A Game-theoretic Taxonomy and Survey of Defensive Deception for Cybersecurity and Privacy

Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this article, we survey 24 articles from 2008 to 2018 that use game theory to model defensive deception for cybersecurity and privacy. Then, we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define types of defensive deception, to capture a snapshot of the state of the literature, to provide a menu of models that can be used for applied research, and to identify promising areas for future work. Our taxonomy provides a systematic foundation for understanding different types of defensive deception commonly encountered in cybersecurity and privacy.
