Game Theoretic, Multi-agent Approach to Network Traffic Monitoring

Abstract: The aim of the presented project was to investigate the potential of game-theoretical modeling of the attacker-defender interaction in the intrusion detection game. The key difference with respect to past work is the integration of game-theoretical methods with an actual, industry-strength anomaly detection system and the operation of this combination on live traffic data. Given the results presented, we can conclude that the simplified model presented in Section 3.2 and the extensive game model used in the core of this work can be integrated with a live IDS under reasonable, but very restrictive, assumptions. We conclude that this area of research has a very high potential to produce relevant, deployable results within the next 5 years, based on the trend in the computational power of current processors, the average memory required for the computation, and the growing sophistication of methods for efficiently solving realistic IDS games. The critical assumptions that need to be addressed relate to the following problems: 1) time representation and time-related assumptions in the game-theoretical model; 2) handling of several concurrent attackers; 3) identification of attacker coalitions, where the actions of several attackers aim to achieve a common goal; 4) sufficient detection precision and a more thorough, two-way integration between the IDS and the game-theoretical model. We argue that applied research in this area should concentrate on the progressive reduction of the assumptions that are currently necessary to make the game-theoretical model computationally solvable. Advances in game theory and game playing will need to be reflected in the security games domain. Further IDS and network security research is necessary to address the assumptions from the other side: by identifying coalitions of attackers and treating each coalition as a single individual.
