21 research outputs found

    Optimal Scanning Bandwidth Strategy Incorporating Uncertainty about Adversary's Characteristics

    In this paper we investigate the problem of designing a spectrum scanning strategy to detect an intelligent Invader who wants to utilize spectrum undetected for his/her unapproved purposes. To deal with this problem we model the situation as two games, between a Scanner and an Invader, and solve them sequentially. The first game is formulated to design the optimal (in maxmin sense) scanning algorithm, while the second one allows one to find the optimal values of the parameters for the algorithm depending on parameters of the network. These games provide solutions for two dilemmas that the rivals face. The Invader's dilemma consists of the following: the more bandwidth the Invader attempts to use leads to a larger payoff if he is not detected, but at the same time also increases the probability of being detected and thus fined. Similarly, the Scanner faces a dilemma: the wider the bandwidth scanned, the higher the probability of detecting the Invader, but at the expense of increasing the cost of building the scanning system. The equilibrium strategies are found explicitly and reveal interesting properties. In particular, we have found a discontinuous dependence of the equilibrium strategies on the network parameters, fine and the type of the Invader's award. This discontinuity of the fine means that the network provider has to take into account a human/social factor since some threshold values of fine could be very sensible for the Invader, while in other situations simply increasing the fine has minimal deterrence impact. Also we show how incomplete information about the Invader's technical characteristics and reward (e.g. motivated by using different type of application, say, video-streaming or downloading files) can be incorporated into scanning strategy to increase its efficiency. Comment: This is the last draft version of the paper. Revised version of the paper was published in EAI Endorsed Transactions on Mobile Communications and Applications, Vol. 14, Issue 5, 2014, doi=10.4108/mca.2.5.e6. arXiv admin note: substantial text overlap with arXiv:1310.724

    A risk analysis and risk management methodology for mitigating wireless local area networks (WLANs) intrusion security risks

    Every environment is susceptible to risks and Wireless Local Area Networks (WLANs) based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard are no exception. The most apparent risk of WLANs is the ease with which itinerant intruders obtain illicit entry into these networks. These intrusion security risks must therefore be addressed which means that information security risk analysis and risk management need to be considered as integral elements of the organisation’s business plan. A well-established qualitative risk analysis and risk management methodology, the Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is selected for conducting the WLAN intrusion security risk analysis and risk management process. However, the OCTAVE risk analysis methodology is beset with a number of problems that could hamper a successful WLAN intrusion security risk analysis. The ultimate deliverable of this qualitative risk analysis methodology is the creation of an organisation-wide protection strategy and risk mitigation plan. Achieving this end using the OCTAVE risk analysis methodology requires an inordinate amount of time, ranging from months to years. Since WLANs are persistently under attack, there is a dire need for an expeditious risk analysis methodology. Furthermore, the OCTAVE risk analysis methodology stipulates the identification of assets and corresponding threat scenarios via a brainstorming session, which may be beyond the scope of a person who is not proficient in information security issues. This research was therefore inspired by the pivotal need for a risk analysis and risk management methodology to address WLAN intrusion attacks and the resulting risks they pose to the confidentiality, integrity and availability of information processed by these networks. Dissertation (MSc (Computer Science))--University of Pretoria, 2006.

    Integrated helicopter survivability

    A high level of survivability is important to protect military personnel and equipment and is central to UK defence policy. Integrated Survivability is the systems engineering methodology to achieve optimum survivability at an affordable cost, enabling a mission to be completed successfully in the face of a hostile environment. “Integrated Helicopter Survivability” is an emerging discipline that is applying this systems engineering approach within the helicopter domain. Philosophically the overall survivability objective is ‘zero attrition’, even though this is unobtainable in practice. The research question was: “How can helicopter survivability be assessed in an integrated way so that the best possible level of survivability can be achieved within the constraints and how will the associated methods support the acquisition process?” The research found that principles from safety management could be applied to the survivability problem, in particular reducing survivability risk to as low as reasonably practicable (ALARP). A survivability assessment process was developed to support this approach and was linked into the military helicopter life cycle. This process positioned the survivability assessment methods and associated input data derivation activities. The system influence diagram method was effective at defining the problem and capturing the wider survivability interactions, including those with the defence lines of development (DLOD). Influence diagrams and Quality Function Deployment (QFD) methods were effective visual tools to elicit stakeholder requirements and improve communication across organisational and domain boundaries. The semi-quantitative nature of the QFD method leads to numbers that are not real. These results are suitable for helping to prioritise requirements early in the helicopter life cycle, but they cannot provide the quantifiable estimate of risk needed to demonstrate ALARP. 
The probabilistic approach implemented within the Integrated Survivability Assessment Model (ISAM) was developed to provide a quantitative estimate of ‘risk’ to support the approach of reducing survivability risks to ALARP. Limitations in available input data for the rate of encountering threats leads to a probability of survival that is not a real number that can be used to assess actual loss rates. However, the method does support an assessment across platform options, provided that the ‘test environment’ remains consistent throughout the assessment. The survivability assessment process and ISAM have been applied to an acquisition programme, where they have been tested to support the survivability decision making and design process. The survivability ‘test environment’ is an essential element of the survivability assessment process and is required by integrated survivability tools such as ISAM. This test environment, comprising of threatening situations that span the complete spectrum of helicopter operations requires further development. The ‘test environment’ would be used throughout the helicopter life cycle from selection of design concepts through to test and evaluation of delivered solutions. It would be updated as part of the through life capability management (TLCM) process. A framework of survivability analysis tools requires development that can provide probabilistic input data into ISAM and allow derivation of confidence limits. This systems level framework would be capable of informing more detailed survivability design work later in the life cycle and could be enabled through a MATLAB® based approach. Survivability is an emerging system property that influences the whole system capability. There is a need for holistic capability level analysis tools that quantify survivability along with other influencing capabilities such as: mobility (payload / range), lethality, situational awareness, sustainability and other mission capabilities. 
It is recommended that an investigation of capability level analysis methods across defence should be undertaken to ensure a coherent and compliant approach to systems engineering that adopts best practice from across the domains. Systems dynamics techniques should be considered for further use by Dstl and the wider MOD, particularly within the survivability and operational analysis domains. This would improve understanding of the problem space, promote a more holistic approach and enable a better balance of capability, within which survivability is one essential element. There would be value in considering accidental losses within a more comprehensive ‘survivability’ analysis. This approach would enable a better balance to be struck between safety and survivability risk mitigations and would lead to an improved, more integrated overall design

    Towards more Effective Censorship Resistance Systems

    Internet censorship resistance systems (CRSs) have so far been designed in an ad-hoc manner. The fundamentals are unclear and the foundations are shaky. Censors are, more and more, able to take advantage of this situation. Future censorship resistance systems ought to be built from strong theoretical underpinnings and be based on empirical evidence. Our approach is based on systematizing the CRS field and its players. Informed by this systematization we develop frameworks that have broad scope, from which we gain general insight as well as answers to specific questions. We develop theoretical and simulation-based analysis tools 1) for learning how to manipulate censor behavior using game-theoretic tactics, 2) for learning about CRS-client activity levels on CRS networks, and finally 3) for evaluating security parameters in CRS designs. We learn that there are gaps in the CRS designer's arsenal: certain censor attacks go unmitigated and the dynamics of the censorship arms race are not modeled. Our game-theoretic analysis highlights how managing the base rate of CRS traffic can cause stable equilibriums where the censor allows some amount of CRS communication to occur. We design and deploy a privacy-preserving data gathering tool, and use it to collect statistics to help answer questions about the prevalence of CRS-related traffic in actual CRS communication networks. Finally, our security evaluation of a popular CRS exposes suboptimal settings, which have since been optimized according to our recommendations. All of these contributions help support the thesis that more formal and empirically driven CRS designs can have better outcomes than the current state of the art

    Future Implications of Emerging Disruptive Technologies on Weapons of Mass Destruction

    This report asks the questions: What are the future implications of Emerging Disruptive Technologies (EDTs) on the future of Weapons of Mass Destruction (WMD) warfare? How might EDTs increase the lethality and effectiveness of WMDs in kinetic warfare in 2040? How can civic leaders and public servants prepare for and mitigate projected threats? Problem: In the coming decade, state and non-state adversaries will use EDTs to attack systems and populations that may initiate and accelerate existing geopolitical conflict escalation. EDTs are expected to be used both in the initial attack or escalation as well as a part of the detection and decision-making process. Due to the speed of EDTs, expected confusion, and common lack of human oversight, attacks will also be incorrectly attributed, which has the capacity to escalate rapid geopolitical conflict to global military conflict, and ultimately, to the use of nuclear WMDs. The use of EDTs in the shadow of nuclear WMDs is also expected to create an existential threat to possible adversaries, pushing them to “lower the bar” of acceptability for using nuclear WMDs. EDTs will enable and embolden insider threats, both willing and unknowing, to effect geopolitical conflict on a global scale. In addition, the combination of multiple EDTs when used together for attacks will create WMD effects on populations and governments. Furthermore, EDTs will be used by adversaries to target and destabilize critical infrastructure systems, such as food, energy, and transportation, etc. that will have a broader effect on populations and governments. EDTs will enable adversaries to perpetrate a long-game attack, where the effect and attribution of the attack may not be detected for an extended period -- if ever. Solution: To combat these future threats, organizations will need to conduct research and intelligence gathering paired with exploratory research and development to better understand the state of EDTs and their potential impacts. 
With this information, organizations will need to conduct collaborative “wargaming” and planning to explore a range of possible and potential threats of EDTs. The knowledge gained from all of these activities will inform future training and best practices to prepare for and address these threats. Organizations will also need to increase their investments in EDT related domains, necessitating countries to not only change how they fight, but also evolve their thinking about deterrence. Expanded regulation, policy making, and political solidarity among members will take on an increasingly more significant and expanded role. Broader government, military, and civilian cooperation will be needed to disrupt and mitigate some of these future threats in conjunction with broader public awareness. All of these actions will place a higher value on cooperation and shared resiliency among NATO members

    Defending networked resources against floods of unwelcome requests

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 2008. Includes bibliographical references (p. 172-189). The Internet is afflicted by "unwelcome requests", defined broadly as spurious claims on scarce resources. For example, the CPU and other resources at a server are targets of denial-of-service (DOS) attacks. Another example is spam (i.e., unsolicited bulk email); here, the resource is human attention. Absent any defense, a very small number of attackers can claim a very large fraction of the scarce resources. Traditional responses identify "bad" requests based on content (for example, spam filters analyze email text and embedded URLs). We argue that such approaches are inherently gameable because motivated attackers can make "bad" requests look "good". Instead, defenses should aim to allocate resources proportionally (so if 10% of the requesters are "bad", they should be limited to 10% of the scarce resources). To meet this goal, we present the design, implementation, analysis, and experimental evaluation of two systems. The first, speak-up, defends servers against application-level denial-of-service by encouraging all clients to automatically send more traffic. The "good" clients can thereby compete equally with the "bad" ones. Experiments with an implementation of speak-up indicate that it allocates a server's resources in rough proportion to clients' upload bandwidths, which is the intended result. The second system, DQE, controls spam with per-sender email quotas. Under DQE, senders attach stamps to emails. Receivers communicate with a well-known, untrusted enforcer to verify that stamps are fresh and to cancel stamps to prevent reuse. The enforcer is distributed over multiple hosts and is designed to tolerate arbitrary faults in these hosts, resist various attacks, and handle hundreds of billions of messages daily (two or three million stamp checks per second). 
Our experimental results suggest that our implementation can meet these goals with only a few thousand PCs. The enforcer occupies a novel design point: a set of hosts implement a simple storage abstraction but avoid neighbor maintenance, replica maintenance, and mutual trust. One connection between these systems is that DQE needs a DoS defense, and can use speak-up. We reflect on this connection, on why we apply speak-up to DoS and DQE to spam, and, more generally, on what problems call for which solutions. by Michael Walfish. Ph.D

    Context-Aware Privacy Protection Framework for Wireless Sensor Networks
