482 IEEE TRANSACTIONS ON DEPENDABLE AND …dawnsong/papers/2012 A Learning... · A Learning-Based Approach to Reactive Security ... 482 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE

A Learning-Based Approachto Reactive Security

Adam Barth, Benjamin I.P. Rubinstein, Mukund Sundararajan,

John C. Mitchell, Dawn Song, Member, IEEE, and Peter L. Bartlett, Member, IEEE

Abstract—Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can

be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to

the last attack. Our game-theoretic model follows common practice in the security literature by making worst case assumptions about

the attacker: we grant the attacker complete knowledge of the defender’s strategy and do not require the attacker to act rationally. In

this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the

best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of

information about the attacker’s incentives and knowledge.

Index Terms—Reactive security, risk management, attack graphs, online learning, adversarial learning, game theory.

Ç

1 INTRODUCTION

MANY enterprises employ a Chief Information SecurityOfficer (CISO) to manage the enterprise’s information

security risks. Typically, an enterprise has many moresecurity vulnerabilities than it can realistically repair. Insteadof declaring the enterprise “insecure” until every lastvulnerability is plugged, CISOs typically perform a cost-benefit analysis to identify which risks to address. But whatconstitutes an effective CISO strategy? The conventionalwisdom [1], [2] is that CISOs ought to adopt a “forward-looking” proactive approach to mitigating security risk byexamining the enterprise for vulnerabilities that might beexploited in the future. Advocates of proactive security oftenequate reactive security with myopic bug-chasing andconsider it ineffective. We establish sufficient conditionsfor when reacting strategically to attacks is as effective indiscouraging attackers.

We study the efficacy of reactive strategies in aneconomic model of the CISO’s security cost-benefit trade-offs. Unlike previously proposed economic models ofsecurity (see Section 9), we do not assume the attacker actsaccording to a fixed probability distribution. Instead, weconsider a game-theoretic model with a strategic attackerwho responds to the defender’s strategy. As is standard inthe security literature, we make worst case assumptionsabout the attacker. For example, we grant the attacker

complete knowledge of the defender’s strategy and do notrequire the attacker to act rationally. Further, we makeconservative assumptions about the reactive defender’sknowledge and do not assume the defender knows all thevulnerabilities in the system or the attacker’s incentives.However, we do assume that the defender can observe theattacker’s past actions, for example, via an intrusiondetection system or user metrics [3].

Under our theoretical model, we find that three assump-tions are sufficient for a reactive strategy to perform as wellas the best proactive strategies:

Assumption 1. No single attack is catastrophic.

Assumption 2. The defender’s budget is liquid.

Assumption 3. The attacker’s cost for mounting an attack islinear in the defensive allocations.

Our first assumption requires that the defender cansurvive a number of attacks. This is consistent with situationswhere intrusions (that, say, steal credit card numbers) areregrettable but not business-ending. Our results do notdirectly apply to settings in which catastrophic attacks arepossible, e.g., in nuclear warfare strategy.

That the defender’s budget is liquid—our secondassumption—means that the defender can reallocate re-sources without penalty. Of course, not all defense spendingis liquid (e.g., cement walls are difficult to move or sell),which means our results do not apply to all situations.However, our results do apply in common situations, suchas when allocating headcount, when the defenders budget isapproximately liquid. For example, a CISO can reassignmembers of the security team from managing firewall rulesto improving database access controls at relatively low-switching costs.

Because our model abstracts many vulnerabilities into asingle edge in an attack graph, we view the act of defense asincreasing the attacker’s cost for mounting an attack insteadof preventing the attack (e.g., by patching a single bug). By

482 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 4, JULY/AUGUST 2012

. A. Barth and M. Sundararajan are with Google, Inc., 1600 AmphitheatreParkway, Mountain View, CA 94043.E-mail: [email protected], [email protected].

. B.I.P. Rubinstein is with Microsoft Research, 1288 Pear Ave, MountainView, CA 94043. E-mail: [email protected].

. J.C. Mitchell is with the Department of Computer Science, StanfordUniversity, Stanford, CA 94305-9045. E-mail: [email protected].

. D. Song and P.L. Bartlett are with the Department of ElectricalEngineering and Computer Sciences, UC Berkeley, Berkeley, CA 94720-1776. E-mail: {dawnsong, bartlett}@cs.berkeley.edu.

Manuscript received 16 Nov. 2010; revised 6 Apr. 2011; accepted 10 June2011; published online 22 Aug. 2011.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log NumberTDSCSI-2010-11-0214.Digital Object Identifier no. 10.1109/2011.42.

1545-5971/12/$31.00 � 2012 IEEE Published by the IEEE Computer Society

taking this viewpoint, we choose not to study the tacticalpatch-by-patch interaction of the attacker and defender.Instead, we model enterprise security at a more abstractlevel appropriate for the CISO. For example, the CISOmight allocate a portion of his or her budget to engage aconsultancy, such as WhiteHat or iSEC Partners, to find andfix cross-site scripting in a particular web application or torequire that employees use SecurID tokens during authen-tication. This leads to our third technical assumption thatattacker costs are linearly dependent on defense invest-ments locally. This assumption does not reflect patch-by-patch interaction, which would be better represented by astep function (with the step placed at the cost to deploy thepatch). Instead, this assumption reflects the CISO’s higherlevel point of view where the staircase of summed stepfunctions fades into a slope.

We evaluate the defender’s strategy by measuring theattacker’s cumulative return-on-investment, the return-on-attack (ROA), which has been proposed previously [4]. Bystudying this metric, we focus on defenders who seek to “cutoff the attacker’s oxygen,” that is to reduce the attacker’sincentives for attacking the enterprise. We do not distin-guish between “successful” and “unsuccessful” attacks.Instead, we compare the payoff the attacker receives fromhis or her nefarious deeds with the cost of performing saiddeeds. We imagine that sufficiently disincentivized attack-ers will seek alternatives, such as attacking a differentorganization or starting a legitimate business.

In our main result, we show sufficient conditions for alearning-based reactive strategy to be competitive with thebest fixed proactive defense in the sense that the competi-tive ratio between the reactive ROA and the proactive ROAis at most 1þ �, for all � > 0, provided the game lastssufficiently many rounds (at least �ð1=�Þ). To prove ourtheorems, we draw on techniques from the online learningliterature. We extend these techniques to the case where thelearner does not know all the game matrix rows a priori,letting us analyze situations where the defender does notknow all of the vulnerabilities in advance. Although ourmain results are in a graph-based model with a singleattacker, our results generalize to a model based on Hornclauses with multiple attackers (see Section 8.1). Our resultsare also robust to switching from ROA to attacker profit andto allowing the proactive defender to revise the defenseallocation a fixed number of times.

Although myopic bug chasing is most likely anineffective reactive strategy, we find that in some situationsa strategic reactive strategy is as effective as the optimalfixed proactive defense. In fact, we find that the naturalstrategy of gradually reinforcing attacked edges by shiftingbudget from unattacked edges “learns” the attacker’sincentives and constructs an effective defense. Such astrategic reactive strategy is both easier to implement thana proactive strategy—because it does not presume that thedefender knows the attacker’s intent and capabilities—andis less wasteful than a proactive strategy because thedefender does not expend budget on attacks that do notactually occur. Based on our results, we encourage CISOs toquestion the assumption that proactive risk management isinherently superior to reactive risk management. When

using reactive strategies, CISOs should employ monitoringtools to help focus on real attacks, lead a more agile securityorganization, and avoid overreacting to the most recentattacks and instead learn from past attacks while discount-ing their importance exponentially.

1.1 Organization

Section 2 formalizes our model. Section 3 shows thatperimeter defense and defense-in-depth arise naturally inour model. Section 4 describes the threat model and ournew learning-based reactive strategy. Section 5 presentsour main results bounding the competitive ratio of reactiveversus proactive defense strategies. Section 6 provides alower bound establishing the essential optimality of ourlearning-based defense among all reactive strategies.Section 7 outlines scenarios in which reactive securityoutperforms proactive security. Section 8 generalizes ourresults to Horn clauses and multiple attackers. Section 9relates related work. Section 10 concludes. This paper addsproofs and a lower bound to an earlier conference versionof this work [5].

2 FORMAL MODEL

In this section, we present a game-theoretic model of attackand defense. Unlike traditional bug-level attack graphs, ourmodel is meant to capture a managerial perspective onenterprise security. The model is somewhat general in thesense that attack graphs can represent a number of concretesituations, including a network (see Fig. 1), components ina complex software system [6], or an Internet Fraud“Battlefield” [7].

2.1 System

We model a system using a directed graph ðV ;EÞ, whichdefines the game between an attacker and a defender. Eachvertex v 2 V in the graph represents a state of the system.Each edge e 2 E represents a state transition the attackercan induce. For example, a vertex might represent whethera particular machine in a network has been compromisedby an attacker. An edge from one machine to anothermight represent that an attacker who has compromised thefirst machine might be able to compromise the secondmachine because the two are connected by a network.Alternatively, the vertices might represent different com-ponents in a software system. An edge might representthat an attacker sending input to the first component cansend input to the second.

BARTH ET AL.: A LEARNING-BASED APPROACH TO REACTIVE SECURITY 483

Fig. 1. An attack graph representing an enterprise data center.

In attacking the system, the attacker selects a path a inthe graph that begins with a designated start vertex s. Ourresults hold in more general models (e.g., based on Hornclauses), but we defer discussing such generalizations untilSection 8. We think of the attack as driving the systemthrough the series of state transitions indicated by theedges included in the path. In the networking example inFig. 1, an attacker might first compromise a front-endserver and then leverage the server’s connectivity to theback-end database server to steal credit card numbers fromthe database.

2.2 Incentives and Rewards

Attackers respond to incentives. For example, attackerscompromise machines and form botnets because they makemoney from spam [8] or rent the botnet to others [9]. Otherattackers steal credit card numbers because credit cardnumbers have monetary value [10]. We model the attacker’sincentives by attaching a nonnegative reward to each vertex.These rewards are the utility the attacker derives fromdriving the system into the state represented by the vertex.For example, compromising the database server might havea sizable reward because the database server contains easilymonetizable credit card numbers. We assume the startvertex has zero reward, forcing the attacker to undertakesome action before earning utility. Whenever the attackermounts an attack, the attacker receives a payoff equal to thesum of the rewards of the vertices visited in the attack patha : payoffðaÞ ¼

Pv2a rewardðvÞ. In the example from Fig. 1, if

an attacker compromises both a front-end server and thedatabase server, the attacker receives both rewards.

2.3 Attack Surface and Cost

The defender has a fixed defense budget B > 0, which thedefender can divide among the edges in the graphaccording to a defense allocation d: for all e 2 E, dðeÞ � 0and

Pe2E dðeÞ � B.

The defender’s allocation of budget to various edgescorresponds to the decisions made by the Chief InformationSecurity Officer about where to allocate the enterprise’ssecurity resources. For example, the CISO might allocateorganizational headcount to fuzzing enterprise web appli-cations for XSS vulnerabilities. These kinds of investmentsare continuous in the sense that the CISO can allocate 1=4 ofa full-time employee to worrying about XSS. We denote theset of feasible allocations of budget B on edge set E by DB;E .

By defending an edge, the defender makes it moredifficult for the attacker to use that edge in an attack. Eachunit of budget the defender allocates to an edge raises thecost that the attacker must pay to use that edge in an attack.Each edge has an attack surface [11] w that represents thedifficulty in defending against that state transition. Forexample, a server that runs both Apache and Sendmail has alarger attack surface than one that runs only Apache becausedefending the first server is more difficult than the second.Formally, the attacker must pay the following cost to traversethe edges of an attack: costða; dÞ ¼

Pe2a dðeÞ=wðeÞ. Allocat-

ing defense budget to an edge does not “reduce” an edge’sattack surface. For example, consider defending a hallwaywith bricks. The wider the hallway (the larger the attack

surface), the more bricks (budget allocation) required tobuild a wall of a certain height (the cost to the attacker).

In this formulation, the function mapping the defender’sbudget allocation to attacker cost is linear, preventing thedefender from ever fully defending an edge. Our use of alinear function reflects a level of abstraction more appro-priate to a CISO who can never fully defend assets, which wejustify by observing that the rate of vulnerability discoveryin a particular piece of software is roughly constant [12],which means an attacker with sufficient resources can oftenovercome even the best defenses. At a lower level of detail,we might replace this function with a step function,indicating that the defender can “patch” a vulnerability byallocating a threshold amount of budget.

2.4 Objective

To evaluate defense strategies, we measure the attacker’sincentive for attacking using the return-on-attack [4], whichwe define as follows:

ROAða; dÞ ¼ payoffðaÞcostða; dÞ :

We use this metric for evaluating defense strategy becausewe believe that if the defender lowers the ROA sufficiently,the attacker will be discouraged from attacking the systemand will find other uses for his or her capital or industry.For example, the attacker might decide to attack anothersystem. Analogous results hold if we quantify the attacker’sincentives in terms of profit (e.g., with profitða; dÞ ¼payoffðaÞ � costða; dÞ), but we focus our discussion onROA for simplicity. Results for both ROA and additiveprofit are presented in Section 5.

A purely rational attacker will mount attacks thatmaximize ROA. However, a real attacker might notmaximize ROA. For example, the attacker might not havecomplete knowledge of the system or its defense. Westrengthen our results by considering all attacks, not justthose that maximize ROA.

2.5 Proactive Security

We evaluate our learning-based reactive approach bycomparing it against a proactive approach to risk manage-ment in which the defender carefully examines thesystem and constructs a defense in order to fend offfuture attacks. We strengthen this benchmark by provid-ing the proactive defender complete knowledge about thesystem, but we require that the defender commit to afixed strategy. To strengthen our results, we state ourmain result in terms of all such proactive defenders. Inparticular, this class of defenders includes the rationalproactive defender who employs a defense allocation thatminimizes the maximum ROA the attacker can extractfrom the system: argmindmaxaROAða; dÞ.

3 CASE STUDIES

In this section, we describe instances of our model to buildthe reader’s intuition. These examples illustrate that somefamiliar security concepts, including perimeter defense anddefense in depth, arise naturally as optimal defenses in ourmodel. These defenses can be constructed either by rational


proactive attackers or converged to by a learning-basedreactive defense.

3.1 Perimeter Defense

Consider a system in which the attacker’s reward is nonzeroat exactly one vertex, t. For example, in a medical system,the attacker’s reward for obtaining electronic medicalrecords might well dominate the value of other attacktargets such as employees’ vacation calendars. In such asystem, a rational attacker will select the minimum-costpath from the start vertex s to the valuable vertex t. Theoptimal defense limits the attacker’s ROA by maximizingthe cost of the minimum s-t path. The algorithm forconstructing this defense is straightforward [13]:

1. Let C be the minimum weight s-t cut in ðV ;E;wÞ.2. Select the following defense:

dðeÞ ¼BwðeÞ=Z; if e 2 C;0; otherwise;

�

where Z ¼Xe2C

wðeÞ:

Notice that this algorithm constructs a perimeter defense: thedefender allocates the entire defense budget to a single cut inthe graph. Essentially, the defender spreads the defensebudget over the attack surface of the cut. By choosing theminimum-weight cut, the defender is choosing to defend thesmallest attack surface that separates the start vertex from thetarget vertex. Real defenders use similar perimeter defenses,for example, when they install a firewall at the boundarybetween their organization and the Internet because thenetwork’s perimeter is much smaller than its interior.

3.2 Defense in Depth

Many experts in security practice recommend that defen-ders employ defense in depth. Defense in depth arisesnaturally in our model as an optimal defense for somesystems. Consider, for example, the system depicted inFig. 2. This attack graph is a simplified version of the datacenter network depicted in Fig. 1. Although the attackerreceives the largest reward for compromising the back-enddatabase server, the attacker also receives some reward forcompromising the front-end web server. Moreover, thefront-end web server has a larger attack surface than theback-end database server because the front-end serverexposes a more complex interface (an entire enterprise webapplication), whereas the database server exposes only asimple SQL interface. Allocating defense budget to the left-most edge represents trying to protect sensitive databaseinformation with a complex web application firewallinstead of database access control lists (i.e., possible, buteconomically inefficient).

The optimal defense against a rational attacker is toallocate half of the defense budget to the left-most edge andhalf of the budget to the right-most edge, limiting theattacker to a ROA of unity. Shifting the entire budget to theright-most edge (i.e., defending only the database) isdisastrous because the attacker will simply attack thefront-end at zero cost, achieving an unbounded ROA.Shifting the entire budget to the left-most edge is alsoproblematic because the attacker will attack the database(achieving an ROA of five).

4 REACTIVE SECURITY

To analyze reactive security, we model the attacker anddefender as playing an iterative game of alternating moves.First, the defender selects a defense, and then the attackerselects an attack. We present a learning-based reactivedefense strategy that is oblivious to vertex rewards and toedges that have not yet been used in attacks. We prove atheorem bounding the competitive ratio between thisreactive strategy and the best proactive defense via a seriesof reductions to results from the online learning theoryliterature. Other applications of this literature includemanaging stock portfolios [14], playing zero-sum games[15], and boosting other machine learning heuristics [16].Although we provide a few technical extensions, our maincontribution comes from applying results from onlinelearning to risk management.

4.1 Repeated Game

We formalize the repeated game between the defender andthe attacker as follows: In each round t from 1 to T :

1. The defender chooses defense allocation dtðeÞ overthe edges e 2 E.

2. The attacker chooses an attack path at in G.3. The path at and attack surfaces fwðeÞ : e 2 atg are

revealed to the defender.4. The attacker pays costðat; dtÞ and gains payoffðatÞ.

In each round, we let the attacker choose the attack pathafter the defender commits to the defense allocation becausethe defender’s budget allocation is not a secret (in the senseof a cryptographic key). Following the “no security throughobscurity” principle, we make the conservative assumptionthat the attacker can accurately determine the defender’sbudget allocation.

4.2 Defender Knowledge

Unlike proactive defenders, reactive defenders do notknow all of the vulnerabilities that exist in the system inadvance. For example, browser vendors would routinelysurvive the Pwn2Own competition and conferences suchas Black Hat Briefings would serve little purpose ifdefenders had complete knowledge of vulnerabilities.Instead, we reveal an edge (and its attack surface) to thedefender after the attacker uses the edge in an attack. Forexample, the defender might monitor the system and learnhow the attacker attacked the system by periodicallyanalyzing logs for intrusions. Formally, we define areactive defense strategy to be a function from attacksequences faig and the subsystem induced by the edges


Fig. 2. Attack graph representing a simplified data center network.

contained inSi ai to defense allocations such that dðeÞ ¼ 0

if edge e 62Si ai. Notice that this requires the defender’s

strategy to be oblivious to the system beyond the edgesused by the attacker.

4.3 Algorithm

Algorithm 1 is a reactive defense strategy based on themultiplicative update learning algorithm [15], [17]. Thealgorithm reinforces edges on the attack path multiplica-tively, taking the attack surface into account by allocatingmore budget to easier-to-defend edges. When new edgesare revealed, the algorithm reallocates budget uniformlyfrom the already-revealed edges to the newly revealededges. We state the algorithm in terms of a normalizeddefense allocation PtðeÞ ¼ dtðeÞ=B. Notice that this algo-rithm is oblivious to unattacked edges and the attacker’sreward for visiting each vertex. An appropriate setting forthe algorithm parameters �t 2 ½0; 1Þwill be described below.

Algorithm 1. A reactive defense strategy for hidden edges.

. Initialize E0 ¼ ;

. For each round t 2 f2; . . . ; Tg- Let Et�1 ¼ Et�2 [ Eðat�1Þ- For each e 2 Et�1, let

St�1ðeÞ ¼St�2ðeÞ þMðe; at�1Þ if e 2 Et�2

Mðe; at�1Þ otherwise:

�~PtðeÞ ¼ �St�1ðeÞ

t�1

PtðeÞ ¼~PtðeÞP

e02Et~Ptðe0Þ

;

where Mðe; aÞ ¼ �1½e 2 a�=wðeÞ is a matrix with

jEj rows and a column for each attack.

The algorithm begins without any knowledge of thegraph whatsoever, and so allocates no defense budget to thesystem. Upon the tth attack on the system, the algorithmupdates Et to be the set of edges revealed up to this point,and updates StðeÞ to be a weighted count of the number oftimes e has been used in an attack thus far. For each edgethat has ever been revealed, the defense allocation Ptþ1ðeÞ ischosen to be �

StðeÞt normalized to sum to unity over all edges

e 2 Et. In this way, any edge attacked in round t will haveits defense allocation reinforced.

The parameters �t control how aggressively thedefender reallocates defense budget to recently attackededges. If �t is infinitesimal, the defender will move theentire defense budget to the edge on the most recentattack path with the smallest attack surface. If �t � 1, thedefender will not be very agile and, instead, leave thedefense budget in the initial allocation. For appropriatevalues of �t, the algorithm will converge to the optimaldefense strategy. For instance, the min-cut in the examplefrom Section 3.1.

5 MAIN RESULTS

We now describe a series of reductions establishing the mainresults that bound the difference between attacker profitunder this reactive strategy and fixed proactive strate-gies—Theorem 3—and the ratio between the corresponding

attacker ROAs—Theorem 7. First, we bound profits in thesimpler setting where the defender knows the entire graphin Section 5.1. Second, in Section 5.2 we remove thehypothesis that the defender knows the edges in advance.Finally, in Section 5.3 we extend our results to ROA. Tocompare strategies, we use the notion of regret from onlinelearning theory.

5.1 Attacker Profit (Known Edges Case)

Suppose that the reactive defender is granted full knowl-edge of the system1 ðV ;E;w; reward; sÞ from the outset,prior to the first round. Algorithm 2 is a reactive defensestrategy that makes use of this additional knowledge.

Algorithm 2. Reactive defense strategy for known edges

using the multiplicative update algorithm.

. For each e 2 E, initialize P1ðeÞ ¼ 1=jEj.

. For each round t 2 f2; . . . ; Tg and e 2 E, let

PtðeÞ ¼ Pt�1ðeÞ � �Mðe;at�1Þ=Ztwhere Zt ¼

Xe02E

Pt�1ðeÞ�Mðe0;at�1Þ

Lemma 1. If defense allocations fdtgTt¼1 are output by Algorithm 2

with parameter � ¼ ð1þffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 log jEj=T

pÞ�1 on any system

ðV ;E;w; reward; sÞ and attack sequence fatgTt¼1, then

1

T

XTt¼1

profitðat; dtÞ �1

T

XTt¼1

profitðat; d?Þ

� Bffiffiffiffiffiffiffiffiffiffiffiffiffiffilog jEj

2T

rþB log jEj

T;

for all proactive defense strategies d? 2 DB;E .

The lemma’s proof is a reduction to the following regretbound from online learning [15, Corollary 4].

Theorem 2. If the multiplicative update algorithm (Algorithm 2)is run with any game matrix M with elements in ½0; 1�, andparameter � ¼ ð1þ

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 log jEj=T

pÞ�1, then

1

T

XTt¼1

MðPt; atÞ � minP?�0:Pe2E

P?ðeÞ¼1

1

T

XTt¼1

MðP?; atÞ( )

�ffiffiffiffiffiffiffiffiffiffiffiffiffiffilog jEj

2T

rþ log jEj

T:

In the original game-theoretic setting of Theorem 2,pure plays of the learner (adversary) correspond to rows(respectively columns) of a fixed game matrix, whichrecords the learner’s instantaneous loss. When either orboth of the learner and adversary play mixed strategiesaccording to some distribution(s) P and Q, then theexpected loss (or risk) corresponding to the matrix productPTMQ is written as MðP;QÞ for convenience. Similarly forcases when one player plays a mixed strategy and theother plays a pure strategy we write MðP; qÞ or Mðp;QÞ.

In our present setting we consider each edge as apossible pure play of the learner, and each attack path as a


1. The system consists of the weighted graph ðV ;E;wÞ, rewards and startvertex s.

pure play of the attacker. In this way, the learner’s mixedstrategies correspond to allocations of a unit budget oversubsets of edges within the graph.

Proof of Lemma 1. Due to the normalization by Zt, thesequence of defense allocations fPtgTt¼1 output by Algo-rithm 2 is invariant to adding a constant to all elements ofmatrix M. Let M 0 be the matrix obtained by addingconstant C to all entries of arbitrary game matrix M, andlet sequences fPtgTt¼1 and fP 0tg

Tt¼1 be obtained by running

multiplicative update with matrix M and M 0, respec-tively. Then, for all e 2 E and t 2 ½T � 1�,

P 0tþ1ðeÞ ¼P1ðeÞ�

Pt

i¼1M 0ðe;aiÞP

e02E P1ðe0Þ�Pt

i¼1M 0ðe0;aiÞ

¼ P1ðeÞ�Pt

i¼1Mðe;aiÞ

� �þtC

Pe02E P1ðe0Þ�

Pt

i¼1Mðe0;aiÞ

� �þtC

¼ P1ðeÞ�Pt

i¼1Mðe;aiÞP

e02E P1ðe0Þ�Pt

i¼1Mðe0;aiÞ

¼ Ptþ1ðeÞ:

In particular Algorithm 2 produces the same defenseallocation sequence as if the game matrix elements areincreased by one to

M 0ðe; aÞ ¼ 1� 1=wðeÞ if e 2 a1 otherwise:

�

Because this new matrix has entries in ½0; 1� we can applyTheorem 2 to prove that, for the original matrix M

1

T

XTt¼1

MðPt; atÞ � minP?2D1;E

1

T

XTt¼1

MðP?; atÞ( )


2T

rþ log jEj

T:

ð1Þ

Now, by definition of the original game matrix

MðPt; atÞ ¼Xe2E�ðPtðeÞ=wðeÞÞ � 1 e 2 at½ �

¼ �Xe2at

PtðeÞ=wðeÞ

¼ �B�1Xe2at

dtðeÞ=wðeÞ

¼ �B�1costðat; dtÞ:

Thus, Inequality (1) is equivalent to

� 1

T

XTt¼1

B�1costðat; dtÞ

� mind?2D1;E

� 1

T

XTt¼1

B�1costðat; d?Þ( )


2T

rþ log jEj

T:

Simple algebraic manipulation yields

1

T

XTt¼1

profitðat; dtÞ � mind?2DB;E

1

T

XTt¼1

profitðat; d?Þ( )

¼ 1

T

XTt¼1

payoffðatÞ � costðat; dtÞð Þ

� mind?2DB;E

1

T

XTt¼1

payoffðatÞ � costðat; d?Þð Þ( )

¼ 1

T

XTt¼1

�costðat; dtÞð Þ � mind?2DB;E

1

T

XTt¼1

�costðat; d?Þð Þ( )


2T

rþB log jEj

T;

establishing the result. tu

5.2 Attacker Profit (Hidden Edges Case)

The following is an additive regret bound relating theattacker’s profit under reactive and proactive defensestrategies, in the more restricted setting of a defenderobserving edges and weights only after they are firstexploited by the attacker.

Theorem 3. The average attacker profit against Algorithm 1converges to the average attacker profit against the bestproactive defense. Formally, if defense allocations fdtgTt¼1 areoutput by Algorithm 1 with parameter sequence �t ¼ð1þ

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 log jEtj=ðtþ 1Þ

pÞ�1 on any system ðV ;E;w;

reward; sÞ revealed online and any attack sequencefatgTt¼1, then

1

T

XTt¼1

profitðat; dtÞ �1

T

XTt¼1

profitðat; d?Þ


2T

rþBðlog jEj þ w�1Þ

T;

for all proactive defense strategies d? 2 DB;E where w�1 ¼jEj�1P

e2E wðeÞ�1, the mean of the surface reciprocals.

Remark 4. We can interpret Theorem 3 as establishingsufficient conditions under which a reactive defensestrategy is within an additive constant of the bestproactive defense strategy. Instead of carefully analyzingthe system to construct the best proactive defense, thedefender need only react to attacks in a principledmanner to achieve almost the same quality of defense interms of attacker profit.

We now detail the proof of this first main theorem. Thestandard algorithms in online learning assume that therows of the game matrix are known in advance. Here, theedges are not known in advance and so we must relax thisassumption using a simulation argument, which is perhapsthe least obvious part of the reduction. The defenseallocation chosen by Algorithm 1 at time t is precisely thesame as the defense allocation that would have been chosenby Algorithm 2 had the defender run Algorithm 2 on thecurrently visible subgraph. The following lemma formalizesthis equivalence. Note that Algorithm 1’s parameter isreactive: it corresponds to Algorithm 2’s parameter, but forthe subgraph induced by the edges revealed so far. That is,�t depends only on edges visible to the defender in round t,letting the defender actually run the algorithm.


Lemma 5. Consider arbitrary round t 2 ½T �. If Algorithms 1 and2 are run with parameters �k ¼ ð1þ

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 log jEkj=ðkþ 1Þ

pÞ�1

for k 2 ½t� and parameter � ¼ ð1þffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 log jEtj=ðtþ 1Þ

pÞ�1,

respectively, with the latter run on the subgraph induced byEt, then the defense allocations Ptþ1ðeÞ output by thealgorithms are identical for all e 2 Et.

Proof. If e 2 Et then ~Ptþ1ðeÞ ¼ �Pt

i¼1Mðe;aiÞ because �t ¼ �,

and the round tþ 1 defense allocation of Algorithm 1Ptþ1 is simply ~Ptþ1 normalized to sum to unity over edgeset Et, which is exactly the defense allocation output byAlgorithm 2. tu

Armed with this correspondence, we show that Algo-rithm 1 is almost as effective as Algorithm 2. In other words,hiding unattacked edges from the defender does not causemuch harm to the reactive defender’s ability to disincenti-vize the attacker.

Lemma 6. If defense allocations fd1;tgTt¼1 and fd2;tgTt¼1 areoutput by Algorithms 1 and 2 with parameters �t ¼ð1þ


pÞ�1 for t 2 ½T � 1� and � ¼ ð1 þffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi

2 log jEj=ðT Þp

Þ�1, respectively, on a system ðV ;E;w;reward; sÞ and attack sequence fatgTt¼1, then

1

T

XTt¼1

profitðat; d1;tÞ �1

T

XTt¼1

profitðat; d2;tÞ �B

Tw�1:

Proof. Consider attack at from a round t 2 ½T � and consideran edge e 2 at. If e 2 ak for some k < t, then the defensebudget allocated to e at time t by Algorithm 2 cannot begreater than the budget allocated by Algorithm 1. Thus,the instantaneous cost paid by the attacker on e whenAlgorithm 1 defends is at least the cost paid whenAlgorithm 2 defends: d1;tðeÞ=wðeÞ � d2;tðeÞ=wðeÞ. If e 62St�1k¼1 ak then for all k 2 ½t�, d1;kðeÞ ¼ 0, by definition. The

sequence fd2;kðeÞgt�1k¼1 is decreasing and positive. Thus

maxk<tðd2;kðeÞ � d1;kðeÞÞ is optimized at k ¼ 1 and isequal to B=jEj. Finally since each edge e 2 E is firstrevealed exactly once this leads to

XTt¼1

costðat; d2;tÞ �XTt¼1

costðat; d1;tÞ

¼XTt¼1

Xe2at

d2;tðeÞ � d1;tðeÞwðeÞ

�Xe2E

B

jEjwðeÞ :

Combined with the fact that the attacker receives thesame payout whether Algorithm 2 or Algorithm 1defends completes the result. tu

Proof of Theorem 3. The result follows immediately fromLemma 1 and Lemma 6. tu

Finally, notice that Algorithm 1 enjoys the same time andspace complexities as Algorithm 2, up to constants.

5.3 Attacker ROA (Hidden Edges Case)

Reactive defense strategies can also be competitive withproactive defense strategies when we consider an attacker

motivated by return on attack. The ROA formulation isappealing because (unlike with profit) the objective functiondoes not require measuring attacker cost and defenderbudget in the same units. Our second main result considersthe competitive ratio between the ROA for a reactive defensestrategy and the ROA for the best proactive defense strategy.

Theorem 7. The ROA against Algorithm 1 converges to the

ROA against best proactive defense. Formally, consider the

cumulative ROA

ROA�fatgTt¼1; fdtg

Tt¼1

�¼PT

t¼1 payoffðatÞPTt¼1 costðat; dtÞ

:

(We abuse notation slightly and use singleton arguments to

represent the corresponding constant sequence.) If defense

allocations fdtgTt¼1 are output by Algorithm 1 withparameters �t ¼ ð1þ


pÞ�1 on any system

ðV ;E;w; reward; sÞ revealed online, such that jEj > 1, and

any attack sequence fatgTt¼1, then for all � > 0 andproactive defense strategies d? 2 DB;E


Tt¼1

�ROA

�fatgTt¼1; d

?� � 1þ �;

provided T is sufficiently large.2

Remark 8. Notice that the reactive defender can use the same

algorithm regardless of whether the attacker is motivatedby profit or by ROA. As discussed in Section 7.2, theoptimal proactive defense is not similarly robust.

We now translate our bounds on profit into bounds onROA by observing that the ratio of two quantities is small ifthe quantities are large and their difference is small. Weconsider the competitive ratio between a reactive defensestrategy and the best proactive defense strategy after thefollowing technical lemma, which asserts that the quantitiesare large.

Lemma 9. For all attack sequences fatgTt¼1, maxd?2DB;EPTt¼1 costðat; d?Þ � V T where game value V is

maxd2DB;E

mina

costða; dÞ ¼ BPe2incðsÞ wðeÞ

> 0;

where incðvÞ � E denotes the edges incident to vertex v.

Proof. Let d? ¼ argmaxd2DB;Eminacostða; dÞ witness thegame’s value V , then maxd2DB;E

PTt¼1 costðat; dÞ �PT

t¼1 costðat; d?Þ � TV . Consider the defensive alloca-tion for each e 2 E. If e 2 incðsÞ, let ~dðeÞ ¼ BwðeÞ=P

e2incðsÞ wðeÞ > 0, and otherwise ~dðeÞ ¼ 0. This alloca-tion is feasible because

Xe2E

~dðeÞ ¼BP

e2incðsÞ wðeÞPe2incðsÞ wðeÞ

¼ B:

By definition ~dðeÞ=wðeÞ ¼ B=P

e2incðsÞ wðeÞ for each edge e

incident to s. Therefore, costða; ~dÞ � B=P

e2incðsÞ wðeÞ for

any nontrivial attack a, which necessarily includes at least

one s-incident edge. Finally, V � minacostða; ~dÞ proves


2. To wit: T � ð 13ffiffi2p ð1þ ��1Þð

Pe2incðsÞ wðeÞÞÞ

2 log jEj.

V � BPe2incðsÞ wðeÞ

:

Now, consider a defense allocation d and fix an attack athat minimizes the total attacker cost under d. At mostone edge e 2 a can have dðeÞ > 0, for otherwise the costunder d can be reduced by removing an edge from a.Moreover any attack a 2 argmine2incðsÞdðeÞ=wðeÞ mini-mizes attacker cost under d. Thus, the maximin V iswitnessed by defense allocations that maximizemine2incðsÞdðeÞ=wðeÞ. This maximization is achieved byallocation ~d and so Inequality (2) is an equality. tuWe are now ready to prove the main ROA theorem:

Proof of Theorem 7. First, observe that for all B > 0 and allA;C 2 IR

A

B� C () A�B � ðC � 1ÞB: ð3Þ

We will use this equivalence to convert the regret boundon profit to the desired bound on ROA. TogetherTheorem 3 and Lemma 9 imply

�XTt¼1

costðat; dtÞ

� � maxd?2DB;E

XTt¼1

costðat; d?Þ

� �B2

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiT log jEj

p� �Bðlog jEj þ w�1Þ

ð4Þ

� �V T � �B2


p� �Bðlog jEj þ w�1Þ; ð5Þ

where V ¼ maxd2DB;Eminacostða; dÞ > 0. If

ffiffiffiffiTp� 13ffiffiffi

2p 1þ ��1� � ffiffiffiffiffiffiffiffiffiffiffiffiffiffi

log jEjp X

e2incðsÞwðeÞ;

we can use inequalities V ¼ B=P

e2incðsÞ wðeÞ, w�1 �2 log jEj (since jEj > 1), and ð

Pe2incðsÞ wðeÞÞ

�1 � 1 to show

ffiffiffiffiTp� ð1þ �ÞBþ

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffið1þ �ÞBþ 24�V½ �ð1þ �ÞB

p2ffiffiffi2p

�V

ffiffiffiffiffiffiffiffiffiffiffiffiffiffilog jEj

p;

which combines with Theorem 3 and Inequality (5) toimply

�XTt¼1

costðat; dtÞ

� �V T � �B2


p� �Bðlog jEj þ w�1Þ

� B2


pþBðlog jEj þ w�1Þ

�XTt¼1

profitðat; dtÞ � mind?2DB;E

XTt¼1

profitðat; d?Þ

¼XTt¼1

�costðat; dtÞð Þ � mind?2DB;E

XTt¼1

�costðat; d?Þð Þ

¼ maxd?2DB;E

XTt¼1

costðat; d?Þ �XTt¼1

costðat; dtÞ:

Finally, combining this equation with Equivalence (3)yields


Tt¼1

�mind?2DB;EROA

�fatgTt¼1; d

?�

¼PT

t¼1 payoffðat; dtÞPTt¼1 costðat; dtÞ

� maxd?2DB;E

PTt¼1 costðat; d?ÞPT

t¼1 payoffðat; d?Þ

¼maxd?2DB;E

PTt¼1 costðat; d?ÞPT

t¼1 costðat; dtÞ� 1þ �;

proving the main result. tu

6 LOWER BOUNDS

In this section we use a two-vertex, two-edge graph toestablish a lower bound on the competitive ratio of theattacker ROA for all reactive strategies. The lower boundshows that the analysis of Algorithm 1 is tight and thatAlgorithm 1 is optimal given the information available tothe defender. The proof gives an example where the bestproactive defense (slightly) out-performs every reactivestrategy, suggesting the benchmark is not unreasonablyweak.

To construct the lower bound, we first show in thefollowing lemma that Algorithm 1 has optimal convergencetime for small enough �, up to constants. (For very large �,Algorithm 1 converges in constant time, and therefore isoptimal up to constants, vacuously.) The argument con-siders an attacker who randomly selects an attack path,rendering knowledge of past attacks useless, in the two-vertex graph of Fig. 3: let start vertex s be connected to avertex r (with reward one) by two parallel edges e1 and e2,each with an attack surface of one. Further suppose that thedefense budget B ¼ 1.

Lemma 10. For all reactive algorithms A, the competitive ratio Cis at least ðxþ �ð

ffiffiffiffiTpÞÞ=x, i.e., at least ðT þ �ð

ffiffiffiffiTpÞÞ=T

because x � T .

Proof. Consider the following random attack sequence: Foreach round, select an attack path uniform IID from theset fe1; e2g. A reactive strategy must commit to a defensein every round without knowledge of the attack, andtherefore every strategy that expends the entire budget ofone inflicts an expected cost of 1=2 in every round. Thus,every reactive strategy inflicts a total expected cost of (atmost) T=2, where the expectation is over the coin-tossesof the random attack process.

Given an attack sequence, however, there exists aproactive defense allocation with better performance. Wecan think of the proactive defender being prescient as towhich edge (e1 or e2) will be attacked most frequentlyand allocating the entire defense budget to that edge. It is


Fig. 3. The two node attack graph used to establish a lower bound forROA in Section 6.

well known (for instance via an analysis of a one-dimensional random walk) that in such a randomprocess, one of the edges will occur �ð

ffiffiffiffiTpÞ more often

than the other, in expectation.By the probabilistic method, a property that is true in

expectation must hold existentially, and, therefore, forevery reactive strategy A, there exists an attack sequencesuch that A has a cost x, whereas the best proactivestrategy (in retrospect) has a cost xþ �ð

ffiffiffiffiTpÞ. Because the

payoff of each attack is 1, the total reward in either case isT . The prescient proactive defender, therefore, has anROA of T=ðxþ �ð

ffiffiffiffiTpÞÞ, but the reactive algorithm has

an ROA of T=x, establishing the lemma. tu

Given this lemma, we show that Algorithm 1 is optimalgiven the information available. In this case, n ¼ 2 and,ignoring constants from Theorem 7, we are trying to matcha convergence time T is at most ð1þ ��1Þ2, which isapproximately ��2 for small �. For large enough T , thereexists a constant c such that C � ðT þ c

ffiffiffiffiTpÞ=T . By easy

algebra, ðT þ cffiffiffiffiTpÞ=T � 1þ � whenever T � c2=�2, con-

cluding the argument.We can generalize the above argument of optimality to

n > 2 using the combinatorial Lemma 3.2.1 from [18].Specifically, we can show that for every n, there is ann edge graph for which Algorithm 1 is optimal up toconstants for small enough �.

7 ADVANTAGES OF REACTIVITY

In this section, we examine some situations in which areactive defender outperforms a proactive defender. Proac-tive defenses hinge on the defender’s model of theattacker’s incentives. If the defender’s model is inaccurate,the defender will construct a proactive defense that is farfrom optimal. By contrast, a reactive defender need notreason about the attacker’s incentives directly. Instead, thereactive defender learns these incentives by observing theattacker in action.

7.1 Learning Rewards

One way to model inaccuracies in the defender’s estimatesof the attacker’s incentives is to hide the attacker’s rewardsfrom the defender. Without knowledge of the payoffs, aproactive defender has difficulty limiting the attacker’sROA. Consider, for example, the star system whose edgeshave equal attack surfaces, as depicted in Fig. 4. Withoutknowledge of the attacker’s rewards, a proactive defenderhas little choice but to allocate the defense budget equallyto each edge (because the edges are indistinguishable).However, if the attacker’s reward is concentrated at asingle vertex, the competitive ratio for attacker’s ROA(compared to the rational proactive defense) is the numberof leaf vertices. (We can, of course, make the ratio worseby adding more vertices.) By contrast, the reactivealgorithm we analyze in Section 4 is competitive withthe rational proactive defense because the reactive algo-rithm effectively learns the rewards by observing whichattacks the attacker chooses.

7.2 Robustness to Objective

Another way to model inaccuracies in the defender’sestimates of the attacker’s incentives is to assume thedefender mistakes which of profit and ROA actually matterto the attacker. The defense constructed by a rationalproactive defender depends crucially on whether theattacker’s actual incentives are based on profit or basedon ROA; whereas, the reactive algorithm we analyze inSection 4 is robust to this variation. In particular, considerthe system depicted in Fig. 5, and assume the defender hasa budget of nine. If the defender believes the attacker ismotivated by profit, the rational proactive defense is toallocate the entire defense budget to the right-most edge(making the profit 1 on both edges). However, this defenseis disastrous when viewed in terms of ROA because theROA for the left edge is infinite (as opposed to near unitywhen the proactive defender optimizes for ROA).

7.3 Catachresis

The defense constructed by the rational proactive defenderis optimized for a rational attacker. If the attacker is notperfectly rational, there is room for outperforming therational proactive defense. There are a number of situationsin which the attacker might not mount “optimal” attacks:

. The attacker might not have complete knowledge ofthe attack graph. Consider, for example, a softwarevendor who discovers five equally severe vulner-abilities in one of their products via fuzzing.According to proactive security, the defender oughtto dedicate equal resources to repairing these fivevulnerabilities. However, a reactive defender mightdedicate more resources to fixing a vulnerability


Fig. 4. Star-shaped attack graph with rewards concentrated in anunknown vertex.

Fig. 5. An attack graph that separates the minimax strategies optimizingROA and attacker profit.

actually exploited by attackers in the wild. We canmodel these situations by making the attackeroblivious to some edges.

. The attacker might not have complete knowledge ofthe defense allocation. For example, an attackerattempting to invade a corporate network mighttarget computers in human resources withoutrealizing that attacking the customer relationshipmanagement database in sales has a higher return-on-attack because the database is lightly defended.

By observing attacks, the reactive strategy learns a defensetuned for the actual attacker, causing the attacker to receivea lower ROA.

8 GENERALIZATIONS

In this section, we consider several extensions to our basicmodel for which results analogous to Theorems 3 and 7 canbe shown.

8.1 Horn Clauses

Thus far, we have presented our results using a graph-based system model. Our results extend, however, to amore general system model based on Horn clauses. Datalogprograms, which are based on Horn clauses, have beenused in previous work to represent vulnerability-levelattack graphs [19]. A Horn clause is a statement inpropositional logic of the form p1 ^ p2 ^ � � � ^ pn ! q. Thepropositions p1; p2; . . . ; pn are called the antecedents, and q iscalled the consequent. The set of antecedents might beempty, in which case the clause simply asserts theconsequent. Notice that Horn clauses are negation free. Insome sense, a Horn clause represents an edge in ahypergraph where multiple preconditions are requiredbefore taking a certain state transition.

In the Horn model, a system consists of a set of Hornclauses, an attack surface for each clause, and a reward foreach proposition. The defender allocates defense budgetamong the Horn clauses. To mount an attack, the attackerselects a valid proof: an ordered list of rules such that eachantecedent appears as a consequent of a rule earlier in thelist. For a given proof �,

costð�; dÞ ¼Xc2�

dðcÞ=wðeÞ payoffð�Þ ¼Xp2½½��

rewardðpÞ;

where ½½�� is the set of propositions proved by � (i.e., thosepropositions that appear as consequents in �). Profit andROA are computed as before.

Our results generalize to this model directly. Essentially,we need only replace each instance of the word “edge” with“Horn clause” and “path” with “valid proof.” For example,the rows of the matrix M used throughout the proof becomethe Horn clauses, and the columns become the valid proofs(which are numerous, but no matter). The entries of thematrix become Mðc;�Þ ¼ 1=wðcÞ, analogous to the graphcase. The one nonobvious substitution is incðsÞ, whichbecomes the set of clauses that lack antecedents.

8.2 Multiple Attackers

We have focused on a security game between a singleattacker and a defender. In practice, a security system might

be attacked by several uncoordinated attackers, each withdifferent information and different objectives. Fortunately,we can show that a model with multiple attackers ismathematically equivalent to a model with a single attackerwith a randomized strategy: Use the set of attacks, one perattacker, to define a distribution over edges where theprobability of an edge is linearly proportional to thenumber of attacks which use the edge. This precludes theinterpretation of an attack as an s-rooted path, but ourproofs do not rely upon this interpretation and our resultshold in such a model with appropriate modifications.

8.3 Adaptive Proactive Defenders

A simple application of an online learning result [20]modifies our regret bounds for a proactive defender whoreallocates budget a fixed number of times. In this model,our results remain qualitatively the same.

9 RELATED WORK

Anderson [21] and Varian [22] informally discuss (viaanecdotes) how the design of information security musttake incentives into account. August and Tunca [23]compare various ways to incentivize users to patch theirsystems in a setting where the users are more susceptible toattacks if their neighbors do not patch.

Gordon and Loeb [24] and Hausken [25] analyze thecosts and benefits of security in an economic model (withnonstrategic attackers) where the probability of a successfulexploit is a function of the defense investment. They use thismodel to compute the optimal level of investment. Varian[26] studies various (single-shot) security games andidentifies how much agents invest in security at equili-brium. Grossklags et al. [27] extend this model by lettingagents self-insure.

Miura-Ko et al. [28] study externalities that appear due tousers having the same password across various websitesand discuss pareto-improving security investments. Miura-Ko and Bambos [29] rank vulnerabilities according to arandom-attacker model. Skybox and RedSeal offer practicalsystems that help enterprises prioritize vulnerabilitiesbased on a random-attacker model. Kumar et al. [30]investigate optimal security architectures for a multidivi-sion enterprise, taking into account losses due to lack ofavailability and confidentiality. None of the above papersexplicitly model a truly adversarial attacker.

Fultz and Grossklags [31] generalize [27] by modelingattackers explicitly. Cavusoglu et al. [32] highlight theimportance of using a game-theoretic model over a decisiontheoretic model due to the presence of adversarial attack-ers. However, these models look at idealized settings thatare not generically applicable. Lye and Wing [33] study theNash equilibrium of a single-shot game between anattacker and a defender that models a particular enterprisesecurity scenario. Arguably this model is most similar toours in terms of abstraction level. However, calculating theNash equilibrium requires detailed knowledge of theadversary’s incentives, which as discussed in the introduc-tion, might not be readily available to the defender.Moreover, their game contains multiple equilibria, weak-ening their prescriptions.


10 CONCLUSIONS

Many security experts equate reactive security with myopicbug-chasing and ignore principled reactive strategies whenthey recommend adopting a proactive approach to riskmanagement. In this paper, we establish sufficient condi-tions for a learning-based reactive strategy to be competi-tive with the best fixed proactive defense. Additionally, weshow that reactive defenders can outperform proactivedefenders when the proactive defender defends againstattacks that never actually occur. Although our model is anabstraction of the complex interplay between attackers anddefenders, our results support the following practicaladvice for CISOs making security investments:

. Employ monitoring tools that let you detect andanalyze attacks against your enterprise. These toolshelp focus your efforts on thwarting real attacks.

. Make your security organization more agile. Forexample, build a rigorous testing lab that lets youroll out security patches quickly once you detect thatattackers are exploiting these vulnerabilities.

. When determining how to expend your securitybudget, avoid overreacting to the most recent attack.Instead, consider all previous attacks, but discountthe importance of past attacks exponentially.

In some situations, proactive security can outperformreactive security. For example, reactive approaches are illsuited for defending against catastrophic attacks becausethere is no “next round” in which the defender can useinformation learned from the attack. We hope our resultswill lead to a productive discussion of the limitations of ourmodel and the validity of our conclusions.

Instead of assuming that proactive security is alwayssuperior to reactive security, we invite the reader toconsider when a reactive approach, or a blend of reactiveand proactive elements, might be appropriate. For the partsof an enterprise where the defender’s budget is liquid andthere are no catastrophic losses, employing reactive ele-ments is likely to improve security.

ACKNOWLEDGMENTS

The authors would like to thank Elie Bursztein, Eu-Jin Goh,and Matt Finifter for their thoughtful comments andhelpful feedback. We gratefully acknowledge the supportof the US National Science Foundations (NSF) through theTRUST Science and Technology Center and grants DMS-0707060, CCF-0424422, 0311808, 0448452, and 0627511, andthe support of the AFOSR through the MURI Program, andthe support of the Siebel Scholars Foundation.

REFERENCES

[1] J.P. Pironti, “Key Elements of an Information Security Program,”Information Systems Control J., vol. 1, 2005.

[2] K. Kark, J. Penn, and A. Dill, “2008 CISO Priorities: The RightObjectives but the Wrong Focus,” Le Magazine de la SecuriteInformatique, Apr. 2009.

[3] C. Beard, “Introducing Test Pilot,” http://labs.mozilla.com/2008/03/introducing-test-pilot/, Mar. 2008.

[4] M. Cremonini, “Evaluating Information Security Investmentsfrom Attackers Perspective: The Return-On-Attack (ROA),” Proc.Fourth Workshop the Economics of Information Security, 2005.

[5] A. Barth, B.I.P. Rubinstein, M. Sundararajan, J.C. Mitchell, D.Song, and P.L. Bartlett, “A Learning-Based Approach to ReactiveSecurity,” Proc. 14th Int’l Conf. Financial Cryptography and DataSecurity (FC ’10), pp 192-206, 2010.

[6] D. Fisher, “Multi-Process Architecture,” http://dev.chromium.org/developers/design-documents/multi-process-architecture,July 2008.

[7] J. Friedberg, “Internet Fraud Battlefield,” http://www.ftc.gov/bcp/workshops/proofpositive/Battlefield_Overview.pdf, Apr.2007.

[8] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G.M. Voelker, V.Paxson, and S. Savage, “Spamalytics: An Empirical Analysis ofSpam Marketing Conversion,” Proc. ACM Conf. Computer andComm. Security, pp. 3-14, 2008.

[9] B. Warner, “Home PCs Rented Out in Sabotage-for-Hire Racket,”Reuters, July 2004.

[10] J. Franklin, V. Paxson, A. Perrig, and S. Savage, “An Inquiry intothe Nature and Causes of the Wealth of Internet Miscreants,” Proc.ACM Conf. Computer and Comm. Security, pp. 375-388, 2007.

[11] M. Howard, “Attack Surface: Mitigate Security Risks by Mini-mizing the Code You Expose to Untrusted Users,” MSDNMagazine, http://msdn.microsoft.com/en-us/magazine/cc163882.aspx, Nov. 2004.

[12] E. Rescorla, “Is Finding Security Holes a Good Idea?,” IEEESecurity and Privacy, vol. 3, no. 1, pp. 14-19, Jan./Feb. 2005.

[13] D. Chakrabarty, A. Mehta, and V.V. Vazirani, “Design is As EasyAs Optimization,” Proc. 33rd Int’l Colloquium Automata, Languagesand Programming (ICALP), pp. 477-488, 2006.

[14] E. Ordentlich and T.M. Cover, “The Cost of Achieving the BestPortfolio in Hindsight,” Math. of Operations Research, vol. 23, no. 4,pp. 960-982, 1998.

[15] Y. Freund and R.E. Schapire, “Adaptive Game Playing UsingMultiplicative Weights,” Games and Economic Behavior, vol. 29,pp. 79-103, 1999.

[16] Y. Freund and R. Schapire, “A Short Introduction to Boosting,” J.Japanese Soc. for Artificial Intelligence, vol. 14, no. 5, pp. 771-780,1999.

[17] N. Cesa-Bianchi, Y. Freund, D. Haussler, D.P. Helmbold, R.E.Schapire, and M.K. Warmuth, “How to Use Expert Advice,”J. Assoc. for Computing Machinery, vol. 44, no. 3, pp. 427-485, May1997.

[18] N. Cesa-Bianchi, Y. Freund, D.P. Helmbold, D. Haussler, R.E.Schapire, and M.K. Warmuth, “How to Use Expert Advice,” Proc.25th Ann. ACM Symp. Theory of Computing, pp. 382-391, 1993.

[19] X. Ou, W.F. Boyer, and M.A. McQueen, “A Scalable Approach toAttack Graph Generation,” Proc. 13th ACM Conf. Computer andComm. Security, pp. 336-345, 2006.

[20] M. Herbster and M.K. Warmuth, “Tracking the Best Expert,”Machine Learning, vol. 32, no. 2, pp. 151-178, 1998.

[21] R. Anderson, “Why Information Security Is Hard—An EconomicPerspective,” Proc. 17th Ann. Computer Security Applications Conf.,pp. 358-365, 2001.

[22] H.R. Varian, “Managing Online Security Risks,” New York Times,June 1 2000.

[23] T. August and T.I. Tunca, “Network Software Security and UserIncentives,” Management Science, vol. 52, no. 11, pp. 1703-1720,2006.

[24] L.A. Gordon and M.P. Loeb, “The Economics of InformationSecurity Investment,” ACM Trans. Information and System Security,vol. 5, no. 4, pp. 438-457, 2002.

[25] K. Hausken, “Returns to Information Security Investment: TheEffect of Alternative Information Security Breach Functions onOptimal Investment and Sensitivity to Vulnerability,” InformationSystems Frontiers, vol. 8, no. 5, pp. 338-349, 2006.

[26] H. Varian, “System Reliability and Free Riding,” Economics ofInformation Security, vol. 12, pp. 1-16, 2001.

[27] J. Grossklags, N. Christin, and J. Chuang, “Secure or Insure?: AGame-Theoretic Analysis of Information Security Games,” Proc.17th Int’l Conf. World Wide Web, pp. 209-218, 2008.

[28] R.A. Miura-Ko, B. Yolken, J. Mitchell, and N. Bambos, “SecurityDecision-Making among Interdependent Organizations,” Proc.21st IEEE Computer Security Foundations Symp., pp. 66-80, 2008.

[29] R. Miura-Ko and N. Bambos, “SecureRank: A Risk-BasedVulnerability Management Scheme for Computing Infrastruc-tures,” Proc. IEEE Int’l Conf. Comm., pp. 1455-1460, June 2007.


[30] V. Kumar, R. Telang, and T. Mukhopadhyay, “Optimal Informa-tion Security Architecture for the Enterprise,” http://ssrn.com/abstract=1086690, 2011.

[31] N. Fultz and J. Grossklags, “Blue Versus Red: Towards a Model ofDistributed Security Attacks,” Proc. 13th Int’l Conf. FinancialCryptography and Data Security, 2009.

[32] H. Cavusoglu, S. Raghunathan, and W. Yue, “Decision-Theoreticand Game-Theoretic Approaches to IT Security Investment,” J.Management Information Systems, vol. 25, no. 2, pp. 281-304, 2008.

[33] K.-w. Lye and J.M. Wing, “Game Strategies in Network Security,”Proc. Foundations of Computer Security Workshop, pp. 13-22, 2002.

Adam Barth received the PhD degree incomputer science from Stanford University. Heis a software engineer at Google, Inc. Prior tojoining Google, he was a postdoctoral fellow atUC Berkeley. His research focuses on websecurity, privacy, and risk management.

Benjamin I.P. Rubinstein Prior to joining MSRin 2010, he received the PhD degree at UCBerkeley under Peter Bartlett. He is a researcherin the Interaction & Intent Group at MicrosoftResearch Silicon Valley. His dissertation re-search focused on machine learning in adver-sarial environments, and applications of learningin computer security. During this time he wasawarded the Yahoo! Key Scientific ChallengesAward in Adversarial Machine Learning, Best

Poster Award at RAID08, and a Siebel Scholars fellowship. His currentinterests extend to applications of machine learning in privacy &security, search, measurement, social network analysis, and basicresearch questions in learning & statistics.

Mukund Sundararajan received the PhD de-gree in computer science from Stanford Uni-versity. He is a research scientist at Google, Inc.His research interests include foundations ofmarket design, market analysis, electronic com-merce and privacy.

John C. Mitchell is the Mary and Gordon CraryFamily professor in the Stanford ComputerScience Department. His research in computersecurity focuses on trust management, privacy,security analysis of network protocols, and websecurity. He has also worked on programminglanguage analysis and design, formal methods,and other applications of mathematical logic tocomputer science. He is currently involved in themultiuniversity PORTIA research project to study

privacy concerns in databases and information processing systems, andthe US National Science Foundations (NSF) TRUST Center.

Dawn Song is an associate professor ofcomputer science at UC Berkeley. Prior tojoining UC Berkeley, she was an assistantprofessor at Carnegie Mellon University from2002 to 2007. Her research interest lies insecurity and privacy issues in computer systemsand networks, including areas ranging fromsoftware security, networking security, databasesecurity, distributed systems security, to appliedcryptography. She is the recipient of various

awards including the MacArthur Fellowship, the Guggenheim Fellow-ship, the US National Science Foundation (NSF) CAREER Award, theAlfred P. Sloan Research Fellowship, the MIT Technology ReviewTR-35 Award, the IBM Faculty Award, the George Tallman LaddResearch Award, the Okawa Foundation Research Award, and the Li KaShing Foundation Women in Science Distinguished Lecture SeriesAward. She is also the author of multiple award papers in top securityconferences, including the best paper award at the USENIX SecuritySymposium and the highest ranked paper at the IEEE Symposium onSecurity and Privacy. She is a member of the IEEE.

Peter L. Bartlett is a professor in the Division ofComputer Science and Department of Statisticsat the University of California at Berkeley. He isthe coauthor, with Martin Anthony, of the bookLearning in Neural Networks: Theoretical Foun-dations, has edited three other books, and hascoauthored many papers in the areas ofmachine learning and statistical learning theory.He has served as an associate editor of thejournals Machine Learning, Mathematics of

Control Signals and Systems, the Journal of Machine LearningResearch, the Journal of Artificial Intelligence Research, and the IEEETransactions on Information Theory, as a member of the editorial boardsof Machine Learning, the Journal of Artificial Intelligence Research, andFoundations and Trends in Machine Learning, and as a member of thesteering committees of the Conference on Computational LearningTheory and the Algorithmic Learning Theory Workshop. He hasconsulted to a number of organizations, including General Electric,Telstra, and SAC Capital Advisors. In 2001, he was awarded theMalcolm McIntosh Prize for Physical Scientist of the Year in Australia,for his work in statistical learning theory. He was a Miller Institute visitingresearch professor in statistics and computer science at UC Berkeley inFall 2001, and a fellow, senior fellow, and professor in the ResearchSchool of Information Sciences and Engineering at the AustralianNational University’s Institute for Advanced Studies (1993-2003), and anhonorary professor in the School of Information Technology andElectrical Engineering at the University of Queensland. His researchinterests include machine learning, statistical learning theory, andadaptive control. He is a member of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

482 IEEE TRANSACTIONS ON DEPENDABLE AND …dawnsong/papers/2012 A Learning... · A Learning-Based Approach to Reactive Security ... 482 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE