Abstract
Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to the last attack. Our game-theoretic model follows common practice in the security literature by making worst-case assumptions about the attacker: we grant the attacker complete knowledge of the defender’s strategy and do not require the attacker to act rationally. In this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of information about the attacker’s incentives and knowledge.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Anderson, R.: Why information security is hard—An economic perspective. In: 17th Annual Computer Security Applications Conference, pp. 358–365 (2001)
August, T., Tunca, T.I.: Network software security and user incentives. Management Science 52(11), 1703–1720 (2006)
Barth, A., Rubinstein, B.I.P., Sundararajan, M., Mitchell, J.C., Song, D., Bartlett, P.L.: A learning-based approach to reactive security (2009), http://arxiv.org/abs/0912.1155
Beard, C.: Introducing Test Pilot (March 2008), http://labs.mozilla.com/2008/03/introducing-test-pilot/
Cavusoglu, H., Raghunathan, S., Yue, W.: Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems 25(2), 281–304 (2008)
Cesa-Bianchi, N., Freund, Y., Haussler, D., Helmbold, D.P., Schapire, R.E., Warmuth, M.K.: How to use expert advice. Journal of the Association for Computing Machinery 44(3), 427–485 (1997)
Chakrabarty, D., Mehta, A., Vazirani, V.V.: Design is as easy as optimization. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4051, pp. 477–488. Springer, Heidelberg (2006)
Cremonini, M.: Evaluating information security investments from attackers perspective: the return-on-attack (ROA). In: Fourth Workshop on the Economics of Information Security (2005)
Fisher, D.: Multi-process architecture (July 2008), http://dev.chromium.org/developers/design-documents/multi-process-architecture
Franklin, J., Paxson, V., Perrig, A., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: Proceedings of the 2007 ACM Conference on Computer and Communications Security, pp. 375–388. ACM, New York (2007)
Freund, Y., Schapire, R.: A short introduction to boosting. Journal of the Japanese Society for Artificial Intelligence 14(5), 771–780 (1999)
Freund, Y., Schapire, R.E.: Adaptive game playing using multiplicative weights. Games and Economic Behavior 29, 79–103 (1999)
Friedberg, J.: Internet fraud battlefield (April 2007), http://www.ftc.gov/bcp/workshops/proofpositive/Battlefield_Overview.pdf
Fultz, N., Grossklags, J. (eds.): Blue versus Red: Towards a model of distributed security attacks. Proceedings of the Thirteenth International Conference Financial Cryptography and Data Security (February 2009)
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5(4), 438–457 (2002)
Grossklags, J., Christin, N., Chuang, J.: Secure or insure?: A game-theoretic analysis of information security games. In: Proceeding of the 17th International Conference on World Wide Web, pp. 209–218. ACM, New York (2008)
Hausken, K.: Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers 8(5), 338–349 (2006)
Herbster, M., Warmuth, M.K.: Tracking the best expert. Machine Learning 32(2), 151–178 (1998)
Howard, M.: Attack surface: Mitigate security risks by minimizing the code you expose to untrusted users. MSDN Magazine (November 2004), http://msdn.microsoft.com/en-us/magazine/cc163882.aspx
Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G.M., Paxson, V., Savage, S.: Spamalytics: An empirical analysis of spam marketing conversion. In: Proceedings of the 2008 ACM Conference on Computer and Communications Security, pp. 3–14. ACM, New York (2008)
Kark, K., Penn, J., Dill, A.: 2008 CISO priorities: The right objectives but the wrong focus. Le Magazine de la Sécurité Informatique (April 2009)
Kumar, V., Telang, R., Mukhopadhyay, T.: Optimal information security architecture for the enterprise, http://ssrn.com/abstract=1086690
Lye, K.W., Wing, J.M.: Game strategies in network security. In: Proceedings of the Foundations of Computer Security Workshop, pp. 13–22 (2002)
Miura-Ko, R.A., Yolken, B., Mitchell, J., Bambos, N.: Security decision-making among interdependent organizations. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium, pp. 66–80. IEEE Computer Society, Washington (2008)
Miura-Ko, R., Bambos, N.: SecureRank: A risk-based vulnerability management scheme for computing infrastructures. In: Proceedings of IEEE International Conference on Communications, pp. 1455–1460 (June 2007)
Ordentlich, E., Cover, T.M.: The cost of achieving the best portfolio in hindsight. Mathematics of Operations Research 23(4), 960–982 (1998)
Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345 (2006)
Pironti, J.P.: Key elements of an information security program. Information Systems Control Journal 1 (2005)
Rescorla, E.: Is finding security holes a good idea? IEEE Security and Privacy 3(1), 14–19 (2005)
Varian, H.: System reliability and free riding (2001)
Varian, H.R.: Managing online security risks, June 1. New York Times (2000)
Warner, B.: Home PCs rented out in sabotage-for-hire racket. Reuters (July 2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Barth, A., Rubinstein, B.I.P., Sundararajan, M., Mitchell, J.C., Song, D., Bartlett, P.L. (2010). A Learning-Based Approach to Reactive Security. In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_16
Download citation
DOI: https://doi.org/10.1007/978-3-642-14577-3_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14576-6
Online ISBN: 978-3-642-14577-3
eBook Packages: Computer ScienceComputer Science (R0)