Ziqin Chen,Guanpu Chen,Yiguang Hong

DOI: https://doi.org/10.1142/s2301385024410152

2024-01-01

Unmanned Systems

Abstract:In this paper, we propose a game theory framework to solve advanced persistent threat problems, especially considering two types of insider threats: malicious and inadvertent. Within this framework, we establish a unified three-player game model and derive Nash equilibria in response to different types of insider threats. By analyzing these Nash equilibria, we provide quantitative solutions to advanced persistent threat problems pertaining to insider threats. Furthermore, we have conducted a comparative assessment of the optimal defense strategy and corresponding defender's costs between two types of insider threats. Interestingly, our findings advocate a more proactive defense strategy against inadvertent insider threats in contrast to malicious ones, despite the latter imposing a higher burden on the defender. Our theoretical results are substantiated by numerical results, which additionally include a detailed exploration of the conditions under which different insiders adopt risky strategies. These conditions can serve as guiding indicators for the defender when calibrating their monitoring intensities and devising defensive strategies.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.1016/j.cose.2019.101660

2019-11-05

Abstract:Advanced Persistent Threats (APTs) have recently emerged as a significant security challenge for a cyber-physical system due to their stealthy, dynamic and adaptive nature. Proactive dynamic defenses provide a strategic and holistic security mechanism to increase the costs of attacks and mitigate the risks. This work proposes a dynamic game framework to model a long-term interaction between a stealthy attacker and a proactive defender. The stealthy and deceptive behaviors are captured by the multi-stage game of incomplete information, where each player has his own private information unknown to the other. Both players act strategically according to their beliefs which are formed by the multi-stage observation and learning. The perfect Bayesian Nash equilibrium provides a useful prediction of both players' policies because no players benefit from unilateral deviations from the equilibrium. We propose an iterative algorithm to compute the perfect Bayesian Nash equilibrium and use the Tennessee Eastman process as a benchmark case study. Our numerical experiment corroborates the analytical results and provides further insights into the design of proactive defense-in-depth strategies.

Computer Science and Game Theory,Cryptography and Security

Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1809.02227

2018-09-07

Abstract:Advanced Persistent Threats (APTs) have created new security challenges for critical infrastructures due to their stealthy, dynamic, and adaptive natures. In this work, we aim to lay a game-theoretic foundation by establishing a multi-stage Bayesian game framework to capture incomplete information of deceptive APTs and their multi-stage multi-phase movement. The analysis of the perfect Bayesian Nash equilibrium (PBNE) enables a prediction of attacker's behaviors and a design of defensive strategies that can deter the adversaries and mitigate the security risks. A conjugate-prior method allows online computation of the belief and reduces Bayesian update into an iterative parameter update. The forwardly updated parameters are assimilated into the backward dynamic programming computation to characterize a computationally tractable and time-consistent equilibrium solution based on the expanded state space. The Tennessee Eastman (TE) process control problem is used as a case study to demonstrate the dynamic game under the information asymmetry and show that APTs tend to be stealthy and deceptive during their transitions in the cyber layer and behave aggressively when reaching the targeted physical plant. The online update of the belief allows the defender to learn the behavior of the attacker and choose strategic defensive actions that can thwart adversarial behaviors and mitigate APTs. Numerical results illustrate the defender's tradeoff between the immediate reward and the future expectation as well as the attacker's goal to reach an advantageous system state while making the defender form a positive belief.

Computer Science and Game Theory

Stefan Rass,Sandra König,Stefan Schauer

DOI: https://doi.org/10.1371/journal.pone.0168675

2022-05-02

Abstract:Advanced persistent threats (APT) combine a variety of different attack forms ranging from social engineering to technical exploits. The diversity and usual stealthiness of APT turns them into a central problem of contemporary practical system security, since information on attacks, the current system status or the attacker's incentives is often vague, uncertain and in many cases even unavailable. Game theory is a natural approach to model the conflict between the attacker and the defender, and this work investigates a generalized class of matrix games as a risk mitigation tool for an APT defense. Unlike standard game and decision theory, our model is tailored to capture and handle the full uncertainty that is immanent to APT, such as disagreement among qualitative expert risk assessments, unknown adversarial incentives and uncertainty about the current system state (in terms of how deeply the attacker may have penetrated into the system's protective shells already). Practically, game-theoretic APT models can be derived straightforwardly from topological vulnerability analysis, together with risk assessments as they are done in common risk management standards like the ISO 31000 family. Theoretically, these models come with different properties than classical game theoretic models, whose technical solution presented in this work may be of independent interest.

Cryptography and Security,Computer Science and Game Theory

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Shuxin Li,Xiaohong Li,Jianye Hao,Bo An,Zhiyong Feng,Kangjie Chen,Chengwei Zhang

DOI: https://doi.org/10.24963/ijcai.2017/523

2017-01-01

Abstract:The Man-in-the-Middle (MITM) attack has become widespread in networks nowadays. The MITM attack would cause serious information leakage and result in tremendous loss to users. Previous work applies game theory to analyze the MITM attack-defense problem and computes the optimal defense strategy to minimize the total loss. It assumes that all defenders are cooperative and the attacker know defenders' strategies beforehand. However, each individual defender is rational and may not have the incentive to cooperate. Furthermore, the attacker can hardly know defenders' strategies ahead of schedule in practice. To this end, we assume that all defenders are self-interested and model the MITM attack-defense scenario as a simultaneous-move game. Nash equilibrium is adopted as the solution concept which is proved to be always unique. Given the impracticability of computing Nash equilibrium directly, we propose practical adaptive algorithms for the defenders and the attacker to learn towards the unique Nash equilibrium through repeated interactions. Simulation results show that the algorithms are able to converge to Nash equilibrium strategy efficiently.

Chaitanya Joshi,Jesus Rios Aliaga,David Rios Insua

DOI: https://doi.org/10.1109/tifs.2020.3029898

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Insider threats entail major security issues in many organizations. Game theoretic models of insider threats so far proposed do not take into account important factors such as the organizational culture and whether the attacker was detected or not. They also fail to model defensive mechanisms already put in place by an organization to mitigate insider attacks. We propose two new models which incorporate these settings and, hence, are more realistic, and use adversarial risk analysis to find their solutions. Our models and solutions are general and can be applied to most insider threat scenarios. A data security example illustrates the discussion.

computer science, theory & methods,engineering, electrical & electronic

Kun Lv,Yun Chen,Changzhen Hu

DOI: https://doi.org/10.1016/j.inffus.2019.01.001

IF: 18.6

2019-01-01

Information Fusion

Abstract:Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times.

Xiaohong Li,Shuxin Li,Jianye Hao,Zhiyong Feng,Bo An

DOI: https://doi.org/10.1609/aaai.v31i1.10565

2017-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:The Man-In-The-Middle (MITM) attack is one of the most common attacks employed in the network hacking. MITM attackers can successfully invoke attacks such as denial of service (DoS) and port stealing, and lead to surprisingly harmful consequences for users in terms of both financial loss and security issues. The conventional defense approaches mainly consider how to detect and eliminate those attacks or how to prevent those attacks from being launched in the first place. This paper proposes a game-theoretic defense strategy from a different perspective, which aims at minimizing the loss that the whole system sustains given that the MITM attacks are inevitable. We model the interaction between the attacker and the defender as a Stackelberg security game and adopt the Strong Stackelberg Equilibrium (SSE) as the defender's strategy. Since the defender's strategy space is infinite in our model, we employ a novel method to reduce the searching space of computing the optimal defense strategy. Finally, we empirically evaluate our optimal defense strategy by comparing it with non-strategic defense strategies. The results indicate that our game-theoretic defense strategy significantly outperforms other non-strategic defense strategies in terms of decreasing the total losses against MITM attacks.

Yang Qin,Xiaofan Yang,Lu-Xing Yang,Kaifan Huang

DOI: https://doi.org/10.1016/j.cose.2024.104003

IF: 5.105

2024-01-01

Computers & Security

Abstract:Advanced persistent threat (APT) poses serious threat to organizations with rich digital assets. APT detection programs designed for quickly finding possibly hijacked hosts are now commercially available. This greatly reduces the workload of APT defense. In practice, the identification and repair of APT-hijacked hosts are out of a system administrator’s capability and have to be outsourced to an established cybersecurity firm. Owing to the limited security budget, the APT defense can be outsourced only in a small number of maintenance periods. We refer to the sequence of outsourcing costs paid in these maintenance periods as an impulsive defense (ID) strategy. On the other hand, APT is time-continuous. We refer to the growth rate function of the attack cost over time as a continuous attack (CA) strategy. In the context that the APT actor is strategic and pursues a cost-effective CA strategy, the organization faces the problem of finding a cost-effective ID strategy (the single-impulsive defense (SID) problem). This paper addresses the SID problem through game-theoretic modeling. Based on an impulsive state evolutionary model, the SID problem is boiled down to a single-impulsive differential game model (the SID model). By applying single-impulsive differential game theory, an iterative algorithm of solving the SID problem is presented. The ID strategy obtained by running the algorithm is corroborated to be cost-effective under the Nash equilibrium solution concept. Therefore, we recommend the ID strategy. This work takes the first step toward the theoretic study of APT defense outsourcing in the presence of strategic attacker.

Hao Wu,Wei Wang,Changyun Wen,Zhengguo Li

DOI: https://doi.org/10.1016/j.ins.2018.04.051

IF: 8.1

2018-01-01

Information Sciences

Abstract:In this paper, a game theoretical analysis method is presented to provide the optimal security detection strategies for heterogeneous networked systems. A two-stage game model is firstly established, in which the attacker and defender are considered as two players. In the first stage, the two players make decisions on whether to execute the attack/monitoring actions or to keep silence for each network unit. In the second stage, two important strategic varibles, i.e. the attack intensity and detection threshold, are cautiously determined. The necessary and sufficient conditions to ensure the existence of the Nash equilibriums for the game with complete information are rigorously analyzed. The results reflect that with limited resources and capacities, the defender (attacker) tends to perform defense (attack) actions and further allocate more defense (less attack) resources to the units with larger assets. Besides, Bayesian and robust Nash equilibrium analysis is provided for the game with incomplete information. Finally, a sampling based Nash equilibrium verification and calculation approach is proposed for the game model with continuous kernels. Thus the convexity restrictions can be relaxed and the computational complexity is effectively reduced, with comparison to the existing recursive calculation methods. Numerical examples are given to validate our theoretical results.

Jing Zhang,Shifei Shen,Rui Yang

DOI: https://doi.org/10.1108/03684921011043279

IF: 2.352

2013-01-01

Kybernetes

Abstract:Purpose - The purpose of this paper is to focus on resource allocation and information disclosure policy for defending multiple targets against intentional attacks. The intentional attacks, like terrorism events, probably cause great losses and fatalities. Attackers and defenders usually make decisions based on incomplete information. Adaptive attacking and defending strategies are considered, to study how both sides make more effective decisions according to previous fights. Design/methodology/approach - A stochastic game-theoretic approach is proposed for modeling attacker-defender conflicts. Attackers and defenders are supposed both to be strategic decision makers and partially aware of adversary's information. Adaptive strategies are compared with different inflexible strategies in a fortification-patrol problem, where the fortification affects the security vulnerability of targets and the patrol indicates the defensive signal. Findings - The result shows that the intentional risk would be elevated by adaptive attack strategies. An inflexible defending strategy probably fails when facing uncertainties of adversary. It is shown that the optimal response of defenders is to adjust defending strategies by learning from previous games and assessing behaviors of adversaries to minimize the expected loss. Originality/value - This paper explores how adaptive strategies affect attacker-defender conflicts. The key issue is defense allocation and information disclosure policy for mitigation of intentional threats. Attackers and defenders can adjust their strategies by learning from previous fights, and the strategic adjustment of both sides may be asynchronous.

Keyang Wang,Shaobo Zhou,Yao Yao,Qi Sun,Yintao Wang

DOI: https://doi.org/10.1049/cth2.12630

IF: 2.67

2024-02-27

IET Control Theory and Applications

Abstract:This paper considers the problem of a defender agent to guard the target area being attacked by a hostile agent. There are two different agents‐intruder and defender in this game. The purpose of the defender is to prevent the intruder from approaching the target and if possible, catch the intruder. This paper considers the problem of a defender agent to guard the target area being attacked by a hostile agent. There are two different agents‐intruder and defender here. The purpose of the defender is to prevent the intruder from approaching the target and if possible, catch the intruder. As the guardian object of the defender, the target area also obstructs its free movement. Therefore, a new geometric method is proposed to solve the problem. Firstly, the winning zones are constructed for the agents using two different methods. When the defender's initial position is in the defender's winning zone, the defender can capture the intruder. When the initial position of the defender is in the winning zone of the intruder, the intruder can successfully attack the target. Subsequently, a method is proposed for determining the dominance region boundary under the influence of target obstruction. Also, the winner can be ascertained by observing whether the dominance region boundary intersects the target area. The optimal strategy is then given according to the different payoff functions. Finally, some examples show the effectiveness of the method. In addition, the conditions and limitations for applying this method to other convex targets are provided.

automation & control systems,engineering, electrical & electronic,instruments & instrumentation

Hao Yan,Qianzhen Zhang,Junjie Xie,Ziyue Lu,Sheng Chen,Deke Guo

DOI: https://doi.org/10.1109/ICPADS53394.2021.00062

2021-01-01

Abstract:The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the ...

Zixuan Wang,Jiliang Li,Yuntao Wang,Zhou Su,Shui Yu,Weizhi Meng

2023-09-01

Abstract:Advanced persistent threat (APT) is a kind of stealthy, sophisticated, and long-term cyberattack that has brought severe financial losses and critical infrastructure damages. Existing works mainly focus on APT defense under stable network topologies, while the problem under time-varying dynamic networks (e.g., vehicular networks) remains unexplored, which motivates our work. Besides, the spatiotemporal dynamics in defense resources, complex attackers' lateral movement behaviors, and lack of timely defense make APT defense a challenging issue under time-varying networks. In this paper, we propose a novel game-theoretical APT defense approach to promote real-time and optimal defense strategy-making under both periodic time-varying and general time-varying environments. Specifically, we first model the interactions between attackers and defenders in an APT process as a dynamic APT repair game, and then formulate the APT damage minimization problem as the precise prevention and control (PPAC) problem. To derive the optimal defense strategy under both latency and defense resource constraints, we further devise an online optimal control-based mechanism integrated with two backtracking-forward algorithms to fastly derive the near-optimal solution of the PPAC problem in real time. Extensive experiments are carried out, and the results demonstrate that our proposed scheme can efficiently obtain optimal defense strategy in 54481 ms under seven attack-defense interactions with 9.64$\%$ resource occupancy in stimulated periodic time-varying and general time-varying networks. Besides, even under static networks, our proposed scheme still outperforms existing representative APT defense approaches in terms of service stability and defense resource utilization.

Computer Science and Game Theory

Wenjun Ma,Weiru Liu,Paul Miller,Xudong Luo

2014-01-01

Abstract:Threat intervention with limited security resources is a challenging problem. An optimal strategy is to eectively predict attackers’ targets (or goals) based on current available information, and use such predictions to disrupt their planned attacks. In this paper, we propose a game-theoretic framework to address this challenge which encompasses the following three elements. First, we design a method to analyze an attacker’s types in order to determine the most plausible type of an attacker. Second, we propose an approach to predict possible targets of an attack and the course of actions that the attackers may take even when the attackers’ types are ambiguous. Third, a game-theoretic based strategy is developed to determine the best intervention approaches taken by defenders (security resources).

Lu-Xing Yang,Pengdeng Li,Yushu Zhang,Xiaofan Yang,Yong Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/tifs.2018.2885251

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Advanced persistent threat (APT) is a new kind of cyberattack that poses a serious threat to modern society. When an APT campaign on an organization has been identified, the available repair resources must be reasonably allocated to the potentially insecure hosts to mitigate the potential loss of the organization. We refer to the feasible repair resource allocation strategies as repair strategies. This paper focuses on the APT repair problem, i.e., the problem of developing effective repair strategies for organizations. First, for an organization with time-varying communication relationship, we establish an evolution model of the organization’s expected state, in which the impact of lateral movement of APT is accommodated. On this basis, we model the APT repair problem as a differential Nash game problem (the APT repair game) in which the attacker attempts to maximize his potential benefit, and the organization manages to minimize its potential loss. Second, we derive a system (the potential system) for calculating a potential Nash equilibrium of an APT repair game, and we examine the structure of the potential attack and repair strategies in a potential Nash equilibrium. Next, we solve some potential systems to get the corresponding potential Nash equilibria. Finally, by comparison with a large number of randomly generated attack and repair strategies, we conclude that the potential Nash equilibrium of each APT repair game is a Nash equilibrium of the game. Therefore, we recommend to organizations their respective potential repair strategies. Our findings help to better understand and effectively defend against APT.

Wenjun Ma,Weiru Liu,Paul Miller,Xudong Luo

DOI: https://doi.org/10.5555/2615731.2616064

2014-01-01

Abstract:Threat intervention with limited security resources is a challenging problem. An optimal strategy is to effectively predict attackers' targets (or goals) based on current available information, and use such predictions to disrupt their planned attacks. In this paper, we propose a game-theoretic framework to address this challenge which encompasses the following three elements. First, we design a method to analyze an attacker's types in order to determine the most plausible type of an attacker. Second, we propose an approach to predict possible targets of an attack and the course of actions that the attackers may take even when the attackers' types are ambiguous. Third, a game-theoretic based strategy is developed to determine the best intervention approaches taken by defenders (security resources).

Di Wu,Xiangbin Yan,Rui Peng,Shaomin Wu

DOI: https://doi.org/10.1016/j.ress.2019.106778

IF: 7.247

2019-01-01

Reliability Engineering & System Safety

Abstract:This paper analyzes the optimal strategies for the attacker and the defender in an attack–defense game, considering the risk attitudes of both parties. The defender moves first, allocating its limited resources to three different measures: launching a proactive strike or preventive strike, building false targets, and protecting its genuine object. It is assumed that (a) launching a proactive strike has limited effectiveness on its rival and does not expose the genuine object itself, (b) a false target might be correctly identified as false, and (c) launching a preventive strike consumes less resources than a proactive strike and might expose the genuine object. The attacker moves after observing the defender's movements, allocating its limited resources to three measures: protecting its own base from a proactive strike or preventive strike, building false bases, and attacking the defender's genuine object. For each of the defender's given strategies, the attacker chooses the attack strategy that maximizes its cumulative prospect value, which accounts for the players’ risk attitudes. Similarly, the defender maximizes its cumulative prospect value by anticipating that the attacker will always choose the strategy combination that maximizes its own cumulative prospect value. Backward induction is used to obtain the optimal defense, attack strategies, and their corresponding cumulative prospect values. Our results show that the introduction of risk attitudes leads the game to a lose-lose situation under some circumstances and benefits one party in other cases.