344 research outputs found

    TESTING DECEPTION WITH A COMMERCIAL TOOL SIMULATING CYBERSPACE

    Deception methods have been applied to the traditional domains of war (air, land, sea, and space). In the newest domain, cyber, deception can be studied to determine how it is best used. Cyberspace operations are an essential warfighting domain within the Department of Defense (DOD). Many training exercises and courses have been developed to aid leadership in planning and executing cyberspace effects that support operations. However, only a few simulations train cyber operators in how to respond to cyberspace threats. This work tested a commercial product from Soar Technologies (Soar Tech) that simulates conflict in cyberspace. The Cyberspace Course of Action Tool (CCAT) is a decision-support tool that evaluates defensive deception in a wargame simulating a local-area network under attack. Results showed that the defensive deception methods of decoys and bait could be effective in cyberspace. This could help military cyber defenses, since their digital infrastructure is threatened daily with cyberattacks.
    Marine Forces Cyberspace Command
    Chief Petty Officer, United States Navy
    Approved for public release. Distribution is unlimited.

    Prevention of terrorism : an assessment of prior POM work and future potentials

    © 2020 Production and Operations Management Society
    In this study, we review POM-based research related to the prevention of terrorism. According to the Federal Emergency Management Agency (FEMA), terrorist attacks have the potential to be prevented. Consequently, the focus of this study is on security enhancement and on improving the resiliency of a nation so as to prevent terrorist attacks. Accordingly, we review articles from the 25 top journals (following procedures developed by Gupta et al. (2016)) in the fields of Production and Operations Management, Operations Research, Management Science, and Supply Chain Management. In addition, we searched selected journals in the fields of Information Sciences, Political Science, and Economics. This literature is organized and reviewed under the following seven core capabilities defined by the Department of Homeland Security (DHS): (1) Intelligence and Information Sharing, (2) Planning, (3) Interdiction and Disruption, (4) Screening, Search, and Detection, (5) Forensics and Attribution, (6) Public Information and Warning, and (7) Operational Coordination. We found that POM research on terrorism is primarily driven by the type of information that a defending country and a terrorist have about each other. Game theory is the main technique used in most research papers. Possible directions for future research are discussed.

    Draining the Water Hole: Mitigating Social Engineering Attacks with CyberTWEAK

    Cyber adversaries have increasingly leveraged social engineering attacks to breach large organizations and threaten the well-being of today's online users. One clever technique, the "watering hole" attack, compromises a legitimate website to execute drive-by download attacks by redirecting users to another, malicious domain. We introduce a game-theoretic model that captures the salient aspects of an organization protecting itself from a watering hole attack by altering the environment information in its web traffic so as to deceive the attackers. Our main contributions are (1) a novel Social Engineering Deception (SED) game model that features a continuous action set for the attacker, (2) an in-depth analysis of the SED model to identify computationally feasible real-world cases, and (3) the CyberTWEAK algorithm, which solves for the optimal protection policy. To illustrate the potential use of our framework, we built a browser extension based on our algorithms, which is now publicly available online. The CyberTWEAK extension will be vital to the continued development and deployment of countermeasures for social engineering.
    Comment: IAAI-20, AICS-2020 Workshop

    Stochastic network interdiction games

    Thesis (Ph.D.)--Boston University
    Network interdiction problems consist of games between an attacker and an intelligent network, where the attacker seeks to degrade network operations while the network adapts its operations to counteract the effects of the attack. This problem has received significant attention in recent years due to its relevance to military problems and network security. When the attacker's actions achieve uncertain effects, the resulting problems become stochastic network interdiction problems. In this thesis, we develop new algorithms for the solution of different classes of stochastic network interdiction problems. We first focus on static network interdiction games, where the attacker attacks the network once and the attack changes the network with a certain probability. The network then maximizes the flow from a given source to its destination. The attacker seeks a strategy that minimizes the expected maximum flow after the attack. For this problem, we develop a new solution algorithm based on parsimonious integration of branch-and-bound techniques with increasingly accurate lower bounds. Our method obtains solutions significantly faster than previous approaches in the literature. In the second part, we study a multi-stage interdiction problem where the attacker can attack the network multiple times and observes the outcomes of its past attacks before selecting the current attack. For this dynamic interdiction game, we use a model-predictive approach based on a lower-bound approximation. We develop a new set of performance bounds, which are integrated into a modified branch-and-bound procedure that extends the single-stage approach to multiple stages. Simulated experiments show that our new algorithm is faster than other available methods.
    In the last part, we study the nested information game between an intelligent network and an attacker, where the attacker has partial information about the network state, i.e., the availability of arcs. The attacker does not know the exact state, but has a probability distribution over the possible network states. The attacker makes several attempts to attack the network and observes the flows on the network. These observations update the attacker's knowledge of the network and are used in selecting the next attack actions. For an arc that survived an attack, the defender can either send flow on it or refrain from using it in order to deceive the attacker. For these problems, we develop a faster algorithm, which decomposes the game into a sequence of subgames and solves them to obtain the equilibrium strategy for the original game. Numerical results show that our method can handle large problems which other available methods fail to solve.

    Network Interdiction Using Adversarial Traffic Flows

    Traditional network interdiction refers to the problem of an interdictor trying to reduce the throughput of network users by removing network edges. In this paper, we propose a new paradigm for network interdiction that models scenarios, such as a stealth DoS attack, where the interdiction is performed by injecting adversarial traffic flows. Under this paradigm, we first study the deterministic flow interdiction problem, where the interdictor has perfect knowledge of the operation of network users. We show that the problem is highly inapproximable on general networks and is NP-hard even when the network is acyclic. We then propose an algorithm that achieves a logarithmic approximation ratio and quasi-polynomial time complexity for acyclic networks by harnessing the submodularity of the problem. Next, we investigate the robust flow interdiction problem, which adopts the robust optimization framework to capture the case where definitive knowledge of the operation of network users is not available. We design an approximation framework that integrates the aforementioned algorithm, yielding a quasi-polynomial time procedure with poly-logarithmic approximation ratio for the more challenging robust flow interdiction. Finally, we evaluate the performance of the proposed algorithms through simulations, showing that they can be efficiently implemented and yield near-optimal solutions.

    Locating and Protecting Facilities Subject to Random Disruptions and Attacks

    Recent events such as the 2011 Tohoku earthquake and tsunami in Japan have revealed the vulnerability of networks such as supply chains to disruptive events. In particular, it has become apparent that the failure of a few elements of an infrastructure system can cause a system-wide disruption. Thus, it is important to learn more about which elements of infrastructure systems are most critical and how to protect an infrastructure system from the effects of a disruption. This dissertation seeks to enhance the understanding of how to design and protect networked infrastructure systems from disruptions by developing new mathematical models and solution techniques and using them to help decision-makers by discovering new decision-making insights. Several gaps exist in the body of knowledge concerning how to design and protect networks that are subject to disruptions. First, there is a lack of insights on how to make equitable decisions related to designing networks subject to disruptions. This is important in public-sector decision-making where it is important to generate solutions that are equitable across multiple stakeholders. Second, there is a lack of models that integrate system design and system protection decisions. These models are needed so that we can understand the benefit of integrating design and protection decisions. Finally, most of the literature makes several key assumptions: 1) protection of infrastructure elements is perfect, 2) an element is either fully protected or fully unprotected, and 3) after a disruption facilities are either completely operational or completely failed. While these may be reasonable assumptions in some contexts, there may exist contexts in which these assumptions are limiting. There are several difficulties with filling these gaps in the literature. This dissertation describes the discovery of mathematical formulations needed to fill these gaps as well as the identification of appropriate solution strategies

    Synthesis, Interdiction, and Protection of Layered Networks

    This research developed the foundation, theory, and framework for a set of analysis techniques to assist decision makers in analyzing questions regarding the synthesis, interdiction, and protection of infrastructure networks. This includes an extension of traditional network interdiction to directly model nodal interdiction; new techniques to identify potential targets in social networks based on extensions of shortest-path network interdiction; an extension of traditional network interdiction to layered network formulations; and new models and techniques to design robust layered networks while considering trade-offs with cost. These approaches identify the maximum protection/disruption possible across layered networks with limited resources, find the most robust layered network design possible given the budget limitations while ensuring that the demands are met, include traditional social network analysis, and incorporate new techniques to model the interdiction of nodes and edges throughout the formulations. In addition, the importance and effects of multiple optimal solutions for these (and similar) models are investigated. All the models developed are demonstrated on notional examples and were tested on a range of sample problem sets.