Games of Timing for Security in Dynamic Environments

Increasing concern about insider threats, cyber-espionage, and other types of attacks which involve a high degree of stealthiness has renewed the desire to better understand the timing of actions to audit, clean, or otherwise mitigate such attacks. However, to the best of our knowledge, the modern literature on games shares a common limitation: the assumption that the cost and effectiveness of the players’ actions are time-independent. In practice, however, the cost and success probability of attacks typically vary with time, and adversaries may only attack when an opportunity is present (e.g., when a vulnerability has been discovered).
