Agility refers to the context- and operation-aware reconfiguration of the system or the operation, performed autonomously or by the defender in response to a potential attack or perceived risk. Such reconfigurations of the environment or operational strategy are referred to as cyber-maneuvers. Maneuvers, often called moving target defenses, seek to continually alter the attack surface as perceived by an adversary. Within the CRA, the research effort focuses on developing models and algorithms that reason about the current state, the universe of potential security-compliant cyber-maneuvers (i.e., "maneuvers" in the space of hardware, software, network, and system characteristics and topologies) and end-states, and how these maneuvers are affected by, and in turn impact, human users, defenders, and attackers. Building on recent advances in moving target defenses, we are exploring game-theoretic models that select maneuvers that mitigate the effect of adversarial actions on operation outcomes. Note that some maneuvers may be offensive (such as deception techniques) in that they launch countermeasures that impact would-be attackers.
Broadly speaking, in an agile operation environment the system state needs to be continuously analyzed based on detected threats, assessed risks, and human feeds on operation evolution. Subsequently, the system must be reconfigured so as to: (i) prevent and mitigate attacks, thereby maximizing outcome utility in our operation model; (ii) complete the operation in a secure and resource-optimal way given the current state and the dynamics of the end state; (iii) minimize risk and account for deception; and (iv) integrate the human factors that impact cyber-security operations. An adversary's perception of the attack surface can be altered by maneuvers at different layers, e.g., the software, network, and system layers. Not surprisingly, one can also formulate agility problems in a game-theoretic setting.
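The reconfiguration objectives above can be viewed as a utility-maximization problem over candidate maneuvers. The following sketch selects the maneuver with the highest expected operation utility net of attack losses and reconfiguration cost; all maneuver names, payoff values, and mitigation probabilities are illustrative assumptions, not drawn from our operation model.

```python
from dataclasses import dataclass

@dataclass
class Maneuver:
    name: str
    attack_mitigation: float  # hypothetical probability the maneuver blocks the perceived attack
    cost: float               # hypothetical resource cost of reconfiguring

def expected_utility(m: Maneuver, attack_prob: float,
                     loss_if_compromised: float, base_utility: float) -> float:
    # Utility of completing the operation, minus the expected loss from a
    # successful attack, minus the cost of performing the maneuver.
    p_compromise = attack_prob * (1.0 - m.attack_mitigation)
    return base_utility - p_compromise * loss_if_compromised - m.cost

def select_maneuver(maneuvers, attack_prob, loss, base_utility):
    # Pick the security-compliant maneuver maximizing expected net utility.
    return max(maneuvers,
               key=lambda m: expected_utility(m, attack_prob, loss, base_utility))

moves = [
    Maneuver("no-op", attack_mitigation=0.0, cost=0.0),
    Maneuver("rotate-ip", attack_mitigation=0.6, cost=1.0),
    Maneuver("migrate-service", attack_mitigation=0.9, cost=3.0),
]
best = select_maneuver(moves, attack_prob=0.5, loss=20.0, base_utility=10.0)
```

In the full model, the scalar cost and mitigation terms would be replaced by state-dependent risk assessments and human-factor inputs rather than fixed constants.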
Our study of software maneuvers seeks to develop the science of software agility. The objective of software agility is to pick the optimal tasks to execute, and the optimal software configuration in which they will execute, given desired security outcomes, risks, and the current state of the system (e.g., attacks and defenses, including psychosocial factors). We achieve this objective by (1) using a proactive approach to software agility to withstand and thwart attacks, and (2) continuously analyzing the system's software state and, if/when needed, performing software reconfiguration based on detected threats, assessed risks, and human feeds on operation evolution. Our early efforts focused on reactive approaches for reconfiguring a key-value server and mobile apps, and moved on to the study of proactive reconfiguration, cost/payoff metrics, and approaches beyond smartphones and key-value servers. The cost/benefit analysis balances security, capability, availability, and resource consumption. The Agility team has made advances in several directions, such as the quantification of the cost of reconfigurations, the theory and practice of cyber-maneuvering, and the characterization of root-provider attacks. Over the next two years we will generalize to more powerful models of maneuver in a formal quasimetric space, of reconfiguration, and of cost, together with formal guarantees of attack resistance. Agility mechanisms are one form of deception, and a formal approach to deception, including psychosocial metrics, warrants study. We proposed software "wrappers" as a flexible mechanism for dynamically changing programs and runtime environments, and have used them to change data structures on-the-fly in server-side processing, to change the OS state, and to rewrite bytecode to survive faults. Recent work in the CRA is developing a unified approach to encoding configurations, and formal mechanisms for controlling transitions.
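As a concrete illustration of the wrapper idea, the sketch below (a minimal toy, with all class and method names hypothetical) shows a key-value wrapper that delegates to a backing store and can swap that store at runtime, in the spirit of changing data structures on-the-fly during server-side processing:

```python
import collections

class KVWrapper:
    """Illustrative wrapper that hides the concrete backing data structure."""

    def __init__(self, backend=None):
        self._store = backend if backend is not None else {}

    def put(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store[key]

    def maneuver(self, new_backend_factory):
        # Migrate all state into a freshly built backend, e.g., a structure
        # with a different memory layout, hash seed, or key encoding.
        new_store = new_backend_factory()
        for key in list(self._store):
            new_store[key] = self._store[key]
        self._store = new_store

kv = KVWrapper()
kv.put("alpha", 1)
kv.maneuver(collections.OrderedDict)  # swap the backing structure mid-operation
```

Clients of the wrapper never observe the maneuver, which is what makes the reconfiguration transparent to the ongoing operation.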
A related validation study is analyzing existing and new side channels (e.g., in TCP stacks) to understand the limitations of software randomization strategies.
A key issue in game-theoretic approaches is to determine the appropriate models of interaction between the defender and attacker. While it is conceivable that the two may choose their strategies simultaneously, it is more likely that each will choose a strategy in response to the "observable actions" of the other. The tradeoff between leading and following depends on the specific payoff functions as well as the penalty of delaying a player's action (e.g., missing an attack opportunity). To this end, we are exploring various dynamic game formulations, with different leader/follower roles for the attacker and defender. For example, the defender may lead the game by invoking his/her proactive security measures; the attacker will then respond with his/her own actions. The roles can be dynamically switched, depending on each player's payoff (e.g., shortly after taking an action, the defender may decide to take a subsequent action without waiting for the attacker's action; this decision may be triggered by updated statistical analysis of adversarial responses). Such dynamism enables us to capture the bounded regimes of rationality of human adversaries. Other recent work on game-theoretic approaches includes models for stealthy attacks, involving two-player differential games, and asymmetric versions of the FlipIt game in which feedback may be delayed. We have characterized best-response strategies. Our three-player game models build on this, adding a third player, the insider, who may be helpful or harmful. We have characterized Nash equilibria in this three-player sequential game.
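The leader/follower dynamic described above can be sketched on a toy 2x2 game: the defender commits to a maneuver, the attacker best-responds to the observed commitment, and the defender chooses the commitment with the best induced outcome. All payoff values here are invented for illustration and are not drawn from our models.

```python
# Rows: defender maneuvers (A, B); columns: attacker actions (exploit, probe).
defender_payoff = [[3, -1],   # maneuver A
                   [1,  2]]   # maneuver B
attacker_payoff = [[-2, 1],
                   [0, -1]]

def attacker_best_response(row):
    # The follower observes the leader's commitment and maximizes its payoff.
    return max(range(len(attacker_payoff[row])),
               key=lambda c: attacker_payoff[row][c])

def stackelberg_defender_choice():
    # The leader anticipates the follower's best response to each commitment
    # and commits to the maneuver with the best induced payoff.
    best = max(range(len(defender_payoff)),
               key=lambda r: defender_payoff[r][attacker_best_response(r)])
    return best, defender_payoff[best][attacker_best_response(best)]

choice, value = stackelberg_defender_choice()
```

Note that maneuver A looks best in isolation (payoff 3), but anticipating the attacker's response makes maneuver B the better commitment; this is exactly the value of reasoning about leader/follower order rather than simultaneous play.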
Recent research on the psychology of decision making seeks to understand how humans make decisions from experience (DFE) rather than from descriptions. Such an approach enables one to relax assumptions of rationality. PIs on the team have championed the development and use of Instance-Based Learning (IBL) models, which do not need predefined implementations of interaction strategies. IBL can be integrated with automated tools and models of risk assessment in cyber security, as recently demonstrated. Our current work addresses key challenges related to scalability with multiple players; cognitive biases and judgment impairments (such as those due to memory and recall limitations); and how attack and defense strategies evolve in repeated games across multiple attack patterns. Central to most game-theoretic formulations are assumptions of information certainty and human rationality (including, for example, the ability to perfectly recall all relevant information). Assuming rational behavior on the part of the attacker may lead to poorly performing strategies against a myopic attacker, and assuming rational defenders may lead to defense mechanisms that are never realized in practice. We are therefore augmenting our game-theoretic approaches with IBL to model humans with bounded rationality. Psychological research suggests that risk variability in humans may be explained and predicted by cultural and other cognitive factors, and such factors have been observed in the cyber domain to gain insights into attackers. Our current focus is on incorporating such personality and cultural factors, for individuals and groups, into behavioral models such as IBL and into game-theoretic approaches, to account for individual variability and biases. We are further incorporating tools to enable cutting-edge analysis of individual decision making, and exploring how system prompts and presentation affect security outcomes.
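To illustrate how IBL departs from classical best-response reasoning, the sketch below computes a "blended" value for an action by weighting past observed outcomes by their recency-based activation. The decay parameter and instance history are invented for illustration, and activation noise and partial matching are omitted.

```python
import math

def activation(timestamps, now, d=0.5):
    # ACT-R-style base-level activation: more recent observations of an
    # instance are more retrievable; d is an illustrative decay parameter.
    return math.log(sum((now - t) ** (-d) for t in timestamps))

def blended_value(instances, action, now, d=0.5):
    # instances: list of (action, outcome, timestamp) triples.
    # The blended value weights each past outcome for this action by its
    # retrieval probability (here, softmax of activations without noise).
    relevant = [(outcome, t) for a, outcome, t in instances if a == action]
    if not relevant:
        return 0.0
    weights = [math.exp(activation([t], now, d)) for _, t in relevant]
    z = sum(weights)
    return sum(w / z * outcome for (outcome, _), w in zip(relevant, weights))

# Hypothetical history: an older high payoff and a more recent low payoff.
history = [("defend", 4.0, 1), ("defend", 2.0, 3), ("wait", 1.0, 2)]
v = blended_value(history, "defend", now=5)
```

Because the recent low-payoff instance is more activated than the older high-payoff one, the blended value falls below the arithmetic mean of the two outcomes, capturing a recency bias that a perfectly rational, perfect-recall agent would not exhibit.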
Discussion & Conclusions
We have introduced a conceptual framework and research agenda for reasoning about cyber-maneuvers in military environments. This model jointly reasons about situational awareness, risk assessment, and software, system and network agility to support ongoing cyber-operations. These factors are integrated into a unified operational model that defenders and automated systems can use to make “optimal” decisions about how to achieve mission goals and mitigate the activities of adversaries.
The elements of risk, detection, and agility are strongly inter-dependent. Resources spent on detection (how many monitors, how many samples, which algorithms) are dictated by assessments of threat and risk, and in turn feed into those risk assessments. The outputs of detection (including our confidence in those outputs) provide inputs for agility maneuvers; in turn, agility decisions feed information about network configurations back to detection strategies. Agility algorithms depend on the detection of potential attacks, the risks associated with the perceived attacks, the desired responses by defenders and attackers, the perceived risk in transitioning from the current state to a desired one, and an accounting for human dynamics. Risk feeds both detection and agility; for both, it shapes the goals and focus of the algorithms. Thus, as is evident from our operation model, the goals of the models and algorithms for agility are integrally dependent on risk, detection, and human dynamics.
Experimental verification and validation have been, and continue to be, key components of CRA research. While all algorithms are typically tested on synthetic or simulated data, we also make extensive use of the cyber experimentation testbed called Cyber Virtual Ad hoc Network (CyberVAN).
The research towards this vision is just beginning its fourth year, but we have already made great strides in analyzing target environments and developing preliminary models. Our current focus is to bring these disparate but complementary models together into a comprehensive framework, and to measure its effectiveness in realistic military contexts. These experiments will assess the accuracy and sensitivity of the decision-making process and provide guidance for its refinement.