infrastructure sectors must be secure and resilient against all natural hazards and human attacks.
Source: http://www.sandia.gov/nisac
• 3. Catastrophe and Cyber-physical Threats
Hurricanes Sandy (NJ), Harvey (Texas), Irma (Florida):
- Large-scale power cuts.
- Flooded subway stations.
- Collapsed and submerged roads.
• 4. Hurricane Sandy
Figure: Hurricane Sandy. Source: New York Times.
• 5. Resilience
Figure: Resilience of the PSE&G electric power system during Hurricane Sandy. Source: New York Times.
• 6. Resilience
Figure: Resilience of the ConEd electric power system during Hurricane Sandy. Source: New York Times.
• 7. Catastrophe and Cyber-physical Threats
Advanced persistent threats (APTs): Stuxnet.
- Specifically targeted vs. spray-and-pray.
- Long-term persistent vs. smash-and-grab.
- Methodical vs. opportunistic.
Source: https://www.extremetech.com/computing/200898-windows-pcs-vulnerable-to-stuxnet-attack-five-years-after-patches
• 8. Security and Resilience
Security: deter attackers from reaching and sabotaging their targets.
Resilience: what if an attack succeeds?
- Guarantee essential services.
- Reduce economic loss.
- Recover wholly and quickly from failures.
Security: deter attacks from succeeding.
Resilience: mitigate attack impact; recover quickly and entirely.
• 9. Network-level Security and Resilience
Infrastructure sectors are connected to enhance information, energy and material exchanges.
Multi-layer networks model the interdependent infrastructure sectors:
- Nodes are abstractions of systems or network components.
- Links represent logical, physical or geographical dependencies.
Source: http://energyskeptic.com/2011/em/
• 10. Interdependencies among different critical infrastructures
Figure: interdependencies among critical infrastructures. Source: Gao et al., Natl. Sci. Rev. 2014.
• 11. Cascading Failures
Interdependencies cause cross-infrastructure cascading failures.
Demos of cascading failures and recovery: https://drive.google.com/drive/u/0/folders/0B6-Q8-SnvO6lYmlxX2FuN3ZuV1U
Mitigate cascading failures through:
- Agile response to disasters and attacks.
- Dynamic long-term planning of resources.
• 12. Node-level Security and Resilience
Zooming in: from high-level network models to node-level models.
Modeling the attack path of an APT against a facility:
- Initial entry: compromise a foothold, but do not yet breach the network.
- Privilege escalation: contact command-and-control (C&C) servers to receive additional instructions and malicious code.
- Lateral movement: establish additional points of compromise so that the attack can continue if one point is closed.
- Leave backdoors, so the network remains compromised.
Goal: develop cost-effective proactive defense strategies.
• 13. Game-theoretic Framework
Advantages of a game-theoretic framework:
- Worst-case analysis of natural failures with unknown statistics.
- Modeling attackers and defenders with distinct objectives.
- Security from a strategic perspective.
Computational challenges:
- Nash equilibrium (NE) computation of stochastic games over large-scale networks.
- Perfect Bayesian Nash equilibrium (PBNE) computation of dynamic games under incomplete information.
• 14. Part I: Network-Level Infrastructure Protection
- Multi-layer networks under cyber-physical attacks.
- Game-theoretic modeling of cascading failures and resilient policies.
- Approximation algorithm to tackle the curse of dimensionality.
• 15. Cyber and Physical Attacks
Natural disasters or attacks cause a component failure; through cyber, physical and logical interdependence this has negative effects on other components and leads to systemic failures.
• 16. Related Work
Modeling and understanding large-scale interdependent infrastructure networks:
- Physical, cyber, geographic and logical dependency [Rinaldi et al. 2001].
- Risk management based on network flows [Lee et al. 2007], numerical simulation [Korkali et al. 2014], and interacting dynamic coupling [Rosato et al. 2008].
- CASCADE [Dobson et al. 2005]: high-level probabilistic model.
Game-theoretic methods for security and resilience of cyber-physical control systems [Zhu and Başar 2015] and decentralized decision-making [Chen and Zhu 2016].
Scalable methods for the curse of dimensionality: constraint sampling in approximate dynamic programming [de Farias and Van Roy 2004] and factored MDPs [Guestrin et al. 2003].
• 17. Multi-layer Networks
Nodes represent components and links represent dependencies: $G = (N, E)$.
The $j$-th node at layer $i$ has state $x^i_j = 1$ (normal) or $x^i_j = 0$ (faulty).
The $j$-th node at layer $i$ can be attacked ($a^i_j = 1$) or not ($a^i_j = 0$), and defended ($d^i_j = 1$) or not ($d^i_j = 0$).
• 18. Single-layer Network
A global index $l$ unifies the 2D index $(i, j)$, e.g., $\Omega_{1,1} = \{n^1_1, n^1_2, n^2_1, n^3_7\}$ becomes $\Omega_1 = \{n_1, n_2, n_6, n_{17}\}$.
System state $x = [x_l]_{l = 1, \dots, 17} \in X$.
System action of the defender $d \in D$ and of the attacker $a \in A$.
The state space grows exponentially in the number of nodes.
• 19. Stationary Policy
Defender policy $\mu : X \to D := \prod_l D_l$.
Attacker policy $\nu : X \to A := \prod_l A_l$.
Information structure $F_l$ of node $l$.
• 20. Zero-sum Stochastic Markov Game
A dynamic game with probabilistic transitions; a generalization of both Markov decision processes and repeated games.
Markov transition probability $\Pr(x^{t+1} \mid x^t, a, d)$.
Node $l$'s utility $c_l(x_l, d_l, a_l)$; system utility at state $x$: $c(x, d, a) = \sum_l c_l$.
Long-term objective:
$$J(x^0, \mu, \nu) := \sum_{t=0}^{\infty} \gamma^t \, \mathbb{E}_{\mu, \nu, x^0}\big[c(X^t, d, a)\big].$$
• 21. Zero-Sum Stochastic Markov Game
Goal: find the secure strategy pair $(\mu^*, \nu^*)$ and the value function of the game
$$J^*(x^0) = \min_{\mu \in U} \max_{\nu \in V} J(x^0, \mu, \nu) = J(x^0, \mu^*, \nu^*).$$
Risk quantification: $J^* : X \to \mathbb{R}$ provides a security measure of the state $x^0$.
Saddle-point equilibrium:
$$J(x^0, \mu, \nu^*) \ge J(x^0, \mu^*, \nu^*) \ge J(x^0, \mu^*, \nu), \quad \forall \mu, \nu, \ \forall x^0.$$
Minimax theorem: $\min_{\mu \in U} \max_{\nu \in V} J(x^0, \mu, \nu) = \max_{\nu \in V} \min_{\mu \in U} J(x^0, \mu, \nu)$.
Feasible stationary mixed strategy:
$$\mu^*(x) \in U_x := \Big\{\varphi^d(x, \cdot) \in \mathbb{R}_{\ge 0}^{|D|} : \sum_d \varphi^d(x, d) = 1\Big\}, \quad \forall x,$$
where $\varphi^d(x, d)$ is the probability that the defender takes action $d$ at global state $x$.
• 22. Dynamic Programming
Bellman equation:
$$J^*(x) = c(x, d^*, a^*) + \gamma \sum_{x'} \Pr(x' \mid x, a^*, d^*) \, J^*(x'), \quad \forall x.$$
The first term is the cost of the current stage at $x$; the second is the expectation of the value function over all possible next states $x'$.
Mixed-strategy generalization:
$$J^*(x) = \sum_{a \in A} \varphi^{a*}(x, a) \underbrace{\sum_{d \in D} \Big[ c(x, d, a) + \gamma \sum_{x' \in \prod_{i=1}^{I} X_i} \Pr(x' \mid x, a, d) \, J^*(x') \Big] \varphi^{d*}(x, d)}_{f(x, a)}, \quad \forall x.$$
• 23. Bilinear Programming
$$\min_{J^*(x),\, \varphi^d(x, d)} \ \sum_x \alpha(x) J^*(x)$$
subject to
$$J^*(x) \ge \sum_d \Big[ c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d) \, J^*(x') \Big] \varphi^d(x, d), \quad \forall x, \ \forall a,$$
$$\sum_{d \in D} \varphi^d(x, d) = 1, \ \forall x; \qquad \varphi^d(x, d) \ge 0, \ \forall x, d.$$
Bilinear programming is nonlinear, and current computational tools do not guarantee the global optimum.
Direct computation of $J^*(x)$ is hard, but we can use value iteration:
$$J^{t+1}(x) := \min_{\varphi^d} \max_{\varphi^a} \sum_{a \in A} \varphi^a(x, a) \sum_{d \in D} \Big[ c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d) \, J^t(x') \Big] \varphi^d(x, d).$$
• 24. Value Iteration
Define
$$z(x) := \max_{\varphi^a} \sum_{a \in A} \varphi^a(x, a) \sum_{d \in D} \Big[ c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d) \, J^t(x') \Big] \varphi^d(x, d).$$
Starting from an initial guess $J^0(x)$, solve the following linear program iteratively:
$$\min_{z(x),\, \varphi^d(x, d)} \ \sum_x \alpha(x) z(x)$$
subject to
$$z(x) \ge \sum_d \Big[ c(x, d, a) + \gamma \sum_{x'} \Pr(x' \mid x, a, d) \, J^t(x') \Big] \varphi^d(x, d), \quad \forall x, \ \forall a,$$
$$\sum_{d \in D} \varphi^d(x, d) = 1, \ \forall x; \qquad \varphi^d(x, d) \ge 0, \ \forall x, d.$$
The optimal value of the variable $z(x)$ is $J^{t+1}(x)$. Replace $J^t(x)$ with $J^{t+1}(x)$ and iterate.
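The value iteration of slides 23 and 24 on a concrete instance, as an added example (not code from the talk): two interdependent nodes, each normal ($x_l = 1$) or faulty ($x_l = 0$); each stage the defender picks one node to defend and the attacker picks one node to attack; the stage cost $c(x, d, a)$ is the number of faulty nodes, which the defender minimizes and the attacker maximizes. The transition factors per node in the spirit of slide 26, the failure and recovery probabilities are assumptions chosen for illustration, and the per-state matrix game is solved in closed form for 2x2 matrices instead of by the LP on slide 24 (the LP is what scales to larger action sets).

```python
"""Shapley value iteration for a two-node zero-sum stochastic security game.

Constructed toy instance: two interdependent nodes, each normal (1) or faulty (0).
Each stage the defender picks one node to defend and the attacker one node to
attack. The stage cost c(x, d, a) is the number of faulty nodes; the defender
minimises, the attacker maximises the discounted sum. Per-node transition
probabilities below are assumptions for this example, not the talk's numbers.
"""

GAMMA = 0.9          # discount factor
P_FAIL_UNDEF = 0.6   # attacked, undefended normal node fails
P_FAIL_DEF = 0.2     # attacked, defended normal node fails
P_CASCADE = 0.25     # extra failure chance when the neighbour is faulty
P_RECOVER_DEF = 0.5  # faulty node recovers if defended
P_RECOVER = 0.1      # faulty node recovers on its own

STATES = [(1, 1), (1, 0), (0, 1), (0, 0)]
ACTIONS = [0, 1]     # index of the node to defend / attack


def stage_cost(x, d, a):
    """c(x, d, a): number of faulty nodes (the actions themselves cost nothing here)."""
    return sum(1 - xl for xl in x)


def node_next_prob(x, node, d, a):
    """Pr(x'_node = 1 | x, a, d): factored per node, depends on the node and its neighbour."""
    other = x[1 - node]
    if x[node] == 1:
        p_fail = 0.0
        if a == node:
            p_fail = P_FAIL_DEF if d == node else P_FAIL_UNDEF
        p_survive = 1.0 - p_fail
        if other == 0:                      # cascading failure from a faulty neighbour
            p_survive *= 1.0 - P_CASCADE
        return p_survive
    return P_RECOVER_DEF if d == node else P_RECOVER


def transition(x, d, a):
    """Pr(x' | x, a, d) over all next states, as a product of per-node factors."""
    dist = {}
    for xn in STATES:
        p = 1.0
        for node in (0, 1):
            p1 = node_next_prob(x, node, d, a)
            p *= p1 if xn[node] == 1 else 1.0 - p1
        dist[xn] = p
    return dist


def solve_2x2(m):
    """Value and defender row mix of a 2x2 zero-sum game; rows minimise, columns maximise."""
    minimax = min(max(row) for row in m)
    maximin = max(min(m[0][j], m[1][j]) for j in range(2))
    denom = m[0][0] - m[0][1] - m[1][0] + m[1][1]
    if abs(minimax - maximin) < 1e-9 or abs(denom) < 1e-12:
        row = min(range(2), key=lambda i: max(m[i]))       # pure saddle point
        return minimax, (1.0, 0.0) if row == 0 else (0.0, 1.0)
    p = (m[1][1] - m[1][0]) / denom                          # attacker indifferent between columns
    return p * m[0][0] + (1 - p) * m[1][0], (p, 1 - p)


def stage_matrix(x, J):
    """[c(x,d,a) + gamma * sum_x' Pr(x'|x,a,d) J(x')] indexed [d][a], as in slide 24's constraint."""
    return [[stage_cost(x, d, a)
             + GAMMA * sum(p * J[xn] for xn, p in transition(x, d, a).items())
             for a in ACTIONS] for d in ACTIONS]


def value_iteration(tol=1e-9, max_iter=10_000):
    """J^{t+1}(x) = val(stage_matrix(x, J^t)) until the sup-norm change drops below tol."""
    J = {x: 0.0 for x in STATES}
    policy = {}
    for _ in range(max_iter):
        J_next = {}
        for x in STATES:
            value, mix = solve_2x2(stage_matrix(x, J))
            J_next[x] = value
            policy[x] = mix
        diff = max(abs(J_next[x] - J[x]) for x in STATES)
        J = J_next
        if diff < tol:
            break
    return J, policy


if __name__ == "__main__":
    J_star, mu_star = value_iteration()
    for x in STATES:
        print(x, round(J_star[x], 4), tuple(round(p, 3) for p in mu_star[x]))
```

$J^*(x)$ is the security measure of slide 21: the all-normal state carries a strictly lower discounted cost than the all-faulty state, and $\mu^*(x)$ gives the stationary mixed defense at each global state. With $n$ nodes the state table has $2^n$ rows, which is exactly the growth the approximation on slides 26 to 29 removes.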
• 25. Single Controller
Single-controller assumption $\Pr(x' \mid x, a, d) = \Pr(x' \mid x, a)$ results in the following linear program.
Primal LP:
$$\min_{J^*(x),\, \varphi^d(x, d)} \ \sum_{x'} \alpha(x') J^*(x')$$
subject to
$$J^*(x) \ge \sum_{d \in D} c(x, d, a) \, \varphi^d(x, d) + \gamma \sum_{x'} \Pr(x' \mid x, a) \, J^*(x'), \quad \forall x, a,$$
$$\sum_{d \in D} \varphi^d(x, d) = 1, \ \forall x; \qquad \varphi^d(x, d) \ge 0, \ \forall x, d.$$
For a large-scale network with system state $x$: the LP variables are $J^*(x)$ and $\varphi^d(x, d)$, and there is one constraint for every $x \in X$ and $a \in A$.
• 26. Approximation
Approximate LP: $J^*(x) \approx \sum_{j=1}^{k} w_j h_j(x)$.
Restricted information structure of the defender: $\varphi^d(x, d) = \prod_{l=1}^{n} \varphi^d_l(x, d_l) = \prod_{l=1}^{n} \varphi^d_l(F_l, d_l)$, where $F_l$ is the set of nodes that node $l$ can observe, e.g., $F_l = x_l$.
Factored graph to exploit the sparsity of dependencies: $P(x' \mid x, a) = \prod_{i \in N} P(x'_i \mid x, a) = \prod_{i \in N} P(x'_i \mid x_i, x_{\Omega_i}, a_i)$.
Variable elimination: the exponentially many constraints (one per $x$) become a single constraint on the max over $x$ of a sum of local terms, and the max is pushed through the sum one variable at a time.
• 27. Example of Variable Elimination
$$(1 - \gamma) w_0 \ge \max_{x_1, \dots, x_4} \ e_1(x_1) + e_2(x_1, x_2) + e_3(x_2, x_3, x_4) + e_4(x_3, x_4).$$
With the elimination order $O = \{x_3, x_2, x_4, x_1\}$, the right-hand side becomes
$$\max_{x_1, x_2, x_4} \Big[ e_1(x_1) + e_2(x_1, x_2) + \max_{x_3} \big( e_3(x_2, x_3, x_4) + e_4(x_3, x_4) \big) \Big] = \max_{x_1, x_2, x_4} \Big[ e_1(x_1) + e_2(x_1, x_2) + E_1(x_2, x_4) \Big].$$
A new constraint is generated, i.e.,
$$E_1(x_2, x_4) \ge e_3(x_2, x_3, x_4) + e_4(x_3, x_4), \quad \forall x_2, x_3, x_4.$$
Figure: four-node example graph. Node 2 is unattackable ($a_2 \equiv 0$); neighbourhoods $x_{\Omega_1} = \emptyset$, $x_{\Omega_2} = [x_1]$, $x_{\Omega_3} = [x_2, x_4]$, $x_{\Omega_4} = [x_3]$.
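The elimination on slide 27 carried out in code, as an added example that is not part of the talk: the four factors $e_1, \dots, e_4$ are given constructed numeric tables over binary variables, the max is pushed through the sum in the order $O = \{x_3, x_2, x_4, x_1\}$, and the intermediate factor $E_1(x_2, x_4)$ that becomes the new constraint is returned alongside the final value. The generalization is the standard one: the same routine handles any list of factors and any elimination order, and a brute-force maximization over all $2^4$ assignments is included as the check that elimination loses nothing.

```python
"""Variable elimination for the max-of-a-sum constraint of slide 27.

The scalar constraint (1 - gamma) w_0 >= max_{x_1..x_4} e_1 + e_2 + e_3 + e_4 stands
for 2^4 = 16 linear constraints. Eliminating one variable at a time replaces it
by small constraints over intermediate factors (E_1(x_2, x_4) in the slide).
Factor tables below are constructed numbers for this example, not the talk's.
"""
from itertools import product


def brute_force_max(factors, variables):
    """Reference: enumerate every binary assignment of `variables`."""
    best = float("-inf")
    for values in product((0, 1), repeat=len(variables)):
        assignment = dict(zip(variables, values))
        total = sum(table[tuple(assignment[v] for v in scope)] for scope, table in factors)
        best = max(best, total)
    return best


def eliminate(factors, order):
    """Max-eliminate the variables in `order`; return (max value, generated factors).

    A factor is (scope, table): scope is a tuple of variable names, table maps
    value tuples (in scope order) to floats. Each generated factor E(new_scope)
    equals max over the eliminated variable of the sum of the factors touching it,
    i.e. it is the left-hand side of the new constraint E >= sum(...), for all values.
    """
    factors = list(factors)
    generated = []
    for var in order:
        involved = [f for f in factors if var in f[0]]
        rest = [f for f in factors if var not in f[0]]
        new_scope = tuple(sorted({v for scope, _ in involved for v in scope if v != var}))
        new_table = {}
        for values in product((0, 1), repeat=len(new_scope)):
            ctx = dict(zip(new_scope, values))
            best = float("-inf")
            for xv in (0, 1):
                ctx[var] = xv
                total = sum(table[tuple(ctx[v] for v in scope)] for scope, table in involved)
                best = max(best, total)
            new_table[values] = best
        generated.append((new_scope, new_table))
        factors = rest + [(new_scope, new_table)]
    # every remaining factor has an empty scope: the constant left over after elimination
    return sum(table[()] for _, table in factors), generated


def slide_example():
    """Slide 27's four factors with constructed values, eliminated in O = {x3, x2, x4, x1}."""
    e1 = (("x1",), {(0,): 0.0, (1,): 1.5})
    e2 = (("x1", "x2"), {(0, 0): 0.0, (0, 1): 2.0, (1, 0): 1.0, (1, 1): -1.0})
    e3 = (("x2", "x3", "x4"),
          {v: float(v[0] + 2 * v[1] - v[2]) for v in product((0, 1), repeat=3)})
    e4 = (("x3", "x4"), {(0, 0): 0.5, (0, 1): 3.0, (1, 0): -2.0, (1, 1): 0.0})
    factors = [e1, e2, e3, e4]
    return factors, eliminate(factors, ["x3", "x2", "x4", "x1"])


if __name__ == "__main__":
    factors, (value, generated) = slide_example()
    print("max via elimination:", value)
    print("brute force        :", brute_force_max(factors, ["x1", "x2", "x3", "x4"]))
    scope, table = generated[0]
    print("E1 over", scope, "=", table)   # the new constraint's left-hand side
```

Each intermediate table has as many rows as the generated factor has assignments (four for $E_1(x_2, x_4)$), so the number of constraints is governed by the largest scope created along the elimination order rather than by the number of nodes; choosing the order badly can still create a large factor.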
• 28. Computation Reduction
Figure: the approximate LP (ALP, red) is insensitive to network size; the exact LP (blue) grows exponentially.¹
¹ Huang et al., MSCPES, CPS-Week, 2017; Huang et al., GameSec 2017.
• 29. Acceptable Approximation Error
Figure: small absolute errors (green and red); the relative error (blue) decreases as the network size increases.
• 30. High-Level Connections Between the Two Models
The node-level model provides a zoomed-in model of the nodes of the network-level model.
The node-level analysis provides ways to estimate parameters for the network-level analysis:
- Transition probability $\Pr(x^{t+1} \mid x^t, a, d)$.
- Node $l$'s utility $c_l(x_l, d_l, a_l)$.
• 31. Part II: Node-Level Infrastructure Protection
- Industrial control systems under multi-stage, multi-phase APTs.
- Game-theoretic modeling of their dynamic, stealthy, and deceptive nature.
- Adaptive Bayesian learning for incomplete information.
- Proactive and reactive information structures for insider and outsider threats.
• 32. Multistage Infiltration
APTs infiltrate stage by stage.
The attack graph has a tree structure without loops.
The stages are discrete and the horizon $T$ is finite.
Figure: stage-by-stage interaction for $t = 0, 1, \dots, T$. At each stage the defender plays $\sigma^t_1$ and the attacker responds with $\sigma^t_2 = R_2(\sigma^t_1)$; actions $a^t_1, a^t_2$ are realized. History: $h^0 = \emptyset$, $h^1 = \{a^0_1, a^0_2\}$, $h^t = \{h^{t-1}, a^{t-1}_1, a^{t-1}_2\}$, $h^T = \{a^0_1, \dots, a^{T-1}_1, a^0_2, \dots, a^{T-1}_2\}$.
• 33. Game-theoretic Modeling of Strategic Attackers²
Acknowledge the entry: traditional intrusion prevention can be ineffective against APTs.
- Steal the full cryptographic key through zero-day vulnerabilities.
- Bridge the air gap, e.g., infect other insecure clients of the same service provider and propagate through USB.
Strategic attackers: APTs operated by human experts can analyze system responses and learn the detection rule, thus evading traditional intrusion detection.
² Huang and Zhu, CINS, Sigmetrics, 2018.
• 34. Related Work
Identification of APTs [Cole 2012].
Dynamic game-theoretic frameworks for APTs in critical infrastructures:
- A security game plus an information-trading game for insider threats [Hu et al. 2015].
- Multi-layer and multi-phase game model of APTs [Zhu and Rass 2018].
- FlipIt game [van Dijk et al. 2013]: APTs steal the private key so that they stealthily take over the system, alternating with the defender.
Incomplete information and deception:
- Random variables model the incomplete information in a game [Harsanyi 1967].
- Cyber denial and deception [Stech et al. 2016]: reverse deception from defenders to counter the deceptive and stealthy nature of APTs.
- Bayesian learning and conjugate-prior assumptions [Ryzhov 2012].
• 35. Type as the Incomplete Information
A random variable models the incomplete information caused by the deceptive and stealthy nature of APTs.
The realization of the random variable is the type of the attacker.
The attacker's type $\theta_2 \in \Theta_2$ distinguishes between legitimate users and APTs with different targets.
The defender does not know the realization of the type, and needs to form a belief $B^t_1(\theta_2)$.
• 36. Action and History
  - Discrete actions for player $i \in \{1, 2\}$ at stage $t$: $a_i^t \in A_i^t$. The feasible action set $A_i^t$ is stage-dependent.
  - Observable history and perfect recall: $h^t := [a_1^0, \cdots, a_1^{t-1}, a_2^0, \cdots, a_2^{t-1}] \in H^t$.
  - Observing the history is not sufficient for strategic decision making:
    - Behaviors do not directly reveal the type.
    - Different defensive methods work for different types of attacks.
  Figure: multistage interaction between defender and attacker from stage 0 to stage $T$. At each stage $t$ the defender plays $\sigma_1^t$, the attacker responds with $\sigma_2^t = R_2(\sigma_1^t)$, the actions $a_1^t, a_2^t$ are realized, and the history grows as $h^0 = \emptyset$, $h^1 = \{a_1^0, a_2^0\}$, $h^t = \{h^{t-1}, a_1^{t-1}, a_2^{t-1}\}$, $h^T = \{a_1^0, \ldots, a_1^{T-1}, a_2^0, \ldots, a_2^{T-1}\}$.
• 37. Markov State Transition
  - The cardinality of the history increases with the stage. History update: $h^t = h^{t-1} \cup \{a_1^t, a_2^t\}$.
  - The state $x^t$ captures the current system status, e.g., pressure, location of APTs, compromised sensors.
  - The initial state $x^0$ and the history $h^t$ determine the state $x^t \in X^t$ at stage $t$.
  - Markov state transition: $x^{t+1} = f^t(x^t, a_1^t, a_2^t)$.
  Figure: stages $0, \ldots, t-1, t, \ldots, T-1, T$; the cost-to-go from stage $t-1$, $V_i^{t-1}(h^{t-1}, \theta_i)$, is computed by dynamic programming (DP) backward from $V_i^T(h^T, \theta_i)$ through $V_i^t(h^t, \theta_i)$, over a game tree from root node $n_3^0$ to leaf nodes $n_1^T, \ldots, n_5^T$.
• 38. Dynamic Bayesian Bimatrix Game
  - Stage-dependent type belief: $B_1^t : H^t \to \triangle\Theta_2$. P1 forms the belief from the current observation $h^t \in H^t$; $\triangle\Theta_2$ is the set of probability distributions over the type space $\Theta_2$.
  - Behavioral mixed strategy: $\sigma_i^t(\cdot \mid h^t, \theta_i) : H^t \times \Theta_i \to \triangle A_i^t$.
  - Probability measure: $\sum_{a_i^t \in A_i^t} \sigma_i^t(a_i^t \mid h^t, \theta_i) = 1$.
  - The action $a_i^t$ is a realization of the policy $\sigma_i^t$.
• 39. Adaptive Belief Update
  - Multistage Bayesian update:
  $$\Pr(\mathrm{Par} \mid \mathrm{data}, M) = \frac{\Pr(\mathrm{Par} \mid M)\,\Pr(\mathrm{data} \mid \mathrm{Par}, M)}{\Pr(\mathrm{data} \mid M)}.$$
  - The type belief depends on the mixed strategy $\sigma_2^t$, which serves as the likelihood function of the new observation $a_2^t$:
  $$B_1^{t+1}(\theta_2 \mid [h^t, a_1^t, a_2^t]) = \frac{B_1^t(\theta_2 \mid h^t)\,\sigma_2^t(a_2^t \mid h^t, \theta_2)}{\int_0^1 B_1^t(\hat\theta_2 \mid h^t)\,\sigma_2^t(a_2^t \mid h^t, \hat\theta_2)\,d\hat\theta_2}.$$
  - One action may not directly reveal the type, e.g., behavioral analysis rather than signature analysis for encrypted outbound traffic: length of the connection, number of packets, amount of data, destination IP.
  - The adversarial objective is gradually learned via the multistage transition.
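The recursive belief update above, worked through on a small discrete type space, as an added example (not code from the slides or the authors). It assumes three constructed attacker types, a stationary per-type mixed strategy $\sigma_2(a \mid \theta)$ acting as the likelihood (the slides allow history-dependent strategies; stationarity is a simplification here), and a constructed sequence of observed attacker actions. It shows the two points made on the slide: one observation leaves the defender far from certain, while the belief concentrates on the true type over several stages.

```python
"""Multistage Bayesian type-belief update over a discrete type set.

Added example. Assumptions not in the original slides: the type set TYPES,
the per-type stationary strategies STRATEGIES and the observed action
sequence OBSERVED_ACTIONS are all constructed for illustration.
"""

# Constructed type space: 0.0 = benign user, 0.5 = low-impact APT, 1.0 = high-impact APT.
TYPES = (0.0, 0.5, 1.0)

# Constructed stationary strategies sigma_2(a | theta): probability of each action
# per type. Benign users occasionally produce anomalous-looking actions, so a single
# observation cannot separate them from APTs.
STRATEGIES = {
    0.0: {"A": 0.02, "N": 0.98},
    0.5: {"A": 0.30, "N": 0.70},
    1.0: {"A": 0.60, "N": 0.40},
}

# Constructed observations a_2^0 ... a_2^7 ('A' = anomalous/attack action, 'N' = normal).
OBSERVED_ACTIONS = ("A", "N", "A", "A", "N", "A", "A", "A")


def uniform_prior(types=TYPES):
    """B^0: the defender starts with no information about the type."""
    return {theta: 1.0 / len(types) for theta in types}


def bayes_update(belief, action, strategies=STRATEGIES):
    """One step of B^{t+1}(theta) = B^t(theta) * sigma_2(a | theta) / normaliser."""
    unnormalised = {theta: belief[theta] * strategies[theta][action] for theta in belief}
    total = sum(unnormalised.values())
    if total == 0.0:
        raise ValueError(f"action {action!r} has zero likelihood under every type in the support")
    return {theta: value / total for theta, value in unnormalised.items()}


def run_belief_updates(prior, actions, strategies=STRATEGIES):
    """Return the trajectory [B^0, B^1, ..., B^T] produced by the recursive update."""
    beliefs = [dict(prior)]
    for action in actions:
        beliefs.append(bayes_update(beliefs[-1], action, strategies))
    return beliefs


def batch_posterior(prior, actions, strategies=STRATEGIES):
    """Posterior computed from the whole history at once, to check the recursion."""
    unnormalised = {}
    for theta in prior:
        likelihood = 1.0
        for action in actions:
            likelihood *= strategies[theta][action]
        unnormalised[theta] = prior[theta] * likelihood
    total = sum(unnormalised.values())
    return {theta: value / total for theta, value in unnormalised.items()}


def most_likely_type(belief):
    """Type with the highest posterior probability."""
    return max(belief, key=belief.get)


if __name__ == "__main__":
    for stage, belief in enumerate(run_belief_updates(uniform_prior(), OBSERVED_ACTIONS)):
        print(stage, {theta: round(p, 3) for theta, p in belief.items()})
```

Because the likelihood is the attacker's own mixed strategy, a type whose strategy rarely produces the observed action loses posterior mass at every stage; the recursive and batch computations agree, which is what lets the defender carry the belief forward stage by stage instead of storing the full history.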
• 40. Utility Function
  - Stage utility: $J_i^t(x^t, a_1^t, a_2^t, \theta_1, \theta_2)$.
    - State-dependent: increasing the rotor's speed under pressure state $x^t$ leads to different utilities for both players.
    - Type-related: the same action can result in different utilities for different types.
  - Cumulative utility under complete information:
  $$\hat U_1^{t:T}(\sigma_1^{t:T}, \sigma_2^{t:T}, h^{T+1}, \theta_1, \theta_2) = \sum_{t'=t}^{T} \mathbb{E}_{\sigma_1^{t'}, \sigma_2^{t'}}\big[J_1^{t'}(x^{t'}, \sigma_1^{t'}, \sigma_2^{t'}, \theta_1, \theta_2)\big] = \sum_{t'=t}^{T} \sum_{a_1^{t'} \in A_1^{t'}} \sigma_1^{t'}(a_1^{t'} \mid h^{t'}, \theta_1) \sum_{a_2^{t'} \in A_2^{t'}} \sigma_2^{t'}(a_2^{t'} \mid h^{t'}, \theta_2)\, J_1^{t'}(x^{t'}, a_1^{t'}, a_2^{t'}, \theta_1, \theta_2).$$
  - Expected cumulative utility under incomplete information:
  $$U_1^{t:T}(\sigma_1^{t:T}, \sigma_2^{t:T}, h^{T+1}, \theta_1) := \int_0^1 B_1^t(\theta_2 \mid h^t)\, \hat U_1^{t:T}\, d\theta_2.$$
• 41. Proactive Perfect Bayesian Nash Equilibrium (P-PBNE)
  - Proactive information structure for insider threats.
  - The attacker P2, as the agent, perceives the policy $\sigma_1^t$ via insiders and chooses the policy $\sigma_2^t = R_2(\sigma_1^t)$ as the best response to $\sigma_1^t$, i.e., to maximize his own accumulated utility $U_2^{t:T}$:
  $$\sigma_2^{*,t:T} = \arg\max_{\sigma_2^{t:T} \in \Sigma_2^{t:T}} U_2^{t:T}(\sigma_1^{*,t:T}, \sigma_2^{t:T}), \quad \text{with optimal value } U_2^{*,t:T}.$$
  - APTs have to follow rules to evade detection, and the defender P1 considers the worst-case policy within the attacker's best-response set:
  $$U_1^{*,t:T} := \inf_{\sigma_2^{t:T} \in R_2(\sigma_1^{*,t:T})} U_1^{t:T}(\sigma_1^{*,t:T}, \sigma_2^{t:T}) = \sup_{\sigma_1^{t:T} \in \Sigma_1^{t:T}} \; \inf_{\sigma_2^{t:T} \in R_2(\sigma_1^{t:T})} U_1^{t:T}(\sigma_1^{t:T}, \sigma_2^{t:T}).$$
  - Such an equilibrium is called a Proactive Perfect Bayesian Nash Equilibrium (P-PBNE).
• 42. Reactive Perfect Bayesian Nash Equilibrium (R-PBNE)
  - Reactive information structure for outsider threats: neither player knows the other player's policy at any stage.
  - A sequence of strategies $\sigma_i^{*,t:T} \in \Sigma_i^{t:T}$ is called the $\varepsilon$-reactive perfect Bayesian Nash equilibrium for player $P_i$ if, for a given $\varepsilon \ge 0$ and $i \in \{1, 2\}$,
  $$U_i^{t:T}(\sigma_i^{*,t:T}, \sigma_{-i}^{*,t:T}, h^{T+1}, \theta_i) \ge \sup_{\sigma_i^{t:T} \in \Sigma_i^{t:T}} U_i^{t:T}(\sigma_i^{t:T}, \sigma_{-i}^{*,t:T}, h^{T+1}, \theta_i) - \varepsilon.$$
  - If $\varepsilon = 0$, we have a Reactive Perfect Bayesian Nash Equilibrium (R-PBNE): no player can gain by deviating unilaterally at any stage.
• 43. Forward and Backward Process
  - Optimality principle and dynamic programming: the value function $V_i^t$ is the optimal utility-to-go from stage $t$ for player $i$.
  - Incomplete information: forward belief update coupled with backward PBNE policy computation.
  Figure: the beliefs $B_i^0, B_i^1, \ldots, B_i^T$ propagate forward from stage 0 to stage $T$ (forward belief update), while the value functions $V_i^T, \ldots, V_i^1, V_i^0$ are computed backward (backward policy computation); the two are linked by
  $$B_1^{t+1}(\theta_2 \mid [h^t, a_1^t, a_2^t]) = \frac{B_1^t(\theta_2 \mid h^t)\,\sigma_2^t(a_2^t \mid h^t, \theta_2)}{\int_0^1 B_1^t(\hat\theta_2 \mid h^t)\,\sigma_2^t(a_2^t \mid h^t, \hat\theta_2)\,d\hat\theta_2}.$$
  - Conjugate prior assumption.
• 44. Bayesian Games with Two-Sided Incomplete Information
  Figure: block diagram of the two-player game. Player 1 (defender) has type $\theta_1 \in \Theta_1$ and holds a type belief $B_1^t \in \triangle\Theta_2$ about the attacker; Player 2 (attacker) has type $\theta_2 \in \Theta_2$ and holds a type belief $B_2^t \in \triangle\Theta_1$ about the defender. Both players observe the history $h^t = h^{t-1} \cup \{a_1^{t-1}, a_2^{t-1}\}$ with perfect recall, perform belief formation by Bayesian update, optimize their utilities at the perfect Bayesian Nash equilibrium to obtain mixed strategies $\sigma_1^t \in \triangle A_1^t$ and $\sigma_2^t \in \triangle A_2^t$, and implement the actions $a_1^t \in A_1^t$ and $a_2^t \in A_2^t$.
• 45. One-sided Incomplete Information
  - The beta-binomial conjugate prior assumption turns the distribution update into a parameter update.
  - Dynamic programming with the expanded state $y^t = \{x^t, \alpha_1^t, \beta_1^t\}$ unifies the two processes.
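What the conjugate prior assumption buys, as an added example (not code from the slides or the authors): with a Beta prior over a type $\theta \in [0, 1]$ interpreted as the attacker's per-stage attack probability (an assumption made here), the integral form of the belief update collapses to incrementing $\alpha$ or $\beta$, which is why the belief can ride along in the expanded state $y^t$ as two numbers. The block checks the shortcut against a direct numerical evaluation of the integral on a grid, using a constructed observation sequence.

```python
"""Beta-binomial conjugate update of a one-sided type belief.

Added example. Assumptions not in the original slides: the type theta is the
attacker's per-stage attack probability, the prior is Beta(alpha, beta), and
OBSERVED_ACTIONS is a constructed sequence ('A' = attack, 'N' = no attack).
"""

OBSERVED_ACTIONS = ("A", "A", "N", "A", "N")


def beta_update(alpha, beta, action):
    """Parameter form of B^{t+1}: an attack raises alpha, a quiet stage raises beta."""
    if action == "A":
        return alpha + 1.0, beta
    if action == "N":
        return alpha, beta + 1.0
    raise ValueError(f"unknown action {action!r}")


def run_parameter_updates(alpha, beta, actions):
    """Fold the whole observed history into the pair (alpha, beta)."""
    for action in actions:
        alpha, beta = beta_update(alpha, beta, action)
    return alpha, beta


def beta_mean(alpha, beta):
    """Posterior mean alpha / (alpha + beta): the defender's point estimate of theta."""
    return alpha / (alpha + beta)


def grid_posterior_mean(alpha, beta, actions, points=2001):
    """Posterior mean from the integral form of the update on a grid over [0, 1].

    Uses the same Beta prior and Bernoulli likelihood but never exploits
    conjugacy, so agreement with beta_mean() validates the parameter shortcut.
    Requires alpha, beta >= 1 so the density is finite at the grid endpoints.
    """
    attacks = sum(1 for a in actions if a == "A")
    quiet = len(actions) - attacks
    step = 1.0 / (points - 1)
    thetas = [i * step for i in range(points)]
    # Unnormalised posterior density prior(theta) * likelihood(history | theta).
    density = [
        (t ** (alpha - 1.0)) * ((1.0 - t) ** (beta - 1.0)) * (t ** attacks) * ((1.0 - t) ** quiet)
        for t in thetas
    ]

    def trapezoid(values):
        return step * (sum(values) - 0.5 * (values[0] + values[-1]))

    normaliser = trapezoid(density)                       # the integral in the denominator
    first_moment = trapezoid([t * d for t, d in zip(thetas, density)])
    return first_moment / normaliser


if __name__ == "__main__":
    a, b = run_parameter_updates(1.0, 1.0, OBSERVED_ACTIONS)
    print("parameters:", (a, b), "mean:", round(beta_mean(a, b), 4))
    print("grid mean: ", round(grid_posterior_mean(1.0, 1.0, OBSERVED_ACTIONS), 4))
```

Starting from the uniform prior Beta(1, 1), three attacks and two quiet stages give Beta(4, 3); the grid evaluation of the normalising integral reproduces the same posterior mean, so the dynamic program only has to track $(\alpha, \beta)$ next to the physical state $x^t$.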
• 46. Benchmark of Complete Information: Mitigate Attacks Economically
  - We study the defender's and attacker's policies under different types of attackers.
  - For benign users who do not attack or inflict damage, the defender takes no defensive action and the system operates normally.
  - As the type value increases:
    - P1 defends with a higher probability, because an attack with a larger type value incurs more loss once it succeeds.
    - The increasing probability of defensive actions reduces the probability of attacks to a relatively low level.
  Figure: defender's policy and attacker's policy (probability, 0.2 to 1.0) versus attacker type (0.0 to 1.2).
• 47. Complete v.s. Incomplete Information
  - The deception of APTs creates (one-sided) uncertainties for defenders and decreases defenders' utilities.
  - NE and SE are obtained under complete information; R-PBNE and P-PBNE are obtained under incomplete information.
  - More information yields better defender utilities for stronger types of attacker (information is valuable).
  Figure: left, defender's utility under NE versus R-PBNE over type 0.2 to 1.0; right, defender's utility under SE versus P-PBNE over type 0.2 to 1.0 (the two curves overlap).
• 48. Proactive v.s. Reactive Information Structure
  - SE and P-PBNE are proactive solutions; NE and R-PBNE are reactive solutions.
  - A P-PBNE may not exist; the supremum is used as the upper bound for P-PBNE.
  - Proactive solutions yield a higher level of utility against stronger attackers.
  Figure: left, defender's utility under NE versus SE over type 0.2 to 1.0; right, defender's utility under R-PBNE versus the supremum of P-PBNE over type 0.2 to 1.0.
  - Acquiring the best-response set of the attacker via analysis of the attack tree and honeypots can effectively confront the insider threat of APTs.
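The complete-information benchmark of slides 46 to 48 and the sup-inf structure of slide 41, carried through on one stage game as an added example (not code from the slides or the authors). The 2x2 game is constructed here: the defender chooses Idle or Defend, the attacker chooses N (no attack) or A (attack), the type $\theta$ scales the damage of an unblocked attack, and the constants DAMAGE, ATTACK_COST, DETECTION_PENALTY and DEFENSE_COST are assumptions. The block computes the reactive mixed Nash equilibrium for each type (defense probability rising and attack probability falling with $\theta$), then the proactive value $\sup_p \inf_{\sigma_2 \in R_2(p)} U_1$ in which the attacker best-responds to a committed defender policy; at the attacker's indifference point the best-response set jumps, so the supremum is approached but not attained, which is the situation the slide describes.

```python
"""Reactive NE versus proactive sup-inf value in a constructed 2x2 stage game.

Added example. All payoff constants and the game itself are assumptions made
for illustration and are not taken from the slides.
"""

DAMAGE = 10.0             # defender's loss from an unblocked attack at theta = 1
ATTACK_COST = 2.0         # attacker's cost of mounting an attack
DETECTION_PENALTY = 5.0   # attacker's extra loss when the attack meets a defense
DEFENSE_COST = 1.0        # defender's cost of the defensive action (<= ATTACK_COST)

D_ACTIONS = ("Idle", "Defend")
A_ACTIONS = ("N", "A")


def payoffs(theta, d, a):
    """(defender utility, attacker utility) for a pure action pair at type theta."""
    if a == "N":
        return (0.0 if d == "Idle" else -DEFENSE_COST), 0.0
    if d == "Idle":                       # attack succeeds
        return -theta * DAMAGE, theta * DAMAGE - ATTACK_COST
    return -DEFENSE_COST, -ATTACK_COST - DETECTION_PENALTY      # attack blocked


def nash_equilibrium(theta):
    """Mixed NE (p = Pr[Defend], q = Pr[A]) of the complete-information stage game."""
    if theta * DAMAGE <= ATTACK_COST:
        return 0.0, 0.0                   # attacking never pays: no attack, no defense
    # p makes the attacker indifferent between N and A; q makes the defender
    # indifferent between Idle and Defend (q <= 1 because DEFENSE_COST <= ATTACK_COST).
    p = (theta * DAMAGE - ATTACK_COST) / (theta * DAMAGE + DETECTION_PENALTY)
    q = DEFENSE_COST / (theta * DAMAGE)
    return p, q


def expected_defender_utility(theta, p, q):
    """E[J_1] under independent mixed strategies p (Defend) and q (A)."""
    total = 0.0
    for d, pd in zip(D_ACTIONS, (1.0 - p, p)):
        for a, pa in zip(A_ACTIONS, (1.0 - q, q)):
            total += pd * pa * payoffs(theta, d, a)[0]
    return total


def attacker_best_responses(theta, p, tol=1e-12):
    """Pure actions in the attacker's best-response set R_2(p) to a committed p."""
    value = {a: sum(pd * payoffs(theta, d, a)[1] for d, pd in zip(D_ACTIONS, (1.0 - p, p)))
             for a in A_ACTIONS}
    best = max(value.values())
    return [a for a in A_ACTIONS if value[a] >= best - tol]


def proactive_worst_case(theta, p):
    """inf over R_2(p) of the defender's utility.

    U_1 is linear in the attacker's mix, so the infimum over mixes supported on
    R_2(p) is attained at one of the pure best responses.
    """
    return min(expected_defender_utility(theta, p, 1.0 if a == "A" else 0.0)
               for a in attacker_best_responses(theta, p))


def proactive_supremum(theta, eps=1e-9):
    """Return (sup_p inf_{sigma_2 in R_2(p)} U_1, attained?).

    The worst-case utility is piecewise linear in p with a possible jump at the
    attacker's indifference point p_star, so the supremum lies among the
    endpoints, p_star itself, or a one-sided limit at p_star (approximated by
    p_star +/- eps and flagged as not attained).
    """
    p_star, _ = nash_equilibrium(theta)
    candidates = {0.0: True, 1.0: True, p_star: True}
    for side in (p_star - eps, p_star + eps):
        if 0.0 <= side <= 1.0:
            candidates.setdefault(side, False)
    best_p = max(candidates, key=lambda p: proactive_worst_case(theta, p))
    return proactive_worst_case(theta, best_p), candidates[best_p]


if __name__ == "__main__":
    for theta in (0.1, 0.4, 0.8, 1.0, 1.2):
        p, q = nash_equilibrium(theta)
        reactive = expected_defender_utility(theta, p, q)
        proactive, attained = proactive_supremum(theta)
        print(f"theta={theta:.1f} p={p:.3f} q={q:.3f} NE utility={reactive:.3f} "
              f"proactive sup={proactive:.3f} attained={attained}")
```

For a benign type ($\theta \cdot$ DAMAGE below ATTACK_COST) both solutions coincide at zero. For stronger types the reactive NE pins the defender's utility at minus the defense cost, whereas committing to a policy just above the attacker's indifference point drives the attacker to N and yields strictly more; since the value at the indifference point itself is lower, the supremum is not attained, which is why the slide reports the supremum as an upper bound on P-PBNE.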
• 49. Connections Between Two Models
  - An attack at the network level aims to propagate over the network.
  - An attack at the node level aims to compromise the facility.
  - An intelligent attacker can create both node-level and network-level damage using coordinated attacks to maximize the attack impact at the network level.
• 50. Connections Between Two Models
  - Defense at the network level aims to allocate network-level resources to prevent the spreading of failures and to recover from them.
  - Defense at the node level aims to proactively deter the attacker from reaching the target and to mitigate the damage to the facility.
• 51. Think Fast and Slow
  - At the slow time scale: the equilibrium analysis of the fine-grained node-level game model provides parameter inputs to the network-level model for high-level resiliency planning.
  - At the fast time scale: the online behavior at each node determines the real-time spreading rates (or probabilities).
• 52. Challenges
  - Large-scale interdependent networks.
  - Incomplete information about attacks.
  - Composition of attacks on different layers of the network.
  - Human behavior modeling and human-in-the-loop cyber-physical systems.
• 53. Impacts of the Solution
  - Mechanism design to deter or engage attackers in the system.
  - Prediction of attack policies by analyzing the game equilibrium.
  - Proactive defense to deter attacks rather than remedial actions.
  - Long-term dynamic resilience planning.
• 54. Thank You!