September 29, 2006

The only way to win is not to play

My dad is a man of few words. However, one of the things that I remember him saying when I was in high school that has stayed with me the rest of my life happened when I was struggling to learn Calc from a teaching-challenged educator. In a completely uncharacteristic move, he (a statistician at the time) said "Son, whenever somebody needs Calculus to prove their argument they're trying to pull one over on you." Now whether or not you agree with this, you have to admit it's funny. I thought it was hilarious at the time (probably because it was so out of character for my dad) and I think it's equally hilarious now.

So where am I going with this, right? Well, I've noticed that there has been quite a bit of interest in the security community about how to use game theory to approach the topic of security. For example, I've noticed that folks are using game theory to understand terrorism, it's being used to understand network security, and so on. Now, when I first started hearing about folks doing this, I was excited and interested. But the more I've looked at what's coming out, the more disappointed and cynical I've become. In fact, I'm tempted to start applying my Dad's dismissive attitude toward Calculus to game theory (i.e. "whenever a security person starts quoting game theory, they're trying to pull one over on you.") Now, I haven't quite reached that level of cynicism just yet, but I'm close. I understand that given the popularity of using game theory in this context, it's possible that I could get flamed hardcore about this post; however, I feel like I need to say what I need to say. Here's why I think it's difficult to use game theory to understand security:

Security is non-zero-sum: Game theorists classify games as being either zero-sum or non-zero-sum. This is a fancy way of differentiating games where winning by one player comes at the total detriment of another player (zero-sum: the gain of one player comes at the loss of another player) vs. games where achievement by one player does not proportionately impact other players (non-zero-sum: it is possible for one player to gain without another player losing.) Despite what might seem intuitive on the surface, the typical security scenario is non-zero-sum. Really, it is. OK, OK - you're going to say that if someone is trying to defend a machine and somebody else hacks it, that their victory means your defeat (hence it's zero-sum), right? Well, that's true. Or you might say that if someone is trying to steal your money and you're trying to keep it, that that's zero-sum too. And you'd be right. But these are all discrete parts of a bigger game - these things are all individual competitive *strategies* that are part of a larger picture. Ask a typical security professional, for example, whether the goal of their job is to "defend all the servers at any expense" - the answer you'd get would be "no" - that's not the job; the job is, "help our business to understand their risk and operate accordingly," right? Meaning, an attacker could "win" (cause damage, steal money, etc.) at the same time that we're still doing our jobs (i.e. we win too - they get whatever it is they want - money, resources, data, etc. - and we get what we want - our business keeps operating despite the loss). See, non-zero-sum. So what does that mean for the game-theory approach? Well, based on what we know about non-zero-sum games, we know that "Non-zero-sum games differ from zero-sum games in that there is no universally accepted solution. That is, there is no single optimal strategy that is preferable to all others, nor is there a predictable outcome.
Non-zero-sum games are also non-strictly competitive, as opposed to the completely competitive zero-sum games, because such games generally have both competitive and cooperative elements. Players engaged in a non-zero sum conflict have some complementary interests and some interests that are completely opposed." Interesting; "no universal solution" and "no predictable outcome"? That certainly jibes with anecdotal experience. In short, non-zero-sum games are the most difficult to analyze.
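The contrast in the quoted passage can be seen in a small added example (not part of the original post; both payoff matrices are constructed for illustration and only pure strategies are considered). Every equilibrium of the zero-sum game yields the same payoff, while the non-zero-sum game has two equilibria with different outcomes and nothing in the game says which one occurs.

```python
from itertools import product

def pure_nash(A, B):
    """Pure-strategy Nash equilibria of a two-player game.
    A[i][j] is the row player's payoff, B[i][j] the column player's."""
    rows, cols = range(len(A)), range(len(A[0]))
    eq = []
    for i, j in product(rows, cols):
        row_ok = all(A[i][j] >= A[k][j] for k in rows)  # row player cannot gain by switching
        col_ok = all(B[i][j] >= B[i][l] for l in cols)  # column player cannot gain by switching
        if row_ok and col_ok:
            eq.append((i, j))
    return eq

def is_zero_sum(A, B):
    """True when every cell's payoffs cancel: one side's gain is the other's loss."""
    return all(a + b == 0 for ra, rb in zip(A, B) for a, b in zip(ra, rb))

def outcomes(A, B):
    """Distinct (row payoff, column payoff) pairs reached at the pure equilibria."""
    return sorted({(A[i][j], B[i][j]) for i, j in pure_nash(A, B)})

# Constructed zero-sum game: a single contested server.
# Rows are defender choices, columns attacker choices; attacker payoff = -defender payoff.
ZS_A = [[1, 1, 3],
        [0, -2, 4],
        [1, 1, 2]]
ZS_B = [[-x for x in row] for row in ZS_A]

# Constructed non-zero-sum game with both competitive and cooperative elements.
# Rows (defender): 0 = lock everything down, 1 = accept some loss.
# Cols (attacker): 0 = noisy all-out attack, 1 = low-grade theft.
NZ_A = [[-5, 3],
        [1, 2]]
NZ_B = [[-5, 1],
        [3, 2]]

if __name__ == "__main__":
    for name, A, B in (("zero-sum", ZS_A, ZS_B), ("non-zero-sum", NZ_A, NZ_B)):
        print(name, "| zero-sum:", is_zero_sum(A, B),
              "| equilibria:", pure_nash(A, B),
              "| payoffs:", outcomes(A, B))
```

In the constructed non-zero-sum game both players come out ahead at either equilibrium, which is the "attacker wins and the business still operates" situation the paragraph describes.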

Security is asymmetric: meaning, there is a different strategy for all players. A game like chess is symmetric because the goal/strategy of black is identical to the goal of white - checkmate the king using the same rules for movement of pieces. A game like "Deal or no deal" however, is asymmetric because the strategy of the banker is different from the strategy of the contestant. Now apply this to security; is the strategy of the hacker the same as the strategy of the firewall admin? Obviously not. So what does that mean to the broader question? It means that goals and strategies of individual players have to be taken into account when formulating a strategy - which in turn means that approaches to using game-theory for security will need to examine the different strategies used by "offense" and "defense" as well as consider their (as we stated above, not always contradictory) goals. Again, asymmetric games are the hardest to analyze.

Security is infinitely-long: when are you "done" defending your firm's assets? 2007? After 20 times hackers try to break in? How about never? The hardest games to understand are those that do not have a finite set of moves, as is the case in security. And guess what, infinitely-long games are the hardest to analyze.

Imperfect and Incomplete Information: no player knows the strategies and/or the moves of the other players; as you probably guessed, imperfect-information games are the hardest to analyze.

Security is a Simultaneous Game: all players can move at any time. Additionally, players are not required to move in response to other players. The simultaneous game is the hardest to analyze.

So, that's it. Now, I'm not saying that you can't ever use game theory to understand subsets of the security problem. However, I am saying that understanding the broad security picture is hard using game theory and that certain aspects of security make it harder to analyze than a more controlled situation like chess. Now, maybe we don't need to understand the whole picture in order for this technique to be useful; however, I would argue that it's important to keep in mind where game theory helps and where it doesn't the next time you come across somebody pitching it as a security tool.

Posted by Ed at September 29, 2006 01:42 PM
Comments

Hmmmm...They can't *all* be hardest to analyze.

Posted by: Adam at October 1, 2006 07:57 PM

Adam,

You're right, that was probably phrased wrong. I guess my point is that in each of the given categories, security comes out harder to analyze than other types of problems. For example, non-zero-sum games are harder to analyze than zero-sum games, asymmetric games are harder to analyze than symmetric games, infinite games are harder to analyze than finite games, and so on. So, I guess it should be "harder" rather than "hardest". :-)

-E

Posted by: Ed at October 3, 2006 04:04 PM

Your father sounds like quite a guy. Of course, the corollary to his observation is that whenever someone doesn't use calculus in their argument, they are trying to put one over on you, but perhaps I am too cynical ;^)

People, primarily economists, have been using these analytical mechanisms to study equally complex behaviors for many years. There are plenty of ways to criticize their approach, of course, but if we in infosec are wrong to use game theory, then at least we're in good (?) company.

Posted by: Chris Walsh at October 5, 2006 04:15 PM