Formulating Cyber-Security as Convex Optimization Problems

Kyriakos G. Vamvoudakis, João P. Hespanha, Richard A. Kemmerer, and Giovanni Vigna
University of California, Santa Barbara

Abstract. Mission-centric cyber-security analysts require a complete overview and understanding of the state of a mission and any potential threats to its completion. To facilitate this, we propose optimization-based algorithms that can be used to predict in real-time how an attacker may try to compromise a cyber-mission with a limited amount of resources, based on a model that takes into account potential damage to the mission and probabilistic uncertainty. Two different optimization schemes are considered: one where all the mission data is known a priori to the attacker and another where system identification and a moving horizon optimization are used to produce the estimates based on historical data. Our schemes are compared with real attacks carried out by human players in the 2011 international Capture The Flag (iCTF) hacking competition.

Keywords: Cyber-Security, Convex Optimization, System Identification, iCTF

This material is based upon work supported by ARO MURI Grant number W911NF-09-1-0553. K. G. Vamvoudakis and J. P. Hespanha are with the Center for Control, Dynamical Systems and Computation (CCDC), University of California, Santa Barbara, CA 93106-9560 USA, e-mail: kyriakos@ece.ucsb.edu, hespanha@ece.ucsb.edu. R. A. Kemmerer and G. Vigna are with the Computer Security Lab, University of California, Santa Barbara, CA 93106-9560 USA, e-mail: kemm@cs.ucsb.edu, vigna@cs.ucsb.edu.

1 Introduction

Guaranteeing the security of cyber-missions is a complex, multi-dimensional challenge that demands a multi-faceted, strategic solution. The term cyber-mission refers to a set of computer transactions aimed at accomplishing a specific purpose or task, such as placing an online shopping order, submitting a paper to a conference through an online submission system, or printing a bank statement at an ATM machine. Cyber-missions typically require a large number of computer services, including encryption services, authentication servers, database engines, and web servers. We are especially interested in cyber-missions
that go through several states, each of which may require one or more computer services. Cyber-missions are especially vulnerable to attacks because it may be possible to prevent the mission's completion by compromising just one of the multiple services required by the mission, provided that the right service is compromised at the right time. Cyber-missions are pervasive and can be found in trading, banking, power systems management, road traffic management, healthcare, online shopping, business-to-business transactions, etc. The disruption of cyber-missions can thus result in cyber or physical consequences that threaten national and economic security, critical infrastructure, public health, and welfare. Moreover, stealthy cyber-attackers can lay a hidden foundation for future exploitation or attacks, which they can later execute at a time of greatest advantage. Securing cyberspace requires a layered security approach across the public and private sectors.

In the cyber-mission security domain, the security analyst is interested in making decisions based on the potential damage that attacks can inflict on the mission and also on the probability that the potential damage is realized. To focus their attention and coordinate defensive actions, security professionals must be able to determine which attacks present the biggest threat and prioritize which services to defend, a problem often referred to as cyber situation awareness. Situation awareness [3] is a common feature of many cyber-security solutions, but most of them are fragmented. In this paper, we present a model that can be used to predict how an attacker may try to compromise a cyber-mission with a limited amount of resources, based on a model that takes into account potential damage to the mission and probabilistic uncertainty. The approach followed here is motivated by the need to avoid flooding the security analyst with raw data about complex missions and detailed logs from intrusion detection systems (IDS). Instead, an automated or semi-automated system should process this data and present the analyst with high-level information about the computer services that are currently most crucial for mission completion and thus most likely to be the target of attacks, based on the current state of the mission and its expected future evolution.

To achieve this we propose a relatively general model to describe the damage to a cyber-mission caused by potential attacks. This model can be utilized in optimization schemes to discover optimal policies to distribute attack resources over time and over the different computer services relevant to the mission so as to maximize damage to the cyber-mission. The model proposed needs mission parameters that typically vary with time according to complex dynamics, which are difficult to determine in an analytic fashion. To avoid this difficulty, we learn such parameters using system identification of low-order state-space models that are used to make predictions of the parameters' evolution for a reasonable future time horizon.

Security competitions are exceptional venues for researchers to discover and validate novel security solutions. The international Capture The Flag (iCTF) [5] is a distributed wide-area security exercise whose goal is to test the security skills of the participants. The iCTF contest is organized by the Security Lab of the Department of Computer Science at UCSB and is held once a year. The Capture the Flag contest is a multi-site, multi-team hacking contest in which a number of teams compete independently against each other. The 2011 edition of the iCTF was aimed at Cyber-Situation Awareness and, to our knowledge, produced the first experimental dataset that includes mission descriptions as well as attack logs and the status of the computer services required by the missions [2, 5]. We have used this data to validate the algorithms presented in this paper and show their efficacy in predicting attacks on cyber-missions by the human participants in the exercise. The results presented in this paper were also used in the design of a high-level visualization tool to help security analysts protect the computer systems under attack in the 2011 iCTF competition [4]. We are in the process of developing human subject experiments to demonstrate the benefits of using the predictions generated by the methodology proposed in this paper, instead of searching through mission traces and security logs.

The remainder of the paper is structured as follows. Section 2 develops the general mathematical framework for cyber-security and then describes how one can use classical system identification techniques to identify the completely unknown or partially known time-varying processes. Section 3 describes an optimization problem to discover how an attacker would optimally allocate her resources across all the services as time evolves, for two different scenarios. The first assumes that all the mission data is known to the attacker, whereas the second one uses a moving horizon optimization scheme that estimates this data online to predict when and where to attack. In Section 4, the algorithms proposed are applied to data from the 2011 iCTF competition. Comparison results between how the teams in the competition attacked and the results obtained by the optimization schemes are presented in Section 5. Finally, Section 6 concludes and discusses future work.

2 General Framework for Cyber-Security

This section presents a general framework to model mission-critical cyber-security scenarios.

2.1 Cyber-Mission Damage Model

Suppose that the (potential) damage that an attacker can inflict on a cyber-mission is quantified by a scalar $x^{PD} \ge 0$ that is a function of the level of attack resources $u \ge 0$ devoted to the attack. The mapping from attack resources to potential damage is expressed by the so-called potential damage equation, which we approximate by a linear map:

$$x^{PD} = f(u) = a + b\,u, \qquad (1)$$

where $a \in \mathbb{R}$ can be viewed as the zero-resource damage level, and $b \in \mathbb{R}$ as the marginal damage per unit of attack resources.
Whether or not the potential damage to the mission $x^{PD}$ is realized is assumed to be a stochastic event that occurs with a given probability $\rho \in [0,1]$ that also depends on the attack resources $u \in \mathbb{R}$, according to the so-called uncertainty equation, which we approximate by a linear map projected onto the interval $[0,1]$:

$$\rho = g(u) = \Pi_{[0,1]}(c - d\,u), \qquad (2)$$

where $\Pi_{[0,1]} : \mathbb{R} \to \mathbb{R}$ denotes the projection function

$$\Pi_{[0,1]}(x) = \begin{cases} 0 & x < 0 \\ x & x \in [0,1] \\ 1 & x > 1, \end{cases}$$

the scalar $c \ge 0$ corresponds to a zero-resource probability of damage, and the scalar $d \ge 0$ to the marginal decrease in the probability of damage per unit of attack resources. We note that an increase in attack resources leads to an increase in the potential damage $x^{PD}$ [expressed by the $+$ sign before the $b$ term in (1)], but may actually decrease the probability that the potential damage will be realized [expressed by the $-$ sign before the $d$ term in (2)], which is motivated by the fact that a large-scale attack is more likely to trigger defense mechanisms that can prevent the potential damage from being realized. The total expected damage $y^{TD}$ to the mission can be found by multiplying equations (1) and (2), leading to the expected damage equation

$$y^{TD} = f(u)\,g(u). \qquad (3)$$

In the context of cyber-missions that evolve over time and require multiple computer services, the potential damage equation (1) and the uncertainty equation (2) need to be augmented with an index $t \in \{1, 2, \ldots, T\}$ that parameterizes mission time and an index $s \in \{1, 2, \ldots, S\}$ that parameterizes the required computer services, as in

$$x^{PD}_{st} = f_{st}(u_{st}) = a_{st} + b_{st}\,u_{st}, \qquad (4)$$

$$\rho_{st} = g_{st}(u_{st}) = \Pi_{[0,1]}(c_{st} - d_{st}\,u_{st}), \qquad (5)$$

where $u_{st}$ denotes the attack resources committed to attacking service $s$ at time $t$, $x^{PD}_{st}$ the potential damage at time $t$ due to an attack on service $s$, and $\rho_{st}$ the probability of realizing this damage. The corresponding expected damage equation then becomes:

$$y^{TD} = \sum_{t=1}^{T}\sum_{s=1}^{S} f_{st}(u_{st})\,g_{st}(u_{st}). \qquad (6)$$

3 Optimization

An intelligent attacker would seek to optimally allocate her available resources to maximize the total expected mission damage. We shall consider here several options for this optimization that differ in the information that is available to the attacker.

3.1 Optimization Scheme with Known Mission Damage Data

When all the data $\{a_{st}, b_{st}, c_{st}, d_{st} : \forall s, t\}$ that define the potential damage and uncertainty equations are known a priori, the optimal attack resource allocation can be determined by solving the following optimization:

$$\begin{aligned} &\text{maximize} && \sum_{t=1}^{T}\sum_{s=1}^{S} f_{st}(u_{st})\,g_{st}(u_{st}) \\ &\text{subject to} && \sum_{t=1}^{T}\sum_{s=1}^{S} u_{st} \le U^{TR} \\ &\text{w.r.t.} && u_{st} \in [0, \infty), \ \forall s, \forall t, \end{aligned} \qquad (7)$$

where $U^{TR}$ denotes the total budget of attack resources available to the attacker. As stated in the following proposition, this optimization can be converted into the following concave maximization.

Proposition 1. When the functions $f_{st}, g_{st}$ are of the form (4)–(5) with $a_{st}, b_{st}, c_{st}, d_{st} \ge 0$, $\forall s, t$, the value and optimum of (7) can be obtained through the following concave maximization problem:

$$\begin{aligned} &\text{maximize} && \sum_{t=1}^{T}\sum_{s=1}^{S} (a_{st} + b_{st}\,u_{st})(c_{st} - d_{st}\,u_{st} - \sigma_{st}) \\ &\text{subject to} && \sum_{t=1}^{T}\sum_{s=1}^{S} u_{st} \le U^{TR}, \qquad c_{st} - d_{st}\,u_{st} - \sigma_{st} \le 1, \ \forall s, \forall t \\ &\text{w.r.t.} && u_{st} \in \Big[0, \frac{c_{st}}{d_{st}}\Big], \ \sigma_{st} \ge 0, \ \forall s, \forall t. \end{aligned} \qquad (8)$$

When $c_{st} \in [0,1]$, one can set the corresponding $\sigma_{st} = 0$ in (8). Moreover, when $c_{st} \in [0,1]$, $\forall s, t$, and all the constraints on the $u_{st}$ are inactive, the solution to this optimization can be found in closed form and is equal to

$$u_{st} = \bar u_{st} - \mu_{st}\max\Big\{0, \sum_{t=1}^{T}\sum_{s=1}^{S}\bar u_{st} - U^{TR}\Big\}, \qquad \bar u_{st} = \frac{b_{st}c_{st} - a_{st}d_{st}}{2 b_{st} d_{st}}, \qquad \mu_{st} = \frac{\dfrac{1}{2 b_{st} d_{st}}}{\sum_{t=1}^{T}\sum_{s=1}^{S}\dfrac{1}{2 b_{st} d_{st}}}.$$

Note that, if any of the constraints on the attack resources are active, a closed-form solution may not be easy to obtain and one has to solve the optimization problem (8) instead.

Proof. To prove that (7) and (8) are equivalent, we start by noting that

$$g_{st}(u_{st}) = \begin{cases} 0 & c_{st} - d_{st}u_{st} \le 0 \ \Leftrightarrow\ u_{st} \ge \dfrac{c_{st}}{d_{st}} \\[4pt] c_{st} - d_{st}u_{st} & 0 \le c_{st} - d_{st}u_{st} \le 1 \ \Leftrightarrow\ u_{st} \in \Big[\dfrac{c_{st}-1}{d_{st}}, \dfrac{c_{st}}{d_{st}}\Big] \\[4pt] 1 & c_{st} - d_{st}u_{st} \ge 1 \ \Leftrightarrow\ u_{st} \le \dfrac{c_{st}-1}{d_{st}}. \end{cases}$$

Suppose, by contradiction, that (8) could lead to a larger maximum than (7). The condition $u_{st} \in [0, c_{st}/d_{st}]$ guarantees that the same set of $u_{st}$ satisfies the constraints of (7) and that

$$g_{st}(u_{st}) = \begin{cases} c_{st} - d_{st}u_{st} & c_{st} - d_{st}u_{st} \le 1 \ \Leftrightarrow\ u_{st} \ge \dfrac{c_{st}-1}{d_{st}} \\[4pt] 1 & c_{st} - d_{st}u_{st} \ge 1 \ \Leftrightarrow\ u_{st} \le \dfrac{c_{st}-1}{d_{st}}, \end{cases}$$

and the condition $c_{st} - d_{st}u_{st} - \sigma_{st} \le 1$ guarantees that

$$\begin{cases} c_{st} - d_{st}u_{st} - \sigma_{st} \le c_{st} - d_{st}u_{st} = g_{st}(u_{st}) & u_{st} \ge \dfrac{c_{st}-1}{d_{st}} \\[4pt] c_{st} - d_{st}u_{st} - \sigma_{st} \le 1 = g_{st}(u_{st}) & u_{st} \le \dfrac{c_{st}-1}{d_{st}}, \end{cases}$$

which shows that $c_{st} - d_{st}u_{st} - \sigma_{st} \le g_{st}(u_{st})$ and therefore (8) cannot lead to a larger maximum than (7).

Suppose now, also by contradiction, that (7) could lead to a larger maximum than (8). First note that if a few of the $u_{st}$ that maximize (7) were larger than $c_{st}/d_{st}$, for those we would have $g_{st}(u_{st}) = 0$ and the same exact cost could be obtained for (7) by replacing each of these with $c_{st}/d_{st}$. So we may assume, without loss of generality, that all the $u_{st}$ are smaller than or equal to $c_{st}/d_{st}$. In this case, we could use the same $u_{st}$ in (8) and set

$$\sigma_{st} = \begin{cases} 0 & c_{st} - d_{st}u_{st} \le 1 \\ c_{st} - d_{st}u_{st} - 1 & c_{st} - d_{st}u_{st} > 1. \end{cases}$$

This selection of $\sigma_{st}$ would satisfy the constraints of (8) and guarantee that $g_{st}(u_{st}) = c_{st} - d_{st}u_{st} - \sigma_{st}$, and therefore (7) and (8) would lead to the same maximum. This completes the proof that (7) and (8) are equivalent.

The optimization scheme just defined is a concave maximization problem (convex minimization) with linear constraints. The dual problem is given by

$$\begin{aligned} J^K &= \max_{\lambda \ge 0,\ \eta \ge 0,\ \zeta \ge 0}\ \max_{u_{st} \in \mathbb{R}} \sum_{t=1}^{T}\sum_{s=1}^{S}\Big[(a_{st} + b_{st}u_{st})(c_{st} - d_{st}u_{st}) - \lambda u_{st} + \eta_{st}\Big(\frac{c_{st}}{d_{st}} - u_{st}\Big) + \zeta_{st}u_{st}\Big] + \lambda U^{TR} \\ &= \max_{\lambda \ge 0,\ \eta \ge 0,\ \zeta \ge 0}\ \max_{u_{st} \in \mathbb{R}} \sum_{t=1}^{T}\sum_{s=1}^{S}\Big[a_{st}c_{st} - a_{st}d_{st}u_{st} + b_{st}c_{st}u_{st} - b_{st}d_{st}u_{st}^2 - \lambda u_{st} + \eta_{st}\frac{c_{st}}{d_{st}} - \eta_{st}u_{st} + \zeta_{st}u_{st}\Big] + \lambda U^{TR} \\ &= \max_{\lambda \ge 0,\ \eta \ge 0,\ \zeta \ge 0}\ \max_{u_{st} \in \mathbb{R}} \sum_{t=1}^{T}\sum_{s=1}^{S}\Big[a_{st}c_{st} - b_{st}d_{st}u_{st}^2 + (b_{st}c_{st} - a_{st}d_{st} + \zeta_{st} - \eta_{st} - \lambda)\,u_{st} + \eta_{st}\frac{c_{st}}{d_{st}}\Big] + \lambda U^{TR}. \end{aligned}$$

The inner maximization can be solved using standard calculus and is achieved for

$$u_{st} = \frac{b_{st}c_{st} - a_{st}d_{st} + \zeta_{st} - \eta_{st} - \lambda}{2 b_{st} d_{st}},$$

yielding

$$J^K = \max_{\lambda \ge 0,\ \eta \ge 0,\ \zeta \ge 0} \sum_{t=1}^{T}\sum_{s=1}^{S}\Big[a_{st}c_{st} + \frac{(b_{st}c_{st} - a_{st}d_{st} + \zeta_{st} - \eta_{st} - \lambda)^2}{4 b_{st} d_{st}} + \eta_{st}\frac{c_{st}}{d_{st}}\Big] + \lambda U^{TR}.$$

For this problem the Karush-Kuhn-Tucker (KKT) conditions [1] lead to

$$\frac{\partial J^K}{\partial \lambda} = 0 \ \Leftrightarrow\ \sum_{t=1}^{T}\sum_{s=1}^{S}\frac{b_{st}c_{st} - a_{st}d_{st} + \zeta_{st} - \eta_{st} - \lambda}{2 b_{st} d_{st}} = U^{TR} \quad\text{or}\quad \lambda = 0,$$

$$\frac{\partial J^K}{\partial \eta_{st}} = 0 \ \Leftrightarrow\ \eta_{st} = \zeta_{st} - a_{st}d_{st} - b_{st}c_{st} - \lambda \quad\text{or}\quad \eta_{st} = 0,$$

$$\frac{\partial J^K}{\partial \zeta_{st}} = 0 \ \Leftrightarrow\ \zeta_{st} = -b_{st}c_{st} + a_{st}d_{st} + \eta_{st} + \lambda \quad\text{or}\quad \zeta_{st} = 0.$$

Let us assume that $u_{st}$ is inside the interval $(0, c_{st}/d_{st})$, which would lead to all the $\eta_{st}$ and $\zeta_{st}$ equal to zero (inactive constraints), and therefore we would need

$$\sum_{t=1}^{T}\sum_{s=1}^{S}\frac{b_{st}c_{st} - a_{st}d_{st} - \lambda}{2 b_{st} d_{st}} = U^{TR} \ \text{ or } \ \lambda = 0 \quad\Leftrightarrow\quad \lambda = \frac{\sum_{t=1}^{T}\sum_{s=1}^{S}\dfrac{b_{st}c_{st} - a_{st}d_{st}}{2 b_{st} d_{st}} - U^{TR}}{\sum_{t=1}^{T}\sum_{s=1}^{S}\dfrac{1}{2 b_{st} d_{st}}} \ge 0 \qquad (9)$$

and

$$u_{st} = \bar u_{st} - \mu_{st}\max\Big\{0, \sum_{t=1}^{T}\sum_{s=1}^{S}\bar u_{st} - U^{TR}\Big\}, \qquad \bar u_{st} = \frac{b_{st}c_{st} - a_{st}d_{st}}{2 b_{st} d_{st}}, \qquad \mu_{st} = \frac{\dfrac{1}{2 b_{st} d_{st}}}{\sum_{t=1}^{T}\sum_{s=1}^{S}\dfrac{1}{2 b_{st} d_{st}}}.$$

We can view the term being subtracted from $\bar u_{st}$ as a normalizing term that makes sure that the $u_{st}$ add up to the budget $U^{TR}$. Note that if the closed-form formula shown above for $u_{st}$ ever becomes negative, then the corresponding $\zeta_{st}$ will become active and we must have

$$\frac{\partial J^K}{\partial \zeta_{st}} = 0 \ \Rightarrow\ \zeta_{st} = \lambda + a_{st}d_{st} - b_{st}c_{st} \ \Rightarrow\ u_{st} = 0.$$

Similarly, if the formula for $u_{st}$ ever becomes larger than $c_{st}/d_{st}$, then the corresponding $\eta_{st}$ will become active and we must have

$$\frac{\partial J^K}{\partial \eta_{st}} = 0 \ \Rightarrow\ \eta_{st} = -b_{st}c_{st} - \lambda - a_{st}d_{st} \ \Rightarrow\ u_{st} = \frac{c_{st}}{d_{st}}.$$

Remark 1. Note that, if any of the constraints on the attack resources are active, a closed-form solution is not possible and one has to solve the optimization problem numerically instead. □

3.2 Unknown Mission Damage Data

Often the mission-specific parameters $\{a_{st}, b_{st}, c_{st}, d_{st} : \forall s, t\}$ that define the potential damage and uncertainty equations are not known a priori and, instead, need to be estimated online. One approach that can be used to address this scenario is to assume that these parameters are generated by linear dynamics of the form

$$x^{a}_{s,t+1} = A^a x^{a}_{st} + B^a w_{st}, \qquad a_{st} = C^a x^{a}_{st}, \qquad (10)$$

$$x^{b}_{s,t+1} = A^b x^{b}_{st} + B^b w_{st}, \qquad b_{st} = C^b x^{b}_{st}, \qquad (11)$$

$$x^{c}_{s,t+1} = A^c x^{c}_{st} + B^c w_{st}, \qquad c_{st} = C^c x^{c}_{st}, \qquad (12)$$

$$x^{d}_{s,t+1} = A^d x^{d}_{st} + B^d w_{st}, \qquad d_{st} = C^d x^{d}_{st}, \qquad (13)$$

where the $w_{st}$, $\forall s, t$, are sequences of zero-mean random processes with variance $\sigma_w$. One can then use historical data to estimate these dynamics using black-box identification techniques. Once estimates for the dynamics are available, one can use online data to predict future values for the mission-specific parameters $\{a_{st}, b_{st}, c_{st}, d_{st} : \forall s, t\}$, based on past observations.

Suppose that at some time $k \le T$ the attacker has observed the values of the past mission-specific parameters $\{a_{st}, b_{st}, c_{st}, d_{st} : \forall s, t \le k\}$ and needs to make decisions on the future attack resources $u_{st}$, $t > k$. One can use (10)–(13) to construct estimates $\{\hat a_{st}, \hat b_{st}, \hat c_{st}, \hat d_{st} : \forall s, t > k\}$ for the future mission-specific parameters and obtain the future $u_{st}$, $t > k$, using the following optimization:

$$\begin{aligned} &\text{maximize} && \sum_{t=1}^{k}\sum_{s=1}^{S} f_{st}(u_{st})\,g_{st}(u_{st}) + \sum_{t=k+1}^{T}\sum_{s=1}^{S} \hat f_{st}(u_{st})\,\hat g_{st}(u_{st}) && (14) \\ &\text{subject to} && \sum_{t=1}^{T}\sum_{s=1}^{S} u_{st} \le U^{TR} && (15) \\ &\text{w.r.t.} && u_{st} \in [0, \infty), \ \forall t \in \{k+1, \ldots, T\}, \ \forall s, && (16) \end{aligned}$$

where $f_{st}$ and $g_{st}$ denote the functions defined in (4) and (5), respectively, whereas $\hat f_{st}$ and $\hat g_{st}$ are estimates of these functions computed using the estimated mission-specific parameters $\{\hat a_{st}, \hat b_{st}, \hat c_{st}, \hat d_{st} : \forall s, t > k\}$. The optimization (14) can be solved at each time step $k \in \{1, 2, \ldots, T\}$, allowing the attacker to improve her allocation of attack resources as new information about the mission parameters becomes available. Note that one could remove from the (double) summation in (14) any terms that do not depend on the optimization variables.

4 iCTF Competition

The international Capture The Flag (iCTF) is a distributed wide-area security exercise to test the security skills of the participants. This contest is organized by the Security Lab of the Department of Computer Science at UCSB and it has been held yearly since 2003. In traditional editions of the iCTF (2003–2007), the goal of each team was to maintain a set of services such that they remain available and uncompromised throughout the contest. Each team also had to attempt to compromise the other teams' services. Since all the teams received an identical copy of the virtual host containing the vulnerable services, each team had to find the vulnerabilities in their copy of the host and possibly fix the vulnerabilities without disrupting the services.
At the same time, the teams had to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. Compromising a service allowed a team to bypass the service's security mechanisms and to capture the flag associated with the service. During the 2008–2010 iCTFs, new competition designs were introduced. More precisely, in 2008 a separate virtual network was created for each team. The goal was to attack a terrorist network and defuse a bomb after compromising a number of hosts. In 2009, the participants had to compromise the browsers of a large group of simulated users, steal their money, and create a botnet. In 2010, the participants had to attack the rogue nation Litya, ruled by the evil Lisvoy Bironulesk. The teams' goal was to attack the services supporting Litya's infrastructure only at specific times, when certain activities were in progress. In addition, an intrusion detection system would temporarily firewall out the teams whose attacks were detected. The 2011 iCTF competition is briefly summarized below from the perspective of one team playing against the rest of the world. The 2010 [2] and 2011 [5] iCTF competitions were designed to closely match practical cyber-security mission scenarios.

4.1 2011 iCTF

The 2011 iCTF was centered around the theme of illegal money laundering. This activity is modeled after cyber-criminal money laundering operations and provided a perfect setting for risk-reward analysis, as the trade-offs are very intuitively understood. The general idea behind the competition was the conversion ("laundering") of money into points. The money was obtained by the teams by solving security-related challenges (e.g., decrypting an encrypted message, finding hidden information in a document, etc.). The conversion of money into points was performed by utilizing data captured from an exploited service. Therefore, first a team had to obtain money by solving challenges, and then the money had to be translated into points by exploiting the vulnerability in a service of another team. Successful conversion of money to points depended on a number of factors, calculated together as the risk function, which is described in detail below. Note that, at the end of the game, the money had no contribution to the final standing of a team: only points mattered. One challenge with the one-against-the-world formulation is that in the 2011 iCTF game, winning was not just about maximizing points. Winning was about getting more points than each of the opponents (individually).
The game was played in 255 rounds (each takes about 2 min), but we only have data for 248 rounds since the logging server was temporarily down. Each team hosts a server that runs 10 services, each with its own (unknown) vulnerabilities. Each service $s \in \{1, 2, \ldots, 10\}$ of each hosting team is characterized by three time-varying quantities, $\forall t \in \{1, 2, \ldots, 248\}$:

- the cut $C_{st}$, which is the percentage of the money that goes to the team when money is laundered through service $s$ (same value for every team);
- the payoff $P_{st}$, which is the percentage of the money that will be transformed into points for the team that launders the money (same value for every team); $P_{st} = 0.9\,e^{\,\cdots}$, where the exponent depends on $T$ and on the tick at which the service became active;
- the risk $R_{st}$, which is the probability of losing all the money (instead of getting a conversion to points).

The generation of the time series for the cut, payoff, and risk for the different services was based on an underlying set of cyber-missions that were running while the game was played. Essentially, when the state of the cyber-mission required a particular service, the cut, payoff, and risk would make that service attractive for attackers from the perspective of converting money to points. However, the players were not informed about the state of the cyber-missions and, instead, at the beginning of each round, the teams are informed of the values of $C_{st}$, $P_{st}$, $R_{st}$ for every $s$ and $t$.

4.2 Actions Available to Every Team

A team (we) has the following key actions in the actual competition:

1. Defensive action: Activate/deactivate one of its own services. In the iCTF competition a team could also correct any vulnerability that it discovered in its services. We assumed here that all known vulnerabilities had been corrected.
2. Money laundering: Select (a) a team to attack (a mute decision within the one-against-the-world formulation); (b) a service $s$ to compromise, which implicitly determines the payoff $P_{st}$, the risk $R_{st}$, and the cut $C_{st}$; (c) the amount of money $u_{st}$ to launder at time $t$ through service $s$. This action results in a number of points given by

$$X_{st} = \begin{cases} P_{st}(1 - C_{st})\,D\,u_{st} & \text{w.p. } \min\{\rho_{st}, 1\} \\ 0 & \text{w.p. } 1 - \min\{\rho_{st}, 1\}, \end{cases} \qquad (17)$$

where $D$ is the team's defense level and $\rho_{st}$ is the probability that the conversion of money to points will succeed, as given by the formula

$$\rho_{st} = 1 - R_{st} - \frac{u_{st}}{30} - (\cdots),$$

where the remaining terms involve the ratios $N_j/700$ and $Q/500$ and the constant $6/300$, $N_j$ is the overall amount of money that has been laundered by team $j$ through the particular team being exploited, and $Q$ is the overall amount of money that has been laundered by the team through the particular service being exploited. Because we do not model each team individually, we will consider the worst-case scenario for the following quantities, $N = 492$, $Q = 2257$ (according to data from the competition), and a defense level of the team of $D = 1$.
To map this game onto the general framework described in Section 2, we associate the money $u_{st}$ to launder at time $t$ through service $s$ with the resources devoted to attacking service $s$ at time $t$, and associate the points $X_{st}$ in (17) with damage to the mission. The total attack resources $U^{TR}$ available to each team in the general framework described in Section 2 now correspond to the money available to each team. While we could model more accurately the process by which teams get money, for simplicity we assumed that each team had available a fixed amount of money ($5060) that could be spent throughout the duration of the game, which is given by the average money of all the teams during the competition. The results regarding which services were attacked and when proved to be relatively insensitive to this parameter.

4.3 Optimization Schemes and iCTF

In this section we apply the optimization schemes defined in Sections 3.1 and 3.2 to the iCTF game. We are seeking to optimally allocate our available resources in the competition such that the total number of points is maximized while meeting the specified constraints. The maximization of the expected reward by a team can be formulated as follows:

$$\begin{aligned} &\text{maximize} && \sum_{t=1}^{248}\sum_{s=1}^{10} \rho_{st}\,P_{st}(1 - C_{st})\,D\,u_{st} \\ &\text{subject to} && \sum_{t=1}^{248}\sum_{s=1}^{10} u_{st} \le U^{TR} = 5060 \\ &\text{w.r.t.} && u_{st} \in [0, \infty), \ \forall s \in \{1, 2, \ldots, 10\}, \ t \in \{1, 2, \ldots, 248\}, \end{aligned}$$

where

$$\rho_{st} = \min\Big\{1 - \beta - R_{st} - \frac{u_{st}}{30},\ 1\Big\},$$

$\beta$ collects the $N/700$ and $Q/500$ terms of the success probability evaluated at the worst-case values above, $\beta = 0.4$, and the parameters $P_{st}$, $C_{st}$, $D$, $\beta$ can either be considered known or unknown. By using Proposition 1, and setting the constraint $\sigma_{st} = 0$ in (8) (since $(1 - \beta) \in [0, 1]$), we can write the equivalent optimization problem as

$$\begin{aligned} &\text{maximize} && \sum_{t=1}^{248}\sum_{s=1}^{10} \Big(1 - \beta - R_{st} - \frac{u_{st}}{30}\Big)\,P_{st}(1 - C_{st})\,u_{st} \\ &\text{subject to} && \sum_{t=1}^{248}\sum_{s=1}^{10} u_{st} \le U^{TR} \\ &\text{w.r.t.} && u_{st} \in \big[0,\ 30(1 - \beta - R_{st})\big], \ \forall s \in \{1, 2, \ldots, 10\}, \ t \in \{1, 2, \ldots, 248\}, \end{aligned}$$

which is a concave maximization problem with linear constraints that is easy to solve numerically as described in Section 3.1. The above optimization depends on the following assignments:

$$a_{st} = 0, \qquad b_{st} = P_{st}(1 - C_{st}), \qquad c_{st} = 1 - \beta - R_{st}, \qquad d_{st} = \frac{1}{30}.$$

When these are not known, one can estimate $b_{st} = P_{st}(1 - C_{st})$, $c_{st} = 1 - \beta - R_{st}$, $d_{st} = 1/30$ using the low-order state-space models given by (11)–(13). By then applying the optimization scheme described in Section 3.2, with a horizon of $N = 5$, one can still make accurate predictions of when and how to distribute the available attack resources. The optimization model just described results in an optimization to obtain the future $u_{st}$, $\forall t > k$, performed under a moving horizon of 5 ticks:

$$\begin{aligned} &\text{maximize} && \sum_{t=1}^{k}\sum_{s=1}^{10} b_{st}\,u_{st}\,(c_{st} - d_{st}u_{st}) + \sum_{t=k+1}^{248}\sum_{s=1}^{10} \hat b_{st}\,u_{st}\,(\hat c_{st} - \hat d_{st}u_{st}) \\ &\text{subject to} && \sum_{t=1}^{248}\sum_{s=1}^{10} u_{st} \le U^{TR}_k, \\ & && x^{b}_{s,t+1} = A^b x^{b}_{st} + B^b w_{st}, \quad \hat b_{st} = C^b x^{b}_{st}, \\ & && x^{c}_{s,t+1} = A^c x^{c}_{st} + B^c w_{st}, \quad \hat c_{st} = C^c x^{c}_{st}, \\ & && x^{d}_{s,t+1} = A^d x^{d}_{st} + B^d w_{st}, \quad \hat d_{st} = C^d x^{d}_{st}, \\ &\text{w.r.t.} && u_{st} \in \Big[0,\ \frac{\hat c_{st}}{\hat d_{st}}\Big], \ \forall t \in \{k+1, \ldots, 248\}, \ \forall s \in \{1, 2, \ldots, 10\}. \end{aligned}$$

5 iCTF Results

This section presents numerical results obtained from applying the optimization described above to data from the attack logs of the 2011 iCTF competition. All the optimizations have been implemented through a Matlab-based convex optimization solver, CVX [1]. The optimization scheme described in Section 3.2 yielded results very close to those of the scheme described in Section 3.1 for a prediction horizon of $N = 5$. Initially we will assume that a sophisticated attacker would be able to compromise any one of the 10 services. Figure 1 shows the points and the money collected by such an optimal attacker, whereas Figure 2 shows the same (aggregate) data for the teams that participated in the competition. One can also consider attackers with different levels of sophistication, e.g., attackers that are only able to find vulnerabilities in a subset of the 10 services that the sophisticated one was able to attack. By observing the data of the top 20 teams in the competition we were able to partition the sophistication into two levels. For comparison, we show the behavior of an attacker A that was only able to attack the services 1, 2, 4, 5, 6, 9 (similar to the first 10 teams in the competition); and another attacker B that was only able to attack services 1, 2, 5, 6, 7, 8 (similar to the teams from places 11 to 20 in the competition).

Fig. 1. Behavior of an optimal sophisticated attacker able to attack all 10 services: (a) points earned, (b) money laundered.

Fig. 2. Aggregate behavior of all the teams that participated in the competition: (a) points earned, (b) money laundered.

The sophisticated attacker was able to gather 987 points, whereas the two other attackers were able to get 82 and 72 points, respectively. The results in Figure 1(a) show that the most profitable services to attack were 5, 6 and 9. The top 10 teams in the competition attacked mostly 5 and 6 because 9 was a hard service to get into. Only the top 3 teams discovered how to attack service 9, and only at the end of the game, so they had relatively little time to explore that vulnerability. Aside from this, the predictions based on the optimization framework developed here qualitatively reflect the actions of the good teams. In fact, the top two teams in the competition followed attack strategies qualitatively close to that of attacker A in Figure 3, as seen in Figure 5.
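As an added worked example (not code from the paper or from the iCTF), the allocation of Proposition 1 and the KKT case analysis of Section 3.1 applied to the Section 4.3 mapping $a_{st}=0$, $b_{st}=P_{st}(1-C_{st})$, $c_{st}=1-\beta-R_{st}$, $d_{st}=1/30$; the payoff, cut and risk series and the budgets are constructed values, and the CVX solver used in the paper is replaced by bisection on the budget multiplier $\lambda$, so that the active-bound case of Remark 1 is handled as well.

```python
import numpy as np

# Added example for this page (not the paper's code): the allocation of
# Proposition 1 / Section 3.1 applied to the iCTF mapping of Section 4.3.
# CVX is replaced by a direct solution of the KKT conditions; all service
# parameters below are constructed values.

def ictf_parameters(P, C, R, beta=0.4):
    """Section 4.3 assignments: a = 0, b = P(1-C), c = 1-beta-R, d = 1/30 (D = 1)."""
    P, C, R = (np.asarray(x, dtype=float) for x in (P, C, R))
    return np.zeros_like(P), P * (1 - C), 1 - beta - R, np.full_like(P, 1 / 30)

def closed_form(a, b, c, d, budget):
    """Proposition 1 closed form, valid only while no bound on u is active:
    u = ubar - mu * max{0, sum(ubar) - U_TR}, ubar = (bc - ad)/(2bd),
    mu = (1/(2bd)) / sum(1/(2bd))."""
    a, b, c, d = (np.asarray(x, dtype=float) for x in (a, b, c, d))
    ubar = (b * c - a * d) / (2 * b * d)
    weight = 1.0 / (2 * b * d)
    return ubar - weight / weight.sum() * max(0.0, ubar.sum() - budget)

def allocate(a, b, c, d, budget, tol=1e-12):
    """Exact solution of (8) with sigma = 0 (c in [0, 1]), bounds included.
    For a budget multiplier lam >= 0 each coordinate is the box-clipped
    stationary point u(lam) = clip((bc - ad - lam)/(2bd), 0, c/d); lam is found
    by bisection so that sum u(lam) = U_TR (lam = 0 if the budget is slack)."""
    a, b, c, d = (np.asarray(x, dtype=float) for x in (a, b, c, d))

    def u_of(lam):
        return np.clip((b * c - a * d - lam) / (2 * b * d), 0.0, c / d)

    if u_of(0.0).sum() <= budget:
        return u_of(0.0), 0.0
    lo, hi = 0.0, float(np.max(b * c - a * d))  # at hi every u(lam) is 0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if u_of(mid).sum() > budget else (lo, mid)
    return u_of(hi), hi

def kkt_residual(a, b, c, d, u, lam, tol=1e-7):
    """Largest KKT violation: the marginal expected damage bc - ad - 2bd*u
    equals lam on free coordinates, is <= lam where u = 0 (zeta active) and
    is >= lam where u = c/d (eta active)."""
    a, b, c, d, u = (np.asarray(x, dtype=float) for x in (a, b, c, d, u))
    grad = b * c - a * d - 2 * b * d * u
    lower, upper = u <= tol, u >= c / d - tol
    free = ~(lower | upper)
    viol = np.concatenate([np.abs(grad[free] - lam),
                           np.maximum(grad[lower] - lam, 0.0),
                           np.maximum(lam - grad[upper], 0.0)])
    return float(viol.max()) if viol.size else 0.0

def expected_damage(a, b, c, d, u):
    """Total expected damage y_TD = sum f(u) g(u), g projected onto [0, 1] (eq. 6)."""
    return float(np.sum((a + b * u) * np.clip(c - d * u, 0.0, 1.0)))

# Constructed data: 3 services x 4 ticks of payoff P, cut C and risk R.
# Service 1 becomes lucrative (high P, low R) in ticks 3-4; service 3 is
# low-payoff but low-risk; service 2 is average.
P = np.array([[0.5, 0.5, 0.9, 0.9], [0.7] * 4, [0.3] * 4])
C = np.array([[0.1] * 4, [0.2] * 4, [0.1] * 4])
R = np.array([[0.2, 0.2, 0.1, 0.1], [0.3] * 4, [0.1] * 4])

def demo(budget=30.0):
    """Allocate a money budget over services and ticks; report the KKT check
    and the gap to the closed form (zero whenever no bound is active)."""
    a, b, c, d = ictf_parameters(P, C, R)
    u, lam = allocate(a, b, c, d, budget)
    return {"u": u.round(4).tolist(), "lam": lam, "total": float(u.sum()),
            "residual": kkt_residual(a, b, c, d, u, lam),
            "closed_form_gap": float(np.max(np.abs(u - closed_form(a, b, c, d, budget)))),
            "expected_points": expected_damage(a, b, c, d, u)}

if __name__ == "__main__":
    print(demo())            #  all bounds inactive: matches Proposition 1
    print(demo(budget=1.0))  #  tight budget: most u_st pinned at 0 (Remark 1)
```

For the analyst, the ranking of the resulting $u_{st}$ over services and ticks is the prioritization signal the paper describes: the service-tick pairs that attract the largest allocation are the ones to defend first.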
Fig. 3. Behavior of an optimal attacker A able to attack services 1, 2, 4, 5, 6, 9: (a) points earned, (b) money laundered.

Fig. 4. Behavior of an optimal attacker B able to attack services 1, 2, 5, 6, 7, 8: (a) points earned, (b) money laundered.

Fig. 5. Behavior of the top 3 teams during the competition: (a) points earned, (b) money laundered.

6 Future Work

Our future work in this area is focused on developing analysis tools to explore what-if scenarios based on past data and the structure of the cyber-missions. To this end, we are developing optimization schemes for the defender's possible actions, such as taking a service off-line when the service is not needed or extending the duration of a state that would be unable to progress if a certain service is compromised. We are also developing human-computer interfaces to demonstrate the usefulness of this type of analysis for security analysts.

References

1. S. Boyd and L. Vandenberghe, Convex Optimization, Cambridge University Press, 2004.
2. A. Doupé, M. Egele, B. Caillat, G. Stringhini, G. Yakin, A. Zand, L. Cavedon, and G. Vigna, Hit 'em where it hurts: A live security exercise on cyber situational awareness, Proceedings of the Annual Computer Security Applications Conference (ACSAC 2011), Orlando, FL, December 2011.
3. M. Endsley, Theoretical Underpinnings of Situation Awareness: A Critical Review, chapter 1, pages 3-32, L. Erlbaum Assoc., 2000.
4. N. Stockman, K. G. Vamvoudakis, L. Devendorf, T. Höllerer, R. Kemmerer, J. P. Hespanha, A Mission-Centric Visualization Tool for Cybersecurity Situation Awareness, Technical Report, University of California, Santa Barbara, August 2012.
5. G. Vigna, The 2011 UCSB iCTF: Description of the game, http://ictf.cs.ucsb.edu/, 2011.