Gamesec 2012: The Intersection of Game Theory and Security

Categories: IT Security

As I mentioned in an earlier blog, I was in Budapest in early November for the 3rd annual Gamesec conference, described in this way on their web site: “The GameSec conference aims to bring together researchers who aim to establish a theoretical foundation for making resource allocation decisions that balance available capabilities and perceived security risks in a principled manner.” Many of the conference sessions did indeed look at resource allocation decisions, from both theoretical and practical perspectives.

For example, there was an interesting discussion of allocating resources to honeypots in the paper by Radek Pibil and colleagues. The discussion of deceptive routing by Andrew Clark and colleagues also looked at issues of resource allocation, in that case in terms of the effectiveness of introducing randomly generated dummy packets into network flow to make it more difficult for attackers to jam the real network activity.

A number of the sessions focused on the implications of attacker/defender interaction for defensive security strategies, rather than for resource allocation. For example, this was the focus of papers on steganography by Benjamin Johnson and colleagues, on “lemonizing” cybercriminal black markets by SingRu Hoe and colleagues and on contractual agreements in cloud computing by Robert Nix and Murat Kantarcioglu. The paper by Viet Pham and Carlos Cid, on applying FlipIt to security assessment, as well as our RSA/MIT paper discussing how the FlipIt game can be applied in decisions regarding password rotation and key refresh, also explored aspects of defensive strategy.

A recurring theme of the conference was the application of game theory to password strategies, explored in the keynote by Cormac Herley of Microsoft, in our FlipIt paper and in a poster session by Jeremiah Blocki and colleagues. I’ll be writing more on this in my next blog.

The conference was both interesting and useful, as well as indicating lots of work still to be done in both the theory and practice of cybersecurity games. The papers from the conference (though unfortunately not the poster sessions) have been published by Springer in Decision and Game Theory for Security and are well worth study by anyone interested in the intersection of game theory and security.

Bob Griffin

Bob Griffin is Chief Security Architect at RSA, the Security Division of EMC, where he is responsible for technical architecture, standards and strategy, particularly for RSA’s data security products. He represents EMC to several standards organization, including as co-chair of the OASIS Key Management Interoperability Protocol (KMIP) technical committee. Bob has extensive experience in security strategy, corporate governance, business process transformation and software development. He has had the primary architectural responsibility for a number of production systems environments and for major software engineering projects at RSA, Entrust and Digital Equipment Corporation,. He is a frequently requested speaker for professional and industry conferences and has instructed courses within both professional and university settings.