Audit Games Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha 1...
-
Upload
felix-ball -
Category
Documents
-
view
216 -
download
0
description
Transcript of Audit Games Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha 1...
1
Audit Games
Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, Arunesh Sinha
Carnegie Mellon University
2
Motivation
3
Auditing Permissive real time access control policy Inspect accesses after occurrence Find and punish policy violators
How does it help? Deter potential violators Take remedial measures to prevent future losses
4
Auditing for Policy Enforcement
HIPAA
GLBA
EU Data Protection Directive
5
Auditing in Practice FairWarning Audit Tool for hospitals
Flags all celebrity record accesses as suspicious Place traffic police at strategic locations
Intelligent heuristics, but, no mathematical model or guarantees
6
Why study Audit Process? Optimize costs expended in auditing
Audits costs money
Prevent violations Decide appropriate punishment for deterrence
Efficiently computable audit strategies Enable cost-optimal prioritized inspections
7
Outline Simple rational game model
Example
Main Algorithm for computing equilibrium Example
Future Work
8
Simple Rational ModelSimple Rational Model
Adversary: violation, fined if detected Utility when target is attacked
targets
inspection𝑝1 𝑝2 𝑝3 𝑝4
Utility when auditedUtility when unaudited
9
Punishment as an Action
High Punishment: Hostile Work Environment
Low Punishment: No incentive to follow policy.
x
Simple Rational Model
10
Stackelberg Equilibrium Concept Defender commits to a randomized resource
allocation strategy (’s and ) Adversary plays best response to that
strategy
For defender Stackelberg better than Nash eq.
Goal Compute optimal defender strategy
Simple Rational Model
11
Small exampleExample
2 2 31 0.1 0.5
Utility audited ()Utility unaudited ()
0.25 0.5 0.251 1 1
Utility audited ()Utility unaudited ()
Defender’s utility
Adversary’s utility
𝑝𝑖𝑈𝑎 ,𝐷 ( 𝑡𝑖 )+ (1−𝑝𝑖)𝑈𝑢 ,𝐷 (𝑡𝑖 )−𝑎0𝑥
𝑝𝑖(𝑈𝑎 , 𝐴(𝑡 𝑖) – 𝑥 )+ (1−𝑝𝑖)𝑈𝑢 , 𝐴(𝑡 𝑖)
= 0.5
12
Example contd.Example
Defender’s Stackelberg strategy (utility )
Adversary’s strategy: Attack target
Fix , equivalent to security games (utility )
0.285 0.43 0.285
0.43 0.57 0 0.25
13
Computing Optimal Defender StrategySolve optimization problems for all and pick the best solution
subject to
and ’s lie on the probability simplexand
QuadraticNon-
convex
Simple Rational Model
Properties of Optimal Point
14
Problem
𝑥
𝑝𝑖
TightConstraint
s
𝐶1
𝐶2𝐶3
𝐶41
1
Main Algorithm
15
Main Idea in Algorithm
Iterate over regions, solve sub-problems Set probabilities to zero for curves that lie above & make other
constraints tight Pick best solution of all
𝑥
𝛿=−3𝛿=−2𝛿=−1
𝛿=1− Δn 1
1
Main Algorithm
16
Solving Sub-problem 1.Objective can reduced to a polynomial function of
2. Find potential points of maxima by finding roots
3. Take the maximum over all values from steps 2
Splitting circle method: approximate real roots with precision in time polynomial in input size and
Main Algorithm
17
Main Theorem The problem can be approximated to an
additive ϵ factor in time using the splitting circle method, where K is the bit precision of inputs.
Main Algorithm
18
0.285 0.43 0.285 0
Varying cost of punishment , medium cost of punishment
, high cost of punishment
, low cost of punishment
0.43 0.57 0 0.25
0.46 0.54 0 0.99
Example
19
Future Work Studying security games variations in audit
games Budget-constrained defender Combinatorial constraints on use of defender
resources
Varying punishment with violation severity
Validation: Simulation: studying effect of various parameters Real world case study
Future Work
20
Conclusion
First model of auditing and first step toward a computationally
feasible solution of audit games.
Research at the intersection of AI and security & privacy holds lot of promise, given the encouraging precedent set by the deployment of security games
algorithms
21
Extensions inspections performed by single resource
Probability sum to : Each inspection’s probability distribution is Decompose using Birkhoff-von Neumann
decomposition
Zero violations by the adversary With no punishment Adds an additional non-convex constraint Handled in almost same way as the other
constraints
Extensions