Seminar in Strategy and Entrepreneurship

 Strategic network interdiction in Cyber conflicts

February 26, 2014, 11:15
Room 253

Speaker: Amitai Gilad, a Ph.D. student at the Recanati Graduate School of Business Administration, Tel Aviv University

 

Abstract: Cyber-attacks and the serious threats that they pose to organizations can be analyzed along several dimensions: by the types of the attackers; the targets; the defense measures; and by the vulnerability of the systems being attacked. In this paper we study the problem of strategic network interdiction between a defender (which can employ costly detection and prevention measures) and a sophisticated cyber-attacker (with R&D capabilities).  

We assume that the defender operates a network that manages a critical infrastructure (such as a major bank, an electricity system or an airport control system). We develop and present a two-stage game in which the defender acts first by deploying various defense measures in the network. The attacker follows by attacking the network in order to maximize his own objectives. We also assume that the attacker has full knowledge of the network and the defense measures and attempts to maximize the damage to the network by dispatching the maximal possible flow of his own (malicious) software elements to a target node. In addition, the attacker can invest in costly R&D to improve his ability to overcome detection and prevention measures. The paper analyzes the network characteristics and the optimal solution by using the concepts of network flow and cuts from graph theory. We first derive the optimal cut to defend the network. We then show that the detection rate per arc in the optimal cut is a monotonically decreasing function of the flow of legitimate volume of transactions in that arc. We also show that although the optimal defense strategy minimizes the damage to the network, it may enhance an arms race between the attacker and the defender, and then demonstrate that the observed technological sophistication of the attacker (which depends on his investment in R&D) is not a credible signal of his capabilities. Finally, we show that if the defender's budget is sufficiently high, her optimal strategy is to use only prevention measures when the attacker's budget is low; to employ both detection and prevention measures when the attacker's budget is medium; and to use only detection measures if the attacker's budget is high.

 
