Optimal Timing in Dynamic and Robust Attacker Engagement During Advanced Persistent Threats

Advanced persistent threats (APTs) are stealthy attacks which make use of social engineering and deception to give adversaries insider access to networked systems. Against APTs, active defense technologies aim to create and exploit information asymmetry for defenders. In this paper, we study a scenario in which a powerful defender uses honeynets for active defense in order to observe an attacker who has penetrated the network. Rather than immediately eject the attacker, the defender may elect to gather information. We introduce an undiscounted, infinite-horizon Markov decision process on a continuous state space in order to model the defender's problem. We find a threshold of information that the defender should gather about the attacker before ejecting him. Then we study the robustness of this policy using a Stackelberg game. Finally, we simulate the policy for a conceptual network. Our results provide a quantitative foundation for studying optimal timing for attacker engagement in network defense.

[1]  Oguzhan Alagöz,et al.  Modeling secrecy and deception in a multiple-period attacker-defender signaling game , 2010, Eur. J. Oper. Res..

[2]  H. Stackelberg,et al.  Marktform und Gleichgewicht , 1935 .

[3]  Branislav Bosanský,et al.  Optimal Network Security Hardening Using Attack Graph Games , 2015, IJCAI.

[4]  Quanyan Zhu,et al.  Flip the Cloud: Cyber-Physical Signaling Games in the Presence of Advanced Persistent Threats , 2015, GameSec.

[5]  Ronald L. Rivest,et al.  FlipIt: The Game of “Stealthy Takeover” , 2012, Journal of Cryptology.

[6]  Sushil Jajodia,et al.  Deceiving Attackers by Creating a Virtual Attack Surface , 2016, Cyber Deception.

[7]  William H. Sanders,et al.  A Game-Theoretic Approach to Respond to Attacker Lateral Movement , 2016, GameSec.

[8]  H. Vincent Poor,et al.  Cloud Storage Defense Against Advanced Persistent Threats: A Prospect Theoretic Study , 2017, IEEE Journal on Selected Areas in Communications.

[9]  Sushil Jajodia,et al.  k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities , 2014, IEEE Transactions on Dependable and Secure Computing.

[10]  R Bellman,et al.  On the Theory of Dynamic Programming. , 1952, Proceedings of the National Academy of Sciences of the United States of America.

[11]  Branislav Bosanský,et al.  Manipulating Adversary's Belief: A Dynamic Game Approach to Deception by Design for Proactive Network Security , 2017, GameSec.

[12]  Quanyan Zhu,et al.  Strategic Trust in Cloud-Enabled Cyber-Physical Systems With an Application to Glucose Control , 2017, IEEE Transactions on Information Forensics and Security.

[13]  Liang Xiao,et al.  Defense Against Advanced Persistent Threats in Dynamic Cloud Storage: A Colonel Blotto Game Approach , 2018, IEEE Internet of Things Journal.

[14]  Daniel Grosu,et al.  A Game Theoretic Investigation of Deception in Network Security , 2009, 2009 Proceedings of 18th International Conference on Computer Communications and Networks.

[15]  Quanyan Zhu,et al.  Analysis and Computation of Adaptive Defense Strategies Against Advanced Persistent Threats for Cyber-Physical Systems , 2018, GameSec.

[16]  Quanyan Zhu,et al.  Deception by Design: Evidence-Based Signaling Games for Network Defense , 2015, WEIS.

[17]  Jeffrey M. Voas,et al.  BYOD: Security and Privacy Considerations , 2012, IT Professional.

[18]  Frank J. Stech,et al.  Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense , 2016, Cyber Deception.

[19]  H. Vincent Poor,et al.  Attacker-Centric View of a Detection Game against Advanced Persistent Threats , 2018, IEEE Transactions on Mobile Computing.