A Learning-Based Approach to Reactive Security

  • Conference paper
Financial Cryptography and Data Security (FC 2010)

Abstract

Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to the last attack. Our game-theoretic model follows common practice in the security literature by making worst-case assumptions about the attacker: we grant the attacker complete knowledge of the defender’s strategy and do not require the attacker to act rationally. In this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of information about the attacker’s incentives and knowledge.

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Barth, A., Rubinstein, B.I.P., Sundararajan, M., Mitchell, J.C., Song, D., Bartlett, P.L. (2010). A Learning-Based Approach to Reactive Security. In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_16

  • DOI: https://doi.org/10.1007/978-3-642-14577-3_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14576-6

  • Online ISBN: 978-3-642-14577-3

  • eBook Packages: Computer Science, Computer Science (R0)
