Adversarial Security: Getting to the Root of the Problem

This paper revisits the conventional notion of security, and champions a paradigm shift in the way that security should be viewed: we argue that the fundamental notion of security should naturally be one that actively aims for the root of the security problem: the malicious (human-terminated) adversary. To that end, we propose the notion of adversarial security where non-malicious parties and the security mechanism are allowed more activeness; we discuss framework ideas based on factors affecting the (human) adversary, and motivate approaches to designing adversarial security systems. Indeed, while security research has in recent years begun to focus on human elements of the legitimate user as part of the security system’s design e.g. the notion of ceremonies; our adversarial security notion approaches general security design by considering the human elements of the malicious adversary. 1 The General Security Problem This paper sets out to revisit the conventional notion of security. In essence, conventional security represents the security advocate as a boxed-in non-initiator, in that (technical) security mechanisms therein aim to protect the good guy against or cope with, anticipated attacks. Quoting from [25], the general view is that “security is inherently about avoiding a negative”. By design, the advocate is not equipped with the ability to initiate actions in the reverse direction towards the malicious adversary. In that light, cryptographic techniques and network security techniques are traditionally defensive mechanisms in face of the malicious adversary. More precisely, confidentiality (encryption), integrity (message authentication codes, hash+signatures), authentication (signatures), non-repudiation (signatures) ensure that in the event of attacks, either data or identities are protected from unauthorized adversarial (read and/or write) access or at the very least that any attack is discovered by the victim parties; while intrusion detection or firewalls detect or block adversarial access. ? Part of this work adversarially motivated by coffee. Intrusion tolerance, network resilience and proactive cryptography [8] (including forward security [9], key insulation [14], intrusion resilience [13], leakage resilience [26, 23]) techniques are of similar nature, emphasizing on being able to cope with or survive adversarial attacks. While it must be said here that the network forensics approach does to some extent provide a channel to get back at the malicious adversary, this is via nontechnical means, i.e. legal actions. Another emerging approach, non-technical as well, is that of security economics [7] that can also be seen as more proactive rather than simply defensive. Taking a holistic view of the security problem, we would like to champion a paradigm shift in the way that security should be viewed, by arguing that the fundamental notion of security should naturally be one that actively aims to tackle the root of the security problem: the malicious adversary. We also champion in this paper the fact that security should fully exploit the fact that the adversary is human-terminated; thus in terms of proactively addressing this root of the security problem, one should bear in mind that the human adversary lives in the real world and is thus influenced by real world factors aside from technical ones. Essentially, security pits human ingenuity (designer) against human ingenuity (adversary). While security research in recent years has begun to consider human factors within security designs in view that legitimate security users are often human (this makes a lot of sense since attackers have long been exploiting this weakness, e.g. social engineering), less research has concentrated on designing security by considering that adversaries are also human-initiated, although to some extent the research direction popularized by CAPTCHA [6] in considering how to identify if a human is present during web based authentication dates back to the work of Naor [22] in 1996. 2 Adversarial Security Design We propose the notion of adversarial security. The adversarial angle of this notion is twofold. First, it emphasizes on the ideal that security should be the resultant equilibrium established after fair play (to some extent) among all parties, whether honest or malicious. This is akin to the adversarial process e.g. in adversarial legal systems or adversarial politics which is game-like in nature. In contrast, the conventional notion of security does not really capture this since techniques therein are less symmetric in terms of the activeness, i.e. the malicious adversary is the active initiating party while the attacked party is the non-active defending or coping party. What is worse, the adversary bears no consequences from his/her actions nor from actions of the other non-malicious parties, while the non-adversarial parties bear the consequences of their own actions (e.g. lack of emphasis on security increases risk of being attacked) and even those of the adversary. Furthermore, although the provable security paradigm also adopts a game-like approach to defining security, it resembles less the fair play element between opposing sides that should be the nature of an adversarial process. Second, our notion is so-called adversarial in the sense it aims to emphasize on and get to the root of security problems, i.e. the malicious human-terminated adversary.