Using Planning for a Personalized Security Agent

The average home computer user needs help in reducing the security risk of their home computer. We are working on an alternative to current home security software in which a software agent helps a user manage his/her security risk. Planning is integral to the design of this agent in several ways. First, planning can be used to make the underlying security model manageable by generating attack paths, which identifies the vulnerabilities that are not a problem for a particular user/home computer. Second, planning can be used to identify interventions that either avoid the vulnerability or mitigate the damage should it occur. In both cases, a central capability is generating alternative plans, so as to find as many ways as possible to trigger the vulnerability and to give the user options should the obvious one not be acceptable. We describe our security model and our state-based approach to generating alternative plans. We show that the state-based approach can generate more diverse plans than a heuristic-based approach. However, the state-based approach sometimes achieves this diversity and better plan quality only at a higher search cost.

Planning for a Personalized Security Agent

The average home computer user has little understanding of security and limited time to become educated and to take action to protect their computers. Current security approaches, e.g., anti-virus software, OS patches and malware detectors, require time, money and knowledge to be used effectively. Moreover, the software is designed to be one-size-fits-all, which does not accommodate the different needs and preferences that have been observed in studies of home users (Howe et al. 2012). For example, a study of 31 undergraduates hypothetically installing software on a friend's machine concluded that many participants considered file sharing software to be indispensable, even accounting for the risks (Good et al. 2005).

Our research project takes a different approach: develop an agent that monitors security-related activities on a home computer and proposes interventions to the user to avoid or recover from security threats. The agent will be personalized to the preferences and experience of the user as well as to the configuration of the home computer. The security model underlying the agent is being developed from psychological studies that identify the factors influencing a home user's decisions about security threats (e.g., perceptions of risk and threats) (Byrne et al. 2012). A home computer security agent would need to perform all of the following tasks: monitor the user/system for new behavior/state, incorporate new security knowledge from a common security database, adapt to newly installed software, prioritize its actions so as to block the most critical vulnerabilities first, suggest actions to the user that support his/her goals without breaching security/privacy, and intervene independently to the extent that the user's trust allows. Several of these tasks involve planning. In this paper, we describe how planning has been used for security, how we have started to extend existing planning techniques to support the security agent, and our plans for further extensions.

The Personalized Security Agent

The two core goals behind our security agent are that its design should be motivated and supported by psychological studies of users and that its behavior should be personalized to a particular user. In support of these goals, we have developed a new security model that is based partly on studies from the literature and partly on our on-going studies.

The Security Model: A Personalized Attack Graph

Researchers have modeled security for networked systems using attack graphs (Phillips and Swiler 1998; Sheyner et al. 2002) and attack trees (Moore, Ellison, and Linger 2001; Dewri et al. 2007). These models capture dependencies among system attributes such as vulnerabilities and network connectivity, and they facilitate security risk analysis and management. But they focus on networked systems rather than on home computer users. We developed the Personalized Attack Graph (PAG) security model to characterize the ways that a home system can be compromised; it adds actions for the user as well as for the attacker. The PAG is a state-transition system that is instantiated with the state of a particular home computer and user. Figure 1 shows a PAG for a Denial of Service (DoS) exploit; it is a subtree of a much larger PAG with 7 exploits, 25 user actions, 38 system states or actions (of which 11 are system vulnerabilities), and 19 attack actions. A complete PAG consists of a set of many such exploit subtrees, and paths from the leaf nodes to the root represent potential attack paths.
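The following is an added, constructed illustration of the two planning uses described above (enumerating alternative attack paths through a state-transition model, and scoring user interventions against them); it is not the paper's PAG, its planner, or its data. The home system is a set of facts, attacker and user actions are STRIPS-style operators with preconditions and added facts, and a state-based depth-first search enumerates every minimal action set that reaches the exploit node. All action, fact and intervention names (user_installs_p2p, unpatched, apply_os_patches, and so on) are hypothetical placeholders; no real product, vulnerability or exploit is modelled.

```python
"""Toy Personalized Attack Graph (PAG) search.

Constructed example, not the paper's model or planner: facts describe the
home system, actions belong to the attacker or the user, and a state-based
search enumerates the minimal action sets that reach an exploit. The same
search is re-run under candidate interventions to see which attack paths
each one removes.
"""

# Hypothetical domain. Actions: name -> (agent, preconditions, added facts).
# Placeholder names only; no real CVE, product or exploit is represented.
ACTIONS = {
    "user_installs_p2p":        ("user",     {"wants_p2p"},                {"p2p_installed"}),
    "user_opens_attachment":    ("user",     {"mail_received"},            {"dropper_run"}),
    "attacker_sends_mail":      ("attacker", set(),                        {"mail_received"}),
    "attacker_bundles_malware": ("attacker", {"p2p_installed"},            {"dropper_run"}),
    "attacker_installs_bot":    ("attacker", {"dropper_run", "unpatched"}, {"bot_installed"}),
    "attacker_floods_link":     ("attacker", {"bot_installed"},            {"dos"}),
}
INITIAL = frozenset({"wants_p2p", "unpatched"})   # this particular user/computer
GOAL = "dos"                                        # the exploit at the root of the subtree

# Candidate user interventions: name -> (initial facts removed, actions blocked).
INTERVENTIONS = {
    "apply_os_patches":           ({"unpatched"}, set()),
    "block_attachment_execution": (set(), {"user_opens_attachment"}),
    "decline_p2p_install":        (set(), {"user_installs_p2p"}),
}


def find_attack_paths(actions, initial, goal, blocked=frozenset()):
    """Enumerate every action set that reaches `goal` from `initial` by a
    depth-first search over states (fact sets), then keep only the minimal
    sets (no proper subset also reaches the goal). Every step must add a
    new fact, so the search is finite without a visited-state table.
    Each path is returned as an alphabetically sorted tuple of action names."""
    found = set()

    def dfs(state, used):
        if goal in state:
            found.add(frozenset(used))
            return
        for name, (_agent, pre, add) in actions.items():
            if name in blocked or name in used:
                continue
            if pre <= state and not add <= state:   # applicable and not a no-op
                dfs(state | add, used + (name,))

    dfs(initial, ())
    minimal = [p for p in found if not any(q < p for q in found)]
    return sorted(tuple(sorted(p)) for p in minimal)


def plan_distance(p, q):
    """Jaccard distance between two plans' action sets: 0 = identical,
    1 = nothing in common. One simple measure of how different two plans are."""
    p, q = set(p), set(q)
    return 1.0 - len(p & q) / len(p | q)


def min_pairwise_distance(plans):
    """Diversity of a plan set: the smallest distance between any two members."""
    return min((plan_distance(a, b) for i, a in enumerate(plans) for b in plans[i + 1:]),
               default=0.0)


def rank_interventions(actions, initial, goal, interventions):
    """Re-run the attack search under each intervention and rank interventions
    by how many minimal attack paths survive it (fewer is better)."""
    ranked = []
    for name, (drop_facts, block_actions) in interventions.items():
        remaining = find_attack_paths(actions, initial - drop_facts, goal,
                                      frozenset(block_actions))
        ranked.append((name, len(remaining)))
    return sorted(ranked, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    paths = find_attack_paths(ACTIONS, INITIAL, GOAL)
    print(f"{len(paths)} minimal attack path(s), diversity {min_pairwise_distance(paths):.2f}")
    for p in paths:
        print("  {" + ", ".join(p) + "}")
    for name, left in rank_interventions(ACTIONS, INITIAL, GOAL, INTERVENTIONS):
        print(f"{name}: {left} attack path(s) remain")
```

In this toy domain the search finds two minimal attack paths (a mail-borne dropper and one bundled with the file sharing install) that share only the last two attacker actions, which is the kind of alternative the text wants surfaced: a user who, like the participants in the Good et al. study, refuses to give up file sharing can still be offered patching, which cuts both paths, or blocking attachment execution, which cuts only the first. The minimality filter is what keeps the enumeration from reporting every superset of a working path as a new one.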

[1] Somesh Jha et al. Automated generation and analysis of attack graphs. 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[2] Matthias Scheutz et al. Planning for human-robot teaming in open worlds. 2010, TIST.

[3] Subbarao Kambhampati et al. Domain Independent Approaches for Finding Diverse Plans. 2007, IJCAI.

[4] Zinta S. Byrne et al. The Psychology of Security for the Home Computer User. 2012, 2012 IEEE Symposium on Security and Privacy.

[5] Andrew P. Moore et al. Attack Modeling for Information Security and Survivability. 2001.

[6] Silvia Richter et al. The LAMA Planner: Guiding Cost-Based Anytime Planning with Landmarks. 2010, J. Artif. Intell. Res.

[7] Soumya K. Ghosh et al. A planner-based approach to generate and analyze minimal attack graph. 2010, Applied Intelligence.

[8] Raquel Fuentetaja. The CBP planner. 2011.

[9] Deirdre K. Mulligan et al. Stopping spyware at the gate: a user study of privacy, notice and spyware. 2005, SOUPS '05.

[10] Indrajit Ray et al. Optimal security hardening using multi-objective optimization on attack tree models of networks. 2007, CCS '07.

[11] Cynthia A. Phillips et al. A graph-based system for network-vulnerability analysis. 1998, NSPW '98.

[12] Malte Helmert et al. The Fast Downward Planning System. 2006, J. Artif. Intell. Res.

[13] Indrajit Ray et al. Personalized Vulnerability Analysis through Automated Planning. 2011.

[14] P. Haslum. h^m(P) = h^1(P^m): Alternative Characterisations of the Generalisation from h^max to h^m. 2009, ICAPS 2009.

[15] M. Ehrgott. Multiobjective Optimization. 2008, AI Mag.

[16] Yixin Chen et al. Long-Distance Mutual Exclusion for Propositional Planning. 2007, IJCAI.

[17] Alexandra Coman et al. Generating Diverse Plans Using Quantitative and Qualitative Plan Distance Metrics. 2011, AAAI.

[18] Mark S. Boddy et al. Course of Action Generation for Cyber Security Using Classical Planning. 2005, ICAPS.

[19] Maria Fox et al. PDDL2.1: An Extension to PDDL for Expressing Temporal Planning Domains. 2003, J. Artif. Intell. Res.

[20] Matthias Scheutz et al. Finding and exploiting goal opportunities in real-time during plan execution. 2009, 2009 IEEE/RSJ International Conference on Intelligent Robots and Systems.

[21] Ivan Serina et al. Plan Stability: Replanning versus Plan Repair. 2006, ICAPS.

[22] Subbarao Kambhampati et al. G-Value Plateaus: A Challenge for Planning. 2010, ICAPS.

[23] Silvia Richter et al. Landmark-Based Heuristics and Search Control for Automated Planning (Extended Abstract). 2013, IJCAI.

[24] Carlos Sarraute et al. Attack Planning in the Real World. 2013, arXiv.

[25] Wheeler Ruml et al. The Joy of Forgetting: Faster Anytime Search via Restarting. 2010, ICAPS.