A Game-Theoretic Approach for Dynamic Information Flow Tracking to Detect Multistage Advanced Persistent Threats

Advanced persistent threats (APTs) infiltrate cyber systems and compromise specifically targeted data and/or resources through a sequence of stealthy attacks consisting of multiple stages. Dynamic information flow tracking (DIFT) has been proposed to detect APTs. In this article, we develop a dynamic information flow tracking game for resource-efficient detection of APTs via multistage dynamic games. The game evolves on an information flow graph, whose nodes are processes and objects (e.g., files, network endpoints) in the system and whose edges capture the interactions between different processes and objects. Each stage of the game has prespecified targets that are characterized by a set of nodes of the graph. The goal of the APT is to evade detection and reach a target node of each stage. The goal of the defender is to maximize the detection probability while minimizing the performance overhead on the system. The resource costs of the players differ and the information structure is asymmetric, resulting in a nonzero-sum imperfect information game. We first calculate the best responses of the players and then compute a Nash equilibrium for single-stage attacks. We then provide a polynomial-time algorithm to compute a correlated equilibrium for the multistage attack case. Finally, we simulate our model and algorithm on real-world nation state attack data obtained from the Refinable Attack INvestigation (RAIN) system.
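To make the single-stage setting concrete, the following is an added toy model, written for this page and not the paper's own formulation or code. It assumes a small constructed information flow graph (process and object nodes, directed flow edges), one entry node and one target node, a per-node detection probability `DETECT_P`, a per-node analysis cost `OVERHEAD` and a target value `TARGET_VALUE` (all illustrative constants). The defender's action is the set of nodes at which DIFT security analysis runs; the attacker's action is a path from entry to target. The code computes each player's best response to the other: the attacker minimises its detection probability over paths, the defender maximises expected detection value minus overhead over node subsets (exhaustive search, fine for a graph this size). The multistage and equilibrium computations of the paper are not modelled.

```python
"""Toy single-stage DIFT game on a constructed information flow graph.

Illustrative model only (not the paper's formulation):
- nodes are processes/objects, directed edges are information flows;
- the attacker must traverse a path from ENTRY to TARGET;
- the defender chooses a subset of nodes to run DIFT analysis at; each analysed
  node on the attacker's path detects the tainted flow with probability DETECT_P
  and each analysed node costs OVERHEAD in system performance;
- defender payoff = TARGET_VALUE * P(detection) - OVERHEAD * |analysed nodes|;
- attacker payoff = P(evading detection).
"""
from itertools import combinations

DETECT_P = 0.8        # assumed per-node detection probability
OVERHEAD = 0.1        # assumed performance cost per analysed node
TARGET_VALUE = 1.0    # assumed value of protecting the target

# Constructed sample information flow graph (adjacency list).
GRAPH = {
    "net_socket": ["browser", "mail_client"],
    "browser": ["download_dir", "shell"],
    "mail_client": ["download_dir"],
    "download_dir": ["shell"],
    "shell": ["ssh_keys"],
    "ssh_keys": [],
}
ENTRY = "net_socket"
TARGET = "ssh_keys"


def simple_paths(graph, src, dst):
    """Enumerate all simple paths from src to dst as tuples (graph is small)."""
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(tuple(path))
            return
        for nxt in graph[node]:
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return paths


def detection_prob(path, analysed):
    """P(at least one analysed node on the path flags the tainted flow)."""
    evade = 1.0
    for node in path:
        if node in analysed:
            evade *= (1.0 - DETECT_P)
    return 1.0 - evade


def expected_detection(analysed, attacker_mix):
    """Expected detection probability against a mixed attacker strategy {path: prob}."""
    return sum(p * detection_prob(path, analysed) for path, p in attacker_mix.items())


def uniform_attacker(graph):
    """Attacker mixed strategy that picks each entry-to-target path equally often."""
    paths = simple_paths(graph, ENTRY, TARGET)
    return {path: 1.0 / len(paths) for path in paths}


def attacker_best_response(graph, analysed):
    """Path minimising detection probability; returns (path, evasion probability)."""
    paths = simple_paths(graph, ENTRY, TARGET)
    best = min(paths, key=lambda p: detection_prob(p, analysed))
    return best, 1.0 - detection_prob(best, analysed)


def defender_best_response(graph, attacker_mix):
    """Node subset maximising detection value minus overhead; returns (set, utility)."""
    nodes = list(graph)
    best_set, best_util = frozenset(), float("-inf")
    for k in range(len(nodes) + 1):
        for subset in combinations(nodes, k):
            analysed = frozenset(subset)
            util = (TARGET_VALUE * expected_detection(analysed, attacker_mix)
                    - OVERHEAD * len(analysed))
            if util > best_util + 1e-12:   # keep the first subset reaching the max
                best_set, best_util = analysed, util
    return best_set, best_util


if __name__ == "__main__":
    analysed, util = defender_best_response(GRAPH, uniform_attacker(GRAPH))
    print("defender analyses", sorted(analysed), "utility", round(util, 3))
    path, evade = attacker_best_response(GRAPH, analysed)
    print("attacker path", " -> ".join(path), "evasion prob", round(evade, 3))
```

On this graph every entry-to-target path passes through `net_socket`, `shell` and `ssh_keys`, so the defender's best response instruments two of those cut nodes (a third analysed node raises detection by less than its overhead), and the attacker's best response is then any path, each evading with probability 0.04. Changing `OVERHEAD` or `DETECT_P` moves that trade-off, which is the resource-efficiency question the abstract poses.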
