A Game-Theoretic Approach to Respond to Attacker Lateral Movement

In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually to enable decisions on response actions and thwart attacks. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral-movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
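The following is an added toy illustration of the abstract's pipeline (services graph, monitoring-labelled lateral-movement edges, defender-vs-attacker matrix game, saddle-point solution); it is not the paper's engine or code. It assumes an undirected host graph, that the defender's response action is to isolate one suspect edge, and that the payoff is the number of hops left between the attacker and the sensitive node (the delay the abstract aims to maximise).

```python
from collections import deque

# Constructed toy network services graph (assumption: undirected service edges between hosts).
SERVICES = {frozenset(e) for e in [("web", "app"), ("app", "db"), ("web", "file"),
                                   ("file", "admin"), ("admin", "db")]}
SENSITIVE = "db"       # node the defender must keep the attacker away from
ATTACKER_AT = "web"    # attacker's current foothold, as reported by monitoring
# Edges that monitoring labelled as possible lateral-movement channels (constructed).
SUSPECT_EDGES = [frozenset(("web", "app")), frozenset(("web", "file"))]

def hops_to_target(graph, start, target):
    """BFS hop count from start to target; unreachable counts as len(nodes) + 1 (contained)."""
    nodes = {n for e in graph for n in e}
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in {n for e in graph if node in e for n in e} - seen:
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return len(nodes) + 1

def payoff_matrix(graph, suspect, attacker_at, target):
    """Rows: defender isolates one suspect edge (assumed response action). Columns: attacker
    moves along one. Entry: hops left from the attacker's new position to the target."""
    matrix = []
    for blocked in suspect:
        cut = graph - {blocked}
        row = []
        for move in suspect:
            # A move over the isolated edge fails, so the attacker stays on the foothold.
            pos = attacker_at if move == blocked else next(n for n in move if n != attacker_at)
            row.append(hops_to_target(cut, pos, target))
        matrix.append(row)
    return matrix

def solve_matrix_game(matrix):
    """Pure saddle point (value, row, col) if maximin == minimax; otherwise the defender's
    maximin security row with col None (a mixed strategy would need an LP solve)."""
    maximin, i = max((min(r), k) for k, r in enumerate(matrix))
    minimax, j = min((max(c), k) for k, c in enumerate(zip(*matrix)))
    return (maximin, i, j) if maximin == minimax else (maximin, i, None)

def recommend(graph=SERVICES, suspect=SUSPECT_EDGES, attacker_at=ATTACKER_AT, target=SENSITIVE):
    matrix = payoff_matrix(graph, suspect, attacker_at, target)
    value, i, j = solve_matrix_game(matrix)
    return {"matrix": matrix, "value": value, "isolate": tuple(sorted(suspect[i])),
            "attacker_move": None if j is None else tuple(sorted(suspect[j]))}

if __name__ == "__main__":
    print(recommend())
```

On this graph the game has a pure saddle point: isolating the web-app edge guarantees the attacker stays at least two hops from the sensitive node whatever move it picks.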
