A game-theoretic approach for selecting optimal time-dependent thresholds for anomaly detection

Adversaries can cause significant damage to smart infrastructure through malicious attacks. To detect and mitigate such attacks before they cause physical damage, operators can deploy anomaly detection systems (ADS), which alert operators to suspicious activity. However, the detection thresholds of an ADS must be configured carefully: an oversensitive detector raises a prohibitively large number of false alarms, while an undersensitive detector may miss actual attacks. This is especially challenging in dynamical environments, where the impact of an attack may vary significantly over time. Using a game-theoretic approach, we formulate the problem of computing optimal detection thresholds, which minimize both the number of false alarms and the probability of missing actual attacks, as a two-player Stackelberg security game. We provide an efficient dynamic-programming-based algorithm for solving the game and thereby finding optimal detection thresholds. We analyze the performance of the proposed algorithm and show that its running time scales polynomially with the length of the time horizon of interest. In addition, we study the problem of finding optimal thresholds in the presence of both random faults and attacks. Finally, we evaluate our results using a case study of contamination attacks in water networks, and show that our optimal thresholds significantly outperform fixed thresholds, which do not account for the dynamical nature of the environment.
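The following is an added, self-contained illustration of the leader/follower threshold problem described above; it is not the paper's model, data or algorithm. It assumes a deliberately simplified setting: the anomaly score at each step is N(0,1) under normal operation and N(a_t,1) when an attack is launched at step t, an attack launched at step t is either caught at that step or causes damage D_t, the defender commits to one threshold per step and pays C_FA per expected false alarm, and the attacker observes the thresholds and picks the single most profitable step. Under these assumptions the defender's loss is "false-alarm cost plus the attacker's best-response damage", and the search over threshold vectors decouples across steps once the attacker's payoff is capped, which gives a solver polynomial in the horizon length (the general idea, not the paper's specific dynamic program). All names, numbers and damage profiles below are constructed for the example.

```python
"""Toy Stackelberg threshold selection for a time-varying anomaly detector.

Constructed illustration (not the paper's model or algorithm). Assumptions:
- anomaly score ~ N(0, 1) under normal operation, ~ N(a_t, 1) under attack at step t;
- an attack at step t that is missed at that step causes damage D_t, a detected one none;
- the defender (leader) commits to a threshold eta_t per step, paying C_FA per expected
  false alarm; the attacker (follower) sees the thresholds and picks the best single step.
"""
import math
from itertools import product


def gaussian_tail(x):
    """P(Z > x) for Z ~ N(0, 1)."""
    return 0.5 * math.erfc(x / math.sqrt(2))


def false_alarm_prob(eta):
    """Probability a benign score exceeds the threshold."""
    return gaussian_tail(eta)


def miss_prob(eta, a):
    """Probability an attack score ~ N(a, 1) stays at or below the threshold."""
    return 1.0 - gaussian_tail(eta - a)


def attacker_payoff(eta, a, damage):
    """Expected damage of attacking a step guarded by threshold eta."""
    return damage * miss_prob(eta, a)


def defender_loss(thresholds, attack_signal, damages, c_fa):
    """Expected false-alarm cost plus the attacker's best-response damage."""
    fa_cost = c_fa * sum(false_alarm_prob(e) for e in thresholds)
    worst = max(attacker_payoff(e, a, d)
                for e, a, d in zip(thresholds, attack_signal, damages))
    return fa_cost + worst


def optimal_thresholds(candidates, attack_signal, damages, c_fa):
    """Exact Stackelberg solution for the toy model.

    For a fixed cap v on the attacker's payoff, the best threshold at each step is the
    one with the fewest false alarms whose attacker payoff is <= v. Steps decouple, so
    the cost is O(T * |candidates| * |caps|) instead of |candidates| ** T. Returns
    (loss, thresholds).
    """
    T = len(damages)
    # Every attainable attacker payoff is a possible cap; the optimum's cap is among them.
    caps = sorted({attacker_payoff(e, attack_signal[t], damages[t])
                   for t in range(T) for e in candidates})
    best = None
    for v in caps:
        thresholds = []
        for t in range(T):
            feasible = [e for e in candidates
                        if attacker_payoff(e, attack_signal[t], damages[t]) <= v + 1e-12]
            if not feasible:
                break
            thresholds.append(min(feasible, key=false_alarm_prob))
        else:
            loss = defender_loss(thresholds, attack_signal, damages, c_fa)
            if best is None or loss < best[0]:
                best = (loss, thresholds)
    return best


def best_fixed_threshold(candidates, attack_signal, damages, c_fa):
    """Baseline that ignores the dynamics: one threshold for every step."""
    T = len(damages)
    return min((defender_loss([e] * T, attack_signal, damages, c_fa), e)
               for e in candidates)


def brute_force_thresholds(candidates, attack_signal, damages, c_fa):
    """Exhaustive search, used to check the fast solver on short horizons."""
    T = len(damages)
    return min((defender_loss(list(th), attack_signal, damages, c_fa), list(th))
               for th in product(candidates, repeat=T))


if __name__ == "__main__":
    # Constructed scenario: attack signal strength 2.0 at every step, damage peaking mid-horizon.
    cands = [0.5 * k for k in range(1, 9)]
    signal = [2.0] * 5
    dmg = [1.0, 2.0, 6.0, 3.0, 1.0]
    print("time-dependent:", optimal_thresholds(cands, signal, dmg, c_fa=1.0))
    print("best fixed    :", best_fixed_threshold(cands, signal, dmg, c_fa=1.0))
```

The solver lowers the threshold exactly where the damage from a missed attack is high and relaxes it where an attack would do little harm, which is what a fixed threshold cannot do; `brute_force_thresholds` is there so the decoupled search can be checked against exhaustive enumeration before trusting it on longer horizons.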
