Dynamic Defense against Stealth Malware Propagation in Cyber-Physical Systems: A Game-Theoretical Framework

Stealth malware is a representative tool of advanced persistent threat (APT) attacks and poses an increasing threat to cyber-physical systems (CPS). Because of its stealthy and evasive techniques, stealth malware usually renders conventional heavy-weight countermeasures inapplicable. Light-weight countermeasures, on the other hand, can help retard the spread of stealth malware, but their side effects may violate the primary safety requirement of CPS. Hence, defenders need to balance the gain and loss of deploying light-weight countermeasures, which is normally a challenging task. To address this challenge, we model the persistent anti-malware process as a shortest-path tree interdiction (SPTI) Stackelberg game in both a static version (SSPTI) and a multi-stage dynamic version (DSPTI), and introduce the safety requirements of CPS as constraints in the defender's decision model. The attacker aims to penetrate the CPS stealthily at the lowest cost (e.g., time, effort) by selecting the optimal network links along which to spread, while the defender aims to retard the malware epidemic as much as possible. Both games are modeled as bi-level integer programs and proved to be NP-hard. We then develop a Benders decomposition algorithm to compute the Stackelberg equilibrium of SSPTI, and design a model predictive control (MPC) strategy that solves DSPTI approximately by sequentially solving a (1+δ)-approximation of SSPTI. Extensive experiments compare the proposed algorithms and strategies with existing ones on both static and dynamic performance metrics. The results demonstrate the efficiency of the proposed algorithms and strategies on both simulated and real-case-based CPS networks. Furthermore, the proposed dynamic defense framework achieves a balance between fail-secure ability and fail-safe ability while retarding stealth malware propagation in CPS.
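The static game described above, as an added illustrative example that is not the paper's code or its exact formulation: the defender (leader) may slow at most BUDGET links by DELAY units of attacker cost each, modelling a light-weight countermeasure that retards rather than blocks; the attacker (follower) then spreads along the cheapest entry-to-target path. The CPS safety requirement is modelled as a set of PROTECTED links that must not be slowed. The network, node names, costs, DELAY, BUDGET and PROTECTED are all constructed for the example. The defender's problem is solved by brute force over link subsets (the paper proves it NP-hard and uses Benders decomposition instead); the attacker's best response is a Dijkstra run.

```python
"""Toy shortest-path interdiction (Stackelberg) game on a constructed CPS graph.

Defender (leader) slows up to BUDGET links by DELAY each; the attacker (follower)
then spreads along the cheapest SRC->DST path. Links in PROTECTED model the CPS
safety requirement: slowing them is not allowed. Brute force over the defender's
choices (fine for a toy graph); the attacker's response is one Dijkstra run.
"""
import heapq
from itertools import combinations

# Constructed example network (not from the paper): directed links (u, v, cost),
# where cost is the attacker's effort to traverse the link.
EDGES = [
    ("entry", "hmi", 1), ("entry", "eng", 3), ("hmi", "plc1", 1),
    ("eng", "plc1", 1), ("hmi", "plc2", 4), ("plc1", "plc2", 1),
]
SRC, DST = "entry", "plc2"
DELAY = 3                          # extra cost imposed by a light-weight countermeasure
BUDGET = 2                         # number of links the defender may slow
PROTECTED = {("plc1", "plc2")}     # assumed safety-critical fieldbus link: must not be slowed


def shortest_path(edges, interdicted, src, dst, delay):
    """Attacker's best response: cheapest src->dst cost (inf if unreachable)
    when every link in `interdicted` costs `delay` more than nominal."""
    adj = {}
    for u, v, c in edges:
        adj.setdefault(u, []).append((v, c + delay if (u, v) in interdicted else c))
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for v, w in adj.get(u, []):
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return float("inf")


def best_interdiction(edges, budget, protected, src, dst, delay):
    """Defender's problem: choose at most `budget` unprotected links that
    maximise the attacker's shortest-path cost. Returns (cost, chosen links)."""
    candidates = [(u, v) for u, v, _ in edges if (u, v) not in protected]
    best_cost = shortest_path(edges, frozenset(), src, dst, delay)
    best_set = frozenset()
    for k in range(1, min(budget, len(candidates)) + 1):
        for chosen in combinations(candidates, k):
            cost = shortest_path(edges, frozenset(chosen), src, dst, delay)
            if cost > best_cost:
                best_cost, best_set = cost, frozenset(chosen)
    return best_cost, best_set


if __name__ == "__main__":
    base = shortest_path(EDGES, frozenset(), SRC, DST, DELAY)
    safe_cost, safe_set = best_interdiction(EDGES, BUDGET, PROTECTED, SRC, DST, DELAY)
    free_cost, free_set = best_interdiction(EDGES, BUDGET, set(), SRC, DST, DELAY)
    print(f"no defence:             attacker cost {base}")
    print(f"with safety constraint: attacker cost {safe_cost}, slow {sorted(safe_set)}")
    print(f"ignoring safety:        attacker cost {free_cost}, slow {sorted(free_set)}")
```

On this graph the undefended attacker reaches plc2 at cost 3. Respecting the safety constraint, the best the defender can do with two interdictions is raise that to 6 (slowing entry→hmi and entry→eng); ignoring it, the defender could reach 8, but only by slowing the protected fieldbus link. That gap is the gain-versus-loss trade-off the abstract refers to: the constraint costs the defender fail-secure strength in exchange for keeping the plant fail-safe.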
