A Stackelberg Game Model for Botnet Traffic Exfiltration

Cyber-criminals can distribute malware to control computers on a networked system and leverage these compromised computers (i.e., botnets) to perform their malicious activities inside the network. Botnet-detection mechanisms, based on a detailed analysis of network traffic characteristics, provide a basis for defense against botnet attacks. In this work, we formulate the botnet defense problem as a Stackelberg security game, allocating detection resources to deter botnet attacks while taking into account the strategic response of cyber-criminals. Based on the new game model, we propose a game-theoretic algorithm, ORANI, to compute an optimal detection resource allocation strategy in zero-sum game settings. Our algorithm employs the double-oracle method to deal with an exponential number of player actions. Furthermore, we provide greedy heuristics to approximately compute an equilibrium of these botnet defense games. Finally, we conduct extensive experiments based on both simulated and real-world network topologies to demonstrate the advantages of our game-theoretic solution compared to previously proposed defense policies.
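The following is an added example, not code from the paper or its ORANI implementation, that illustrates the zero-sum Stackelberg setting and the double-oracle method the abstract describes on a toy network. Everything in it is an assumption of the example: a five-edge undirected network with a compromised host H exfiltrating to gateway G, a defender who monitors k edges with per-edge detection rates, defender utility equal to the probability the chosen path is detected (the attacker minimises it), and fictitious play as the inner solver for the small restricted games (the paper would use an exact LP; fictitious play converges for zero-sum games but only approximately).

```python
"""Toy double-oracle solver for a zero-sum Stackelberg botnet-exfiltration game.
Added example: the network, detection rates and the fictitious-play inner solver
are constructed here and are not the paper's ORANI implementation."""
from itertools import combinations
from typing import Dict, List, Tuple

Edge = Tuple[str, str]
Path = Tuple[Edge, ...]


def edge(u: str, v: str) -> Edge:
    """Canonical key for an undirected edge."""
    return (u, v) if u <= v else (v, u)


def enumerate_paths(edges: List[Edge], src: str, dst: str) -> List[Path]:
    """All simple src->dst paths as tuples of edges: the attacker's pure strategies."""
    adj: Dict[str, List[str]] = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    paths: List[Path] = []

    def dfs(node: str, seen: frozenset, trail: List[Edge]) -> None:
        if node == dst:
            paths.append(tuple(trail))
            return
        for nxt in sorted(adj.get(node, [])):
            if nxt not in seen:
                dfs(nxt, seen | {nxt}, trail + [edge(node, nxt)])

    dfs(src, frozenset([src]), [])
    return paths


def detection_prob(monitored: Tuple[Edge, ...], path: Path, rates: Dict[Edge, float]) -> float:
    """P(at least one monitored edge on the path fires), assuming independent sensors."""
    miss = 1.0
    for e in path:
        if e in monitored:
            miss *= 1.0 - rates[e]
    return 1.0 - miss


def solve_restricted(matrix: List[List[float]], iters: int = 40000) -> Tuple[List[float], List[float]]:
    """Approximate maximin/minimax mixes of a small zero-sum matrix game by fictitious play.
    Rows are defender placements (maximiser), columns are attacker paths (minimiser)."""
    m, n = len(matrix), len(matrix[0])
    row_counts, col_counts = [0] * m, [0] * n
    row_score, col_score = [0.0] * m, [0.0] * n  # cumulative payoff vs. opponent history
    for _ in range(iters):
        r = max(range(m), key=lambda i: row_score[i])
        c = min(range(n), key=lambda j: col_score[j])
        row_counts[r] += 1
        col_counts[c] += 1
        for i in range(m):
            row_score[i] += matrix[i][c]
        for j in range(n):
            col_score[j] += matrix[r][j]
    return [cnt / iters for cnt in row_counts], [cnt / iters for cnt in col_counts]


def double_oracle(edges: List[Edge], rates: Dict[Edge, float], src: str, dst: str,
                  k: int, eps: float = 0.01) -> dict:
    """Double-oracle loop: solve the restricted game, ask each player's best-response
    oracle for a strategy outside the restricted sets, stop when neither gains > eps."""
    all_paths = enumerate_paths(edges, src, dst)
    all_sets = [tuple(c) for c in combinations(sorted(edges), k)]
    D: List[Tuple[Edge, ...]] = [all_sets[0]]  # defender's restricted set (k-edge placements)
    P: List[Path] = [all_paths[0]]             # attacker's restricted set (exfiltration paths)
    rounds = 0
    while True:
        rounds += 1
        matrix = [[detection_prob(d, p, rates) for p in P] for d in D]
        x, y = solve_restricted(matrix)

        def exp_path(p: Path) -> float:  # expected detection of path p under defender mix x
            return sum(xi * detection_prob(d, p, rates) for xi, d in zip(x, D))

        def exp_set(d: Tuple[Edge, ...]) -> float:  # expected detection of placement d under y
            return sum(yj * detection_prob(d, p, rates) for yj, p in zip(y, P))

        lower = min(exp_path(p) for p in P)  # defender's guarantee inside the restricted game
        upper = max(exp_set(d) for d in D)   # attacker's guarantee inside the restricted game
        att_br = min(all_paths, key=exp_path)  # attacker oracle over all paths
        def_br = max(all_sets, key=exp_set)    # defender oracle over all placements
        grew = False
        if exp_path(att_br) < lower - eps:
            P.append(att_br)
            grew = True
        if exp_set(def_br) > upper + eps:
            D.append(def_br)
            grew = True
        if not grew:
            return {"rounds": rounds,
                    "guarantee": exp_path(att_br),  # detection the defender secures in the full game
                    "defender": {d: xi for d, xi in zip(D, x) if xi > 0},
                    "attacker": {p: yj for p, yj in zip(P, y) if yj > 0}}


# Constructed toy network: H-A-G and H-B-G with a cross link A-B; all sensors fire with
# probability 0.9 except the A-B link, where the (assumed) sensor only fires with 0.5.
NET_EDGES = [edge("H", "A"), edge("H", "B"), edge("A", "G"), edge("B", "G"), edge("A", "B")]
RATES = {e: 0.9 for e in NET_EDGES}
RATES[edge("A", "B")] = 0.5

if __name__ == "__main__":
    res = double_oracle(NET_EDGES, RATES, "H", "G", k=1)
    print("rounds:", res["rounds"], "defender guarantee:", round(res["guarantee"], 3))
    for d, prob in res["defender"].items():
        print("monitor", d, "with prob", round(prob, 2))
```

Every H-to-G path must cross exactly one of the two host links H-A and H-B, so with one sensor the defender can force detection of 0.45 (half the mass on each link, rate 0.9) and no more; the loop reaches that value after adding only a handful of the 5 placements and 4 paths, which is the point of the double-oracle approach when the full strategy sets are exponential.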