Disclose or Exploit? A Game-Theoretic Approach to Strategic Decision Making in Cyber-Warfare

Cited by: 6
Authors
Chen, Haipeng [1 ]
Han, Qian [1 ]
Jajodia, Sushil [2 ]
Lindelauf, Roy [3 ]
Subrahmanian, V. S. [1 ]
Xiong, Yanhai [1 ]
Affiliations
[1] Dartmouth Coll, Dept Comp Sci, Hanover, NH 03755 USA
[2] George Mason Univ, Ctr Secure Informat Syst, Fairfax, VA 22030 USA
[3] Netherlands Def Acad, Mil Operat Art & Sci, NL-4811 XC Breda, Netherlands
Source
IEEE SYSTEMS JOURNAL | 2020 / Volume 14 / Issue 3
Keywords
Games; Government; Software; Nash equilibrium; Computer hacking; Companies; Cyber-security; decision support system; game theory; national defense and security; POLICY;
DOI
10.1109/JSYST.2020.2964985
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Today, countries are engaged in the cyber-arms race. With over 16 K new hardware/software vulnerabilities reported in 2018 alone, an important question confronts senior government decision makers when their cyber-warfare units discover a new vulnerability. Should they disclose the vulnerability to the vendor who produced the vulnerable product? Or should they "stockpile" the vulnerability, holding it for developing exploits (i.e., cyber-weapons) that can be targeted at an adversary? Choosing the first option may be important when the affected company is a corporation in the nation state that discovers the vulnerability and/or if that nation state would have a big exposure to that vulnerability. Choosing the second option has obvious advantages to the discovering nation's defense. We formulate the cyber-competition between countries as a repeated cyber-warfare game (RCWG), where two countries (players) compete over a series of vulnerabilities by deciding, at the time of vulnerability discovery, 1) whether to exploit or disclose it and 2) how long to exploit it if they decide to exploit. We define the equilibrium state of the RCWG as a pure strategy Nash equilibrium, and propose a learning-while-competing framework to compute the pure strategy Nash equilibrium of the formulated RCWG. Although testing our results with real data in the murky world of cyber-warfare is challenging, we were able to obtain real statistics from other sources and demonstrate the effectiveness of our proposed algorithm through a set of simulation results under different scenarios using these third-party statistics. We also report on our DiscX system that can help support government decision makers in their decision whether to disclose or exploit a vulnerability that they find.
Pages: 3779 / 3790
Page count: 12