Monday, February 8, 2016

Work in Progress (Cyber Security Investment Game)

Here is a video demo of the NetLogo "Cyber Security Investment Game", as a work in progress.  This run is a 6/3 multiplayer game, meaning 6 cooperative Defenders and 3 adversarial Attackers. Defenders play a 2-player game with everyone else, while Attackers only play 2-player games with Defenders. It's a complicated game, with up to 400 possible "moves" for each agent at each step, and also a dynamic game, meaning the structure of the game can change dynamically during the course of play. (Game Theory Purists will probably hate it for that reason!)

Here's a video of 1,700 time steps, with 20x speed-up.

What you see in this simulation is an ecosystem that provides a positive environment for both Defenders and Attackers. That is, they both have consistently positive payoffs (see bar graph, center left).

While the overall trends of payoffs are pretty clear (bottom graph), there is an "unruly" back and forth between attackers and defenders. Crucially, the time series of payoffs is non-stationary for all agents (see center graphs, third and fourth from the top). Simply put, non-stationary means that the probability distribution for each payoff changes over time. You can see a sample distribution of payoffs in the two histograms, center right. You'll notice them changing shape (going from skewed to symmetric) and also changing in mean and standard deviation ("SD"). Non-stationarity has implications for risk estimation, as I will detail in the upcoming WEIS paper.
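To make the non-stationarity point concrete, here is an added Python example (not code from the NetLogo model) that computes mean, SD and skewness over successive windows of a payoff series and flags drift in any of them. The payoff data is constructed, and the function names and thresholds are illustrative assumptions.

```python
import random
import statistics

def window_moments(payoffs, width):
    """Return (mean, SD, skewness) for each non-overlapping window."""
    out = []
    for start in range(0, len(payoffs) - width + 1, width):
        w = payoffs[start:start + width]
        mean = statistics.fmean(w)
        sd = statistics.pstdev(w)
        skew = sum((x - mean) ** 3 for x in w) / (width * sd ** 3)
        out.append((mean, sd, skew))
    return out

def looks_nonstationary(payoffs, width, mean_tol=0.5, sd_ratio=1.5, skew_tol=1.0):
    """Flag drift in mean, SD or shape across windows."""
    # Thresholds are assumptions chosen for this example, not values from the post.
    means, sds, skews = zip(*window_moments(payoffs, width))
    pooled_sd = statistics.pstdev(payoffs)
    return (
        (max(means) - min(means)) / pooled_sd > mean_tol  # mean drift in SD units
        or max(sds) / min(sds) > sd_ratio                 # spread changes
        or max(skews) - min(skews) > skew_tol             # shape changes
    )

def constructed_payoffs(seed=7, n=400):
    """Constructed series: skewed early regime, symmetric late regime."""
    rng = random.Random(seed)
    early = [1 + rng.expovariate(1.0) for _ in range(n)]  # mean ~2, SD ~1, skewed
    late = [rng.gauss(5, 2) for _ in range(n)]            # mean ~5, SD ~2, symmetric
    return early + late

def stationary_control(seed=7, n=800):
    """Constructed control: one fixed distribution for the whole run."""
    rng = random.Random(seed)
    return [rng.gauss(5, 2) for _ in range(n)]

if __name__ == "__main__":
    for mean, sd, skew in window_moments(constructed_payoffs(), 200):
        print(f"mean={mean:5.2f}  sd={sd:5.2f}  skew={skew:5.2f}")
    print("drifting series flagged:", looks_nonstationary(constructed_payoffs(), 200))
    print("control series flagged: ", looks_nonstationary(stationary_control(), 200))
```

A single mean and SD pooled over the whole run describes neither regime, which is why a risk estimate fitted to the early windows would misstate the later ones.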

In terms of progress toward the goal, I would say this is not yet a model of cyber security investment. It models competitive relationships rather than host-parasite relationships, which I believe are close to the true nature of cyber security ecosystems. The good news is that I believe I know what extensions and modifications need to be made. I'll save that for a later post.

Here are some key features of this version of the model:
  • Three levels of investment: 1) architecture/infrastructure; 2) capabilities; 3) practices/routines (a.k.a. "moves")
  • Asymmetric number and variety of "moves" for Defenders and Attackers
  • Parametric control over diversity of "moves" and investments by Defenders and Attackers
Yes, the model is getting complicated.  But I hope this richness will be rewarded when crucial results are revealed in experiments.  We shall see...


Here is the same run after 4,000 time steps.  No sign of equilibrium or stationary time series.
