Principal Investigator: Saurabh Bagchi
Modern cyber-physical systems (CPS) are increasingly facing attacks by sophisticated adversaries. These attackers are able to identify the susceptibility of different targets in the system and strategically allocate their efforts to compromise the security of the network. In response to such intelligent adversaries, the operators (or defenders) of these systems also need to allocate their often limited security budget across many assets to best mitigate their vulnerabilities. This has led to significant research in understanding how to better secure these systems, with game-theoretical models receiving increasing attention due to their ability to systematically capture the interactions of strategic attackers and defenders.
In the context of large-scale interdependent systems, adversaries often use stepping-stone attacks to exploit vulnerabilities within the network in order to compromise a particular target. Such threats can be captured via the notion of attack graphs, which represent all possible paths that attackers can take to reach their targets within the CPS. The defenders in such systems are each responsible for defending some subset of the assets with their limited resources. In much of the existing literature, the defenders and attackers are modeled as fully rational decision-makers who choose their actions to maximize their expected utilities. However, a large body of work in behavioral economics has shown that humans consistently deviate from such classical models of decision-making. A seminal model capturing such deviations is prospect theory (introduced by Kahneman and Tversky in 1979), which shows that humans perceive gains, losses, and probabilities in a skewed (nonlinear) manner, typically overweighting low probabilities and underweighting high probabilities.
We model the behavioral biases of human decision-making in securing interdependent systems and show that such behavioral decision-making leads to a suboptimal pattern of resource allocation compared to non-behavioral (rational) decision-making. We provide empirical evidence for such a behavioral bias model through a controlled subject study with 145 participants. We then propose three learning techniques for enhancing decision-making in multi-round setups. We illustrate the benefits of our decision-making model through multiple interdependent real-world systems and quantify the level of gain compared to the case in which the defenders are behavioral. We also show the benefit of our learning techniques against different attack models.
Other PIs: Shreyas Sundaram, Timothy Cason
Mustafa Abdallah, Parinaz Naghizadeh, Ashish R. Hota, Timothy Cason, Saurabh Bagchi, and Shreyas Sundaram, “Behavioral and Game-Theoretic Security Investments in Interdependent Systems Modeled by Attack Graphs,” in IEEE Transactions on Control of Network Systems (TCNS), accepted for publication in a future issue, pp. 1-12, April 2020.
Mustafa Abdallah, Parinaz Naghizadeh, Timothy Cason, Saurabh Bagchi, and Shreyas Sundaram. "Protecting assets with heterogeneous valuations under behavioral probability weighting." In 2019 IEEE 58th Conference on Decision and Control (CDC), pp. 5374-5379, December 11-13, 2019.
Mustafa Abdallah, Parinaz Naghizadeh, Ashish Hota, Timothy Cason, Saurabh Bagchi, and Shreyas Sundaram, “The Impacts of Behavioral Probability Weighting on Security Investments in Interdependent Systems,” in American Control Conference (ACC), pp. 5260-5265, July 10-12, 2019, Philadelphia, PA.
Aritra Mitra, John A. Richards, Saurabh Bagchi, and Shreyas Sundaram, “Resilient Distributed State Estimation with Mobile Agents: Overcoming Byzantine Adversaries, Communication Losses, and Intermittent Measurements,” in Springer “Autonomous Robots”, vol. 43, no. 3, pp. 743-768, March 2019.
Daniel Woods, Mustafa Abdallah, Saurabh Bagchi, Shreyas Sundaram, Timothy Cason, "Network Defense and Behavioral Biases: An Experimental Study," Journal of Experimental Economics, August 2020.
Keywords: cyber-physical system security, game-theoretic security, interdependent systems