Physical Security and Vulnerability Modeling for Infrastructure Facilities


Proceedings of the 39th Hawaii International Conference on System Sciences. (C) 2006 IEEE

Dean A. Jones, Chad E. Davis
Sandia National Laboratories, Albuquerque, NM

Mark A. Turnquist, Linda K. Nozick
Cornell University, Ithaca, NY

Abstract

A model of malicious intrusions in infrastructure facilities is developed, using a network representation of the system structure together with Markov models of intruder progress and strategy. This structure provides an explicit mechanism to estimate the probability of successful breaches of physical security, and to evaluate potential improvements. An example of an intruder attempting to place an explosive device on an airplane at an airport gate illustrates the structure and potential application of the model.

1. Introduction

There is widespread interest in protection of critical infrastructures from malicious attack. The attacks might be either physical intrusions (e.g., to steal vital material, plant a bomb, etc.) or cyber intrusions (e.g., to disrupt information systems, steal data, etc.). The attackers may be international terrorists, homegrown hackers, or ordinary criminals. In 1997, the report of the U.S. President's Commission on Critical Infrastructure Protection identified eight critical infrastructures whose incapacity or destruction would have a debilitating impact on our defense and economic security [11]. In subsequent years, this list of critical infrastructures was expanded and a set of 13 critical infrastructure sectors are included in the National Strategy for Homeland Security [3]. These 13 are: agriculture, food processing, water, public health, government, emergency services, banking and finance, telecommunications, energy, transportation, the chemical industry, postal and shipping services, and the defense industrial base. In this analysis, we focus primarily on transportation facilities, but the approach we suggest could also be used in other infrastructure contexts. For example, a similar type of analysis has been applied to information systems [2].

The objective of the analysis presented here is to provide guidance to system owners and operators regarding effective ways to reduce vulnerabilities of specific facilities. To accomplish this, we develop a Markov Decision Process (MDP) model of how an intruder might try to penetrate the various barriers designed to protect the facility. This intruder model provides the basis for consideration of possible strategies to reduce the probability of a successful attack on the facility.

We represent the system of interest as a network of nodes and arcs. Nodes represent barriers that an intruder must penetrate, and arcs represent movements between barriers that an intruder can make within the system. The adversaries first must penetrate entry points to the system, and if an attempted penetration at a particular entry node is successful, they can traverse edges from the successfully breached node to other nodes in the network that are connected to the one breached. Traversing an edge entails a risk of detection. The adversary is assumed to make the decision that maximizes the probability of successful attack.

Several previous authors have used graph-based methods to represent attackers or defenders in security analyses. Phillips and Swiler [10] introduced the concept of an attack graph to represent sets of system states and paths for an attacker to pursue an objective in disrupting an information system. Several subsequent papers (e.g., [4], [13], [15]) have extended these initial ideas. A number of authors have used Markov models to represent uncertainties in system state in the face of attacks, especially in computer systems (e.g., [4], [7], [13], [14]). In particular, Hidden Markov Models (HMM) focus on intruder detection using indicators that indirectly reflect potential attacker activities (see, for example, [8], [14], [16]).

Jha et al. [4] introduced the idea of using Markov Decision Processes (MDP) for situations in which the intruder's path is probabilistic. By interpreting attack graphs as Markov Decision Processes they computed a probability of intruder success for each attack represented by the graph. In the current work, we also use the idea of computing the probability of a successful attack by characterizing the problem as an MDP. However, our graph structure is different from the normal attack graph structure used in information systems, and thus the underlying network over which the MDP is formulated is different from that used in [4].

Our primary attention is on a class of adversaries that is rational and well informed. By rational, we mean that the adversaries follow a strategy that maximizes the probability of their attack being successful. By well informed, we mean that the adversaries know the probabilities of detection, success, etc. at various stages of the attack, so they can effectively optimize their attacks. Our focus on well-informed adversaries is useful because it leads to an estimate of the probability of successful intrusion that is likely to be an upper bound on the actual value. This, in turn, leads us to be conservative in estimating how well-protected the system is. Less well-informed intruders might also be successful, but their probabilities of success will be smaller. Further exploration of the likely strategies of less informed intruders is, however, an important area for additional work.

We first construct an HMM to represent an intruder's actions at a single node (barrier) in a system.
Then we develop an aggregated representation of that single-node model for inclusion in an MDP model of intruder strategy within a network representation of the entire system.

2. Intrusion attempts at a node

An attempt to penetrate a system barrier (node) and the interaction between the intruder and the intrusion-detection system is modeled using a Hidden Markov Model (HMM). The general concept of such a model is represented in Figure 1. The intruder's actions (the lower portion of the diagram) are assumed to progress through a set of states as a Markov process. The diagram in Figure 1 shows a simplified representation in which transitions are only to sequential states, but the transition matrix used can be more general. Occupancy of various states may result in emanations that are observable by the system operator (represented by the signals in Figure 1). For example, the intruder may be attempting to pick the lock of a door where there is video surveillance. Picking the lock requires an uncertain amount of time, represented by transition through a series of Markov states. While the intruder occupies those states (i.e., during the time that the intruder is attempting to pick the lock), there is a probability that his/her presence will be detected by the video surveillance system.

The general structure of the HMM allows considerable flexibility in defining various types of signals and resulting actions by the system operator. For example, some signals may cause an increased level of surveillance without an alarm being raised. For our current purposes, we use a straightforward definition that a recognized signal from any state constitutes detection and the end of the attempted intrusion. If the intruder reaches a breach state without being detected, we say that the node (barrier) has been breached, and no further emanations will cause the system to detect the intruder at that node. We also include a retreat state that corresponds to an unsuccessful, but undetected, attempt to penetrate the barrier. In that outcome, the intruder can withdraw without raising an alarm.
Figure 1. A hidden Markov model characterizing an attack at a system node. (Diagram labels: Signals a, b, c; Intruder States; k; Breach; Retreat.)

We use a discrete-time, discrete-state HMM characterized by the following equations:

$$X_{n+1} = A^T X_n \qquad (1)$$

$$Y_n = B X_n \qquad (2)$$

for transition steps $n = 1, 2, \ldots$. The state of the system (i.e., presence of the intruder in some node in the lower portion of Figure 1) is represented by the (column) probability vector, X. The dynamics of the system are governed by (1), where A is a transition matrix (i.e., it satisfies the properties $a_{ij} \ge 0$ and $\sum_j a_{ij} = 1$). The states of the system are not observed directly. The process Y is observed, which is a function of the state of the underlying Markov process, X. Each column of B specifies a conditional probability distribution over the possible observations, given that the underlying (hidden) system is in a particular state. The estimated values for B in a given application should reflect any efforts that might be taken by an intruder to reduce the likelihood of detection (e.g., attempting to defeat sensors, create diversions, etc.).

For our purposes, we assume that A and B are known (or have been estimated). We want to use the estimated HMMs at various nodes as the basis for a network-level model of intruder strategy. In large networks, it is useful to abstract the HMM at node v to a simpler representation, as shown in Figure 2. An intruder enters an Attempt state for that barrier (node). The intruder continues to occupy that state until the attempted penetration is detected (and an alarm is raised), the penetration is successful and the barrier is breached, or the intruder retreats.

Figure 2. Aggregated abstraction of the HMM at a node.

To make the abstraction in Figure 2 useful, we must be able to derive the transition probabilities p, s, d and r from the underlying A and B matrices of the HMM. The transition probabilities s, d and r are specified so that the probabilities of detection, successful breach and retreat match those from the original HMM. The transition probability p is specified so the expected length of residence in the attempt state matches the duration of the attempted penetration in the original HMM. In the interests of space, the details are not given here, but they are provided in [5].

The value of the aggregated representation is that it allows us to construct a Markov Decision Process (MDP) of the intruder's strategy at the system level, without carrying along all the detail of states within each node. This is the focus of the following section.

3. Expanding to the system level

At the system level, we represent a network of barriers and potential movements as shown in the simple example in Figure 3. Each node can be expanded using a representation like the one in Figure 2. If the intruder is successful at breaching a particular barrier, he/she has choices about where to go next (which arc to cross). Crossing arc ij entails a probability of detection $\delta_{ij}$, and this is represented in the transition matrix.

Figure 3. Simple system-level network.

We can pose the problem of finding the intruder's optimal strategy as an MDP over an infinite horizon. We define the expected reward to the intruder as a value associated with reaching the success state of a goal node (such as node 8 in the example in Figure 3), which represents an undetected exit from the system after accomplishing a desired action (such as placing a bomb, etc.). If we define this reward value as 1, then the expected rewards calculated at all earlier nodes in the network can be interpreted as probabilities of success, given that the intruder has reached that node.

We assume that the objective of the intruder is to maximize his/her expected reward (probability of successful attack), and we examine the problem of finding the optimal strategy for this objective. Solving this problem positions us to adopt the perspective of the system operator and consider the actions that can have the largest impact on reducing the probability of successful intrusions.
If the intruder is in state i and chooses action $a_i$, we denote the expected value of the future stream of rewards by $w(i, a_i)$. Each possible action $a_i$ implies a change in the transition probabilities that govern the process. We denote the elements of the transition matrix resulting from choosing action $a_i$ as $P_{ij}(a_i)$.

The MDP we define for this problem is positive bounded, and we can find the optimal policy through either policy iteration or linear programming. From a computational standpoint, policy iteration is generally preferable to linear programming for finding solutions, but the linear programming formulation can yield insights that are significant for our current purposes.

Puterman [12] describes the linear programming formulation for positive bounded expected total reward models. The formulation seeks the decision policy (choice of $a_i$) that maximizes the expected value of the reward stream, $w(i, a_i)$. We denote the resulting optimal expected value as $w^*(i)$. As [12] describes in detail, the set of $w^*(i)$ is the smallest set of values of $w(i)$ for which the following inequalities hold for all states, i:

$$w(i) \ge R_i(a_i) + \sum_j P_{ij}(a_i)\, w(j) \qquad (3)$$

where $R_i(a_i)$ is the immediate reward for selecting action $a_i$ when the system state is i. In our application, $R_i(a_i) = 0$ for all states other than the goal state, g, and $R_g(a_g) = 1$ for the dummy action, $a_g$, after achieving the goal state. If we then introduce an arbitrary set of positive scalars, $\beta_i$, with the requirement that $\sum_i \beta_i = 1$, the linear program can be written as follows:

$$\min \sum_i \beta_i\, w(i) \qquad (4)$$

subject to:

$$w(i) - \sum_j P_{ij}(a_i)\, w(j) \ge R_i(a_i) \quad \forall i, a_i \qquad (5)$$

$$w(i) \ge 0 \quad \forall i \qquad (6)$$

This linear program has a dual that can be expressed as follows:

$$\max \sum_i \sum_{a_i} R_i(a_i)\, x_i(a_i) \qquad (7)$$

subject to:

$$\sum_{a_j} x_j(a_j) - \sum_i \sum_{a_i} P_{ij}(a_i)\, x_i(a_i) \le \beta_j \quad \forall j \qquad (8)$$

$$x_i(a_i) \ge 0 \quad \forall i, a_i \qquad (9)$$

In our case, because all but one of the $R_i(a_i)$ values are zero, the dual objective function can be simplified to:

$$\max\; x_g(a_g) \qquad (7')$$

The primal linear program has many more constraints than variables, so it is more effective to solve the dual problem. In addition, it can be shown (see [12]) that in an optimal solution to the dual problem (7)-(9), there is no more than one nonzero $x_i(a_i)$ for each state. The $a_i$ for which $x_i(a_i)$ is nonzero indicates the optimal action $a_i^*$ for each i. The shadow prices on the dual constraints (8) are the values of $w^*(i)$, indicating the probability of successful attack, given that the intruder has reached state i.

4. An illustrative application

As an example of system-level analysis for a specific infrastructure facility, consider an intruder who is attempting to place an explosive device aboard an aircraft while it is sitting at an airport gate, with the intent that it will explode later after the aircraft is in flight. A simplified representation of the barrier network and possible intruder actions is shown in Figure 4 (the network structure is the same as in Figure 3, but the nodes and links have now been labeled as specific barriers and movements).
Figure 4. Illustrative network for analyzing an attempted placement of an explosive device on an aircraft.

The intruder must first gain access to the apron area of the terminal. We postulate that this can occur either by gaining illicit access through the employee gate (e.g., by stealing an employee ID and using it to enter the area), or by entering in a service vehicle at a gate (e.g., in a catering truck). If the intruder is successful in getting access to the area, he/she must then impersonate a legitimate worker in the aircraft gate area, either an airline employee or a service contractor. The crossover arcs between entry and impersonation in Figure 4 indicate that even if the intruder gains access to the apron area using an employee ID, he/she may switch IDs and impersonate a service contractor within the area (or vice versa). This impersonation must be successful for the period of time required to get from the entrance to the aircraft itself.

Approaching the aircraft carries a risk of detection, and the approachable areas on the aircraft if the intruder is impersonating an employee may be different from those that are approachable if he/she is impersonating a service contractor. For example, a person who appears to be an airline maintenance employee might not attract attention approaching the underwing area around the landing gear, whereas a person who appears to be a catering contractor would. For purposes of this example, we consider in Figure 4 three areas of the aircraft where an explosive device might be hidden: inside the wing around the landing gear, in the cargo hold, or in the catering supplies delivered to the galley.

If access to the aircraft is gained, the device must be placed without arousing suspicion. This is represented by the arcs connecting the aircraft area nodes to the exit node. Each of these arcs has a probability of detection. Finally, if the intruder succeeds in gaining access to the aircraft and placing the device, he/she must exit without detection, and this represents the last barrier.
Our modeling premise is that if the intruder is detected after placing the device, it will trigger a thorough search of the aircraft and the device will be discovered, so that the attempted attack will be foiled.

Table 1 summarizes the node data used for the example analysis, and Table 2 shows the probabilities of detection used for the arcs in the example network. These data are all inputs to the analysis and the values shown in Tables 1 and 2 are strictly hypothetical. In practice, these input values would likely be a mixture of estimates based on testing specific elements of the system and subjective estimates (i.e., expert judgment).

Table 1. Example data for network nodes.
Columns: Node (see Figure 4); Expected Time for Attempted Breach (min); Prob. of Success; Prob. of Detection; Prob. of Retreat.
Nodes: Employee Gate; Service Vehicle; Impersonate Employee; Impersonate Contractor; Landing Gear; Cargo Hold; Galley; Undetected Exit.

Table 2. Probability of detection for possible moves.

| Arc | Prob. of Detection |
|---|---|
| Empl. Gate → Impersonate Employee | 0 |
| Empl. Gate → Impersonate Contractor | 0 |
| Service Vehicle → Impersonate Empl. | 0 |
| Service Vehicle → Impersonate Contr. | 0 |
| Impersonate Empl. → Landing Gear | 0.3 |
| Impersonate Empl. → Cargo Hold | 0.2 |
| Impersonate Contr. → Cargo Hold | 0.5 |
| Impersonate Contr. → Galley | 0.1 |
| Landing Gear → Exit | 0.4 |
| Cargo Hold → Exit | 0.2 |
| Galley → Exit | 0.3 |
In the example data, we assume there is no retreat at the stage of exiting after placing the device; at that stage either the attack is successful or it is detected. Also note that the probability of detection on the arcs leading to the impersonation nodes is zero. This is because we are treating the impersonation process (and time) as a barrier (node), so the probability of detection is lumped at the nodes, rather than on the arcs.

For this set of input data, the solution for the optimal intruder strategy can be summarized as shown in Figure 5. To the left of each node is the probability of successful attack, given that the intruder is arriving at that barrier. To the right of each node is the probability of success, given that the intruder has successfully negotiated that barrier. There is only one value shown for the exit node (i.e., the approaching probability), because once that node is successfully negotiated, the attack has been a success, by definition.

Figure 5. Summary of intruder strategy and probability of success.

The dashed line indicates the optimal path for an intruder (i.e., the path that maximizes the probability of success). This is the path of greatest vulnerability to the system. In our simple example, we would compute a probability of successful attack of 0.11 for an intruder whose strategy is to gain entry to the apron area through the employee gate, then switch IDs and impersonate a contractor (probably a catering service worker) to access the aircraft galley and place the device there before exiting.

The existence of this strategy does not mean that all intruders will always proceed in exactly the way indicated. It does mean that if all intruders were rational and well informed (in the sense described at the beginning of the paper), this would be a strategy through which they could maximize the probability of a successful attack.
The actual probability of successful attack is likely to be less than this maximum value because intruders will have less-than-complete information and may not optimize their strategy.

The solution to the MDP model also provides useful information on the conditional probability of success for an attacker that reaches a certain point in the network, regardless of whether or not he/she followed the optimal strategy. For example, if an intruder succeeds in reaching the cargo hold of the aircraft (despite the fact that this is not an optimal strategy), the probability of a successful attack from that point on is This information can be extended to represent a vulnerability tree as shown in Figure 6. This tree indicates the optimal strategy for continuing an attack by an intruder who reaches a given node, regardless of how he/she arrived there. This information adds value to system security studies over and above the identification of the single most vulnerable path for a system intruder.

Having established a base-case vulnerability assessment for the system, we can proceed to a series of "what if" analyses to examine the impact of potential changes to improve security. For example, what if an attempt were made to reduce the likelihood of successful attack along the most vulnerable path by more carefully checking contractors moving in the aircraft gate area and delivering food to the galley? We will represent this change in operational policy by increasing the probability of detection of someone impersonating a contractor moving in the gate area to 0.5 (and correspondingly decreasing the probability of successful impersonation to 0.4). We will represent the effect of increasing the vigilance on contractors entering the galley area of the aircraft by increasing the probability of detection on that access arc to 0.3.

Figure 6. Vulnerability tree.

Figure 7 summarizes the results of those changes. The well-informed intruder adapts by changing
his/her strategy, and now impersonates an airline employee, making an attempt to place the explosive device in the cargo hold of the aircraft rather than in the galley. The overall probability of success has declined, but only marginally, to Of course, the change might have somewhat greater short-term effectiveness (i.e., before the potential intruder can learn of it and change strategy), but it is unlikely to produce very significant improvements in security over a longer period.

Figure 7. Revised intruder strategy after increases in monitoring levels for contractors.

One strategy for achieving greater long-term improvement in security is to focus on cut sets in the intrusion network. This idea is illustrated in Figure 8, which shows a cut set constructed across the arcs representing access to the aircraft. If simultaneous improvements in detection rates for intruders are made in all arcs of the cut set, it is more difficult for the intruder to change strategy to avoid the higher-security paths because all paths must cross the cut set.

Figure 8. Illustration of cut set.

As an example, suppose that instead of focusing just on contractors, as in our first experiment, the probability of detection were increased to 0.6 on all arcs in the cut set shown in Figure 8. The resulting solution for intruder strategy is shown in Figure 9. The optimal intruder strategy has shifted from the galley to the cargo hold in response to this change, and the overall probability of successful attack has decreased to 0.075, a 32% decrease from the original value of

Figure 9. Intruder strategy and probability of success after increasing detection probability on cut set arcs to 0.6.

The model structure developed here can also be used to answer a variety of other questions. For example, suppose we were to focus our attention on the cut set in Figure 8. We have seen that an increase in the detection probability on those arcs to 0.6 results in a noticeable reduction in overall success probability for the intruder.
How high would the detection probability on those cut set arcs have to be in order to reduce the overall intrusion success probability to 0.01? We can determine that the required detection probability is We can also use the model to examine combinations of strategies. For example, suppose we thought it would be feasible to increase the detection rate on the aircraft access arcs to 0.9, but not to If 0.9 were achieved on those arcs, how much better would the detection probability have to be at the impersonation nodes preceding those arcs in order to achieve an overall success probability of no more than 0.01? We can do a quick search with the model and determine that the answer to this question is That is, we would have to be able to maintain a 68% chance of detection of impersonators (of both employees and contractors), along with a 90% chance of detection of intruders approaching an aircraft, in order to reduce the probability of a successful attack to
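The what-if and cut-set analyses of this section can be run as a small value iteration, shown here as an added example that is not the authors' code. The arc detection probabilities are the page's Table 2 values; the node success probabilities and the short node names are constructed assumptions (the Table 1 values are not on the page), and a retreat is assumed to end the attack, so the outputs do not reproduce the paper's figures.

```python
# Added example: barrier-network MDP used for a defender's what-if analysis.
# Probability that an attempt at each barrier succeeds undetected.
# CONSTRUCTED values (assumption): detection or retreat at a node ends the
# attack with value 0, so only the success probability is needed here.
NODE_SUCCESS = {
    "EmplGate": 0.5, "ServiceVehicle": 0.4,
    "ImpEmployee": 0.5, "ImpContractor": 0.6,
    "LandingGear": 0.6, "CargoHold": 0.6, "Galley": 0.8,
    "Exit": 0.9,
}
# Probability of detection on each movement arc (Table 2 on the page).
ARC_DETECT = {
    ("EmplGate", "ImpEmployee"): 0.0, ("EmplGate", "ImpContractor"): 0.0,
    ("ServiceVehicle", "ImpEmployee"): 0.0,
    ("ServiceVehicle", "ImpContractor"): 0.0,
    ("ImpEmployee", "LandingGear"): 0.3, ("ImpEmployee", "CargoHold"): 0.2,
    ("ImpContractor", "CargoHold"): 0.5, ("ImpContractor", "Galley"): 0.1,
    ("LandingGear", "Exit"): 0.4, ("CargoHold", "Exit"): 0.2,
    ("Galley", "Exit"): 0.3,
}
ENTRY_NODES = ("EmplGate", "ServiceVehicle")
GOAL = "Exit"
# Cut set: every arc that gives access to the aircraft.
CUT_SET = [arc for arc in ARC_DETECT if arc[0].startswith("Imp")]


def solve(node_success, arc_detect, goal=GOAL, tol=1e-12):
    """Value iteration from w = 0, which converges to the smallest w
    satisfying w(i) >= s_i * (1 - delta_ij) * w(j) for every arc ij.
    w[i] is the success probability for an intruder arriving at barrier i."""
    w = {n: 0.0 for n in node_success}
    policy = {}
    while True:
        change = 0.0
        for i in node_success:
            if i == goal:
                cont = 1.0  # reward 1 for an undetected exit
            else:
                options = {j: (1.0 - d) * w[j]
                           for (a, j), d in arc_detect.items() if a == i}
                best = max(options, key=options.get, default=None)
                cont = options[best] if best is not None else 0.0
                policy[i] = best
            new = node_success[i] * cont
            change = max(change, abs(new - w[i]))
            w[i] = new
        if change < tol:
            return w, policy


def assess(node_success, arc_detect):
    """Worst-case success probability over entry nodes, and the path
    (the system's most vulnerable path) that attains it."""
    w, policy = solve(node_success, arc_detect)
    start = max(ENTRY_NODES, key=w.get)
    path = [start]
    while path[-1] != GOAL:
        path.append(policy[path[-1]])
    return w[start], path


def harden_arcs(arc_detect, arcs, detect):
    """Copy of arc_detect with detection raised to `detect` on `arcs`."""
    out = dict(arc_detect)
    for arc in arcs:
        out[arc] = max(out[arc], detect)
    return out


def required_cut_detection(target, iters=60):
    """Bisection for the common detection probability on the cut-set arcs
    that brings the worst-case success probability down to `target`."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        arcs = {**ARC_DETECT, **{a: mid for a in CUT_SET}}
        if assess(NODE_SUCCESS, arcs)[0] <= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print("base case:", assess(NODE_SUCCESS, ARC_DETECT))
    cut = harden_arcs(ARC_DETECT, CUT_SET, 0.6)
    print("cut set at 0.6:", assess(NODE_SUCCESS, cut))
    print("cut-set detection for 0.01:", required_cut_detection(0.01))
```

With these constructed inputs the single-path hardening moves the best path from the galley to the cargo hold, while raising detection on the whole cut set lowers the worst case without leaving a cheaper path to switch to.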
5. Optimizing resource allocation for security improvement

The illustrative analysis in Section 4 leads us to an obvious question: If it were possible to estimate a cost function for changes within the network that would reduce the likelihood of a successful intrusion, could we identify the most effective (i.e., minimum cost) way of achieving a desired (small) probability of successful intrusion? This question can be answered using a bilevel optimization formulation. At the upper level we have an optimization that determines changes at nodes and arcs in the network so as to minimize cost, subject to a constraint that the resulting probability of successful attack is no greater than a specified value. However, the probability of successful attack is determined as the solution to a lower level optimization (optimizing the intruder's strategy, given the characteristics of the network he/she is facing).

To be more specific about this optimization, consider again the model of the intruder's strategy expressed in equations (4)-(6). There are at least five ways that the system operator (or defender) can act to reduce the likelihood that the intruder will be successful:

- Increase the probability of detection at barrier (node) i; this might be accomplished either by increasing the sensitivity of the detection process, or by increasing the time required to penetrate the barrier, allowing the existing detection mechanisms more time to be effective.
- Increase the probability of detection on movement arcs ij between nodes.
- Add new barriers that must be negotiated; this is represented by a new node in the network, with reconnection of existing arcs to force some (or all) intruders' paths to go through the new node.
- Remove existing arcs in the network; this represents some additional constraints (either physical or virtual) on movement within the system.
- Reduce the level of information that potential intruders have about the system structure and detection probabilities, creating additional uncertainty for the intruders, and perhaps some level of disinformation that would lead them to make poor choices in their attack strategy.

From the standpoint of the model we have defined, the third and fourth strategies listed can be considered to be special (extreme) cases of the first two strategies (for more detailed discussion of this, see [5]). The fifth strategy is quite different from the first two, and needs to be analyzed in a separate way. This is described further in the following section as an extension of the work in the current paper.

For our current analysis, we will focus on the first two strategies for reducing the vulnerability of the system (implicitly including the third and fourth as well). Suppose that the initial detection probability at node i is denoted $d_i^0$, and the increase in that probability is denoted $\Delta_i$, so that the actual detection probability in effect is $d_i = d_i^0 + \Delta_i$. Similarly, we will assume that the initial detection probability on arc ij is $\delta_{ij}^0$, and the increase in that probability is $\gamma_{ij}$, so the actual detection probability in effect is $\delta_{ij} = \delta_{ij}^0 + \gamma_{ij}$.

Increases in the detection probabilities are assumed to require expenditures $C_i(\Delta_i)$ and $K_{ij}(\gamma_{ij})$. In the current formulation, the cost functions are separable by node and arc, but a more general cost function could be used without changing the structure of the bilevel optimization formulation. We will use E to denote the set of entry nodes to the system network, and then express the upper level problem as follows:

$$\min \sum_i C_i(\Delta_i) + \sum_{ij} K_{ij}(\gamma_{ij}) \qquad (10)$$

subject to:

$$w^*(i) \le W^* \quad \forall i \in E \qquad (11)$$

$$d_i = d_i^0 + \Delta_i \quad \forall i \qquad (12)$$

$$\delta_{ij} = \delta_{ij}^0 + \gamma_{ij} \quad \forall ij \qquad (13)$$

$$\Delta_i \ge 0 \quad \forall i \qquad (14)$$

$$\gamma_{ij} \ge 0 \quad \forall ij \qquad (15)$$

In (11), the $w^*(i)$ values are the optimal solution to the lower level problem, specified as follows:

$$\min \sum_i \beta_i\, w(i) \qquad (16)$$

subject to:

$$w(i) - \sum_j P_{ij}(a_i \mid d_i, \delta_{ij})\, w(j) \ge 0 \quad \forall i \ne g, a_i \qquad (17)$$

$$w(g) - \sum_j P_{gj}(a_g \mid d_g, \delta_{gj})\, w(j) \ge 1 \quad \forall a_g \qquad (18)$$

$$w(i) \ge 0 \quad \forall i \qquad (19)$$

In (17) and (18), the transition matrix is written as $P_{ij}(a_i \mid d_i, \delta_{ij})$ to reflect the fact that it depends on the values of $d_i$ and $\delta_{ij}$ determined in the upper problem. The lower problem in (16)-(19) is the same problem as in (4)-(6), but is rewritten to reflect the specific knowledge of $R_i(a_i)$ values that are relevant to this problem, and to emphasize its connection to the upper problem in (10)-(15).

A solution procedure for this bilevel optimization searches over possible values of $\Delta_i$ and $\gamma_{ij}$, and for each set of values, solves the lower problem to find $w^*(i)$ (after translating the $d_i$ and $\delta_{ij}$ values into a new transition matrix $P_{ij}(a_i \mid d_i, \delta_{ij})$). A general issue (which is endemic to bilevel models) is that it is difficult to guarantee convergence of solution algorithms to true optimal solutions in the upper model. Bard [1] describes this general difficulty.

6. Extensions

Several extensions to the model described here are possible and desirable. In addition to further development of the bilevel optimization ideas discussed in the previous section, there are two extensions that seem particularly important.

First, it is useful to incorporate imperfect information on the part of the intruders. This allows us to begin exploration of the fifth defender strategy mentioned in section 5. One very direct way to do this is to embed the MDP model in a simulation where uncertainty in the perceptions of the detection probabilities is reflected. This is one type of limitation on the information assumed to be available to the attackers. Variations in the perceptions of the detection probabilities can lead to different strategies for different intruders, and the effect (from the system operator's perspective) is that potential attacks appear to be following a mixed (or randomized) strategy.
This form of simulation is a step in the general direction of considering the system to be a partially observable Markov decision process (POMDP) from the perspective of the intruder. The simulation approach can also be used to analyze other types of imperfect information on the part of intruders, for example, imperfect knowledge of what arcs exist in the network for movement among nodes, or even imperfect information as to what nodes exist.

A second useful extension is to create semi-Markov models for the processes of attempted penetration of barriers. This would allow more accurate representation of the uncertain time required to penetrate a given barrier, as well as offer a broader range of opportunities for modeling various types of time-dependent detection probabilities. This extension could improve the range of applicability of the model.

7. Conclusions

The objective of the analysis presented here is to provide guidance to system owners and operators regarding effective ways to reduce vulnerabilities of specific infrastructure facilities. To accomplish this, we have developed a Markov Decision Process (MDP) model of how an intruder might try to penetrate the various barriers designed to protect the facility. The solution to this MDP model provides insight into the level of vulnerability of the facility (the probability of successful intrusion) and indicates where the vulnerabilities are (the most likely paths for the intruder).

The intruder model also provides the basis for consideration of possible strategies to reduce the probability of a successful attack on the facility. Illustrations of using the model in this way are provided in the case study analysis in section 4. The process of searching for cost-effective strategies to reduce system vulnerability can be formally cast as a bilevel optimization problem, as discussed in section 5. This provides a promising direction for further work.
Successful implementation of the model described in this paper depends very directly on two important tasks: 1) constructing large-scale networks that represent the various barriers and movement possibilities in a system; and 2) estimating the various probabilities embedded in the A and B matrices that are elements of the HMMs at each network node. Quite clearly, if the constructed network does not reflect accurately the barriers to intrusion and possible
paths for intruders, the resulting computations from the model will be flawed. Constructing an accurate network representation requires significant system knowledge and also the ability to think like an attacker. Estimating the probabilities is also a challenging task. There are tools that have been created for estimating HMM matrices in other application contexts, and the experience gained in those other contexts should provide important insight for this task.

The process of testing, implementing and enhancing the model is an ongoing one, with the expectation that this approach will become an important new tool for the protection of critical infrastructure facilities.

References

[1] Bard, J.F., Some Properties of the Bilevel Programming Problem, Journal of Optimization Theory and Applications, 68:2, 1991.
[2] Carlson, R.E., Turnquist, M.A. and Nozick, L.K., Expected Losses, Insurability and Benefits from Reducing Vulnerability to Attacks, Report SAND, Sandia National Laboratories, Albuquerque, NM.
[3] Executive Office of the President, National Strategy for Homeland Security, July 2002, available on line at
[4] Jha, S., Sheyner, O., and Wing, J.M. Two Formal Analyses of Attack Graphs, 15th IEEE Computer Security Foundations Workshop, June 2002, Cape Breton, NS, Canada.
[5] Jones, D.A., Turnquist, M.A. and Nozick, L.K., Physical Security and Vulnerability Modeling for Infrastructure Facilities, Report SAND2005xxxx, Sandia National Laboratories, Albuquerque, NM.
[6] Katsikas, S.K., Gritzalis, D., and Spirakis, P., Attack Modelling in Open Network Environments, Communications and Multimedia Security II, 1996.
[7] Katsikas, S.K., Spyrou, T., Gritzalis, D., and Darzentas, J., Model for Network Behaviour under Viral Attack, Computer Communications, 19:2, 1996.
[8] Ourston, D., Matzner, S., Stump, W., and Hopkins, B., Applications of Hidden Markov Models to Detecting Multistage Network Attacks, 36th Hawaii International Conference on Systems Science, IEEE Computer Society, Hawaii, 2003, CD-ROM, 10p.
[9] Ourston, D., Matzner, S., Stump, W., and Hopkins, B. Coordinated Internet Attacks: Responding to Attack Complexity, Journal of Computer Security, 12:2, 2004.
[10] Phillips, C.A., and Swiler, L.P., A Graph-Based System for Network Vulnerability Analysis, Proceedings of the 1998 New Security Paradigms Workshop, Association for Computing Machinery, 1998.
[11] President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, The White House, Washington, DC.
[12] Puterman, M.L. Markov Decision Processes. Wiley, New York.
[13] Sheyner, O., Haines, J., Jha, S., Lippmann, R., and Wing, J.M., Automated Generation and Analysis of Attack Graphs, Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, Berkeley, CA, May 2002.
[14] Soh, B.C., and Dillon, T.S. Setting Optimal Intrusion Detection Thresholds, Computers & Security, 14:7, 1995.
[15] Swiler, L.P., Phillips, C.A., Ellis, D., and Chakerian, S., Computer Attack Graph Generation Tool, Proceedings of the 2nd DARPA Information Survivability Conference and Exposition, 2001.
[16] Warrender, C., Forrest, S. and Pearlmutter, B. Detecting Intrusions Using System Calls: Alternative Data Models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999.