A Learning-Based Approach to Reactive Security

Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to the last attack. Our game-theoretic model follows common practice in the security literature by making worst-case assumptions about the attacker: we grant the attacker complete knowledge of the defender's strategy and do not require the attacker to act rationally. In this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of information about the attacker's incentives and knowledge.

Dawn Xiaodong Song, et al. A Learning-Based Approach to Reactive Security, 2009, IEEE Transactions on Dependable and Secure Computing.