FlipIn: A Game-Theoretic Cyber Insurance Framework for Incentive-Compatible Cyber Risk Management of the Internet of Things

The Internet of Things (IoT) is highly vulnerable to emerging Advanced Persistent Threats (APTs), which are often operated by well-resourced adversaries. Achieving perfect security for IoT networks is cost-prohibitive, if not impossible, so cyber insurance is a valuable mechanism for transferring the residual cyber risk of IoT systems. In this work, we propose a bi-level game-theoretic framework called FlipIn for designing incentive-compatible and welfare-maximizing cyber insurance contracts. The framework captures the strategic interactions among APT attackers, IoT defenders, and cyber insurers, and incorporates influence networks to assess the systemic cyber risk of interconnected IoT devices. FlipIn formulates a game over networks inside a principal-agent problem of the moral-hazard type, in which the insurer (principal) cannot observe the defenders' (agents') security effort, and uses it to design a cyber-risk-aware insurance contract. We completely characterize the equilibrium solutions of the bi-level games for a network of distributed defenders and for a semi-homogeneous centralized defender, and show that the optimal insurance contracts cover half of the defenders' losses. Our framework predicts the risk compensation of insured defenders, i.e., the Peltzman effect, whereby coverage lowers the defenders' incentive to invest in protection. We study a centralized security management scenario and its decentralized counterpart, and use numerical experiments to show that network connectivity plays an important role in both the security of the IoT devices and the insurability of distributed and centralized defenders.
