Optimizing honeypot strategies against dynamic lateral movement using partially observable stochastic games

Abstract: Partially observable stochastic games (POSGs) are a general game-theoretic model for dynamic interactions in which players have only partial information. Existing algorithms for solving subclasses of POSGs have theoretical guarantees of converging to approximately optimal strategies, but their scalability is limited and they cannot be applied directly to games of realistic size. In our problem, the attacker moves laterally through the network to reach a specific host, while the defender tries to detect the attacker by dynamically reallocating honeypots. We show that restricting to this domain allows us to substantially improve existing algorithms: (1) we formulate a compact representation of the uncertainty the defender faces, and (2) we exploit an incremental strategy-generation method that expands the players' available actions over successive iterations. Experimental evaluation shows that our algorithms scale several orders of magnitude better than the existing state of the art.
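As an added illustration, not code from the paper, the following Python toy shows the incremental strategy-generation idea from point (2) on a lateral-movement graph: both players start with a single action and the restricted game is grown only when a best-response oracle finds an excluded action that beats the current restricted equilibrium. Everything here is an assumption for the sake of the example: a constructed five-host network, a one-shot zero-sum matrix game in place of the paper's partially observable stochastic game (so the defender's uncertainty from point (1) is not modelled), regret matching as the restricted-game solver instead of a linear program, and brute-force oracles over the enumerated action sets.

```python
# Added toy example (standard library only): double oracle for honeypot
# placement against lateral movement.  Not the paper's algorithm.
from itertools import combinations

# Constructed network (assumption): the attacker enters at 'dmz', wants 'db';
# a, b, c are the only possible pivot hosts, and a and b are also linked.
NETWORK = {"dmz": ["a", "b", "c"], "a": ["b", "db"], "b": ["a", "db"],
           "c": ["db"], "db": []}
ENTRY, TARGET = "dmz", "db"
HONEYPOTS = 1  # honeypots the defender may deploy at once


def simple_paths(graph, src, dst):
    """Attacker's full action set: every simple path src -> dst, shortest first."""
    paths, stack = [], [(src, (src,))]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in graph[node]:
            if nxt not in path:
                stack.append((nxt, path + (nxt,)))
    return sorted(paths, key=lambda p: (len(p), p))


def placements(graph, k):
    """Defender's full action set: k-subsets of hosts other than entry and target."""
    hosts = sorted(h for h in graph if h not in (ENTRY, TARGET))
    return [frozenset(c) for c in combinations(hosts, k)]


def payoff(placement, path):
    """Defender utility: +1 if the path crosses a honeypot (attacker caught), else -1."""
    return 1 if placement & set(path) else -1


def _regret_matching(regrets):
    positive = [max(r, 0.0) for r in regrets]
    total = sum(positive)
    return [r / total for r in positive] if total > 0 else [1.0 / len(regrets)] * len(regrets)


def solve_zero_sum(matrix, iters=30000):
    """Approximate minimax solution by regret matching self-play.  matrix[i][j] is the
    row (defender) payoff; the column player (attacker) minimises.  Returns the
    time-averaged strategies and the value from the defender's point of view."""
    m, n = len(matrix), len(matrix[0])
    reg_r, reg_c, sum_r, sum_c = [0.0] * m, [0.0] * n, [0.0] * m, [0.0] * n
    for _ in range(iters):
        p, q = _regret_matching(reg_r), _regret_matching(reg_c)
        row_u = [sum(matrix[i][j] * q[j] for j in range(n)) for i in range(m)]
        col_u = [sum(matrix[i][j] * p[i] for i in range(m)) for j in range(n)]
        u = sum(p[i] * row_u[i] for i in range(m))
        for i in range(m):
            reg_r[i] += row_u[i] - u   # gain a pure row would have had
            sum_r[i] += p[i]
        for j in range(n):
            reg_c[j] += u - col_u[j]   # loss a pure column would have avoided
            sum_c[j] += q[j]
    p, q = [x / iters for x in sum_r], [x / iters for x in sum_c]
    value = sum(p[i] * matrix[i][j] * q[j] for i in range(m) for j in range(n))
    return p, q, value


def best_excluded(candidates, mix, actions, util):
    """Brute-force oracle: candidate maximising expected util against the opponent's mix."""
    best, best_u = None, float("-inf")
    for cand in candidates:
        u = sum(w * util(cand, act) for w, act in zip(mix, actions))
        if u > best_u:
            best, best_u = cand, u
    return best, best_u


def double_oracle(all_placements, all_paths, eps=0.02):
    """Seed each player with one action; add an excluded action only when it beats
    the restricted equilibrium by more than eps.  Stops when neither oracle improves."""
    rows, cols, rounds = [all_placements[0]], [all_paths[0]], 0
    while True:
        rounds += 1
        matrix = [[payoff(r, c) for c in cols] for r in rows]
        p, q, value = solve_zero_sum(matrix)
        grew = False
        new_row, u_row = best_excluded([r for r in all_placements if r not in rows],
                                       q, cols, payoff)
        if new_row is not None and u_row > value + eps:
            rows.append(new_row)
            grew = True
        new_col, u_col = best_excluded([c for c in all_paths if c not in cols],
                                       p, rows, lambda path, plc: -payoff(plc, path))
        if new_col is not None and -u_col < value - eps:  # attacker lowers defender value
            cols.append(new_col)
            grew = True
        if not grew:
            return {"placements": rows, "paths": cols, "defender_mix": p,
                    "attacker_mix": q, "value": value, "rounds": rounds}


if __name__ == "__main__":
    res = double_oracle(placements(NETWORK, HONEYPOTS), simple_paths(NETWORK, ENTRY, TARGET))
    print(f"rounds={res['rounds']} value={res['value']:.3f} "
          f"placements={[sorted(r) for r in res['placements']]} paths={res['paths']}")
```

On this network the attacker has five simple paths and the defender three placements, but the loop terminates after five rounds with only the three single-pivot paths in the game: the two paths that cross both a and b are never generated because the oracle never finds them profitable. The defender ends up mixing uniformly over a, b and c, for a game value of about -1/3 (the attacker is caught one time in three). The same stop rule (no excluded action improves on the restricted equilibrium by more than eps) is what lets strategy generation avoid enumerating the full action sets on larger graphs.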
