Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.149

2008-01-01

Abstract:This paper analyzes information security in the E-commerce based on game theory, and this game analysis method is applied to information security for the first time. We set up the information security game model of the defender and the attacker, make the equilibrium analysis of this game model, and get the ideal strategy combination. Then we introduce the penalty parameter of the defender and the penalty parameter of the attacker to solve the problem that the restriction condition is not satisfied. The introduction of the penalty parameter of the defender promotes the defender to invest in information security, and the introduction of the penalty parameter of the attacker promotes the attacker to take no attack strategy. This paper provides good reference for information security in the E-commerce.

Erick Galinkin,John Carter,Spiros Mancoridis

DOI: https://doi.org/10.48550/arXiv.2109.11592

2021-09-23

Cryptography and Security

Abstract:In cybersecurity, attackers range from brash, unsophisticated script kiddies and cybercriminals to stealthy, patient advanced persistent threats. When modeling these attackers, we can observe that they demonstrate different risk-seeking and risk-averse behaviors. This work explores how an attacker's risk seeking or risk averse behavior affects their operations against detection-optimizing defenders in an Internet of Things ecosystem. Using an evaluation framework which uses real, parametrizable malware, we develop a game that is played by a defender against attackers with a suite of malware that is parameterized to be more aggressive and more stealthy. These results are evaluated under a framework of exponential utility according to their willingness to accept risk. We find that against a defender who must choose a single strategy up front, risk-seeking attackers gain more actual utility than risk-averse attackers, particularly in cases where the defender is better equipped than the two attackers anticipate. Additionally, we empirically confirm that high-risk, high-reward scenarios are more beneficial to risk-seeking attackers like cybercriminals, while low-risk, low-reward scenarios are more beneficial to risk-averse attackers like advanced persistent threats.

Giovanni Bottazzi,Gianluigi Me

DOI: https://doi.org/10.1145/2659651.2659673

2014-01-01

Abstract:Botnets have always been an insidious threat. The development of the "Internet Of Things" and its for-profit exploitation contributed to botnets spread and sophistication, but also to the rise of maturity of both organizations and business models behind them. Cybercrime market had a recent major leap in quality, starting from payload development (malware), sophisticated enough to allow a high degree of customization and polymorphism, subsequently used by organizations more and more structured and specialized to provide real, efficient and profitable criminal cyberservices. The purpose of this paper is to describe the pillars of the supply chain of botnets, in order to highlight that the criminal market behind their spread is mature enough to prefer a revenue model based on service rentals, instead of direct monolithic implementation. We also describe a possible measure of botnets effectiveness in order to identify vulnerabilities. As we will see, an extension of the Pay-Per-Install business model (widely used) throughout the whole supply chain, is the natural evolution of what has already happened in the spread of many botnets, allowing the low-risk growth of other productive borderline sectors. This should be considered, in our opinion, as one of the major concern about the future trends of botnets diffusion and would simply confirm the maturity of this market in its recent meaning of "Cybercrime-As-a-Service".

Erick Galinkin

DOI: https://doi.org/10.48550/arXiv.2107.14578

2021-07-30

Cryptography and Security

Abstract:Ransomware is a growing threat to individuals and enterprises alike, constituting a major factor in cyber insurance and in the security planning of every organization. Although the game theoretic lens often frames the game as a competition between equals -- a profit maximizing attacker and a loss minimizing defender -- the reality of many situations is that ransomware organizations are not playing a non-cooperative game, they are playing a lottery. The wanton behavior of attackers creates a situation where many victims are hit more than once by ransomware operators, sometimes even by the same group. If defenders wish to combat malware, they must then seek to remove the incentives of it. In this work, we construct an expected value model based on data from actual ransomware attacks and identify three variables: the value of payments, the cost of an attack, and the probability of payment. Using this model, we consider the potential to manipulate these variables to reduce the profit motive associated with ransomware attack. Based on the model, we present mitigations to encourage an environment that is hostile to ransomware operators. In particular, we find that off-site backups and government incentives for their adoption are the most fruitful avenue for combating ransomware.

Aaron Zimba,

DOI: https://doi.org/10.5815/ijcnis.2022.01.03

2021-02-08

International Journal of Computer Network and Information Security

Abstract:According to Cybersecurity Ventures, the damage related to cybercrime is projected to reach $6 trillion annually by 2021. The majority of the cyberattacks are directed at financial institutions as this reduces the number of intermediaries that the attacker needs to attack to reach the target - monetary proceeds. Research has shown that malware is the preferred attack vector in cybercrimes targeted at banks and other financial institutions. In light of the above, this paper presents a Bayesian Attack Network modeling technique of cyberattacks in the financial sector that are perpetuated by crimeware. We use the GameOver Zeus malware for our use cases as it’s the most common type of malware in this domain. The primary targets of this malware are any users of financial services. Today, financial services are accessed using personal laptops, institutional computers, mobile phones and tablets, etc. All these are potential victims that can be enlisted to the malware’s botnet. In our approach, phishing emails as well as Common Vulnerabilities and Exposures (CVEs) which are exhibited in various systems are employed to derive conditional probabilities that serve as inputs to the modeling technique. Compared to the state-of-the-art approaches, our method generates probability density curves of various attack structures whose semantics are applied in the mitigation process. This is based on the level exploitability that is deduced from the vertex degrees of the compromised nodes that characterizes the probability density curves.

Aron Laszka,Sadegh Farhang,Jens Grossklags

DOI: https://doi.org/10.48550/arXiv.1707.06247

2017-08-22

Abstract:While recognized as a theoretical and practical concept for over 20 years, only now ransomware has taken centerstage as one of the most prevalent cybercrimes. Various reports demonstrate the enormous burden placed on companies, which have to grapple with the ongoing attack waves. At the same time, our strategic understanding of the threat and the adversarial interaction between organizations and cybercriminals perpetrating ransomware attacks is lacking. In this paper, we develop, to the best of our knowledge, the first game-theoretic model of the ransomware ecosystem. Our model captures a multi-stage scenario involving organizations from different industry sectors facing a sophisticated ransomware attacker. We place particular emphasis on the decision of companies to invest in backup technologies as part of a contingency plan, and the economic incentives to pay a ransom if impacted by an attack. We further study to which degree comprehensive industry-wide backup investments can serve as a deterrent for ongoing attacks.

Cryptography and Security

El Mehdi Kandoussi,Adam Houmairi,Iman El Mir,Mostafa Bellafkih

DOI: https://doi.org/10.1007/s10586-024-04604-2

2024-06-15

Cluster Computing

Abstract:Security challenges in complex information technologies continue to grow and diversify. To improve network security, many researchers have explored the game theoretic approach as a hopeful modeling tool. Knowing that the attacker can take advantage of vulnerabilities and explore existing weaknesses in the network configuration to gain access to the system for a successful attack, our objective is to benefit from virtual machines' migration as a moving target defense technique and honeypot as a deceiving technique to increase the attack surface's dynamicity. This paper presents a game-theoretic framework for modeling attack-defense interaction. A model based on incomplete information game and attack graph is developed. Our main findings reveal in which case migration of virtual machines should be established in a architecture where a honeypot is deployed and identify the potential attack paths based on system security parameters. This provides network administrators with the ability to find unsecure nodes, avoid negative externality and more precisely inefficient migrations which impact the quality of service.

computer science, information systems, theory & methods

Don Maclean

DOI: https://doi.org/10.69554/ekap1025

2020-06-01

Abstract:In cyberspace, warfare is asymmetric. It takes only a small army of well-trained hackers to inflict major damage on a much larger adversary. Ironically, the inequity stems from standardisation. When bad actors find a vulnerability in a popular application or operating system, they can exploit it on millions of systems, yielding exponential reward for linear effort. The hacker’s advantage, then, is economic rather than technical. Unless and until we reverse this dynamic, the adversary will have the advantage. Moving target defence (MTD), also called polymorphic defence, has the potential to diminish the enemy’s asymmetric advantage. This paper surveys the major MTD technologies currently on the market and under development, with special attention to dynamic runtime environments. In particular, it explores how each technology might reverse, or at least mitigate, the economic leverage the enemy now exerts when discovering and exploiting vulnerabilities.

L. -F. Pau,L.-F. Pau

DOI: https://doi.org/10.48550/arXiv.1308.3693

2013-08-13

Computers and Society

Abstract:This paper gives an analytical method to determine the economic and indirect implications of denial of service and distributed denial of service attacks. It is based on time preference dynamics applied to the monetary mass for the restoration of capabilities, on long term investments to rebuild capabilities, and of the usability level of the capabilities after an attack. A simple illustrative example is provided for a denial of service on a corporate data centre. The needed data collection methodologies are categorized by classes of targets. The use of the method is explained in the context of legal or policy driven dissuasive, retaliation or compensation/ restoration actions. A concrete set of deployment cases in mobile communications services is discussed. The conclusion includes policy recommendations as well as information exchange requirements.

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1707.03708

2017-10-17

Abstract:While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, distributed denial-of-service (DDoS) attacks overload the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch "physical" denial-of-service attacks (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. In order to model the recruitment of bots, we develop a "Poisson signaling game," a signaling game with an unknown number of receivers, which have varying abilities to detect deception. Then we use a version of this game to analyze two mechanisms (legal and economic) to deter botnet recruitment. Equilibrium results indicate that 1) defenders can bound botnet activity, and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for proactive PDoS defense.

Cryptography and Security

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1705.00682

2017-10-17

Abstract:While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, DDoS attacks work by overflowing the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch a "physical" denial-of-service attack (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. To model the recruitment of bots, we extend a traditional game-theoretic concept and create a "Poisson signaling game." Then we analyze two different mechanisms (legal and economic) to deter botnet recruitment. We find that 1) defenders can bound botnet activity and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for designing proactive defense against PDoS attacks.

Cryptography and Security

Erick Galinkin,Emmanouil Pountourakis,Spiros Mancoridis

2024-09-28

Abstract:The well-worn George Box aphorism ``all models are wrong, but some are useful'' is particularly salient in the cybersecurity domain, where the assumptions built into a model can have substantial financial or even national security impacts. Computer scientists are often asked to optimize for worst-case outcomes, and since security is largely focused on risk mitigation, preparing for the worst-case scenario appears rational. In this work, we demonstrate that preparing for the worst case rather than the most probable case may yield suboptimal outcomes for learning agents. Through the lens of stochastic Bayesian games, we first explore different attacker knowledge modeling assumptions that impact the usefulness of models to cybersecurity practitioners. By considering different models of attacker knowledge about the state of the game and a defender's hidden information, we find that there is a cost to the defender for optimizing against the worst case.

Cryptography and Security,Artificial Intelligence

Zengguang Wang,Yu Lu,Xi Li,Wei Nie

DOI: https://doi.org/10.1504/ijsn.2020.106830

2020-01-01

International Journal of Security and Networks

Abstract:Existing passive defence methods cannot effectively guarantee network security; to solve this problem, a novel method is proposed that selects the optimal defence strategy. The network attack-defence process is modelled based on the Bayesian game. The payoff is quantified from the impact value of the attack-defence actions. The optimal defence strategy is selected that takes defence effectiveness as the criterion. The rationality and feasibility of the method are verified through a representative example, and the general rules of network defence are summarised. Compared to the classic strategy selection methods based on game theory, the proposed method can select the optimal strategy in the form of pure strategy by quantifying defence effectiveness, which was proven to perform better.

JIANG Jian,ZHUGE Jian-Wei,DUAN Hai-Xin,WU Jian-Ping

DOI: https://doi.org/10.3724/sp.j.1001.2012.04101

2012-01-01

Abstract:Botnets are one of the most serious threats to the Internet.Researchers have done plenty of research and made significant progress.However, botnets keep evolving and have become more and more sophisticated.Due to the underlying security limitation of current system and Internet architecture, and the complexity of botnet itself, how to effectively counter the global threat of botnets is still a very challenging issue.This paper first introduces the evolving of botnet's propagation, attack, command, and control mechanisms.Then the paper summarizes recent advances of botnet defense research and categorizes into five areas: Botnet monitoring, botnet infiltration, analysis of botnet characteristics, botnet detection and botnet disruption.The limitation of current botnet defense techniques, the evolving trend of botnet, and some possible directions for future research are also discussed.

Xu Chen,Wei Feng,Yantian Luo,Meng Shen,Ning Ge,Xianbin Wang

DOI: https://doi.org/10.1109/jiot.2021.3093538

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The link flooding attack (LFA) has emerged as a new category of distributed denial of service (DDoS) attacks in recent years. Along with the massive deployment of low-cost insecure Internet-of-Things (IoT) devices, the fast proliferation of IoT botnets dramatically increases the risk of LFAs. However, how to efficiently defend against LFAs in IoT still remains as an open problem. To overcome this challenge, we model the interaction between an LFA attacker and the network manager as a two-person Bayesian game in this article to precisely characterize the behaviors of both sides. Then, the rational behaviors of the attacker and the optimal strategies of the defender are unveiled by deriving the Bayesian Nash equilibrium (BNE). Inspired by the obtained BNEs, a cost-effective decision framework is proposed for the defender to make defense decisions. Furthermore, we numerically analyze the effect of all the related factors and present feasible suggestions to deter attack motivations fundamentally. Experimental results demonstrate that the proposed method not only consistently outperforms baseline methods in terms of the defender's utilities under different attack intensities, but also is robust to the changes in important parameters, including the value of benign traffic and the latency of traffic scrubbing.

computer science, information systems,telecommunications,engineering, electrical & electronic

LI Qing-peng,ZHENG Lian-qing,YANG Tong,ZHANG Chuan-rong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.01.016

2012-01-01

Abstract:For the sake of defensing Botnets,methods of bot programming and network structures are researched.A bot is designed by analyzing the functional structure and working mechanism of Botnet.The program is broken down into four modules that are scan module,exploit module,upload module and communicate module.Then the four modules are implemented by programming,and performance of bot is tested in lab environment,the data show that,botnet can achieve the desired results.Finally,some kinds of prevention measures are presented.

Jeremy Kepner,Jonathan Bernays,Stephen Buckley,Kenjiro Cho,Cary Conrad,Leslie Daigle,Keeley Erhardt,Vijay Gadepally,Barry Greene,Michael Jones,Robert Knake,Bruce Maggs,Peter Michaleas,Chad Meiners,Andrew Morris,Alex Pentland,Sandeep Pisharody,Sarah Powazek,Andrew Prout,Philip Reiner,Koichi Suzuki,Kenji Takahashi,Tony Tauber,Leah Walker,Douglas Stetson

DOI: https://doi.org/10.48550/arXiv.2201.06068

2022-01-16

Abstract:Adversarial Internet robots (botnets) represent a growing threat to the safe use and stability of the Internet. Botnets can play a role in launching adversary reconnaissance (scanning and phishing), influence operations (upvoting), and financing operations (ransomware, market manipulation, denial of service, spamming, and ad click fraud) while obfuscating tailored tactical operations. Reducing the presence of botnets on the Internet, with the aspirational target of zero, is a powerful vision for galvanizing policy action. Setting a global goal, encouraging international cooperation, creating incentives for improving networks, and supporting entities for botnet takedowns are among several policies that could advance this goal. These policies raise significant questions regarding proper authorities/access that cannot be answered in the abstract. Systems analysis has been widely used in other domains to achieve sufficient detail to enable these questions to be dealt with in concrete terms. Defeating botnets using an observe-pursue-counter architecture is analyzed, the technical feasibility is affirmed, and the authorities/access questions are significantly narrowed. Recommended next steps include: supporting the international botnet takedown community, expanding network observatories, enhancing the underlying network science at scale, conducting detailed systems analysis, and developing appropriate policy frameworks.

Cryptography and Security,Computers and Society,Networking and Internet Architecture,Social and Information Networks

Hampei Sasahara,Henrik Sandberg

DOI: https://doi.org/10.1109/TAC.2023.3340978

2023-12-07

Abstract:This paper addresses the question whether model knowledge can guide a defender to appropriate decisions, or not, when an attacker intrudes into control systems. The model-based defense scheme considered in this study, namely Bayesian defense mechanism, chooses reasonable reactions through observation of the system's behavior using models of the system's stochastic dynamics, the vulnerability to be exploited, and the attacker's objective. On the other hand, rational attackers take deceptive strategies for misleading the defender into making inappropriate decisions. In this paper, their dynamic decision making is formulated as a stochastic signaling game. It is shown that the belief of the true scenario has a limit in a stochastic sense at an equilibrium based on martingale analysis. This fact implies that there are only two possible cases: the defender asymptotically detects the attack with a firm belief, or the attacker takes actions such that the system's behavior becomes nominal after a finite time step. Consequently, if different scenarios result in different stochastic behaviors, the Bayesian defense mechanism guarantees the system to be secure in an asymptotic manner provided that effective countermeasures are implemented. As an application of the finding, a defensive deception utilizing asymmetric recognition of vulnerabilities exploited by the attacker is analyzed. It is shown that the attacker possibly stops the attack even if the defender is unaware of the exploited vulnerabilities as long as the defender's unawareness is concealed by the defensive deception.

Cryptography and Security,Computer Science and Game Theory,Systems and Control

Marc Lelarge,Jean Bolot

DOI: https://doi.org/10.48550/arXiv.0803.3455

2008-06-19

Abstract:Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper is to carefully model and quantify the impact of such externalities on the investment in, and deployment of, security features and protocols in a network. Specifically, we study a network of interconnected agents, which are subject to epidemic risks such as those caused by propagating viruses and worms, and which can decide whether or not to invest some amount to self-protect and deploy security solutions. We make three contributions in the paper. First, we introduce a general model which combines an epidemic propagation model with an economic model for agents which captures network effects and externalities. Second, borrowing ideas and techniques used in statistical physics, we introduce a Local Mean Field (LMF) model, which extends the standard mean-field approximation to take into account the correlation structure on local neighborhoods. Third, we solve the LMF model in a network with externalities, and we derive analytic solutions for sparse random graphs, for which we obtain asymptotic results. We explicitly identify the impact of network externalities on the decision to invest in and deploy security features. In other words, we identify both the economic and network properties that determine the adoption of security technologies.

Computer Science and Game Theory,Networking and Internet Architecture

Fei He,Jun Zhuang,Nageswara S. V. Rao

2012-01-01

Abstract:Critical infrastructures rely on cyber and physical components that are both subject to natural, incidental or intentional degradations. Game theory has been used in studying the strategic interactions between attackers and defenders for critical infrastructure protection, but has not been extensively used in complex cyber-physical networks. This paper fills the gap by modeling the probabilities of successful attacks in both cyber and physical spaces as functions of the number of components that are attacked and defended. The results show that the attack effort would first increase then decrease in (a) defense effort, (b) the probability of successful attack on each component, (c) the number of minimum required functioning resources, and (d) the maximum number of available resources. Comparing simultaneous and sequential games, our results show that the defender performs better when she moves first. Our research provides some novel insights into the survival of such infrastructures and optimal resource allocation under various costs and target valuations that players may have.