Dynamic Defense Strategy against Stealth Malware Propagation in Cyber-Physical Systems

Stealth malware, a representative tool of advanced persistent threat (APT) attacks, poses a particular threat to cyber-physical systems (CPS). Because it relies on stealthy and evasive techniques (e.g., zero-day exploits, obfuscation), stealth malware usually renders conventional heavyweight countermeasures (e.g., exploit patching, specialized anti-malware programs) inapplicable. Light-weight countermeasures (e.g., containment techniques), on the other hand, can help retard the spread of stealth malware, but their side effects might violate the primary safety requirement of CPS. Hence, defenders need to find a balance between the gain and the loss of deploying light-weight countermeasures. To address this challenge, we model the persistent anti-malware process as a shortest-path tree interdiction (SPTI) Stackelberg game, and the safety requirements of CPS are introduced as constraints in the defender's decision model. Specifically, we first propose a static game (SSPTI), and then extend it to a multi-stage dynamic game (DSPTI) to meet the need for real-time decision making. Both games are modelled as bi-level integer programs and proved to be NP-hard. We then develop a Benders decomposition algorithm to achieve the Stackelberg equilibrium of SSPTI. Finally, we design a model predictive control strategy to solve DSPTI approximately by sequentially solving an approximation of SSPTI. Extensive simulation results demonstrate that the proposed dynamic defense strategy can achieve a balance between fail-secure ability and fail-safe ability while retarding stealth malware propagation in CPS.
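As an added illustration (not code from the paper), the static game SSPTI on a constructed toy CPS topology, solved by brute force: the defender (leader) adds containment delay to at most `budget` links subject to a control-latency safety constraint, and the malware (follower) then spreads along the shortest-path tree from the compromised node. The node names, link weights, `DELAY` value and `SAFETY` bounds are all constructed assumptions.

```python
import heapq
from itertools import combinations

# Constructed toy CPS network (not from the paper): edge weight = hours the
# malware needs to cross the link; a containment action adds DELAY hours.
EDGES = {("hmi", "eng"): 1, ("hmi", "hist"): 2, ("eng", "plc1"): 1,
         ("hist", "plc1"): 3, ("plc1", "plc2"): 1, ("hist", "plc2"): 4,
         ("plc2", "plc3"): 1, ("plc1", "sens"): 1, ("plc3", "sens"): 2}
SOURCE, CRITICAL, DELAY = "hmi", ("plc1", "plc2", "plc3"), 3  # infected node, targets, added hours
# Fail-safe constraint: each control path must keep end-to-end latency <= bound.
SAFETY = [(("plc1", "sens"), 2), (("plc2", "sens"), 4)]

def dijkstra(weights, src):
    """Shortest-path distances from src over the (possibly interdicted) graph."""
    adj = {}
    for (u, v), w in weights.items():
        adj.setdefault(u, []).append((v, w))
        adj.setdefault(v, []).append((u, w))
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist

def apply_interdiction(chosen):
    return {e: w + (DELAY if e in chosen else 0) for e, w in EDGES.items()}

def is_safe(weights):
    """Fail-safe check: every control path still meets its latency bound."""
    return all(dijkstra(weights, a).get(b, float("inf")) <= bound
               for (a, b), bound in SAFETY)

def attacker_value(weights):
    """Follower's best response: total shortest-path time to reach the critical nodes."""
    dist = dijkstra(weights, SOURCE)
    return sum(dist.get(n, float("inf")) for n in CRITICAL)

def solve_sspti(budget):
    """Leader: safe interdiction set of size <= budget maximising the follower's cost."""
    best = (attacker_value(EDGES), ())
    for k in range(1, budget + 1):
        for chosen in combinations(EDGES, k):
            w = apply_interdiction(chosen)
            if is_safe(w) and attacker_value(w) > best[0]:
                best = (attacker_value(w), chosen)
    return best
```

With this topology, delaying the single link `plc1-sens` would retard the malware but breaks the `plc1-sens` latency bound, so `is_safe` rejects it; the equilibrium for `budget=1` instead delays `hmi-eng`.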
