Selection of optimal countermeasure portfolio in
IT security planningAdviser: Frank, Yeong-Sung Lin
Presenter: Yi-Cin Lin
While this formulation has more variables than our original non-linear formulation, it should still solve more quickly than its non-linear counterpart.
Model
Single-objective
Risk-neutral Minimize expected cost SP_E
Risk-averse Minimization of expected worst-
case cost SP_CV
NSP_E
Bi-objective
Notation
Total of potential scenarios.
Problem description
Denote by the probability of threat .
Notation
The probability of attack scenario inthe presence of independent threat events is
Problem description
Notation
◦ indicates that countermeasure totally
prevents successful attacks of threat .
◦ denotes that countermeasure is totally incapable of mitigating threat .
Problem description
Notation
The subset of selected countermeasures must satisfy the available budget
constraint
Problem description
This added level of specificity is necessary to maintain the linearity of the formulation.
Also, it improves the model’s flexibility by allowing for the possibility of a countermeasure being implemented at numerous levels.
Minimization of expected cost- NSP_E
Countermeasure is selected at exactly one level i.e.,
Notation
Minimization of expected cost- NSP_E
Model NSP_E: Minimize Expected Cost (1)
Subject to
Minimization of expected cost- NSP_E
COST
Minimization of expected cost- SP_E
Single-objective
Risk-neutral Minimize expected cost SP_E
Risk-averse Minimization of expected worst-
case cost SP_CV
NSP_ENSP_E
Bi-objective
The nonlinear objective function (1) can be replaced with a formula
Minimization of expected cost- SP_E
In order to compute for each threat , a recursive procedure is proposed below.
Minimization of expected cost- SP_E
For each threat and countermeasure can be calculated recursively as
follows.
The initial condition is
The remaining terms
Minimization of expected cost- SP_E
In order to eliminate nonlinear terms in the right-hand side of Eq. (10), define an auxiliary variable
Minimization of expected cost- SP_E
and, in particular, for
Minimization of expected cost- SP_E
Minimization of expected cost- SP_E
Minimization of expected cost- SP_E
Comparison of Eqs. (12) and (15) produces to the following relation
Minimization of expected cost- SP_E
Minimization of expected cost- SP_E
The above procedure eliminates all variables
for each .
Summarizing, the proportion of successful attacks = in For each threat can be calculated recursively, using Eqs. (17), (16) and (13) with replaced by .
Minimization of expected cost- SP_E
Model SP_E:Minimize Expected Cost (5)
subject to 1. Countermeasure selection constraints Eqs. (2) and (3).
Minimization of expected cost- SP_E
Subject to 2. Surviving threats balance constraints
Minimization of expected cost- SP_E
(17)
(16)
(15)
Minimize conditional value-at-risk
Single-objective
Risk-neutral Minimize expected cost SP_E
Risk-averse Minimization of expected worst-
case cost SP_CV
NSP_ENSP_E
Bi-objective
Notation
Model SP_CV:Minimize
Minimize conditional value-at-risk
Subject to1. Countermeasure selection constraints:
Eqs. (2)–(3).2. Surviving threats balance constraints:
Eqs. (18)–(21).3. Risk constraints:
4. Non-negativity and integrality conditions: Eqs. (22)–(24)
Minimize conditional value-at-risk
Minimize conditional value-at-risk
Single-objective
Risk-neutral Minimize expected cost
SP_ESP_E+B
Risk-averse Minimization of expected worst-
case cost
SP_CVSP_CV+B
Bi-objective
Models SP_E and SP_CV can be enhanced for simultaneous optimization of the expenditures on countermeasures and the cost of losses from successful attacks.
◦ Removed constraints (3)
◦
Minimize conditional value-at-risk
Model SP_E+BMinimize Required Budget and Expected Cost
subject to Eqs. (2), (18)–(24) and (28)
Minimize conditional value-at-risk
Model SP_CV+BMinimize Required Budget and CVaR
subject to Eqs. (2) and (18)–(28)
Minimize conditional value-at-risk
Introduction
Problem description
Model◦ Single-objective approach◦ Bi-objective approach
Computational examples
Conclusion
Agenda
Bi-objective approach
Single-objective
Risk-neutral Minimize expected cost SP_E
Risk-averse Minimization of expected worst-
case cost SP_CV
NSP_ENSP_E
Bi-objective
In the single objective approach the countermeasure portfolio is selected by minimizing either the expected loss (plus the required budget) or the expected worst-case loss (plus the required budget).
Bi-objective approach
Model WSPMinimize
Subject to
Eqs. (2), (5) and (18)–(28)
Bi-objective approach
Decision maker controls ◦ Risk of high losses by choosing the confidence
level α
◦ trade-off between expected and worst-case losses by choosing the trade-off parameter λ.
Bi-objective approach
Introduction
Problem description
Model◦ Single-objective approach◦ Bi-objective approach
Computational examples
Conclusion
Agenda
The data set is similar to the one presented in [20], which was based on the threat set reported on IT security forum EndpointSecurity.org
Computational examples
Computational examples
= , the number of threats and the number of countermeasures, were equal to 10, and the corresponding number of potential attack scenarios, was equal to 1024.
Computational examples
Computational examples
Computational examples
Computational examples
Computational examples
Computational examples
Computational examples
Computational examples
Computational examples
For the bi-objective approach, the subsets of nondominated solutions were computed by parameterization on λ∈{0.01,0.10,0.25,0.50,0.75,0.90,0.99} the weighted-sum program WSP.
Computational examples
Computational examples
Computational examples
A critical issue that needs to be considered before any practical application of the proposed models is attempted, however, is the estimation of probabilities and the resulting losses associated with each type of threats and countermeasures.
Conclusion
In practice, threat likelihood estimates are provided by security experts (e.g., [24]) and complete distributional information is not available.
However, the proposed scenario-based approach does not require such a complete information to be available and only assumes independence of different threat events.
Conclusion
The computational experiments prove that for a limited number of attack scenarios considered, the optimal risk-averse portfolio can be found within CPU seconds, using the Gurobi solver for mixed integer programming.
Conclusion
Thanks for your listening!