Stefan Rass - Academia.edu
Papers by Stefan Rass
arXiv (Cornell University), Nov 27, 2015
The game-theoretic risk management framework put forth in the precursor work "Towards a Theory of Games with Payoffs that are Probability-Distributions" (arXiv:1506.07368 [q-fin.EC]) is herein extended by algorithmic details on how to compute equilibria in games where the payoffs are probability distributions. Our approach is "data driven" in the sense that we assume empirical data (measurements, simulation, etc.) to be available that can be compiled into distribution models, which are suitable for efficient decisions about preferences, and setting up and solving games using these as payoffs. While preferences among distributions turn out to be quite simple if nonparametric methods (kernel density estimates) are used, computing Nash-equilibria in games using such models is discovered as inefficient (if not impossible). In fact, we give a counterexample in which fictitious play fails to converge for the (specifically unfortunate) choice of payoff distributions in the game, and introduce a suitable tail approximation of the payoff densities to tackle the issue. The overall procedure is essentially a modified version of fictitious play, and is herein described for standard and multicriteria games, to iteratively deliver an (approximate) Nash-equilibrium. An exact method using linear programming is also given.
Lecture Notes in Computer Science, 2018
Even though players in a game optimize their goals by playing an equilibrium, the perceived payoff per round may (and in most cases will) deviate from the expected average payoff. For the example of loss minimization, an undercut of the expected loss is unproblematic, while suffering more than the expected loss may disappoint the player and lead it to believe that the played strategy is not optimal. In the worst case, this may subsequently cause deviations towards seemingly better strategies, even though the equilibrium cannot be improved in general. Such deviations from the utility maximization principle are subject of bounded rationality research, and this work is a step towards more accurate game theoretic models that include disappointment aversion as an additional incentive. This incentive necessarily creates discontinuities in the payoff functionals, so that Nash’s classical equilibrium theorem is no longer applicable. For games with disappointment aversion (defined in this work) the existence of equilibria can nonetheless be shown, i.e., we are able to find Nash equilibria that comply with disappointment aversion.
Advanced Sciences and Technologies for Security Applications, 2020
Advanced Sciences and Technologies for Security Applications, 2020
Patrolling and surveillance games both deal with a chasing-evading situation of an adversary trying to escape detection by either a mobile defender (patrolling) or a fixed defender (surveillance). Both kinds of games are played on graphs as abstract models of an infrastructure, and we review a variety of closed-form solutions for optimal patrolling in different classes of graph topologies. Applications include patrolling along lines (borders, pipelines, or similar), harbors (tree-structured graphs), and large geographic areas in general (planar graphs and maps). For surveillance and patrolling, we give hints on how to estimate the necessary resources, and how to include imperfectness and uncertainty, related to the detection capabilities, but also the chances of the adversary escaping the view of the patroller or surveillance. In complex terrain, we will discuss the use of simulation and empirical games (over real-valued and stochastic orders). 8.1 The General Setting Whenever a certain terrain defined by physical boundaries (museum, airport, city district, warehouse, or similar) needs protection, patrolling games may be a model to consider. They assume a mobile defender obliged with the continuous surveillance of the area, but who is (generally) unable to rely on sensor information or has otherwise no means of seeing remote areas beyond its proximity. If remote sensing is doable, we are getting into surveillance games that we postpone until Sect. 8.8, not the least so, since it changes the nature of the game from a pursuit-evasion style for patrolling, into the different matter of optimizing sensor placement. In a patrolling game, the defender usually acts alone and on its own. This is in somewhat contrast to practical situations of security guards, which often work in
We report on a computational model for data processing in privacy. As a core design goal here, we will focus on how the data owner can authorize another party to process data on his behalf. In that scenario, the algorithm or software for the processing can even be provided by a third party. The goal is here to protect the intellectual property rights of all three players (data owner, execution environment and software vendor), while retaining an efficient system that allows data processing in distrusted environments, such as clouds. We first sketch a simple method for private function evaluation. On this basis, we describe how code and data can be bound together, to implement an intrinsic access control, so that the user remains the exclusive owner of the data, and a software vendor can prevent any use of code unless it is licensed. Since there is no access control logic, we gain a particularly strong protection against code manipulations (such as “cracking” of software). Keyw...
Lecture Notes in Computer Science, 2019
In this paper, we define a cyber deception game between the Advanced Metering Infrastructure (AMI) network administrator (henceforth, defender) and attacker. The defender decides to install between a low-interaction honeypot, high-interaction honeypot, and a real system with no honeypot. The attacker decides on whether or not to attack the system given her belief about the type of device she is facing. We model this interaction as a Bayesian game with complete but imperfect information. The choice of honeypot type is private information and characterizes the essence and objective of the defender i.e., the degree of deception and amount of threat intelligence. We study the players’ equilibrium strategies and provide numerical illustrations. The work presented in this paper has been motivated by the H2020 SPEAR project which investigates the implementation of honeypots in smart grid infrastructures to: (i) contribute towards creating attack data sets for training a SIEM (Security Information and Event Management) and (ii) to support post-incident forensics analysis by having recorded a collection of evidence regarding an attacker’s actions.
In this article we consider the requirements for using mobile devices such as smartphones or tablets in an enterprise with elevated security needs. The focus is primarily on the secure storage of data on, and the transmission of data between, mobile devices (smartphones, etc.). These requirements are set against the options for confidential communication and data storage that current mobile platforms (Android, Apple iOS, BlackBerry and Windows Phone) presently offer natively, that is, without modifications or extensions. To this end, the security architectures of the named mobile platforms are examined, and the advantages and disadvantages of the respective systems in the individual areas are discussed. In addition, complementary infrastructure measures such as Mobile Device Management (MDM) systems are outlined, which can in particular be deployed across platforms.
ArXiv, 2020
The reuse of technologies and inherent complexity of most robotic systems is increasingly leading to robots with wide attack surfaces and a variety of potential vulnerabilities. Given their growing presence in public environments, security research is increasingly becoming more important than in any other area, especially due to the safety implications that robot vulnerabilities could cause on humans. We argue that security triage in robotics is still immature and that new tools must be developed to accelerate the testing-triage-exploitation cycle, necessary for prioritizing and accelerating the mitigation of flaws. The present work tackles the current lack of offensive cybersecurity research in robotics by presenting a toolbox and the results obtained with it through several use cases conducted over a year period. We propose a modular and composable toolbox for robot cybersecurity: alurity. By ensuring that both roboticists and security researchers working on a project have a common...
Proceedings of the 13th International Conference on Availability, Reliability and Security, 2018
Critical infrastructures are a core part in modern society, supplying essential goods and services for our everyday life. Therefore, any incident compromising the operation of a critical infrastructure can directly affect the social life. Moreover, due to the increasing interconnections between critical infrastructures, any incident can have cascading effects on other infrastructures as well. In this article, we present a novel simulation framework which allows to model the interdependencies and thus also the cascading effects among critical infrastructures. This framework builds upon stochastic processes describing, on the one hand, the relations between the critical infrastructures and, on the other hand, the random and sometimes arbitrary propagation of the consequences. This existing framework is extended and implemented in OMNeT++, which allows an easy and swift implementation of the mathematical algorithms and also provides a built-in visualization of the propagation of consequences within the critical infrastructure network. The goal is to support risk and security officers within the critical infrastructure in their decisions.
Game Theory and Machine Learning for Cyber Security, 2021
Many practical situations require some modeling of uncertainty, and often, this means speaking about events whose likelihood to occur is conveniently expressible by probability parameters, say, a scalar 0 ≤ p ≤ 1. The semantics of such values can be arbitrarily complex, ranging from simple probabilities, up to conditional likelihoods, or factors of mere subjective interpretation, such as hyper-parameters in Bayesian models. This chapter addresses the often untold story of how to find a value for a generic probability parameter p, or a whole set of such parameters. The simplicity of embodying opaque background dynamics in the mantle of uncertainty, brought into a model by a parameter p, is often bought at the challenge for the user of a model to find a good value for it. This tutorial is a step-by-step guidance through the idea of finding values for probability parameters “by examples.” Provided that a parameter p refers to the likelihood of an event to occur, or conditionally occur under certain settings of other parameters, we describe how to use logistic regression, as an instance of machine learning, to parameterize models using sets of examples. The method is explained in the R programming language and demonstrated along a running showcase application.
IEEE/ACM Transactions on Networking, 2019
In recent years, noticeable progress has been made in the development of quantum equipment, reflected through the number of successful demonstrations of Quantum Key Distribution (QKD) technology. Although they showcase the great achievements of QKD, many practical difficulties still need to be resolved. Inspired by the significant similarity between mobile ad-hoc networks and QKD technology, we propose a novel quality of service (QoS) model including new metrics for determining the states of public and quantum channels as well as a comprehensive metric of the QKD link. We also propose a novel routing protocol to achieve high-level scalability and minimize consumption of cryptographic keys. Given the limited mobility of nodes in QKD networks, our routing protocol uses the geographical distance and calculated link states to determine the optimal route. It also benefits from a caching mechanism and detection of returning loops to provide effective forwarding while minimizing key consumption and achieving the desired utilization of network links. Simulation results are presented to demonstrate the validity and accuracy of the proposed solutions. Index Terms: Quantum key distribution, quality of service, routing protocol, real-time traffic. I. INTRODUCTION During the 30 years since the discovery of the first quantum protocol [1], quantum technology has grown significantly and is rapidly approaching high levels of maturity.
IEEE Access, 2018
Advanced persistent threats (APT) are considered as a significant security threat today. Despite their diversity in nature and details, a common skeleton and sequence of phases can be identified that these attacks follow (in similar ways), which admits a game-theoretic description and analysis. This paper describes a general framework that divides a general APT into three major temporal phases, and fits an individual game model to each phase, connecting the games at the transition points between the phases (similarly to "milestones" accomplished during the launch of an APT). The theoretical description is derived from a running example. The benefit of this game-theoretic perspective is at least threefold, as it 1) helps to systematize the threat and respective mitigation actions (by turning them into pure strategies for the gameplay); 2) provides optimized actions for defense and attack, where the latter can be taken as a (nonunique) indication of neuralgic points; and 3) provides quantitative measures of resilience against an APT, in terms that can be defined freely by a security officer. We illustrate this approach with a numerical example.
IEEE Journal of Quantum Electronics, 2017
Quantum key distribution (QKD) relies on the laws of physics to establish a symmetric binary key between remote parties. A QKD link involves the realization of a quantum channel for the transmission of quantum key material encoded in certain photon properties, as well as a public channel for verification of the exchanged key material. This paper deals with the mutual dependence of these channels and analyzes the impact of performance of both channels on the overall key material establishment process. This paper presents measurement data obtained under laboratory conditions as well as the results obtained by establishing a virtual QKD link. Despite the common beliefs that increased quantum bit error rate implies a larger amount of traffic on the public channel, our measurements prove the opposite. The obtained data clearly show that the public channel has a major impact on the overall performance of the QKD link.
IEEE Access, 2017
The protection of cyber-physical networks is a topic of increasing importance. The evolution of IT (cyber) systems that control and supervise the underlying physical system has grown over decades, whereas security has not become a concern until quite recently. Advanced persistent threats (APTs) have proven to be a difficult but significant challenge for practitioners. This work adopts a game-theoretic modeling of APTs and applies it to the (sub)problem of physical intrusion in an infrastructure. The gap between defining a good theoretical model and practically instantiating it is considered in particular. The model description serves to illustrate what is needed to put it into practice. The main contribution of this article is the demonstration of how simulation, physical understanding of an infrastructure, and theoretical methods can be combined towards a practical solution to the physical intrusion avoidance problem. Numerical results are given to show how the physical intrusion game is being set up, and how the results obtained from its analysis can be interpreted and used for an optimized defense.
NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium, 2016
Anonymous communication is traditionally achieved by communication over a sequence of proxies so that the relation between the sender and receiver is obfuscated. Security of anonymization is usually understood as the inability to discover the initiator or receiver of a transmission. We introduce a different notion here, which defines anonymity as the inability to confirm a given guess about the initiator or receiver. We call this arguable anonymity, as it offers the suspect a way of plausible repudiation on grounds of the accusal being not independently verifiable. As a proof of concept, we introduce a deterministic version of Crowds that achieves this kind of anonymity. As a separate (and independent) contribution, the derandomizing of Crowds additionally achieves receiver anonymity to the protocol, based on key-privacy properties of an underlying encryption scheme.
Quantum Science and Technology, 2020
Random numbers are an important ingredient in cryptographic applications, whose importance is often underestimated. For example, various protocols hinge on the requirement of using numbers only once and never again (most prominently, the one-time pad), or rest on a certain minimal entropy of a random quantity. Quantum random number generators can help fulfilling such requirements, however, they may as well be subject to attacks. Here, we consider what we coin a randomness substitution attack, in which the adversary replaces a good randomness source by another one, which produces duplicate values (over time) and perhaps numbers of low entropy. A binding between a random number and its origin is thus a certificate of quality and security, when upper level applications rest on the good properties of quantum randomness.
Games
This article is an overview of recent progress on a theory of games, whose payoffs are probability distributions rather than real numbers, and which have their equilibria defined and computed over a (suitably restricted yet dense) set of distributions. While the classical method of defining game models with real-valued utility functions has proven strikingly successful in many domains, some use cases from the security area revealed shortcomings of the classical real-valued game models. These issues motivated the use of probability distributions as a more complex object to express revenues. The resulting class of games displays a variety of phenomena not encountered in classical games, such as games that have continuous payoff functions but still no equilibrium, or games that are zero-sum but for which fictitious play does not converge. We discuss suitable restrictions of how such games should be defined to allow the definition of equilibria, and show the notion of a lexicographic Na...
The subjective assessment of risk often confronts experts with the challenge of quantifying fuzzy quantities (such as "security", "danger" or the like) on the basis of incomplete information. The categorical (qualitative) risk assessment recommended for this purpose eases the experts' work, but equally complicates further processing of the risk data on the basis of mathematical or statistical models. In this contribution we present a form of data collection that allows qualitative risk values to be specified while (simultaneously) stating the uncertainty about the expressed opinion (in the sense of a quantification). From data collected in this way, statistical models for risk assessment can be derived very simply and directly, and these can be processed further in many ways. In particular, suitably collected data enable so-called "opinion pooling", which in the long run leads to consensus-finding on a R...
arXiv (Cornell University), Nov 27, 2015
The game-theoretic risk management framework put forth in the precursor work "Towards a Theory of... more The game-theoretic risk management framework put forth in the precursor work "Towards a Theory of Games with Payoffs that are Probability-Distributions" (arXiv:1506.07368 [q-fin.EC]) is herein extended by algorithmic details on how to compute equilibria in games where the payoffs are probability distributions. Our approach is "data driven" in the sense that we assume empirical data (measurements, simulation, etc.) to be available that can be compiled into distribution models, which are suitable for efficient decisions about preferences, and setting up and solving games using these as payoffs. While preferences among distributions turn out to be quite simple if nonparametric methods (kernel density estimates) are used, computing Nash-equilibria in games using such models is discovered as inefficient (if not impossible). In fact, we give a counterexample in which fictitious play fails to converge for the (specifically unfortunate) choice of payoff distributions in the game, and introduce a suitable tail approximation of the payoff densities to tackle the issue. The overall procedure is essentially a modified version of fictitious play, and is herein described for standard and multicriteria games, to iteratively deliver an (approximate) Nash-equilibrium. An exact method using linear programming is also given.
Lecture Notes in Computer Science, 2018
Even though players in a game optimize their goals by playing an equilibrium, the perceived payof... more Even though players in a game optimize their goals by playing an equilibrium, the perceived payoff per round may (and in most cases will) deviate from the expected average payoff. For the example of loss minimization, an undercut of the expected loss is unproblematic, while suffering more than the expected loss may disappoint the player and lead it to believe that the played strategy is not optimal. In the worst case, this may subsequently cause deviations towards seemingly better strategies, even though the equilibrium cannot be improved in general. Such deviations from the utility maximization principle are subject of bounded rationality research, and this work is a step towards more accurate game theoretic models that include disappointment aversion as an additional incentive. This incentive necessarily creates discontinuities in the payoff functionals, so that Nash’s classical equilibrium theorem is no longer applicable. For games with disappointment aversion (defined in this work) the existence of equilibria can nonetheless be shown, i.e., we are able to find Nash equilibria that comply with disappointment aversion.
Advanced Sciences and Technologies for Security Applications, 2020
Advanced Sciences and Technologies for Security Applications, 2020
Patrolling and surveillance games both deal with a chasing-evading situation of an adversary tryi... more Patrolling and surveillance games both deal with a chasing-evading situation of an adversary trying to escape detection by either a mobile defender (patrolling) or a fixed defender (surveillance). Both kinds of games are played on graphs as abstract models of an infrastructure, and we review a variety of closed-form solutions for optimal patrolling in different classes of graph topologies. Applications include patrolling along lines (borders, pipelines, or similar), harbors (tree-structured graphs), and large geographic areas in general (planar graphs and maps). For surveillance and patrolling, we give hints on how to estimate the necessary resources, and how to include imperfectness and uncertainty, related to the detection capabilities, but also the chances of the adversary escaping the view of the patroller or surveillance. In complex terrain, we will discuss the use of simulation and empirical games (over real-valued and stochastic orders). 8.1 The General Setting Whenever a certain terrain defined by physical boundaries (museum, airport, city district, warehouse, or similar) needs protection, patrolling games may be a model to consider. They assume a mobile defender obliged with the continuous surveillance of the area, but who is (generally) unable to rely on sensor information or has otherwise no means of seeing remote areas beyond its proximity. If remote sensing is doable, we are getting into surveillance games that we postpone until Sect. 8.8, not the least so, since it changes the nature of the game from a pursuit-evasion style for patrolling, into the different matter of optimizing sensor placement. In a patrolling game, the defender usually acts alone and on its own. This is in somewhat contrast to practical situations of security guards, which often work in
We report on a computational model for data processing in privacy. As a core design goal here, we... more We report on a computational model for data processing in privacy. As a core design goal here, we will focus o n how the data owner can authorize another party to process dat on his behalf. In that scenario, the algorithm or software for the processing can even be provided by a third party. The goal is here to protect the intellectual property rights of all three players (data owner, execution environment and software ve ndor), while retaining an efficient system that allows data process ing in distrusted environments, such as clouds. We first sketch a si mple method for private function evaluation. On this basis, we describe how code and data can be bound together, to implement an intrinsic access control, so that the user remains the exclu sive owner of the data, and a software vendor can prevent any use of code unless it is licensed. Since there is no access control l ogic, we gain a particularly strong protection against code manipul ations (such as “cracking” of software). Keyw...
Lecture Notes in Computer Science, 2019
In this paper, we define a cyber deception game between the Advanced Metering Infrastructure (AMI... more In this paper, we define a cyber deception game between the Advanced Metering Infrastructure (AMI) network administrator (henceforth, defender) and attacker. The defender decides to install between a low-interaction honeypot, high-interaction honeypot, and a real system with no honeypot. The attacker decides on whether or not to attack the system given her belief about the type of device she is facing. We model this interaction as a Bayesian game with complete but imperfect information. The choice of honeypot type is private information and characterizes the essence and objective of the defender i.e., the degree of deception and amount of threat intelligence. We study the players’ equilibrium strategies and provide numerical illustrations. The work presented in this paper has been motivated by the H2020 SPEAR project which investigates the implementation of honeypots in smart grid infrastructures to: (i) contribute towards creating attack data sets for training a SIEM (Security Information and Event Management) and (ii) to support post-incident forensics analysis by having recorded a collection of evidence regarding an attacker’s actions.
In diesem Artikel betrachten wir die Anforderungen an die Verwendung von mobilen Endgeräten wie S... more In diesem Artikel betrachten wir die Anforderungen an die Verwendung von mobilen Endgeräten wie Smartphones oder Tablets in einem Unternehmen mit erhöhtem Sicherheitsbedarf. Der Schwerpunkt der Betrachtung liegt dabei vorrangig auf der sicheren Speicherung und der Übertragung von Daten zwischen bzw. auf mobile(n) Endgeräten (Smartphones, etc.). Diesen Anforderungen werden die Möglichkeiten für vertrauliche Kommunikation und Datenspeicherung gegenübergestellt, welche aktuelle mobile Plattformen (Android, Apple iOS, BlackBerry und Windows Phone) derzeit nativ, also ohne Modifikationen oder Erweiterungen, bieten. Hierfür werden die Sicherheitsarchitekturen der genannten mobilen Plattformen untersucht und die Vorund Nachteile der entsprechenden Systeme in den einzelnen Bereichen diskutiert. Zusätzlich werden ergänzende Infrastrukturmaßnahmen wie etwa Mobile Device Management (MDM) Systeme umrissen, welche insbesondere plattformübergreifend eingesetzt werden können.
ArXiv, 2020
The reuse of technologies and inherent complexity of most robotic systems is increasingly leading... more The reuse of technologies and inherent complexity of most robotic systems is increasingly leading to robots with wide attack surfaces and a variety of potential vulnerabilities. Given their growing presence in public environments, security research is increasingly becoming more important than in any other area, specially due to the safety implications that robot vulnerabilities could cause on humans. We argue that security triage in robotics is still immature and that new tools must be developed to accelerate the testing-triage-exploitation cycle, necessary for prioritizing and accelerating the mitigation of flaws. The present work tackles the current lack of offensive cybersecurity research in robotics by presenting a toolbox and the results obtained with it through several use cases conducted over a year period. We propose a modular and composable toolbox for robot cybersecurity: alurity. By ensuring that both roboticists and security researchers working on a project have a common...
Proceedings of the 13th International Conference on Availability, Reliability and Security, 2018
Critical infrastructures are a core part in modern society, supplying essential goods and service... more Critical infrastructures are a core part in modern society, supplying essential goods and services for our everyday life. Therefore, any incident compromising the operation of a critical infrastructure can directly affect the social life. Moreover, due to the increasing interconnections between critical infrastructures, any incident can have cascading effects on other infrastructures as well. In this article, we present a novel simulation framework which allows to model the interdependencies and thus also the cascading effects among critical infrastructures. This framework builds upon stochastic processes describing, on the one hand, the relations between the critical infrastructures and, on the other hand, the random and sometimes arbitrary propagation of the consequences. This existing framework is extended and implemented in OMNeT++, which allows an easy and swift implementation of the mathematical algorithms and also provides a built-in visualization of the propagation of consequences within the critical infrastructure network. The goal is to support risk and security officers within the critical infrastructure in their decisions.
Game Theory and Machine Learning for Cyber Security, 2021
Many practical situations require some modeling of uncertainty, and often, this means speaking about events whose likelihood to occur is conveniently expressible by probability parameters, say, a scalar 0 ≤ p ≤ 1. The semantics of such values can be arbitrarily complex, ranging from simple probabilities, up to conditional likelihoods, or factors of mere subjective interpretation, such as hyper‐parameters in Bayesian models. This chapter addresses the often untold story of how to find a value for a generic probability parameter p, or a whole set of such parameters. The simplicity of embodying opaque background dynamics in the mantle of uncertainty, brought into a model by a parameter p, is often bought at the challenge for the user of a model to find a good value for it. This tutorial is a step‐by‐step guidance through the idea of finding values for probability parameters “by examples.” Provided that a parameter p refers to the likelihood of an event to occur, or conditionally occur under certain settings of other parameters, we describe how to use logistic regression, as an instance of machine learning, to parameterize models using sets of examples. The method is explained in the R programming language and demonstrated along a running showcase application.
IEEE/ACM Transactions on Networking, 2019
In recent years, noticeable progress has been made in the development of quantum equipment, reflected through the number of successful demonstrations of Quantum Key Distribution (QKD) technology. Although they showcase the great achievements of QKD, many practical difficulties still need to be resolved. Inspired by the significant similarity between mobile ad-hoc networks and QKD technology, we propose a novel quality of service (QoS) model including new metrics for determining the states of public and quantum channels as well as a comprehensive metric of the QKD link. We also propose a novel routing protocol to achieve high-level scalability and minimize consumption of cryptographic keys. Given the limited mobility of nodes in QKD networks, our routing protocol uses the geographical distance and calculated link states to determine the optimal route. It also benefits from a caching mechanism and detection of returning loops to provide effective forwarding while minimizing key consumption and achieving the desired utilization of network links. Simulation results are presented to demonstrate the validity and accuracy of the proposed solutions. Index Terms: Quantum key distribution, quality of service, routing protocol, real-time traffic. I. INTRODUCTION: During the 30 years since the discovery of the first quantum protocol [1], quantum technology has grown significantly and is rapidly approaching high levels of maturity.
IEEE Access, 2018
Advanced persistent threats (APT) are considered as a significant security threat today. Despite their diversity in nature and details, a common skeleton and sequence of phases can be identified that these attacks follow (in similar ways), which admits a game-theoretic description and analysis. This paper describes a general framework that divides a general APT into three major temporal phases, and fits an individual game model to each phase, connecting the games at the transition points between the phases (similarly to "milestones" accomplished during the launch of an APT). The theoretical description is derived from a running example. The benefit of this game-theoretic perspective is at least threefold, as it 1) helps to systematize the threat and respective mitigation actions (by turning them into pure strategies for the gameplay); 2) provides optimized actions for defense and attack, where the latter can be taken as a (nonunique) indication of neuralgic points; and 3) provides quantitative measures of resilience against an APT, in terms that can be defined freely by a security officer. We illustrate this approach with a numerical example.
IEEE Journal of Quantum Electronics, 2017
Quantum key distribution (QKD) relies on the laws of physics to establish a symmetric binary key between remote parties. A QKD link involves the realization of a quantum channel for the transmission of quantum key material encoded in certain photon properties, as well as a public channel for verification of the exchanged key material. This paper deals with the mutual dependence of these channels and analyzes the impact of performance of both channels on the overall key material establishment process. This paper presents measurement data obtained under laboratory conditions as well as the results obtained by establishing a virtual QKD link. Despite the common beliefs that increased quantum bit error rate implies a larger amount of traffic on the public channel, our measurements prove the opposite. The obtained data clearly show that the public channel has a major impact on the overall performance of the QKD link.
IEEE Access, 2017
The protection of cyber-physical networks is a topic of increasing importance. The evolution of IT (cyber) systems that control and supervise the underlying physical system has grown over decades, whereas security has not become a concern until quite recently. Advanced persistent threats (APTs) have proven to be a difficult but significant challenge for practitioners. This work adopts a game-theoretic modeling of APTs and applies it to the (sub)problem of physical intrusion in an infrastructure. The gap between defining a good theoretical model and practically instantiating it is considered in particular. The model description serves to illustrate what is needed to put it into practice. The main contribution of this article is the demonstration of how simulation, physical understanding of an infrastructure, and theoretical methods can be combined towards a practical solution to the physical intrusion avoidance problem. Numerical results are given to show how the physical intrusion game is being set up, and how the results obtained from its analysis can be interpreted and used for an optimized defense.
NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium, 2016
Anonymous communication is traditionally achieved by communication over a sequence of proxies so that the relation between the sender and receiver is obfuscated. Security of anonymization is usually understood as the inability to discover the initiator or receiver of a transmission. We introduce a different notion here, which defines anonymity as the inability to confirm a given guess about the initiator or receiver. We call this arguable anonymity, as it offers the suspect a way of plausible repudiation on grounds of the accusal being not independently verifiable. As a proof of concept, we introduce a deterministic version of Crowds that achieves this kind of anonymity. As a separate (and independent) contribution, the derandomizing of Crowds additionally achieves receiver anonymity to the protocol, based on key-privacy properties of an underlying encryption scheme.
Quantum Science and Technology, 2020
Random numbers are an important ingredient in cryptographic applications, whose importance is often underestimated. For example, various protocols hinge on the requirement of using numbers only once and never again (most prominently, the one-time pad), or rest on a certain minimal entropy of a random quantity. Quantum random number generators can help fulfilling such requirements, however, they may as well be subject to attacks. Here, we consider what we coin a randomness substitution attack, in which the adversary replaces a good randomness source by another one, which produces duplicate values (over time) and perhaps numbers of low entropy. A binding between a random number and its origin is thus a certificate of quality and security, when upper level applications rest on the good properties of quantum randomness.
Games
This article is an overview of recent progress on a theory of games, whose payoffs are probability distributions rather than real numbers, and which have their equilibria defined and computed over a (suitably restricted yet dense) set of distributions. While the classical method of defining game models with real-valued utility functions has proven strikingly successful in many domains, some use cases from the security area revealed shortcomings of the classical real-valued game models. These issues motivated the use of probability distributions as a more complex object to express revenues. The resulting class of games displays a variety of phenomena not encountered in classical games, such as games that have continuous payoff functions but still no equilibrium, or games that are zero-sum but for which fictitious play does not converge. We discuss suitable restrictions of how such games should be defined to allow the definition of equilibria, and show the notion of a lexicographic Na...
The subjective assessment of risk often confronts experts with the challenge of quantifying fuzzy quantities (such as "security", "danger" or the like) on the basis of incomplete information. The categorical (qualitative) risk assessment recommended for this purpose makes the experts' work easier, but equally makes it harder to process the risk data further on the basis of mathematical or statistical models. In this contribution we present a form of data collection that allows qualitative risk values to be specified while (simultaneously) stating the uncertainty about the expressed opinion (in the sense of a quantification). From the data collected in this way, statistical models for risk assessment can be derived very simply and directly, and these can be processed further in many forms. In particular, suitably collected data enable so-called "opinion pooling", which in the long run leads to finding a consensus on a ...