Nick Moffat

Towards A Game Theoretic Understanding of Ad-Hoc Routing

In this paper we present a new application of game theory, in which game theoretic techniques are used to provide a rigorous underpinning to the analysis of ad-hoc routing protocols. The explosion of interest in ad-hoc networks over the last few years has resulted in a very large number of routing protocols being proposed. Despite this, the science of analysing routing protocols is still relatively immature, and the question that remains is how to decide “how good” a given protocol is. We propose a game theoretic approach as a potentially effective means of answering this question. The conceptual mapping of routing into a game is, we believe, natural and simple. Furthermore, game theory provides an extensive repertoire of tools to analyse key properties. The paper describes how routing techniques can be modelled as games and presents some analytical results.

Watchdog Transformations for Property-Oriented Model-Checking

We discuss how to transform a CSP refinement, \(S \sqsubseteq I\), to enable all its events to be hidden; this is useful because many of the state space compression functions provided by the model-checker FDR are effective only when events are hidden [1]. In an earlier paper [2] we described a suitable transformation for the case where the refinement is in the traces semantics of CSP. This paper extends the approach to the more difficult case of the stable-failures semantics. In both cases, a watchdog transformation is applied to the specification S, resulting in a watchdog processWDS, which is then composed in parallel with I, or with I in a simple context. The watchdog process monitors I and somehow indicates whether it can behave in a way that is incompatible with refinement of S. All events of the original assertion can be hidden in the transformed assertion. We also discuss the design of compression strategies that try to hide as many events as possible in the component processes of I and WDS, and compress the composition as it is being built up. We describe our implementation of the watchdog transformations and some simple compression strategies.

CyberVis: Visualizing the potential impact of cyber attacks on the wider enterprise

A variety of data-mining tools and filtering techniques exist to detect and analyze cyber-attacks by monitoring network traffic. In recent years many of these tools use visualization designed to make traffic patterns and impact of an attack tangible to a security analyst. The visualizations attempt to facilitate understanding elements of an attack, including the location of malicious activity on a network and the consequences for the wider system. The human observer is able to detect patterns from useful visualizations, and so discover new knowledge about existing data sets. Because of human reasoning, such approaches still have an advantage over automated detection, data-mining and analysis. The core challenge still lies in using the appropriate visualization at the right time. It is this lack of situational awareness that our CyberVis framework is designed to address. In this paper we present a novel approach to the visualization of enterprise network attacks and their subsequent potential consequences. We achieve this by combining traditional network diagram icons with Business Process Modeling and Notation (BPMN), a risk-propagation logic that connects the network and business-process and task layer, and a flexible alert input schema able to support intrusion alerts from any third-party sensor. Rather than overwhelming a user with excessive amounts of information, CyberVis abstracts the visuals to show only noteworthy information about attack data and indicates potential impact both across the network and on enterprise tasks. CyberVis is designed with the Human Visual System (HVS) in mind, so severe attacks (or many smaller attacks that make up a large risk) appear more salient than other components in the scene. A Deep-Dive window allows for investigation of data, similar to a database interface. Finally, a Forensic Mode allows movie-style playback of past alerts under user-defined conditions for closer examination.

A Representative Function Approach to Symmetry Exploitation for CSP Refinement Checking

Effective temporal logic model checking algorithms exist that exploit symmetries arising from parallel composition of multiple identical components. These algorithms often employ a function repfrom states to representative states under the symmetries exploited. We adapt this idea to the context of refinement checking for the process algebra CSP. In so doing, we must cope with refinement-style specifications. The main challenge, though, is the need for access to sufficient local information about states to enable definition of a useful repfunction, since compilation of CSP processes to Labelled Transition Systems (LTSs) renders state information a global property instead of a local one. Using a structured form of implementation transition system, we obtain an efficient symmetry exploiting CSP refinement checking algorithm, generalise it in two directions, and demonstrate all three variants on simple examples.

Assumption---Commitment Support for CSP Model Checking

We present a simple formulation of Assumption–Commitment reasoning using CSP (Communicating Sequential Processes). An assumption–commitment style property of a process SYS takes the form

Towards a Conceptual Model and Reasoning Structure for Insider Threat Detection

COM \sqsubseteq SYS \| ASS

Property Based Compression Strategies

, for ‘assumption’ and ‘commitment’ processes ASS and COM. We describe proof rules that allow derivation of assumption–commitment style properties of a composite system from such properties of its components, given appropriate side conditions. Most of the rules have a superficially appealing ‘homomorphic’ quality: the overall assumption and commitment processes are composed similarly to the overall system. We also give a ‘non-homomorphic’ rule that corresponds quite well to classical assumption–commitment rules. Antecedants and side conditions can be expressed as refinements and checked separately by the refinement-style model checker FDR. Examples illustrate application of our theory.