Multi-Defender Strategic Filtering Against Spear-Phishing Attacks

Spear-phishing attacks pose a serious threat to sensitive computer systems, since they sidestep technical security mechanisms by exploiting the carelessness of authorized users. A common way to mitigate such attacks is to use e-mail filters which block e-mails with a maliciousness score above a chosen threshold. Optimal choice of such a threshold involves a tradeoff between the risk from delivered malicious e-mails and the cost of blocking benign traffic. A further complicating factor is the strategic nature of an attacker, who may selectively target users offering the best value in terms of likelihood of success and resulting access privileges. Previous work on strategic threshold-selection considered a single organization choosing thresholds for all users. In reality, many organizations are potential targets of such attacks, and their incentives need not be well aligned. We therefore consider the problem of strategic threshold-selection by a collection of independent self-interested users. We characterize both Stackelberg multi-defender equilibria, corresponding to short-term strategic dynamics, and Nash equilibria of the simultaneous game between all users and the attacker, modeling long-term dynamics, and exhibit a polynomial-time algorithm for computing short-term (Stackelberg) equilibria. We find that while Stackelberg multi-defender equilibrium need not exist, Nash equilibrium always exists, and remarkably, both equilibria are unique and socially optimal.
