Defending against the Unknown Enemy: Applying FlipIt to System Security
Most cryptographic systems carry the basic assumption that entities are able to preserve the secrecy of their keys. With attacks today showing ever increasing sophistication, however, this tenet is eroding. “Advanced Persistent Threats” (APTs), for instance, leverage zero-day exploits and extensive system knowledge to achieve full compromise of cryptographic keys and other secrets. Such compromise is often silent, with defenders failing to detect the loss of private keys critical to protection of their systems. The growing virulence of today’s threats clearly calls for new models of defenders’ goals and abilities.
In this paper, we explore applications of FlipIt, a novel game-theoretic model of system defense introduced in . In FlipIt, an attacker periodically gains complete control of a system, with the unique feature that system compromises are stealthy, i.e., not immediately detected by the system owner, called the defender. We distill out several lessons from our study of FlipIt and demonstrate their application to several real-world problems, including password reset policies, key rotation, VM refresh and cloud auditing.
Keywords: Cloud Provider, Cloud Service Provider, Move Cost, Security Game, Advance Persistent Threat
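To make the key-rotation application in the abstract concrete, here is an added simulation that is not taken from the paper. It assumes both players move periodically on a whole-day grid, that a move silently hands control to the mover (a tie goes to the defender), and that the defender's benefit is its fraction of time in control minus its move cost per day; all function and parameter names are hypothetical.

```python
# Added illustration of the stealthy-takeover game; the rules here are assumptions.
# Time is in whole days; move_cost is expressed in days of control per move.

def attacker_fraction(d_period, a_period, a_phase, horizon):
    """Share of [0, horizon) in which the attacker holds the resource."""
    events = [(t, 1) for t in range(0, horizon, d_period)]         # defender resets
    events += [(t, 0) for t in range(a_phase, horizon, a_period)]  # silent compromises
    events.sort()  # on a tie the attacker is applied first, so the reset wins
    owner, last, held = 1, 0, 0  # defender owns the resource at t = 0
    for t, who in events:
        if owner == 0:
            held += t - last
        owner, last = who, t
    if owner == 0:
        held += horizon - last
    return held / horizon

def mean_attacker_fraction(d_period, a_period, horizon):
    """Average over every attacker phase: the defender cannot see when attacks start."""
    return sum(attacker_fraction(d_period, a_period, p, horizon)
               for p in range(a_period)) / a_period

def defender_benefit(d_period, a_period, move_cost, horizon):
    """Fraction of time in control minus the cost of moving every d_period days."""
    control = 1.0 - mean_attacker_fraction(d_period, a_period, horizon)
    return control - move_cost / d_period

def best_rotation_period(candidates, a_period, move_cost, horizon):
    """Candidate rotation period with the highest defender benefit."""
    return max(candidates,
               key=lambda d: defender_benefit(d, a_period, move_cost, horizon))

if __name__ == "__main__":
    # Constructed scenario: attacker re-compromises every 90 days, rotation costs 5.
    for d in (10, 30, 45, 90):
        print(d, round(mean_attacker_fraction(d, 90, 9000), 3),
              round(defender_benefit(d, 90, 5, 9000), 3))
```

In this constructed scenario, rotating faster always shrinks the attacker's share of control, but the move cost makes the 30-day period the best of the four candidates.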