Autonomic-Computing Approach to Secure Knowledge ... - IEEE Xplore

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 36, NO. 3, MAY 2006

487

Autonomic-Computing Approach to Secure Knowledge Management: A Game-Theoretic Analysis Hina Arora, Birendra K. Mishra, and T. S. Raghu

Abstract—The explosion of knowledge management systems (KMS) and the need for their wide accessibility and availability has created an urgent need for reassessing the security practices and policies in organizations. Security of these assets is a day-today job placing a tremendous cognitive load on information-technology (IT) professionals, which can make it almost impossible to manage the security aspects of KMS. Autonomic-computing systems are well suited to manage KMS, as they use high-level system objectives provided by administrators as the basis for managing the security of KMS. The authors model the self-protection and self-healing configuration attributes in autonomic systems through game-theoretic models. The proposed modeling approach progressively moves from a manual intervention-oriented security setup to an autonomic security setup. This allows the authors to compare and contrast the different approaches and provide insights on their applicability to different security environments. The authors find that moving to a partial autonomic system with self-healing mechanisms can provide a stable environment for securing enterprise knowledge assets and can reduce hacking. It is beneficial to implement an autonomic system when manual investigation costs are higher and/or when the volume of malicious traffic is very low. An autonomic approach is especially attractive when it is difficult to impose penalties on malicious users. Autonomic systems can be effective in securing organizational knowledge assets and in reducing the potential damage from malicious users. Index Terms—Autonomic computing, game theory, intrusion detection, secure knowledge management.

I. I NTRODUCTION

I

NCREASING adoption of knowledge management systems (KMS) for storing and disseminating sensitive enterprise knowledge has created the need to reassess security practices and policies. Threats to securing knowledge artifacts and systems arise from a large number of internal and external sources (hereafter referred to as malicious users) [1]. Additionally, Intranet-, Extranet-, and Web-based accesses to knowledge systems have increased the cognitive load on security professionals in monitoring and safeguarding corporate knowledge

Manuscript received March 7, 2005; revised May 10, 2005. This work was supported in part by the International Business Machines Corporation under a Faculty Research Award and in part by the University of California at Riverside under an Academic Senate Grant. This paper was recommended by Guest Editors H. R. Rao and S. Upadhyaya. H. Arora and T. S. Raghu are with the Department of Information Systems, W. P. Carey School of Business, Arizona State University, Tempe, AZ 85287 USA (e-mail: [email protected]; [email protected]). B. K. Mishra is with the Anderson Graduate School of Management, University of California—Riverside, Riverside, CA 92521-0203 USA (e-mail: [email protected]). Digital Object Identifier 10.1109/TSMCA.2006.871724

assets. Critical issues in secure knowledge management include content, communication, and collaboration [2]. Effective technological and organizational strategies are therefore essential to securing knowledge assets. In this context, we analyze the applicability and potential economic benefits of autonomiccomputing systems (ACS) in securing knowledge assets. As stated in [3], knowledge assets “include all the underlying skills, routines, practices, principles, formulas, methods, heuristics and intuitions, whether explicit or tacit; and all the databases, manuals, reference works, textbooks, diagrams, displays, computer files, and artifacts in which both facts and procedures are recorded and stored.” In other words, knowledge assets include knowledge, information, and data. As elaborated in [4], knowledge is processed information possessed by agents, information is articulated knowledge, and information when assigned a fixed or standard interpretation becomes data. Thus, while aggregate data stored in databases and data warehouses constitute the most basic form of explicit knowledge [5], [6], the value of this knowledge is dependent on its context, interpretation, and usefulness [4]. Securing knowledge assets involves protecting the assets from insider (authorized) and outsider (unauthorized) threats. Self-managing ACSs are intended to reduce human involvement in system management and configuration [7]–[10]. These systems rely on high-level system policies delineated by system administrators to ensure the smooth functioning of informationtechnology (IT) systems. Autonomic systems contain at least one of four self-management attributes: self-optimization, selfconfiguration, self-healing, and self-protection. The adoption of an autonomic architecture does not necessitate the implementation of all four self-management attributes. The “autonomic system” may be autonomic in one aspect and not in another [11]. Successful design and implementation of autonomic systems greatly hinges on strong theoretical contributions toward the development of these four self-management attributes. In this paper, we focus on the self-healing and self-protection aspects. These two aspects are essential for developing effective mechanisms to secure organizational knowledge assets [7]. The diversity of knowledge assets and organizational contexts necessitates an investigation of the economic benefits of implementing security management functionality through ACS. The research objectives for this paper are therefore twofold. First, we investigate the economic justification for implementing an ACS to secure knowledge assets. Second, we investigate high-level system behaviors and responses that strategically adapt to differing organizational and malicious use contexts.

1083-4427/$20.00 © 2006 IEEE

488

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 36, NO. 3, MAY 2006

A. Autonomic Computing Autonomic systems are composed of self-managed (selfconfiguring, self-optimizing, self-protecting, and self-healing) elements [12]. Each autonomic element consists of an autonomic manager (AM) and a set of managed components. The AM continuously Monitors the managed components, Analyzes the data these components generate, Plans actions if required, and Executes these actions (the MAPE model) in order to achieve the self-management aspects of the system. The AM relies on high-level system policies to guide its goals [13]. A policy is a representation, in a standard external form, of desired behaviors or constraints on behavior. High-level system policies refer to high-level objectives set by the administrators for the autonomic systems, while leaving the task of how they are achieved to the AMs. The AM also assumes the existence of a common knowledge base that it continuously uses and modifies according to its experiences and policies [14]. The nature of policies and the implementation of the MAPE model are usually problem specific. In the context of KMSs, the AM sets up an MAPE cycle, which monitors network traffic in order to protect knowledge assets against malicious (and innocent) attacks. This can be achieved by ensuring that effective detection, deterrence, and recovery mechanisms are in place. Detection mechanisms include anomaly detection, which has traditionally involved human intervention. However, anomaly detection requires continuous monitoring of network traffic, break-in attempts, and system logs in order to discern the possibility of an attack, which can be a daunting task for humans to perform in light of the massive amounts of data and complex correlations. ACSs can potentially mitigate this cognitive limitation constraint through intelligent monitoring (monitoring and correlating data in order to deduce the possibility of an attack) and response mechanisms [15]. Since there is a high cost associated with human resources, autonomic systems can also help reduce costs by bringing down human intervention to a minimum. However, the design of an ACS has to be robust to reduce or eliminate human intervention in protecting knowledge infrastructure of an organization. The performance of an ACS depends on: 1) the sensitivity of its intrusion detection system (IDS) in classifying traffic as either malicious or nonmalicious; 2) its intrusion deterrence mechanisms (such as increasing the effort required for an attack to succeed or increasing the risk associated with the attack) as a response to identified malicious traffic; and 3) the allocation of adequate computational resources to heal system components affected by malicious traffic. To better understand the strategic self-protection behavior of an ACS, we consider three distinct cases. In the first case, we model a traditional security setting where site security officers [16] strategically respond to malicious traffic conditions through investigations of alarms from an IDS. In the second case, we model a semiautonomic system that acts in response to malicious traffic by optimally allocating computational resources to investigate and heal the information infrastructure. In the third case, we model an ACS that not only performs the tasks of a semi-AM but also adapts the IDS sensitivity to control false alarm rates.

The need for a strategic approach to self-protection in ACS arises from the nature of security threats encountered in enterprise information infrastructures. Malicious attacks on systems originate from attackers who are motivated to overcome protection mechanisms and continuously adapt their behavior to counter detection and deterrence methods. An autonomic response is designed through detection, deterrence and healing. The system responds with deterrence mechanisms if malicious traffic is detected and healing procedures if the attack has caused damage. Even though the field of intrusion detection is more than 20 years old [17], many fundamental questions regarding IDS remain unanswered. According to [18] some of these questions relate to effectiveness, efficiency, ease of use, security, interoperability, and transparency. In [18], it is demonstrated that the false alarm rate of IDS is the limiting factor in effectively combating intrusions. In order to achieve a high detection rate in IDS, a high false alarm rate is almost inevitable. Previous designs on automated intrusion response systems often ignored cost implications of responses to alarms [19]. More recently, cost implications of intrusions and associated responses are often explicitly modeled in the design of automated intrusion responses [19], [20]. Costs due to malicious attacks include damages caused to the information infrastructure as well as the costs of response mechanisms to deter the attack [21]. We draw upon this research literature to model the costs of intrusions and intrusion responses. Response mechanisms also include deterrence responses that are intended to increase the malicious user’s cost and risk associated with the attack. However, deterrence mechanisms can also reduce nonmalicioususer utilities due to the measures taken to deter malicious users [22]. Alarm mechanisms in an IDS interact with response mechanisms; high false alarm rates could result in a denial of service to legitimate users and inefficient use of system resources [19]. For instance, in one specific automated response mechanism, delays were introduced in system-call execution as a result of the system’s response to an anomalous behavior [23]. In summary, self-protection mechanisms in ACSs should consider cost implications from investigation, deterrence, and self-healing activities. Additionally, it should be recognized that malicious users interact strategically with the ACS. These considerations warrant investigation of an ACS self-protection mechanism design from an economic and strategic perspective. Extant research on information and computer security from an economic perspective is very limited. Early research has focused on evaluation of investments in IT security [24]–[26]. Game-theoretic analysis of specific attack scenarios has been attempted in several recent studies [27]. In [28], a gametheoretic setting is used to detect intrusions through a packet sampling mechanism. In this setting, the intruder picks paths in the network to minimize detection whereas the defender chooses sampling strategies to maximize detection. Gametheoretic analyses have been used in other network-related settings such as for ensuring network stability [29] and switch service disciplines [30]. This paper makes the following contributions. First, our models capture the evolution of manually protected systems to autonomic self-protecting and self-healing systems. This

ARORA et al.: AUTONOMIC-COMPUTING APPROACH TO SECURE KNOWLEDGE MANAGEMENT: A GAME-THEORETIC ANALYSIS

489

TABLE I NOTATIONS USED

enables us to investigate the potential value in transitioning from a manual intrusion detection approach to an autonomic one. Second, we model and provide insights on the optimal allocation of computational resources to self-protection and self-healing functionalities of an ACS. Third, our modeling of the tradeoffs involved in the detection probability and false alarms enable us to investigate optimal configuration of intrusion detection sensitivity in an ACS. The rest of this paper is organized as follows. In Section II, we present the overall modeling framework for this study. In Section III, we model and analyze a manual investigation approach to intrusion detection and response. In Section IV, we introduce a partial autonomic-computing setting and analyze the implications. In Section V, we model and analyze a fully autonomic-computing setup. Finally, we summarize our findings and conclude in Section VI. II. M ODEL Intrusion refers to a deliberate or random attack on a system by an authorized or unauthorized user that compromises the confidentiality or integrity of the system. Outsider attacks refer to attacks by (external) unauthorized users, and insider attacks refer to deliberate attacks by (internal) authorized users [17]. Securing knowledge assets involves protecting knowledge repositories from both insider and outsider attacks and can be achieved through active monitoring of network data, session logs, and usage patterns. The proposed model caters to both insider and outsider threats. The ACS should identify the intent behind traffic sources as either nonmalicious (H0 ) or malicious (H1 ). In any system, a large percentage of the traffic is nonmalicious. The skewed nature of the frequency distribution makes detection of malicious transactions difficult, which is the cause of the baserate fallacy analyzed in [18]. AMs have to contend with two types of errors in classifying traffic: classification of malicious traffic as nonmalicious (false negative) and classification of nonmalicious traffic as malicious (false positive) [26]. We define the following terms: Probability of detection Probability of false negative Probability of false positive

PD = Pr(classify into H1 |H1 is true) or 1 − PD PF = Pr(classify into H1 |H0 is true).

We provide a list of notations used in this paper in Table I for easy reference. In general, AMs should be designed such that PD is as large as possible and PF is as small as possible. However, it is not possible to increase PD and decrease PF simultaneously. Variability associated with transaction data and the heuristic nature of algorithms and models used by an IDS place limits on the range of values for PD and PF . It is possible for both site security officers and ACS to fine tune the IDS parameter values by changing threshold values and/or inference rules. The quality profile of intrusion detection, i.e., the possible values of PD and PF pairs, is characterized by a curve known

as the receiver-operating-characteristics (ROC) curve [31]. The ROC curve can be derived empirically or analytically [32], [33]. IDSs often classify traffic based on whether a numerical score computed from history exceeds a threshold value and/or whether the transaction data satisfy a set of rules. Consider an IDS that uses traffic data and a sensitivity parameter φ to detect malicious traffic. We model PD and PF as follows:
PD =

1−

d



dmax

φ+

d dmax

(1)

and PF = φ.

(2)

The equations above effectively capture the tradeoffs involved in intrusion detection.1 The parameter d (< dmax ) is the damage potential of a malicious traffic instance. Fig. 1 illustrates these probability calculations. When the sensitivity parameter φ is set high, both probabilities of detection and false alarm approach the value of 1. When φ approaches zero, the probability of false alarm approaches zero; however, the probability of detection is dependent on both the sensitivity parameter as well as the damage potential of the malicious traffic. In other words, in the limiting case of φ = 0 (no IDS), the probability of detection will be determined by the extent of the damage. Our characterization of the relationship between the probability of false alarms and the probability of detection is different from [26]. In [26], the focus is on the value of IDS, and the probability of detection is assumed to be independent 1 Scaling the probability of false classifications, P = τ · φ would allow F one to model scenarios where a high detection probability is achieved at relatively low false alarm probabilities; however, adding the scale parameter will not change the results qualitatively and has been omitted here for modeling convenience.

490

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 36, NO. 3, MAY 2006

Fig. 1. ROC curves.

of the damage potential of an intrusion alarm instance. The characterization in our model is more realistic and is reflective of the empirical behavior of intrusion detection mechanisms reported in recent studies [34], [35]. Intrusion detection based on signature patterns and payloads have been reported to achieve higher probabilities of detection at relatively low false alarm rates depending on the nature of intrusion. The characterization used in this model enables us to capture the damage-potentialbased detection ability of IDS. In general, the proportion of traffic that is malicious is quite low. Let λ be the proportion of malicious transactions (both detected and undetected). Malicious users may affect the system depending on factors such as the benefit they derive from the intrusion and the likelihood of being deterred (and possibly being identified). We assume that malicious users committing intrusions derive a benefit equivalent to the damage potential d of the hacking incident.2 If the intrusion is detected and the malicious user is traced, potential penalties on the malicious user could be imposed through a number of response mechanisms. These response mechanisms (assumed proportional to the damage potential) reduce the utility of the malicious user from intruding. The penalty parameter L captures the disutility impact of penalty options including reduction or revocation of privileges on the system or possible legal recourse. Another means of intrusion deterrence is through creation of automated deterrence mechanisms. For example, system calls can be delayed or terminated as an automated response mechanism to possible intrusions [23]. Such response mechanisms are intended to deter malicious users from causing further damage. However, when there is a false alarm, such deterrence mechanisms are likely to reduce nonmalicious-user utilities as well. The parameter β captures this aspect of intrusion deterrence. While the proposed model caters to both insider and outsider threats, the model parameters may be different in the two cases. Insider attacks are usually harder to detect and can potentially

2 We have made this assumption for modeling convenience. In an implementation scenario, these parameters demand careful calibration, especially in an autonomic setting.

cause more damage since they originate from authorized users with internal knowledge of system configuration and policies [36]. However, if caught, insiders are also subject to penalties dictated by the employer. Hence, model parameters such as PD , PF , damage, and penalties may be different depending on whether it is an insider or outsider threat. The game-theoretic setting used in our model belongs to a broad class of mathematical models used to capture inspection settings. Inspection game settings have been used in arms control investigation [37], auditing [38], and piracy control [39]. We first model the scenario where site security officers are predominantly used to investigate and restore system functionality in the event of a security breach. This case is followed by the scenario where a partially configured ACS investigates and restores system functionality. Finally, we model a dynamic self-protection and self-healing ACS that monitors and reacts to security breaches.

III. C ASE 1: M ANUAL I NVESTIGATION The first case we analyze is when an IDS is supplanted with manual intervention (by site security officers). Site security officers investigate alarms generated through IDSs and other audit trails [40]. Cognitive limitations and personnel costs rule out investigation of all alarms. We assume that, when an intrusion alarm is generated and the investigation team decides to investigate the incident (detection and recovery), the cost of investigation is a fraction Cd of the damage if it is a true alarm and the cost of investigation is a fraction Cf of the damage if it is a false alarm. Since false alarms can be quickly identified by the investigation team, without loss of generality, it is assumed that Cd > Cf . The effectiveness of the manual investigation process determines the damages recovered during investigation. We capture the effectiveness of the process through the damage recovery rate parameter µ. Additionally, intrusion deterrence mechanisms can be implemented to slow down potential malicious users. However, when intrusion deterrence mechanisms are implemented, legitimate users can also be affected. The parameter β captures the intrusion deterrence mechanism. We assume that the malicious users and the firm are risk neutral. We define the objective functions for the malicious user (H) and firm (F ) as follows. The expected payoff for malicious users consists of the utility derived from hacking and the disutility in the event the hacking incident is investigated, detected, and traced back. The penalty parameter L captures the disutility to the hacker from expected penalties that can be imposed from investigation. The firm’s expected payoff consists of detecting true security breaches, investigating it, and reducing the damages incurred.3 The firm incurs investigation costs and damages due to malicious traffic. We define the probability of a security breach given an alarm (ηd ) from the

3 The firm can also investigate system logs when there is no alarm from the IDS. However, the investigation probability will always be higher when there is an alarm. In one specific model, it has been shown that, for an investigation to occur in the absence of an alarm, all alarm incidents must be investigated first [25].

ARORA et al.: AUTONOMIC-COMPUTING APPROACH TO SECURE KNOWLEDGE MANAGEMENT: A GAME-THEORETIC ANALYSIS

491

IDS and the probability of no security breach given an alarm (ηf ) as follows: ηd =

λPD λPD + (1 − λ)PF

(3)

ηf =

(1 − λ)PF λPD + (1 − λ)PF

(4)

Max H = d − PD ρLd − β

(5)

(d)

where H ={damage caused}−{penalty if caught}−{disutility due to intrusion deterrence} and Max F = ηd ρµd + λPD β − λd − ηd ρCd d ρ,β

− ηf ρCf dmax − (1 − λ)β α

(6)

where F = {damages saved due to investigation} + {damages saved through deterrence} − {potential for damage from malicious user traffic} − {cost of investigating true alarms} − {cost of investigating false alarms} − {cost to legitimate users from deterrence mechanisms}. Proposition 1: The equilibrium strategies for the malicious user and the firm in the manual investigation setup are as follows. Let M = λφ(µ − Cd ) + 4Cf (1 − λ)(1 − φ). Then, the probability of audit  ρ∗ =

(7)

λ(µ − Cd ) √ L φM

(8)

the intrusion damage   √ √ dmax φ M − φλ(µ − Cd )  d∗ = 2(1 − φ) λ(µ − Cd )

(9)

and the intrusion deterrence level 

√ 2Cf λ(1 − φ) φ

1  α−1

β ∗ =   √  α λ(µ − Cd )M − λ(µ − Cd ) φ

.

(10)

We assume that (µ − Cd ) > 0, i.e., the efficiency in damage recovery always exceeds the cost incurred in investigating and reacting to the security breach as a fraction of the damages inflicted. Due to the complexity of the solutions, we utilize numeric solutions to illustrate the game strategies. This approach also enables us to compare across cases. However, certain functional relations are straightforward and could be obtained through simple partial differentiation of the above equations. For instance, from (9), it is clear that d∗ increases with dmax ; from (8), we see that ρ∗ decreases with L. To investigate the parametric effects of this game, we have plotted the solutions for various values of the game parameters. The set of plots in Fig. 2(a)–(e) shows the impact of the IDS sensitivity parameter φ and the cost of investigation, Cd .

Fig. 2. (a)–(b) Sensitivity analysis of objective function values (for L = 3.0, Cf = 0.02, dmax = 1000, λ = 0.05, µ = 1.0, and α = 2). (c)–(e) Sensitivity analysis of decision variables against an IDS parameter (for L = 3.0, Cf = 0.02, dmax = 1000, λ = 0.05, µ = 1.0, and α = 2).

The graphs in Fig. 2(a)–(e) are representative of the solution behavior over a large range of parameter values. The efficacy of IDS technology and organizational constraints determines the feasible value of φ in the case of manual investigation of

492

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 36, NO. 3, MAY 2006

security breaches. The sensitivity analysis of decision variables against φ shows that an equilibrium investigation probability (ρ∗ ) would be higher when false alarm rates are lower (φ). This is consistent with previous findings in game-theoretic settings [26]. More importantly, the rational response in the intrusion game is reflective of the current practice where the values of IDSs are questioned due to high false alarm rates [18]. The organizational response to a higher cost of investigation is to reduce the investigation probability. Larger security-breach damages are incurred due to higher investigation costs, since the investigation probability is lower. The game-theoretic model highlights the substitutable nature of intrusion deterrence and manual investigation. The equilibrium value of intrusion deterrence increases with increasing false alarm rates. Interestingly, the malicious-user utility initially increases as the false alarm rate increases; however, the malicious-user utility decreases beyond a certain point. The decrease in utility is due to the increase in intrusion deterrence as well as the increase in the likelihood of detection through increased alarm frequency. Organizations have better incentives to institute higher levels of intrusion deterrence in their systems when manual investigation costs are higher. The game-theoretic analysis of the manual investigation game shows two prime possibilities for minimizing expected organizational losses due to intrusion: 1) increase the effectiveness of an IDS by improving the detection rates while keeping false alarm rates low and/or 2) decrease the cost of investigation. Recent research efforts have contributed to improved IDS effectiveness but the base-rate fallacy pointed out by [18] is still a limiting concern. Similarly, decreasing the cost of investigation, when investigations are handled manually by site security officers is difficult. It is in these contexts that the autonomic-computing concept appears to provide additional benefit to the organization in augmenting the IDS technology. IV. C ASE 2: P ARTIALLY C ONFIGURED AM We investigate a partially configured AM in this section. The AM’s objective is to allocate the optimal amount of computational effort and resources to the investigation of alarms and subsequent damage control. The sensitivity configuration of the autonomic system (φ) is static, i.e., considered to be preset given the traffic conditions (this assumption will be relaxed in our third case). The cost functions are modeled as functions of the computational effort and resources allocated. We assume that the AM investigates all alarms. Therefore, the decision variable for the AM is the computational effort (υ), in terms of computational resources, to be allocated to alarm investigation, i.e., self-protection and self-healing mechanisms. The cost of self-healing and detection is modeled as a fraction Cd of the damage if it is a true alarm and as Cf in case of a false alarm. The cost of investigation is modeled as a convex function in computational effort (i.e., ω < 1). When comparing across cases, it can be assumed that Cd and Cf from case 2 are considerably less than that in case 1 due to the lower cost of computational resources. Similarly, it can be argued that the potential for imposition of penalties (L) in an autonomiccomputing context are considerably lesser. In our numerical

analyses, we consider these possibilities in comparing across cases. The intrusion deterrence is modeled as before. Since all alarms are investigated, the disutility to malicious user due to intrusion deterrence is modeled as a product of the two parameters. The objective functions are therefore as follows: Max H = d − PD Ld − βν d

(11)

where H ={damage caused}−{penalty if caught}−{disutility due to intrusion deterrence} and Max F = λPD νd + λPD β − λd − λCd PD [dν ω ] ν,β

− (1 − λ)Cf PF ν − (1 − λ)β α

(12)

where F = {damages saved due to investigation} + {damages saved through deterrence} − {potential for damage from malicious user traffic} − {cost of investigating true alarms} − {cost of investigating false alarms} − {cost to legitimate users from deterrence mechanisms}. Proposition 2: The equilibrium strategies for the malicious user and the ACS are as follows: dmax (1 − Lφ) (13) 2L(1 − φ) 1

 1−ω λCd dmax (1 − L2 φ2 )ω ∗ ν = (14) λdmax (1 − L2 φ2 ) − 4Cf L2 (1 − λ)(1 − φ)

 1 λ(1 + Lφ) α−1 . (15) β∗ = 2αL(1 − λ) d∗ =

From (13), we find that for hacking to occur, i.e., for d∗ > 0, Lφ < 1. Moving from a manual investigation mode to a partial autonomic-computing mode yields interesting changes to the strategic nature of the game. Intrusion damage (d∗ ) under case 1 was independent of penalty L; in case 2, d∗ is a function of L, dmax , and φ. Additionally, d∗ in case 2 is independent of Cd ; whereas in case 1, d∗ is dependent on Cd [see Fig. 2(c)]. This is because the optimal damage is determined from maximizing the hacker’s utility, which is scaled up to a constant by the firm’s strategies and does not depend on Cd and Cf . A main component of strategy in case 1 is investigation probability (ρ∗ ); in case 2, the equivalent strategy is the resource allocation (ν ∗ ). While the functional form of the two strategies are different, both ρ∗ and ν ∗ are dependent on similar parameters in cases 1 and 2. Intrusion deterrence (β ∗ ) in case 1 is independent of penalties (L) on the malicious user; whereas in case 2, β ∗ is a function of L. Unlike in case 1, β ∗ is independent of Cd and Cf in case 2. This is because the firm’s deterrence strategy does not interact with Cd and Cf . To investigate the parametric effects of this game, we have plotted the solutions for various values of the game parameters. The set of plots in Fig. 3(a)–(e) shows the impact of the IDS sensitivity parameter φ. To the extent possible, parameter values are set similar to that of case 1 to facilitate a comparative analysis.

ARORA et al.: AUTONOMIC-COMPUTING APPROACH TO SECURE KNOWLEDGE MANAGEMENT: A GAME-THEORETIC ANALYSIS

Fig. 3. (a)–(c) Sensitivity analysis of decision variables against an IDS parameter (where applicable, L = 1.0, Cf = 0.02, dmax = 1000, λ = 0.05, α = 2, and ω = 0.5). (d)–(e) Sensitivity analysis of decision variables against an IDS parameter (where applicable, L = 1.0, Cf = 0.02, dmax = 1000, λ = 0.05, α = 2, and ω = 0.5).

Manual investigation effectiveness and investigation probability (µ and ρ) in case 1 are replaced by a resource allocation parameter (υ). While it is reasonable to assume that investigation costs would decrease in case 2 and investigation effectiveness may decrease, in Fig. 3(a)–(e), the same numbers

493

as in Fig. 2 are used to facilitate an easier comparison between the two cases. A key difference between the two sets of figures is that the autonomic system is operating at a much lower penalty level (L = 1.0−1.2). A manual investigation system at this level of penalty requires complete investigation (which could completely overwhelm the investigators). In case 2, at higher values of L, it is optimal for the malicious user not to attack [see (13)]. The origin of the malicious user, attack type, and the investigation sophistication impact the potential of penalties. Thus, the parameter range for which hacking equilibrium exists is curtailed, which implies a higher level of effectiveness compared to the manual system. However, in a hacking equilibrium, the results in case 2 imply a lowered sensitivity to the penalty parameter. The lowered sensitivity in case 2 is due to the fact that the AM investigates all signals. Unlike case 2, in case 1 (i.e., manual investigation), a costly investigation is traded off against deterrence from the legal penalty and deterrence through detection by the IDS. The tradeoff between investigation and penalty causes increased sensitivity to penalty parameter. Therefore, a low sensitivity to penalty in case 2 is beneficial for the firm, as the penalty parameter is outside the firm’s control. The autonomic system is less sensitive to the IDS parameter setting as well. Firm utility in case 2 is much less sensitive to the IDS setting [compare Figs. 2(a) and 3(a)]. The economic benefits of moving to an autonomic system seem to accrue when the cost of manual investigation is order of magnitude higher than that of an autonomic self-healing mechanism. Since the malicious-user utility is independent of Cd , we have plotted the malicious-user utility for different values of L. The malicioususer utility continues to decrease with the IDS sensitivity in case 2 as well (more penalties, the better). We find that the damage incurred reduces with the IDS sensitivity. This response function of the autonomic context is opposite to that of case 1, where we find that the damage incurred increases with φ. In case 2, any increase in penalty causes the damage value to reduce drastically [see Fig. 3(c)]. The intrusion deterrence level set by the autonomic system increases with φ; this behavior is similar to the one observed in case 1. Interestingly, the nature of functional form for resource allocation (ν) is basically unaffected by the IDS sensitivity (φ) within the feasible range. A comparison of malicious-user utility across the two cases for different values of malicious traffic frequency reveals contrasting behaviors. In case 1, at low levels of malicious traffic frequency (λ < 0.005), and low levels of penalty (L < 1.5), the damage incurred by the firm is at the maximum level (dmax ). In contrast, the partial autonomic system of case 2 exhibits a stable system behavior (Fig. 4). Malicious-user expected utility steadily decreases for all the values of the malicious traffic level plotted in Fig. 4; whereas, the firm expected utility remains almost constant over the same range. The plots reveal a stable behavior of the system in response to lower as well as higher levels of malicious traffic. In summary, moving to a partial autonomic setting is beneficial to the firm. The firm is able to respond to malicioususer traffic much more effectively, even when the potential for imposing penalty on malicious users is low. In addition, the

494

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 36, NO. 3, MAY 2006

Fig. 4. Sensitivity of firm and malicious-user utility to malicious traffic frequency (L = 1.0, Cf = 0.02, dmax = 1000, Cd = 0.05, α = 2, and ω = 0.5).

partial autonomic setting responds well to low as well as high levels of malicious traffic frequency. Hence, there is compelling economic justification for moving to an autonomic setting. V. C ASE 3: D YNAMICALLY C ONFIGURED AM The AM can dynamically tune its self-protecting capabilities by optimally setting the sensitivity parameter φ. The objective functions are as in case 2. However, the AM optimizes with respect to ν, β, and φ. The game-theoretic formulation is Max H = d − PD Ld − βν d

(16)

where H ={damage caused}−{penalty if caught}−{disutility due to intrusion deterrence} and Max F = λPD νd + λPD β − λd − λPD [Cd dν ω ] ν,β,φ

− (1 − λ)Cf PF ν − (1 − λ)β α

(17)

where F = {damages saved due to investigation} + {damages saved through deterrence} − {potential for damage from malicious user traffic} − {cost of investigating true alarms} − {cost of investigating false alarms} − {cost to legitimate users from deterrence mechanisms}. The analytical intractability precludes a closed-form solution to the game-theoretic formulation. We conducted extensive numerical analysis to determine the nature of the ACS behavior. Some sample results are provided in Fig. 5(a) and (b). The range of parameter values used in our numerical analyses is summarized in Table II. In addition to investigating all alarms as in the partially configured case, the dynamically configured system also optimizes the sensitivity parameter φ. As the malicious traffic frequency decreases, the autonomic system responds by increasing the IDS sensitivity [Fig. 5(a)]. The range of values of φ available as a response mechanism diminishes with increasing Cd . By comparing the two figures in Fig. 5(a), it can also be seen that the autonomic system chooses a lower operating range of the sensitivity parameter for higher values of the penalty parameter.

Fig. 5. (a) Proportion of malicious transactions against the IDS sensitivity choice made by ACS (Cf = 0.02, dmax = 1000, α = 2, and ω = 0.5). (b) Penalty parameter against IDS sensitivity parameter choice made by ACS (Cf = 0.02, dmax = 1000, α = 2, ω = 0.5, and λ = 0.08).

TABLE II RANGE OF VALUES USED IN THE NUMERICAL ANALYSIS

ARORA et al.: AUTONOMIC-COMPUTING APPROACH TO SECURE KNOWLEDGE MANAGEMENT: A GAME-THEORETIC ANALYSIS

Fig. 6.

495

Firm utility against malicious traffic frequency (Cf = 0.02, dmax = 1000, α = 2, ω = 0.5, and λ = 0.08).

Fig. 5(b) shows the relationship between the penalty parameter and the IDS sensitivity. As the penalty parameter decreases, the autonomic system operates at a higher IDS sensitivity in order to continue performing effectively. For the range of parameter values in Table II, the range of solutions is as follows: d ≤ 75.5 0.2522 ≤ φ ≤ 0.9089 H ≤ 1.7360 F ≥ − 7.171 0.00063 ≤ ν ≤ 0.119. The range of values for H and F indicate higher benefits to the firm from ACS. For example, the plot in Fig. 6 demonstrates that the firm utility is within a narrow range. This range of values is several orders of magnitude better than that shown in Fig. 4 for case 2. To achieve better performance, the autonomic system utilizes a range of IDS sensitivity values to respond to different conditions of malicious traffic frequency, penalty, and cost of self-healing. Having the ability to optimize the value of the sensitivity parameter φ allows the autonomic system to continue operating effectively and efficiently for different settings of deterrence mechanisms and penalty parameters. This can be valuable for configuring secure systems in different legal settings. The results demonstrate that it is possible to develop effective ACSs to strategically respond to security threats. Specification of broad system level objectives (and an input of malicious-user objectives) enables the ACS to dynamically reconfigure system parameters in response to changes in the operating environment and characteristics of the attack. When a model of this nature is utilized in an ACS setting, it is necessary to accurately estimate the parameter values. Several approaches are available to achieve accurate estimates. Model parameters can be estimated from historical industry or organizational data [41] or simulated in a test environment [42]. For instance, the damage potential and the associated cost of investigation can be estimated based on the historical data or forecasting tools. The sensitivity parameter can be tuned according to the damage potential. The deterrence penalty can

be based on whether the hacker is within national jurisdiction boundaries or not.

VI. C ONCLUSION In this paper, we investigate the economic benefits of utilizing ACSs in securing KMS. The game-theoretic model developed in this paper enables us to capture the strategic interactions between the firm and the malicious user. We have relaxed some of the assumptions made in earlier research. For the first time, we have modeled the detection probability of ROC curves as a function of possible damage due to intrusion and exposure of the firm. This makes our ROC curves similar to what is observed empirically. The primary cause for concern in the security community is the high false alarm rate in IDSs. We capture the effect of IDS false alarm rate in our models. We find that the manual investigation approach is extremely sensitive to false alarm rates (i.e., IDS sensitivity). In the case of a partial autonomic system (that exhibits self-healing behavior), we find that the IDS sensitivity becomes less of a concern. However, the ability of a partial autonomic system to outperform the manual investigation approach depends on the cost of investigation and the extant IDS technology. Primarily, due to the low cost of autonomic systems and decreasing computational costs over time, the manual investigation approach can be replaced even when the autonomic system is comparatively less effective than manual investigation. An interesting observation from our model is that autonomic systems are less sensitive to malicious traffic frequency. Additionally, at low malicious traffic frequency, the model presented here exhibits good self-protection and self-healing characteristics. When the ACS can tune IDS sensitivity (as in case 3), the performance effectiveness of the ACS over the manual investigation improves further compared to case 2. Even with the possibility of reduced damage recovery efficiency or reduced penalties on malicious users, the ACS behavior can provide significant organizational benefits in securing knowledge assets. The range of IDS parameter values used by the ACS indicates that the high false alarm rates of IDS can be less problematic; hence, a clear improvement over the manual investigation mode. Although we have generalized the ROC curves to include the damage potential by a hacker, our insights are based on the functional forms assumed for the hacker’s and the firm’s

496

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 36, NO. 3, MAY 2006

payoffs. However, such functional characterization also allows us to model the different aspects of ACS in a comprehensive manner. The parameters indicative of firm size, computing power, value, and skill level are captured through parameters such as dmax , Cd , and Cf . In our model, we look over a possible range to provide qualitative insight. However, we acknowledge that further calibration is necessary to accurately represent the variables mentioned here to reflect the organizational context investigated. Future research may relax some of these assumptions. Another approach to future research may be to look at the dynamic aspects of the ACS model to facilitate the detailed design of security features of ACSs. ACKNOWLEDGMENT The authors would like to thank the participants of the Secure Knowledge Management Workshop, Buffalo, NY, September 2004, for their valuable comments. R EFERENCES [1] R. DelZoppo, E. Browns, M. Downey, E. D. Liddy, S. Symonenko, and J. S. Park et al., “A multi-disciplinary approach to countering insider threats,” in Proc. Secure Knowledge Management Workshop, Buffalo, NY, Sep. 2004, pp. 221–226. [2] S. Upadhyaya, H. R. Rao, and G. Padmanabhan, “Secure knowledge management,” in Encyclopedia of Knowledge Management, D. Swartz, Ed. Hershey, PA: Iden Group, 2005, pp. 795–801. [3] S. G. Winter. (2001, Nov.). “Framing the issues: Knowledge asset strategies,” in Mack Center Technological Innovation—Impact Conf.—Managing Knowledge Assets. [Online]. Available: http://emertech.wharton. upenn.edu/ConfRpts_Folder/WhartonKnowledgeAssets_Report.pdf [4] M. Alavi and D. E. Leidner, “Review: Knowledge management and knowledge management systems: Conceptual foundations and research issues,” MIS Q., vol. 25, no. 1, pp. 107–136, Mar. 2001. [5] L. Fahey and L. Prusak, “The eleven deadliest sins of knowledge management,” Calif. Manage. Rev., vol. 40, no. 3, pp. 265–276, 1998. [6] J. S. Brown and P. Duguid, “Balancing act: How to capture knowledge without killing it,” Harvard Bus. Rev., vol. 78, no. 3, pp. 73–80, May/Jun. 2000. [7] J. Kephart and D. Chess, “The vision of autonomic computing,” Computer, vol. 36, no. 1, pp. 41–50, Jan. 2003. [8] P. MacInnis, “Autonomic computing blueprint unveiled,” Comput. Canada, vol. 29, no. 8, p. 4, 2003. [9] J. Teresko, “Autonomic computing: The next e-business step,” Ind. Week, vol. 252, no. 1, p. 19, 2003. [10] H. Tianfield and R. Unland, “Towards autonomic computing systems,” Eng. Appl. Artif. Intell., vol. 17, no. 7, pp. 689–699, 2004. [11] D. F. Bantz, C. Bisdikian, D. Challener, J. P. Karidis, S. Mastrianni, A. Mohindra et al.“Autonomic personal computing,"IBM Syst. J., vol. 42, no. 1, pp. 165–176, 2003. [12] S. R. White, J. E. Hanson, I. Whalley, D. M. Chess, and J. O. Kephart, “An architectural approach to autonomic computing,” in Proc. IEEE Int. Conf. Autonomic Computing, 2004, pp. 2–9. [13] J. O. Kephart and W. E. Walsh, “An artificial intelligence perspective on autonomic computing policies,” in Proc. 5th IEEE Int. Workshop Policies Distributed Systems and Networks, 2004, pp. 3–12. [14] L. Stojanovic, J. Schneider, A. Maedche, S. Libischer, R. Studer, T. Lumpp et al., “The role of ontologies in autonomic computing systems," IBM Syst. J., vol. 43, no. 3, pp. 598–617, 2004. [15] D. M. Chess, C. C. Palmer, and S. R. White, “Security in an autonomic computing environment,” IBM Syst. J., vol. 42, no. 1, pp. 107–118, 2003. [16] J. Branch, A. Bivens, C. Y. Chan, T. K. Lee, and B. Szymanski, “Denial of service intrusion detection using time dependent deterministic finite automata,” in Proc. Research Conf., Troy, NY, Oct. 2002, pp. 45–51. [17] J. P. Anderson, “Computer security threat and monitoring surveillance,” James P. Anderson Co., Fort Washington, PA, Tech. Rep. 79F26400, 1980. [18] S. Axelsson, “The base-rate fallacy and the difficulty of intrusion detection,” ACM Trans. Inf. Syst. Secur., vol. 3, no. 3, pp. 186–205, Aug. 2000.

[19] I. Balepin, S. Maltsev, J. Rowe, and K. Levitt, “Using specification-based intrusion detection for automated response,” in Proc. 6th Int. Symp. RAID, Pittsburgh, PA, Sep. 8–10, 2003, pp. 136–154. [20] W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok, “Toward cost-sensitive modeling for intrusion detection and response,” J. Comput. Secur., vol. 10, no. 1, pp. 5–22, 2002. [21] R. Bace, Intrusion Detection. Indianapolis, IN: Macmillan, 2000. [22] L. R. Halme and R. K. Bauer. (2004). A Taxonomy of Anti-Intrusion Techniques. [Online]. Available: http://www.sans.org/resources/idfaq/aint.php [23] A. Somayaji and S. Forrest, “Automated response using system call delays,” in Proc. 9th USENIX Security Symp., Aug. 14–17, 2000, pp. 185–198. [24] L. A. Gordon and M. P. Loeb, “The economics of information security investment,” ACM Trans. Inf. Syst. Secur., vol. 5, no. 4, pp. 438–457, Nov. 2002. [25] H. Cavusoglu, B. K. Mishra, and S. Raghunathan, “A model for evaluating IT security systems,” Commun. ACM, vol. 47, no. 7, pp. 87–92, Jul. 2004. [26] ——, “The value of intrusion detection systems in information technology security architectures,” Inf. Syst. Res., vol. 16, no. 1, pp. 28–46, Mar. 2005. [27] P. Liu and W. Zang, “Incentive-based modeling and inference of attacker intent, objectives, and strategies,” in Proc. 10th ACM Conf. Computer Communications Security, 2003, pp. 179–189. [28] M. Kodialam and T. V. Lakshman. (2003). “Detecting network intrusions via sampling: A game theoretic approach,” in Proc. IEEE INFOCOM. [Online]. Available: www.ieee-infocom.org/2003/papers/46_02.PDF [29] A. Akella, S. Seshan, R. Karp, and S. Shenker, “Selfish behavior and stability of the Internet: A game-theoretic analysis of TCP,” in Proc. ACM SIGCOMM, Pittsburgh, PA, Aug. 2002, pp. 117–130. [30] S. Shenker, “Making greed work in networks: A game-theoretic analysis of switch service disciplines,” IEEE/ACM Trans. Netw., vol. 3, no. 6, pp. 819–831, Dec. 1995. [31] H. V. Trees, Detection, Estimation and Modulation Theory—Part I. Hoboken, NJ: Wiley, 2001. [32] R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, “Testing and evaluating computer intrusion detection systems,” Commun. ACM, vol. 42, no. 7, pp. 53–61, Jul. 1999. [33] R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. R. Kendall, D. McClung et al., “Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation, " in Proc. DISCEX, 2000, vol. 2, pp. 12–26. [34] S. Zhong, T. M. Khoshgoftaar, and N. Seliya, “Evaluating clustering techniques for network intrusion detection,” in Proc. 10th ISSAT Int. Conf. Reliability Quality Design, Las Vegas, NV, Aug. 2004, pp. 149–155. [35] K. Wang and S. Stolfo, “Anomalous payload-based network intrusion detection,” in Proc. RAID, Sep. 2004, pp. 203–222. [36] N. Einwechter. (2002, Mar.). Preventing and Detecting Insider Attacks Using IDS. [Online]. Available: http://www.securityfocus.com/ infocus/1558 [37] S. Weissenberger, “Deterrence and the design of treaty verification systems,” IEEE Trans. Syst., Man, Cybern., vol. 22, no. 5, pp. 903–915, Sep./Oct. 1992. [38] J. C. Fellingham and P. Newman, “Strategic considerations in auditing,” Account. Rev., vol. 60, no. 4, pp. 634–650, Oct. 1985. [39] B. Mishra, T. S. Raghu, and A. Prasad, “Corporate software piracy prevention and detection: An analysis of strategies,” J. Organ. Comput. Electron. Commer., vol. 15, no. 3, pp. 223–252, 2005. [40] J. McHugh, A. C. Christie, and J. Allen, “Defending yourself: The role of intrusion detection systems,” IEEE Softw., vol. 17, no. 5, pp. 42–51, Sep./Oct. 2000. [41] B. Shao, “Optimal redundancy allocation for information technology disaster recovery in the network economy,” IEEE Trans. Dependable Secure Comput., vol. 2, no. 3, pp. 262–267, Jul./Sep. 2005. [42] S. Upadhyaya, R. Chinchani, and K. Kwiat, “An analytical framework for reasoning about intrusions,” in Proc. IEEE Symp. Reliable Distributed Systems, New Orleans, LA, Oct. 2001, pp. 99–108.

Hina Arora received degrees in physics and electrical engineering. She is currently pursuing the Ph.D. degree at the W. P. Carey School of Business, Arizona State University (ASU), Tempe. She has eight years of industry experience. Prior to joining ASU, she was a Software Engineer at IBM, Endicott, NY, and a Research Scientist at the Center for Excellence in Document Analysis and Recognition, Buffalo, NY. Her research focuses on modeling information supply chains and associated demand surge issues in the healthcare context.

ARORA et al.: AUTONOMIC-COMPUTING APPROACH TO SECURE KNOWLEDGE MANAGEMENT: A GAME-THEORETIC ANALYSIS

Birendra K. Mishra received the Ph.D. degree in accounting from the University of Texas at Austin, in 1996. He is currently Associate Dean and Director of seminar series at the University of California, Riverside. He teaches courses in managerial, financial, and accounting information system courses. His research interests are quite diverse and include the areas of accounting disclosure, management and control, information systems security, and open source software. He uses a variety of methodologies including game theory, agency theory, and empirical methods. He is a prolific writer and has been published in the Journal of Accounting Research, The Accounting Review, Management Science, Marketing Science, Information Systems Research, and various IEEE TRANSACTIONS.

497

T. S. Raghu is currently an Associate Professor of information systems at Arizona State University and the Director of Research of the Technology Research Center (CABIT). His research interests are in knowledge management, business process change, and collaborative decision making. His publications have appeared in refereed international journals such as Information Systems Research, Management Science, the International Journal of Production Economics, and Decision Support Systems. He serves as an Associate Editor for Information Systems Research. Most recently, he guest edited a special issue of Decision Support Systems on “Cyberinfrastructure for Homeland Security: Advances in Information Sharing, Data Mining, and Collaboration Systems.”