Interdiction Games for Advanced Persistent Threats using Dynamic Information Flow Tracking

Dynamic Information Flow Tracking (DIFT) has been proposed to detect and prevent a range of cyber attacks on computer systems. DIFT tracks information flows through the system and initiates a security analysis when anomalous behavior is detected, at the cost of additional memory and performance overhead. We consider an attacker who is trying to steal critical information from the system and a DIFT-based defense with limited resources. The objective of the DIFT is to allocate its resources across the processes of the system so as to maximize the probability of detecting the attacker while satisfying the resource constraint. We formulate the strategic interaction between the attacker and the DIFT as a nonzero-sum network interdiction game. We show that a solution to the game can be obtained as a solution to a min-max problem on a flow network constructed from the problem instance. We recast the min-max problem as a Linear Program (LP) and prove that the solution to the LP yields an optimal set of strategies for both players. We evaluate our algorithm on real-world data sets for two attacks, (i) ScreenGrab and (ii) Nation state, obtained using the Refinable Attack INvestigation (RAIN) system.
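The following is an added, deliberately simplified illustration of the budgeted-allocation-versus-path interdiction problem the abstract describes; it is not the paper's model or code. It assumes a zero-sum payoff in which the attacker's exposure on a path is the summed monitoring weight of the processes on that path (a per-hop detection budget, not the paper's detection probability), that the defender may place weight on every process except the attacker's entry point and the target, and a constructed process graph that stands in for a RAIN-style provenance graph. The defender's max-min problem is written directly as the LP "maximize t subject to t minus the weight on every path being at most 0, total weight at most the budget", solved exactly with a small tableau simplex, and the dual values of the path constraints are read off as the attacker's optimal mixed strategy over paths. All names (GRAPH, solve_dift_game, path_detection) are hypothetical.

```python
"""DIFT placement as a budgeted network interdiction game (added toy model)."""
from fractions import Fraction

# Constructed process/flow graph (hypothetical, not RAIN output): edges are
# observed inter-process information flows; "browser" is the attacker's entry.
GRAPH = {
    "browser": ["shell", "python"],
    "shell": ["ssh"],
    "python": ["ssh", "cron"],
    "cron": ["db"],
    "ssh": ["db"],
    "db": [],
}


def enumerate_paths(graph, source, target):
    """All simple source->target paths: the attacker's pure strategies."""
    paths, stack = [], [(source, (source,))]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:          # keeps the search finite on cycles
                stack.append((nxt, path + (nxt,)))
    return sorted(paths)


def simplex_max(c, A, b):
    """Maximize c.y s.t. A y <= b, y >= 0, with b >= 0 (origin feasible).
    Dense tableau simplex with Bland's rule (the path rows are degenerate)
    in exact Fraction arithmetic. Returns (value, y, duals of each row)."""
    m, n = len(A), len(c)
    T = [[Fraction(A[i][j]) for j in range(n)]
         + [Fraction(int(i == k)) for k in range(m)] + [Fraction(b[i])]
         for i in range(m)]
    z = [Fraction(-cj) for cj in c] + [Fraction(0)] * (m + 1)
    basis = [n + i for i in range(m)]
    while True:
        enter = next((j for j in range(n + m) if z[j] < 0), None)
        if enter is None:
            break                         # no improving column: optimal
        best = None
        for i in range(m):               # ratio test, ties -> lowest basis var
            if T[i][enter] > 0:
                ratio = T[i][-1] / T[i][enter]
                if best is None or ratio < best[0] or (
                        ratio == best[0] and basis[i] < basis[best[1]]):
                    best = (ratio, i)
        if best is None:
            raise ValueError("LP is unbounded")
        r, piv = best[1], T[best[1]][enter]
        T[r] = [v / piv for v in T[r]]
        for i in range(m):
            if i != r and T[i][enter]:
                f = T[i][enter]
                T[i] = [a - f * p for a, p in zip(T[i], T[r])]
        f = z[enter]
        z = [a - f * p for a, p in zip(z, T[r])]
        basis[r] = enter
    y = [Fraction(0)] * n
    for i, var in enumerate(basis):
        if var < n:
            y[var] = T[i][-1]
    return z[-1], y, z[n:n + m]          # slack reduced costs = dual values


def solve_dift_game(graph, source, target, budget):
    """Defender: weights x_v in [0,1] on each process except source/target,
    sum x_v <= budget. LP: max t s.t. t - sum_{v on path} x_v <= 0 per path."""
    paths = enumerate_paths(graph, source, target)
    procs = sorted(v for v in graph if v not in (source, target))
    idx = {v: i + 1 for i, v in enumerate(procs)}       # column 0 is t
    n, A, b = 1 + len(procs), [], []
    for p in paths:                                     # exposure on path >= t
        row = [Fraction(0)] * n
        row[0] = Fraction(1)
        for v in p:
            if v in idx:
                row[idx[v]] = Fraction(-1)
        A.append(row); b.append(Fraction(0))
    A.append([Fraction(0)] + [Fraction(1)] * len(procs)); b.append(Fraction(budget))
    for v in procs:                                     # x_v <= 1
        row = [Fraction(0)] * n; row[idx[v]] = Fraction(1)
        A.append(row); b.append(Fraction(1))
    value, y, duals = simplex_max([Fraction(1)] + [Fraction(0)] * len(procs), A, b)
    return {"value": value, "paths": paths,
            "allocation": {v: y[idx[v]] for v in procs},
            "attacker_mix": {p: duals[i] for i, p in enumerate(paths)}}


def path_detection(result, path):
    """Summed monitoring weight the attacker meets along one path."""
    return sum(result["allocation"].get(v, 0) for v in path)


if __name__ == "__main__":
    res = solve_dift_game(GRAPH, "browser", "db", 1)
    print("game value:", res["value"])
    for v, x in res["allocation"].items():
        print(f"  monitor {v}: {x}")
    for p, q in res["attacker_mix"].items():
        print(f"  path {'->'.join(p)}: attacker weight {q}, exposure {path_detection(res, p)}")
```

With one unit of budget on the constructed graph the value is 1/2: no allocation can put more than 1/2 on every one of the three entry-to-target paths, and the attacker's optimal mix splits evenly between the two paths that share no monitorable process (via shell/ssh and via python/cron), leaving the python/ssh path unused. That is the flow-network intuition behind the min-max formulation: the attacker routes around concentrated monitoring, so the defender must spread weight over a vertex cut of the path set.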

[1] Richard D. Wollmer, et al. Removing Arcs from a Network, 1964.

[2] Alan W. McMasters, et al. Optimal interdiction of a supply network, 1970.

[3] Delbert Ray Fulkerson, et al. Maximizing the minimum source-sink path subject to a budget constraint, 1977, Math. Program.

[4] R. Kevin Wood, et al. Deterministic network interdiction, 1993.

[5] Cynthia A. Phillips, et al. The network inhibition problem, 1993, STOC.

[6] Alan Washburn, et al. Two-Person Zero-Sum Games for Network Interdiction, 1995, Oper. Res.

[7] David P. Morton, et al. Stochastic Network Interdiction, 1998, Oper. Res.

[8] R. Kevin Wood, et al. Shortest-path network interdiction, 2002, Networks.

[9] David Zhang, et al. Secure program execution via dynamic information flow tracking, 2004, ASPLOS XI.

[10] R. Powell. Defending against Terrorist Attacks with Limited Resources, 2007, American Political Science Review.

[11] J. C. Smith, et al. Algorithms for discrete and continuous multicommodity flow network interdiction problems, 2007.

[12] Vincent Conitzer, et al. Stackelberg vs. Nash in Security Games: An Extended Investigation of Interchangeability, Equivalence, and Uniqueness, 2011, J. Artif. Intell. Res.

[13] Steven Okamoto, et al. Solving non-zero sum multiagent network flow security games with attack costs, 2012, AAMAS.

[14] Ronald L. Rivest, et al. FlipIt: The Game of "Stealthy Takeover", 2012, Journal of Cryptology.

[15] Quanyan Zhu, et al. Game theory meets network security and privacy, 2013, CSUR.

[16] Basel Alomair, et al. A host takeover game model for competing malware, 2015, 2015 54th IEEE Conference on Decision and Control (CDC).

[17] Noam Goldberg. Non-zero-sum nonlinear network path interdiction with an application to inspection in terror networks, 2017.

[18] Walid Saad, et al. Prospect theory for enhanced cyber-physical security of drone delivery systems: A network interdiction game, 2017, 2017 IEEE International Conference on Communications (ICC).

[19] Alessandro Orso, et al. RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking, 2017, CCS.

[20] Radha Poovendran, et al. DIFT Games: Dynamic Information Flow Tracking Games for Advanced Persistent Threats, 2018, 2018 IEEE Conference on Decision and Control (CDC).

[21] R. Sekar, et al. Dependence-Preserving Data Compaction for Scalable Forensic Analysis, 2018, USENIX Security Symposium.

[22] Radha Poovendran, et al. Multi-stage Dynamic Information Flow Tracking Game, 2018, GameSec.

[23] Radha Poovendran, et al. A Game Theoretic Approach for Dynamic Information Flow Tracking with Conditional Branching, 2019, 2019 American Control Conference (ACC).

[24] Radha Poovendran, et al. A Game-Theoretic Approach for Dynamic Information Flow Tracking to Detect Multistage Advanced Persistent Threats, 2018, IEEE Transactions on Automatic Control.