SHARE

A “noisy-rich” (NR) cyber-attacker (Lippmann et al. 2012) is one who tries every available vulnerability until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how an NR-attacker explores an enterprise network and how he or she attacks it, built on the concept of a system vulnerability dependency graph. We develop a mechanism by which the defender can modify the network to induce deception, placing honey nodes and apparent vulnerabilities into the network so as to minimize the expected impact of the NR-attacker’s attacks according to multiple measures of impact. We also consider the case where the adversary uses reinforcement learning to learn from attacks that the defender has blocked. We run detailed experiments on real network data (with simulated attack data) and show that the Stackelberg Honey-based Adversarial Reasoning Engine (SHARE) performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. Because the attacker learns whenever the defender stops an attack, we propose two stopping policies for the defender: Stop Upon Detection, which lets the attacker learn about the defender’s strategy and, in our experiments, leads to significant damage in the long run; and Stop After Delay, which keeps the attacker more uncertain about the defender’s strategy and leads to better defendability in the long run.
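As an added illustration (not code from the paper or its authors), the following toy model shows the Stackelberg structure the abstract describes: the defender commits first to a placement of honey nodes and apparent vulnerabilities on a small vulnerability dependency graph, and a noisy-rich attacker, who tries every exposed vulnerability until the goal host falls, responds to whatever was committed. The network, the host impact scores, the vulnerability names and the rule that every real exploit succeeds are all assumptions made for this example; the paper's multiple impact measures and its reinforcement-learning attacker are not reproduced. The `delay` parameter only models the short-run cost of Stop After Delay (the attacker gets extra actions before being stopped), not the long-run learning effect the abstract attributes to it.

```python
"""Toy Stackelberg honey placement on a vulnerability dependency graph.

Constructed illustration (assumptions, not the paper's SHARE engine):
  * every host carries one impact score; the impact of an attack is the
    total score of the hosts compromised when the attacker is stopped
    (the paper uses several impact measures, this uses one);
  * a directed edge (src, dst, vuln) means that a foothold on `src` lets the
    attacker exploit `vuln` on `dst`, and every real exploit succeeds;
  * the noisy-rich attacker tries every exposed (dst, vuln) pair, picking
    uniformly at random among those not yet tried, until the goal host falls;
  * trying a decoy (honey node or apparent vulnerability) fires detection.
The defender moves first (Stackelberg leader), enumerating decoy placements
within a budget and committing to the one that minimises the attacker's
expected impact.
"""
from functools import lru_cache
from itertools import combinations

# Constructed network: host -> impact score (assumed values).
HOST_VALUE = {"internet": 0, "web": 1, "mail": 1, "app": 3, "files": 2, "db": 10}
# Real vulnerability dependencies as (src, dst, vuln); the names are made up.
REAL_EDGES = [
    ("internet", "web", "v_web"),
    ("internet", "mail", "v_mail"),
    ("web", "app", "v_app"),
    ("mail", "app", "v_app"),
    ("mail", "files", "v_smb"),
    ("app", "db", "v_db"),
    ("files", "db", "v_db"),
]
ENTRY, GOAL = "internet", "db"


def decoy_edges(placement):
    """Turn defender choices into fake edges; trying one trips detection.

    ("honey", h):    a honey node that becomes visible once `h` is compromised.
    ("apparent", h): an apparent vulnerability advertised on real host `h`,
                     exposed from every host that has a real edge into `h`.
    """
    edges = []
    for kind, host in placement:
        if kind == "honey":
            edges.append((host, "honey@" + host, "lure", True))
        else:
            edges.extend((src, host, "apparent", True)
                         for src, dst, _ in REAL_EDGES if dst == host)
    return edges


def expected_impact(placement, delay=0):
    """Exact expected impact of the NR attacker against `placement`.

    delay=0 is Stop Upon Detection.  delay=d is Stop After Delay: the
    defender lets the attacker take d further actions after the first decoy
    fires (more short-run damage; the long-run learning effect described in
    the abstract is outside this model).
    """
    edges = [(s, d, v, False) for s, d, v in REAL_EDGES] + decoy_edges(placement)

    def impact(compromised):
        return sum(HOST_VALUE.get(h, 0) for h in compromised)

    @lru_cache(maxsize=None)
    def value(compromised, tried, left):
        # `left` is None until detection, then the number of actions allowed.
        if GOAL in compromised or left == 0:
            return impact(compromised)
        frontier = sorted(
            {(d, v, decoy) for s, d, v, decoy in edges
             if s in compromised and d not in compromised} - set(tried)
        )
        if not frontier:
            return impact(compromised)
        total = 0.0
        for action in frontier:              # uniform choice over the frontier
            dst, _, decoy = action
            if left is None:
                nxt_left = delay if decoy else None   # detection fires here
            else:
                nxt_left = left - 1
            nxt_comp = compromised if decoy else compromised | {dst}
            total += value(nxt_comp, tried | {action}, nxt_left)
        return total / len(frontier)

    return value(frozenset({ENTRY}), frozenset(), None)


def best_placement(budget, delay=0):
    """Stackelberg leader: commit to the placement of at most `budget` decoys
    that minimises the attacker's expected impact. Returns (placement, impact)."""
    candidates = ([("honey", h) for h in HOST_VALUE if h != GOAL]
                  + [("apparent", h) for h in HOST_VALUE if h != ENTRY])
    best = (frozenset(), expected_impact(frozenset(), delay))
    for k in range(1, budget + 1):
        for combo in combinations(candidates, k):
            cost = expected_impact(frozenset(combo), delay)
            if cost < best[1] - 1e-12:
                best = (frozenset(combo), cost)
    return best


if __name__ == "__main__":
    print("no decoys:", round(expected_impact(frozenset()), 3))
    for budget in (1, 2):
        placement, cost = best_placement(budget)
        print(f"budget {budget}:", sorted(placement), round(cost, 3))
```

Running the script prints the undefended expected impact and the committed placement for budgets of one and two decoys. On this constructed graph a honey node visible from the entry host stays in the attacker's frontier at every step until it is tried, which is why it alone cuts the expected impact from roughly 15.4 to roughly 4.3; raising `delay` above zero raises the expected impact again, which is the short-run price the Stop After Delay policy pays for the long-run uncertainty the abstract describes.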

[1] T. Başar, et al. Dynamic Noncooperative Game Theory, 1982.

[2] N. P. Karlekar, et al. Honeypot: a survey of technologies, tools and deployment. ICWET, 2011.

[3] Colin Tankard, et al. Advanced Persistent threats and how to monitor and deter them. Netw. Secur., 2011.

[4] Bo An, et al. Security Games with Limited Surveillance. AAAI, 2012.

[5] Csaba Szepesvári, et al. Bandit Based Monte-Carlo Planning. ECML, 2006.

[6] Ralph L. Keeney, et al. Value-Focused Thinking, 1996.

[7] Branislav Bosanský, et al. Optimal Network Security Hardening Using Attack Graph Games. IJCAI, 2015.

[8] Kalyanmoy Deb, et al. A fast and elitist multiobjective genetic algorithm: NSGA-II. IEEE Trans. Evol. Comput., 2002.

[9] Myong H. Kang, et al. Determining Asset Criticality for Cyber Defense, 2011.

[10] Rebecca T. Mercuri. Analyzing security costs. CACM, 2003.

[11] Lior Rokach, et al. HoneyGen: An automated honeytokens generator. Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics, 2011.

[12] Воробьев Антон Александрович (A. A. Vorobyev). Analysis of Vulnerabilities of Computing Systems Based on Algebraic Structures and Data Flows (in Russian); National Vulnerability Database, 2013.

[13] Eric Michael Hutchins, et al. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, 2010.

[14] Indrajit Ray, et al. Dynamic Security Risk Management Using Bayesian Attack Graphs. IEEE Transactions on Dependable and Secure Computing, 2012.

[15] Sarit Kraus, et al. Playing games for security: an efficient exact algorithm for solving Bayesian Stackelberg games. AAMAS, 2008.

[16] Jun Zhang, et al. Economics of Security Patch Management. WEIS, 2006.

[17] Sarit Kraus, et al. A graph-theoretic approach to protect static and moving targets from adversaries. AAMAS, 2010.

[18] Jun Zhang, et al. Security Patch Management: Share the Burden or Share the Damage? Manag. Sci., 2008.

[19] Keshnee Padayachee, et al. A survey of honeypot research: Trends and opportunities. 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), 2015.

[20] Lior Rokach, et al. A Survey of Data Leakage Detection and Prevention Solutions. SpringerBriefs in Computer Science, 2012.

[21] Sushil Jajodia, et al. Cyber Warfare: Building the Scientific Foundation, 2015.

[22] Gurpreet Dhillon, et al. Value-focused assessment of information system security in organizations. Inf. Syst. J., 2006.

[23] Ralph L. Keeney, et al. Value-Focused Thinking: A Path to Creative Decisionmaking, 1992.

[24] T. Başar, et al. Dynamic Noncooperative Game Theory, 2nd Edition, 1998.

[25] K. G. Srinivasa, et al. Application of Genetic Algorithms for Detecting Anomaly in Network Intrusion Detection Systems, 2012.

[26] Frank Neumann, et al. Maximizing Submodular Functions under Matroid Constraints by Multi-objective Evolutionary Algorithms. PPSN, 2014.

[27] Jeannette M. Wing, et al. Game strategies in network security. International Journal of Information Security, 2005.

[28] Sushil Jajodia, et al. Cauldron mission-centric cyber situational awareness with defense in depth. MILCOM 2011 Military Communications Conference, 2011.

[29] Varun Dutt, et al. Cyber security: A game-theoretic analysis of defender and attacker strategies in defacing-website games. 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015.

[30] Sarit Kraus, et al. Deployed ARMOR protection: the application of a game theoretic model for security at the Los Angeles International Airport. AAMAS, 2008.

[31] Manish Jain, et al. Computing optimal randomized resource allocations for massive security games. AAMAS, 2009.

[32] Darrell Whitley, et al. The Island Model Genetic Algorithm: On Separability, Population Size and Convergence. CIT 2015, 2015.

[33] Indrajit Ray, et al. Optimal security hardening using multi-objective optimization on attack tree models of networks. CCS '07, 2007.

[34] Aravind Seshadri, et al. A Fast Elitist Multiobjective Genetic Algorithm: NSGA-II, 2000.

[35] Peter Reiher, et al. A taxonomy of DDoS attack and DDoS defense mechanisms. CCRV, 2004.

[36] Tansu Alpcan, et al. Network Security, 2010.

[37] Jarek Gryz, et al. Algorithms and analyses for maximal vector computation. The VLDB Journal, 2007.

[38] Viliam Lisý, et al. Game-Theoretic Foundations for the Strategic Use of Honeypots in Network Security. Cyber Warfare, 2015.

[39] Yevgeniy Vorobeychik, et al. Multidefender Security Games. IEEE Intelligent Systems, 2015.

[40] John Musacchio, et al. Optimizing the decision to expel attackers from an information system. 2009 47th Annual Allerton Conference on Communication, Control, and Computing (Allerton), 2009.

[41] Crispin Cowan, et al. Timing the Application of Security Patches for Optimal Uptime. LISA, 2002.

[42] Indrajit Ray, et al. Optimal security hardening on attack tree models of networks: a cost-benefit analysis. International Journal of Information Security, 2012.

[43] Yevgeniy Vorobeychik, et al. Optimal interdiction of attack plans. AAMAS, 2013.

[44] Lior Rokach, et al. Data Leakage Detection/Prevention Solutions, 2012.

[45] Sergiu Hart, et al. Games in extensive and strategic forms, 1992.

[46] Sushil Jajodia, et al. Pareto-Optimal Adversarial Defense of Enterprise Systems. TSEC, 2015.

[47] Vinod Yegneswaran, et al. An Attacker-Defender Game for Honeynets. COCOON, 2009.

[48] Luiz Eduardo Soares de Oliveira, et al. Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems. IEEE Transactions on Computers, 2017.

[49] Saman Asadi. Value focused assessment of information system security, 2014.

[50] Vincent Conitzer, et al. Stackelberg vs. Nash in Security Games: An Extended Investigation of Interchangeability, Equivalence, and Uniqueness. J. Artif. Intell. Res., 2011.

[51] Sushil Jajodia, et al. Keeping intruders at large: A graph-theoretic approach to reducing the probability of successful network intrusions. 2014 11th International Conference on Security and Cryptography (SECRYPT), 2014.

[52] Tamara Yu, et al. Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics, 2012.

[53] Yang Yu, et al. On Constrained Boolean Pareto Optimization. IJCAI, 2015.

[54] Martin C. Libicki, et al. Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar, 2014.

[55] Sushil Jajodia, et al. Topological Vulnerability Analysis. Cyber Situational Awareness, 2010.