DIFT Games: Dynamic Information Flow Tracking Games for Advanced Persistent Threats

Dynamic Information Flow Tracking (DIFT) has been proposed to detect stealthy, persistent cyber attacks that evade existing defenses such as firewalls and signature-based antivirus systems. A DIFT defense taints and tracks suspicious information flows across the network in order to identify possible attacks, at the cost of additional memory overhead incurred when tracking non-adversarial information flows. In this paper, we present the first analytical model that describes the interaction between DIFT and adversarial information flows, including the probability that the adversary evades detection and the performance overhead of the defense. Our analytical model is a multi-stage game in which each stage represents a system process through which the information flow passes. We characterize the optimal strategies for both the defense and the adversary, and derive efficient algorithms for computing them. Our results are evaluated on a real-world attack dataset obtained using the Refinable Attack Investigation (RAIN) framework, enabling us to draw conclusions on the optimal adversary and defense strategies, as well as on the effect of valid (benign) information flows on the interaction between adversary and defense.
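The trade-off the abstract describes, a detection probability that compounds across the stages an attacker's flow must traverse against a tracking overhead paid for every benign flow tainted at those stages, can be made concrete with a small toy model. The following is an added, constructed illustration and is not the paper's game, payoff structure or algorithm: the process chain, the benign-flow counts, the per-stage detection rate and the exhaustive grid search over defender strategies are all assumptions chosen for the example.

```python
"""Toy multi-stage DIFT trade-off (constructed example, not the paper's model).

A defender picks, per stage, the probability of tainting and tracking flows
that pass through that process.  An adversarial flow must pass every stage;
it is caught if it is tracked at a stage and the analysis there fires.
Tracking also taints the benign flows at that stage, which is the overhead.
"""
from itertools import product
from math import prod

# Hypothetical process chain an attack flow traverses (assumption).
STAGES = ["browser", "shell", "sudo", "db_client"]
# Constructed counts of benign (valid) flows through each process per window.
BENIGN_FLOWS = {"browser": 400, "shell": 120, "sudo": 15, "db_client": 60}
# Assumed: each tainted benign flow costs one unit of tracking overhead.
COST_PER_FLOW = 1.0
# Assumed: security analysis at a tracked stage catches the adversary w.p. 0.9.
DETECT_IF_TRACKED = 0.9


def evasion_probability(track_prob):
    """P(adversarial flow passes all stages undetected).

    track_prob maps stage -> probability the defender tracks flows there.
    The adversary survives a stage when it is not tracked there or the
    analysis misses it, so survival probabilities multiply across stages.
    """
    return prod(1.0 - track_prob[s] * DETECT_IF_TRACKED for s in STAGES)


def tracking_overhead(track_prob):
    """Expected overhead from tainting benign flows at tracked stages."""
    return sum(track_prob[s] * BENIGN_FLOWS[s] * COST_PER_FLOW for s in STAGES)


def best_defender_strategy(weight, grid=(0.0, 0.25, 0.5, 0.75, 1.0)):
    """Exhaustive search over a grid of per-stage tracking probabilities.

    Minimises evasion_probability + weight * tracking_overhead, i.e. the
    defender trades missed attacks against overhead at an exchange rate
    of `weight` per overhead unit.  Returns the best stage -> probability map.
    """
    best_score, best_tp = None, None
    for probs in product(grid, repeat=len(STAGES)):
        tp = dict(zip(STAGES, probs))
        score = evasion_probability(tp) + weight * tracking_overhead(tp)
        if best_score is None or score < best_score:
            best_score, best_tp = score, tp
    return best_tp


if __name__ == "__main__":
    for w in (0.0, 0.001, 0.01):
        tp = best_defender_strategy(w)
        print(f"weight={w:<6} strategy={tp} "
              f"evasion={evasion_probability(tp):.4f} "
              f"overhead={tracking_overhead(tp):.1f}")
```

When overhead is free (weight 0) the defender tracks every stage; as overhead becomes expensive the search first gives up the stages carrying the most benign traffic and keeps tracking the stage with the fewest valid flows, which is the qualitative effect of benign flows on the defender's strategy that the abstract refers to.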
