SaTC: CORE: Small: The Impacts of Human Decision-Making on Security and Robustness of Interdependent Systems

SaTC：核心：小：人类决策对相互依赖系统的安全性和鲁棒性的影响

• 批准号: 1718637
• 负责人: Shreyas Sundaram
• 金额: $ 47.6万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-08-15 至 2022-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1718637&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Impacts; Human

There is a substantial body of work in behavioral economics and psychology showing that people are only partially rational, and thus consistently deviate from classical economic theory. People's perceptions of risks, rewards, and losses can differ substantially from their true values, and these perceptions can have a significant impact on the investments made to protect the systems that the individuals are managing. The objective of this research is to understand the decisions people make to protect their computer systems using realistic models of behavioral decision-making. The research encompasses formal theory to rigorously analyze and predict the outcomes that should be expected under alternative models of behavioral decision-making, and laboratory experiments with human subjects to evaluate the predictions made by the theory and to identify new behavioral models. The research will tackle two specific classes of problems. First, it will identify the impact of behavioral decision-making in settings where different components of a large interconnected cyber-physical system are owned by different stakeholders, each deciding how much to invest in securing their owned assets. Second, it will characterize how decision-makers choose among different security technologies, open source and public versus closed source and proprietary, based on their perceived risks and rewards. The research will lead to a more complete understanding of the vulnerabilities that arise in large-scale interconnected systems, and guide us to the design of more secure systems, with corresponding societal benefits. This research systematically and rigorously characterizes the impact of behavioral deviations from optimal and unbounded rational choice in security settings. The work includes models of decision-making under risk and uncertainty, such as prospect theory, and how such models affect the behavior of agents who manage interdependent systems. The research brings together game-theoretic analysis to predict outcomes based on models of interacting humans and systems, computer security concepts to model how vulnerabilities are exploited and how attacks spread, and behavioral economics experiments to test the theoretical predictions and refine the models. The research is organized in two parts. The first part considers a class of interdependent security games on networks, where each player chooses security investments to protect nodes under her control; this work models applications such as multi-stakeholder SCADA systems. The research will encompass general formulations of attack probabilities, epidemic risks, attack graph models of system interdependencies, and the optimal design of networks to mitigate security vulnerabilities introduced by humans' decision-making. The second part considers a general class of common-pool resource management games, whereby players choose to split their utilization among multiple resources, each of which provides a certain rate-of-return and has a certain probability of failure. This class of games represents conditions in which decision-makers must choose between different public and proprietary security technologies. The research will characterize the impacts of prospect-theoretic decision-making and how users react to incentives provided by the resource operators or vendors. In both parts of the work, the research will identify how Nash equilibrium security investments and resource utilizations are affected by skewed perceptions of risks and rewards. Both parts include controlled behavioral economics experiments using human subjects that will evaluate the theoretical predictions and potentially yield new models of decision-making.

行为经济学和心理学中有大量的研究表明，人们只是部分理性的，因此总是偏离经典经济理论。人们对风险、回报和损失的看法可能与他们的真实价值大不相同，这些看法可能对保护个人管理的系统的投资产生重大影响。 本研究的目的是了解人们使用现实的行为决策模型来保护计算机系统的决策。该研究包括严格分析和预测在行为决策的替代模型下应该预期的结果的正式理论，以及对人类受试者进行的实验室实验，以评估该理论的预测并确定新的行为模型。这项研究将解决两类具体问题。首先，它将确定行为决策的影响，在这种情况下，一个大型互联网络物理系统的不同组件由不同的利益相关者拥有，每个利益相关者决定投资多少来保护他们拥有的资产。其次，它将描述决策者如何根据他们感知的风险和回报在不同的安全技术中进行选择，开源和公共与闭源和专有。这项研究将使我们更全面地了解大规模互联系统中出现的漏洞，并指导我们设计更安全的系统，从而产生相应的社会效益。 这项研究系统而严格地描述了安全环境中行为偏离最佳和无界理性选择的影响。这项工作包括风险和不确定性下的决策模型，如前景理论，以及这些模型如何影响管理相互依赖系统的代理人的行为。该研究汇集了博弈论分析，以预测基于人类和系统交互模型的结果，计算机安全概念，以模拟漏洞如何被利用以及攻击如何传播，以及行为经济学实验，以测试理论预测并完善模型。研究分为两部分。第一部分考虑一类网络上相互依赖的安全游戏，每个玩家选择安全投资来保护她控制下的节点;这项工作模拟了多利益相关者SCADA系统等应用程序。该研究将包括攻击概率的一般公式，流行病风险，系统相互依赖性的攻击图模型，以及网络的最佳设计，以减轻人类决策带来的安全漏洞。 第二部分考虑了一类通用的公共池资源管理游戏，玩家选择将其利用率分配给多个资源，每个资源都提供一定的回报率，并具有一定的失败概率。这类博弈代表了决策者必须在不同的公共和专有安全技术之间做出选择的条件。该研究将描述前景理论决策的影响，以及用户如何对资源运营商或供应商提供的激励措施作出反应。在这两个部分的工作中，研究将确定如何纳什均衡安全投资和资源利用受到扭曲的风险和回报的看法。这两部分都包括使用人类受试者进行的受控行为经济学实验，这些实验将评估理论预测并可能产生新的决策模型。

项目成果

Proactive privacy-preserving proximity prevention through bluetooth transceivers: poster abstract

• DOI: 10.1145/3384419.3430608
• 发表时间: 2020-11
• 期刊: Proceedings of the 18th Conference on Embedded Networked Sensor Systems
• 作者: Kavit Patel;Kyle Massa;N. Raghunathan;Heng Zhang-;Ananth V. Iyer;S. Bagchi

Controlling Human Utilization of Failure-Prone Systems via Taxes

通过税收控制人类对易发生故障的系统的利用

• DOI: 10.1109/tac.2020.3042481
• 发表时间: 2020
• 期刊: IEEE Transactions on Automatic Control
• 影响因子: 6.8
• 作者: Hota, Ashish R.;Sundaram, Shreyas
• 通讯作者: Sundaram, Shreyas

Topology-based Host-Level Attribution for Multi-Stage Attacks in Enterprise Systems using Software Defined Networks

使用软件定义网络对企业系统中的多阶段攻击进行基于拓扑的主机级归因

• DOI: 10.1007/978-3-319-78813-5_36
• 发表时间: 2018
• 期刊: Social Informatics and Telecommunications Engineering
• 作者: Kannan, S;Wood, P;Deatrick, L;Beane, P;Chaterji, S;Bagchi, S
• 通讯作者: Bagchi, S

TASHAROK: Using Mechanism Design for Enhancing Security Resource Allocation in Interdependent Systems

TASHAROK：利用机制设计增强相互依赖系统中的安全资源分配

• DOI: 10.1109/sp46214.2022.9833591
• 发表时间: 2022
• 期刊: 2022 IEEE Symposium on Security and Privacy (SP
• 作者: Abdallah, Mustafa;Woods, Daniel;Naghizadeh, Parinaz;Khalil, Issa;Cason, Timothy;Sundaram, Shreyas;Bagchi, Saurabh
• 通讯作者: Bagchi, Saurabh

Protecting Assets with Heterogeneous Valuations under Behavioral Probability Weighting

行为概率加权下的异质估值保护资产

• DOI: 10.1109/cdc40024.2019.9030279
• 发表时间: 2019
• 期刊: IEEE Conference on Decision and Control
• 作者: Abdallah, Mustafa;Naghizadeh, Parinaz;Cason, Timothy;Bagchi, Saurabh;Sundaram, Shreyas
• 通讯作者: Sundaram, Shreyas