Monday, January 3, 2011

Enhancing SENDSim With Optimization

by David Davis

SENDSim is designed for experimentation by human users. In the initial tests of SENDSim, a human modifies policies, procedures, and other parts of a network strategy, and then observes, as the simulation runs, how a network with those policies, procedures, and strategies is affected by the introduction of malicious code such as Conficker.

Human interaction is one valuable use of SENDSim. Perhaps equally valuable is another capability of the system—optimization. Use of an optimizer in conjunction with SENDSim allows us to find the best policies and procedures, given the constraints and various goals that are set by the user.

An optimizer is a program that searches for very good solutions, often by exploring far more candidate solutions than a human would have the time or inclination to explore. Optimizers can use the techniques humans use to find solutions, but they also frequently use search techniques unlike anything a human would employ. For this reason, optimizers often find solutions that are unlike those humans would find, and that are better.

The distinction between a person interacting with SENDSim to study a problem and the use of an optimizer to find solutions is an important one. A human’s interaction with SENDSim may well rely on the human’s past experience and intuition. Human operators or analysts may configure the simulated network as they have done in the past, unaware that there are better configurations and better uses of network resources.

An optimizer is able to explore new strategies, view the results of thousands of scenarios, and find new techniques and outcomes that experts may have overlooked.

There are a number of advantages to linking an optimizer with a simulation like SENDSim. These advantages include the potential to:

• find different solutions than those a human expert would discover
• find better solutions than those a human expert would unearth
• improve on the solutions produced by human experts
• find solutions more quickly than a human expert
• react to changing conditions more quickly than a human expert

These points are worth making in more detail.

An optimizer can find different solutions from those a human expert would find because it is not bound by the expert's past experience; it approaches the problem without preconceptions. In computer security this feature may be especially beneficial, since diverse, novel configurations help us avoid a configuration monoculture, which malware can exploit more easily because one working attack then works everywhere.

An optimizer can find better solutions because it is able to consider many more solutions than a human expert would typically have time to consider.

An optimizer can improve on solutions produced by human experts, if it uses the human’s solution as a base for optimization and begins the optimization process there.

An optimizer can find solutions more quickly than a human expert if the optimizer uses a network of computers or grid computing to consider large numbers of solutions in parallel.

An optimizer reacts to changing conditions more quickly than an expert, in that it can accommodate changes in technology and changes in policy options without being bound by the way it has solved problems in the past.

An optimizer is a good tool for understanding what-if situations. What if we had a better firewall? What if we had instantaneous reaction to attacks? Humans have a more difficult time finding good solutions when technology changes significantly. An optimizer, working without presuppositions, adjusts to changes without difficulty.

The design documents for SENDSim describe a range of questions that can be studied using SENDSim. Let's consider several of them, together with the way that an optimizer would add value to a human's study of those questions.

Q: How can a change in policy (enforced by Human Resources, for example, or enforced by technology) increase network security without decreasing worker productivity?

Suppose we are considering a change in network policy. An optimizer can be used to discover what other changes in policy and/or changes in worker behaviors would best be instituted together with the change that is envisioned. Human experts who have not worked with the new policy in place may not be aware of other changes that will increase its impact and decrease its negative effects.

Q: Which solution results in a better outcome: expanding the IT security and administration staff or educating and empowering workers?

An optimizer can be used to explore a wide range of potential changes, finding the best combination of new approaches to security. Making changes to a complicated network often has unintended consequences—some of them undesirable. SENDSim will model these consequences. The optimizer can discover and exploit the desirable, unintended consequences while it avoids the undesirable ones.

Q: What does the timescale of a Conficker infection look like, given my particular network and worker profiles? What aspects of my worker policies and network policy are enabling or counteracting the spread?

An optimizer can be used to find the best combination of worker behaviors and network policies to slow the spread of an infection. In a complicated situation, like that of a working computer network, the best action to take in a new situation can be unlike anything seen in an expert’s prior experience.

Q: How might my staff react to combat a “zero-day” Conficker attack? How would network functionality and worker productivity change, and hopefully recover, over time?

An optimizer can find the best combination of network configuration and worker policies in order to minimize the impact of a zero-day event. In some cases, the optimizer might even uncover solutions that have not been seen or practiced before.

Q: What combination of policy and network design will help me meet my security and productivity goals?

The optimizer can be given a "budget" of dollars to spend and a limit on the magnitude of changes it can make to network policies. Within those constraints it will find the best way to spend the budget and the best set of policy changes, trading off improvements in network security against the need to let workers do their jobs.
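To make the budget-constrained search concrete, and to show the earlier point that an optimizer can start from the human expert's own solution and improve on it, here is an added example in Python. It is not SENDSim code and not VGO Associates' optimizer; the four policy knobs, their per-level costs and productivity drags, the crude SIR-style spread model that stands in for the simulator, and the deterministic hill-climbing search are all constructed assumptions for illustration. A brute-force search over the toy policy space is included so the reader can check how close the warm-started hill climb gets to the true constrained optimum.

```python
"""Toy coupling of a simulator and a constrained optimizer (illustrative only,
not SENDSim's model or optimizer)."""
from itertools import product

# Policy knobs: name -> (max level, dollars per level, productivity drag per level).
# All numbers are constructed for this example.
KNOBS = {
    "patch_cadence": (4, 5000, 0.010),   # faster patching: more reboots, less exposure
    "segmentation":  (3, 8000, 0.015),   # more firewall zones: more friction, slower spread
    "user_training": (3, 2000, 0.005),   # awareness: fewer USB/share infections
    "it_staff":      (3, 12000, 0.000),  # faster cleanup, no drag on workers
}

def cost(policy):
    return sum(KNOBS[k][1] * lvl for k, lvl in policy.items())

def productivity_drag(policy):
    return sum(KNOBS[k][2] * lvl for k, lvl in policy.items())

def simulate(policy, days=60, initial_infected=0.01):
    """Stand-in for the simulator: a discrete SIR-style worm model.
    Returns (peak infected fraction, cumulative infected fleet-days)."""
    beta = (0.9 * (1 - 0.18 * policy["patch_cadence"])
                * (1 - 0.15 * policy["segmentation"])
                * (1 - 0.10 * policy["user_training"]))   # contact/infection rate
    gamma = 0.05 + 0.08 * policy["it_staff"]               # cleanup rate
    s, i = 1.0 - initial_infected, initial_infected
    peak, infected_days = i, 0.0
    for _ in range(days):
        new, cleaned = beta * s * i, gamma * i
        s -= new
        i += new - cleaned
        peak = max(peak, i)
        infected_days += i
    return peak, infected_days

def score(policy, days=60):
    """Lower is better: fleet-days lost to infection plus fleet-days lost to policy drag."""
    _, infected_days = simulate(policy, days)
    return infected_days + productivity_drag(policy) * days

def neighbors(policy):
    """Policies reachable by moving one knob one level up or down."""
    for k, (max_level, _, _) in KNOBS.items():
        for delta in (-1, 1):
            lvl = policy[k] + delta
            if 0 <= lvl <= max_level:
                yield {**policy, k: lvl}

def feasible(policy, baseline, budget, max_change):
    """budget caps extra spend over the baseline; max_change caps total knob movement."""
    extra = cost(policy) - cost(baseline)
    moved = sum(abs(policy[k] - baseline[k]) for k in KNOBS)
    return extra <= budget and moved <= max_change

def optimize(baseline, budget, max_change, days=60):
    """Deterministic hill climb warm-started from the human's baseline policy.
    Only improving, feasible moves are accepted, so the result is never worse
    than the baseline. Returns (policy, score, steps taken)."""
    current, current_score, steps = dict(baseline), score(baseline, days), 0
    while True:
        candidates = [(score(p, days), p) for p in neighbors(current)
                      if feasible(p, baseline, budget, max_change)]
        if not candidates:
            break
        best_score, best = min(candidates, key=lambda c: c[0])
        if best_score >= current_score:
            break
        current, current_score, steps = best, best_score, steps + 1
    return current, current_score, steps

def exhaustive_best(baseline, budget, max_change, days=60):
    """Brute force over the whole (tiny) policy space, to check the hill climb."""
    names = list(KNOBS)
    best = None
    for levels in product(*(range(KNOBS[k][0] + 1) for k in names)):
        p = dict(zip(names, levels))
        if feasible(p, baseline, budget, max_change):
            s = score(p, days)
            if best is None or s < best[1]:
                best = (p, s)
    return best

if __name__ == "__main__":
    # Constructed "human expert" baseline: moderate patching, no segmentation.
    human = {"patch_cadence": 1, "segmentation": 0, "user_training": 1, "it_staff": 1}
    print("baseline :", human, "score=%.2f cost=$%d" % (score(human), cost(human)))
    best, best_score, steps = optimize(human, budget=20000, max_change=4)
    print("optimized:", best, "score=%.2f extra=$%d steps=%d"
          % (best_score, cost(best) - cost(human), steps))
    ref = exhaustive_best(human, budget=20000, max_change=4)
    print("exhaustive:", ref[0], "score=%.2f" % ref[1])
```

The two constraints in `feasible` correspond to the dollar budget and the change-magnitude limit in the text; the objective in `score` is the security/productivity trade-off expressed in one unit (fleet-days lost). Swapping the hill climb for a population-based or parallel search, as the earlier discussion of grid computing suggests, changes only `optimize`; the simulator and constraints stay the same.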

The ability of an optimizer to provide high-quality answers to these types of questions is one of the main benefits of combining simulation with optimization. We'll explore more opportunities to integrate simulation and optimization in future blog posts.

NOTE:  Dr. David Davis is the president of VGO Associates, one of the original participants in the SENDS Consortium.