An analysis of two layers of encryption to protect network traffic

Ware, Ryan T.

January 2010

Thesis (M.S. in Computer Science)--Naval Postgraduate School, June 2010. / Thesis Advisor(s): Dinolt, George ; Second Reader: Guild, Jennifer. "June 2010." Description based on title screen as viewed on July 15, 2010. Author(s) subject terms: encryption, computer security, network security, architecture, fault tree analysis, defense-in-depth Includes bibliographical references (p. 75-77). Also available in print.

Computer security. Cost.

Mathematical analysis of security investment strategies and influence of cyber-insurance in networks.

January 2012

在互聯網上的主機(或節點)經常面對比如病毒和蠕蟲攻擊這一類能夠傳播的風險。儘管對這種風險的已經知曉，並且網絡/系統的安全非常重要，對於安全防護的投入依然很少，因此這種傳播式風險依然非常普遍。決定是否對安全保護進行投入是一個相互影響的過程:一個節點關於安全保護的投入會影響到其他節點所遭受的安全風險，因此也會影響它們關於安全保護投入的決定。我們的第一個目標是要了解“網絡外部性"和“節點異質性"如何影響安全投入。每個節點通過評估所受到的安全威脅和預期損失來做出決定。我們把它刻畫成一個貝葉斯博弈，在這個博弈裡面，每個節點只知道局部的信息，例如，自身有多少個鄰節點，和一些很少的全局信息，比如網絡中節點的度分佈。我們的第二個目標是研究一種叫做網絡保險的新的風險管理方式。我們探討競爭的網絡保險市場存在對於安全投入有什麼影響。通過分析，我們發現如果網絡保險提供商能夠觀察到節點的安全狀況，當節點所採取的保護措施質量不是很高時，網絡保險市場對於促進安全保護投入有積極的作用。我們還發現網絡保險對於度數高的節點的激勵程度更好。相反，如果網絡保險提供商不能觀察到節點的安全保護狀況，我們驗證了部分保險可以起到一個非負的激勵效用，雖然不是一種激勵，但是能夠提高節點的效用。 / Hosts (or nodes) in the Internet often face epidemic risks such as virus and worms attack. Despite the awareness of these risks and the importance of network/system security, investment in security protection is still scare, and hence epidemic risk is still prevalent. Deciding whether to invest in security protection is an interdependent process: security investment decision made by one node can affect the security risk of others, and therefore affect their decisions also. Our first goal is to understand how "network externality" and "nodes heterogeneity" may affect security adoption. Nodes make decisions on security investment by evaluating the epidemic risk and the expected loss. We characterize it as a Bayesian network game in which nodes only have the local information, e.g., the number of neighbors, and minimum common information, e.g., degree distribution of the network. Our second goal is to study a new form of risk management, called cyber-insurance. We investigate how the presence of competitive insurance market can affect the security adoption and show that if the insurance provider can observe the protection level of nodes, the insurance market is a positive incentive for security adoption if the protection quality is not very high. We also find that cyber-insurance is more likely to be a good incentive for nodes with higher degree. Conversely, if the insurance provider cannot observe the protection level of nodes, we verify that partial insurance can be a non-negative incentive, improving node’s utility though not being an incentive. / Detailed summary in vernacular field only. / Yang, Zichao. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2012. / Includes bibliographical references (leaves 59-65). / Abstracts also in Chinese. / Abstract --- p.i / Acknowledgement --- p.iv / Chapter 1 --- Introduction --- p.1 / Chapter 2 --- Mathematical Models --- p.6 / Chapter 2.1 --- Epidemic Model --- p.6 / Chapter 2.2 --- InvestmentModel --- p.8 / Chapter 2.3 --- Bayesian Network Game --- p.11 / Chapter 3 --- Analysis for Strategic Security Adoption --- p.13 / Chapter 3.1 --- General Case --- p.13 / Chapter 3.1.1 --- Estimating the Probability --- p.14 / Chapter 3.1.2 --- Security Adoption. --- p.17 / Chapter 3.2 --- Analysis of Node Heterogeneity: Two Types Case --- p.25 / Chapter 4 --- Analysis for Cyber-insurance Market --- p.30 / Chapter 4.1 --- Supply of Insurance --- p.30 / Chapter 4.2 --- Cyber-insuranceWithoutMoral Hazard --- p.34 / Chapter 4.2.1 --- Security Adoption with Cyber-insurance Market --- p.34 / Chapter 4.2.2 --- Incentive Analysis --- p.37 / Chapter 4.3 --- Cyber-insurance withMoral Hazard --- p.41 / Chapter 5 --- Simulation & Numerical Results --- p.46 / Chapter 5.1 --- Validating Final Infection Probability --- p.46 / Chapter 5.2 --- Security Adoption with Externality Effect --- p.49 / Chapter 5.3 --- Influence of Cyber-insurance --- p.52 / Chapter 6 --- Related Work --- p.53 / Chapter 7 --- Conclusion --- p.57 / Bibliography --- p.59

Computer security--Cost effectiveness

Decision making