As I mentioned in an earlier blog, I was in Budapest in early November for the 3rd annual GameSec conference, described in this way on their web site: “The GameSec conference aims to bring together researchers who aim to establish a theoretical foundation for making resource allocation decisions that balance available capabilities and perceived security risks in a principled manner.” Many of the conference sessions did indeed look at resource allocation decisions, from both theoretical and practical perspectives.
For example, there was an interesting discussion of allocating resources to honeypots in the paper by Radek Pibil and colleagues. The discussion of deceptive routing by Andrew Clark and colleagues also looked at issues of resource allocation, in that case in terms of the effectiveness of introducing randomly generated dummy packets into network flow to make it more difficult for attackers to jam the real network activity.
A number of the sessions focused on the implications of attacker/defender interaction for defensive security strategies, rather than for resource allocation. For example, this was the focus of papers on steganography by Benjamin Johnson and colleagues, on “lemonizing” cybercriminal black markets by SingRu Hoe and colleagues and on contractual agreements in cloud computing by Robert Nix and Murat Kantarcioglu. The paper by Viet Pham and Carlos Cid, on applying FlipIt to security assessment, as well as our RSA/MIT paper discussing how the FlipIt game can be applied in decisions regarding password rotation and key refresh, also explored aspects of defensive strategy.
A recurring theme of the conference was the application of game theory to password strategies, explored in the keynote by Cormac Herley of Microsoft, in our FlipIt paper and in a poster session by Jeremiah Blocki and colleagues. I’ll be writing more on this in my next blog.
The conference was both interesting and useful, and it showed that there is still a lot of work to be done in both the theory and practice of cybersecurity games. The papers from the conference (though unfortunately not the poster sessions) have been published by Springer in Decision and Game Theory for Security and are well worth study by anyone interested in the intersection of game theory and security.