skip to main content
DOE PAGES title logo U.S. Department of Energy
Office of Scientific and Technical Information

This content will become publicly available on July 19, 2020

Title: GPLADD: Quantifying Trust in Government and Commercial Systems A Game-Theoretic Approach

Abstract

Trust in a microelectronics-based system can be characterized as the level of confidence that a system is free of subversive alterations made during system development, or that the development process of a system has not been manipulated by a malicious adversary. Trust in systems has become an increasing concern over the past decade. This report introduces a novel game-theoretic framework, called GPLADD (Graph-based Probabilistic Learning Attacker and Dynamic Defender), for analyzing and quantifying system trustworthiness at the end of the development process, through the analysis of risk of development-time system manipulation. GPLADD represents attacks and attacker-defender contests over time. Here, time is an explicit constraint and allows incorporating the informational asymmetries between the attacker and defender into analysis. GPLADD includes an explicit representation of attack steps via multi-step attack graphs, attacker and defender strategies, and player actions at different times. GPLADD allows quantifying the attack success probability over time and the attacker and defender costs based on their capabilities and strategies. This ability to quantify different attacks provides an input for evaluation of trust in the development process. We demonstrate GPLADD on an example attack and its variants. We develop a method for representing success probability for arbitrary attacks andmore » derive an explicit analytic characterization of success probability for a specific attack. We present a numeric Monte Carlo study of a small set of attacks, quantify attack success probabilities, attacker and defender costs, and illustrate the options the defender has for limiting the attack success and improving trust in the development process.« less

Authors:
 [1];  [1];  [1];  [2];  [1];  [3];  [1];  [1]
  1. Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
  2. Georgia Inst. of Technology, Atlanta, GA (United States)
  3. The Ohio State Univ., Columbus, OH (United States)
Publication Date:
Research Org.:
Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
Sponsoring Org.:
USDOE National Nuclear Security Administration (NNSA)
OSTI Identifier:
1575267
Report Number(s):
SAND-2019-4521J
Journal ID: ISSN 2471-2566; 674919
Grant/Contract Number:  
AC04-94AL85000
Resource Type:
Accepted Manuscript
Journal Name:
ACM Transactions on Privacy and Security
Additional Journal Information:
Journal Volume: 22; Journal Issue: 3; Journal ID: ISSN 2471-2566
Country of Publication:
United States
Language:
English
Subject:
99 GENERAL AND MISCELLANEOUS; Trust, security; cyber security; physical security; game theory; attacker; defender; attack graphs; 37 attack; stochastic process; probability theory; optimization; Deterrence; Nash equilibrium; optimal policy; PLADD; GPLADD

Citation Formats

Outkin, Alexander V., Eames, Brandon K., Galiardi, Meghan A., Walsh, Sarah, Vugrin, Eric D., Heersink, Byron, Hobbs, Jacob, and Wyss, Gregory D. GPLADD: Quantifying Trust in Government and Commercial Systems A Game-Theoretic Approach. United States: N. p., 2019. Web. doi:10.1145/3326283.
Outkin, Alexander V., Eames, Brandon K., Galiardi, Meghan A., Walsh, Sarah, Vugrin, Eric D., Heersink, Byron, Hobbs, Jacob, & Wyss, Gregory D. GPLADD: Quantifying Trust in Government and Commercial Systems A Game-Theoretic Approach. United States. doi:10.1145/3326283.
Outkin, Alexander V., Eames, Brandon K., Galiardi, Meghan A., Walsh, Sarah, Vugrin, Eric D., Heersink, Byron, Hobbs, Jacob, and Wyss, Gregory D. Fri . "GPLADD: Quantifying Trust in Government and Commercial Systems A Game-Theoretic Approach". United States. doi:10.1145/3326283.
@article{osti_1575267,
title = {GPLADD: Quantifying Trust in Government and Commercial Systems A Game-Theoretic Approach},
author = {Outkin, Alexander V. and Eames, Brandon K. and Galiardi, Meghan A. and Walsh, Sarah and Vugrin, Eric D. and Heersink, Byron and Hobbs, Jacob and Wyss, Gregory D.},
abstractNote = {Trust in a microelectronics-based system can be characterized as the level of confidence that a system is free of subversive alterations made during system development, or that the development process of a system has not been manipulated by a malicious adversary. Trust in systems has become an increasing concern over the past decade. This report introduces a novel game-theoretic framework, called GPLADD (Graph-based Probabilistic Learning Attacker and Dynamic Defender), for analyzing and quantifying system trustworthiness at the end of the development process, through the analysis of risk of development-time system manipulation. GPLADD represents attacks and attacker-defender contests over time. Here, time is an explicit constraint and allows incorporating the informational asymmetries between the attacker and defender into analysis. GPLADD includes an explicit representation of attack steps via multi-step attack graphs, attacker and defender strategies, and player actions at different times. GPLADD allows quantifying the attack success probability over time and the attacker and defender costs based on their capabilities and strategies. This ability to quantify different attacks provides an input for evaluation of trust in the development process. We demonstrate GPLADD on an example attack and its variants. We develop a method for representing success probability for arbitrary attacks and derive an explicit analytic characterization of success probability for a specific attack. We present a numeric Monte Carlo study of a small set of attacks, quantify attack success probabilities, attacker and defender costs, and illustrate the options the defender has for limiting the attack success and improving trust in the development process.},
doi = {10.1145/3326283},
journal = {ACM Transactions on Privacy and Security},
number = 3,
volume = 22,
place = {United States},
year = {2019},
month = {7}
}

Journal Article:
Free Publicly Available Full Text
This content will become publicly available on July 19, 2020
Publisher's Version of Record

Save / Share:

Works referenced in this record:

Trojan Detection using IC Fingerprinting
conference, May 2007

  • Agrawal, Dakshi; Baktir, Selcuk; Karakoyunlu, Deniz
  • 2007 IEEE Symposium on Security and Privacy (SP '07)
  • DOI: 10.1109/SP.2007.36

A Hardware Threat Modeling Concept for Trustable Integrated Circuits
conference, April 2007


A Large-Scale Study of the Time Required to Compromise a Computer System
journal, January 2014

  • Holm, Hannes
  • IEEE Transactions on Dependable and Secure Computing, Vol. 11, Issue 1
  • DOI: 10.1109/TDSC.2013.21

Modeling Modern Network Attacks and Countermeasures Using Attack Graphs
conference, December 2009

  • Ingols, Kyle; Chu, Matthew; Lippmann, Richard
  • 2009 Annual Computer Security Applications Conference (ACSAC)
  • DOI: 10.1109/ACSAC.2009.21

A Survey on Systems Security Metrics
journal, December 2016

  • Pendleton, Marcus; Garcia-Lebron, Richard; Cho, Jin-Hee
  • ACM Computing Surveys, Vol. 49, Issue 4
  • DOI: 10.1145/3005714

Dynamic Security Risk Management Using Bayesian Attack Graphs
journal, January 2012

  • Poolsappasit, N.; Dewri, R.; Ray, I.
  • IEEE Transactions on Dependable and Secure Computing, Vol. 9, Issue 1
  • DOI: 10.1109/TDSC.2011.34

A Survey of Game Theory as Applied to Network Security
conference, January 2010

  • Roy, Sankardas; Ellis, Charles; Shiva, Sajjan
  • 2010 43rd Hawaii International Conference on System Sciences
  • DOI: 10.1109/HICSS.2010.35

Game theory for security: Key algorithmic principles, deployed systems, lessons learned
conference, October 2012

  • Tambe, Milind; Jain, Manish; Pita, James Adam
  • 2012 50th Annual Allerton Conference on Communication, Control, and Computing (Allerton)
  • DOI: 10.1109/Allerton.2012.6483443

Risk-based cost-benefit analysis for security assessment problems
conference, October 2010

  • Wyss, Gregory D.; Clem, John F.; Darby, John L.
  • 2010 IEEE International Carnahan Conference on Security Technology (ICCST), 44th Annual 2010 IEEE International Carnahan Conference on Security Technology
  • DOI: 10.1109/CCST.2010.5678687

    Works referencing / citing this record:

    A Survey on Systems Security Metrics
    journal, December 2016

    • Pendleton, Marcus; Garcia-Lebron, Richard; Cho, Jin-Hee
    • ACM Computing Surveys, Vol. 49, Issue 4
    • DOI: 10.1145/3005714