Bastián Bahamondes,Mathieu Dahan

2024-04-18

Abstract:We consider a two-person network inspection game, in which a defender positions a limited number of detectors to detect multiple attacks caused by an attacker. We assume that detection is imperfect, and each detector location is associated with a probability of detecting attacks within its set of monitored network components. The objective of the defender (resp. attacker) is to minimize (resp. maximize) the expected number of undetected attacks. To compute Nash Equilibria (NE) for this large-scale zero-sum game, we formulate a linear program with a small number of constraints, which we solve via column generation. We provide an exact mixed-integer program for the pricing problem, which entails computing a defender's pure best response, and leverage its supermodular structure to derive two efficient approaches to obtain approximate NE with theoretical guarantees: A column generation and a multiplicative weights update (MWU) algorithm with approximate best responses. To address the computational challenges posed by combinatorial attacker strategies, each iteration of our MWU algorithm requires computing a projection under the unnormalized relative entropy. We provide a closed-form solution and a linear-time algorithm for the projection problem. Our computational results in real-world gas distribution networks illustrate the performance and scalability of our solution approaches.

Computer Science and Game Theory

Hao Wu,Wei Wang,Changyun Wen,Zhengguo Li

DOI: https://doi.org/10.1016/j.ins.2018.04.051

IF: 8.1

2018-01-01

Information Sciences

Abstract:In this paper, a game theoretical analysis method is presented to provide the optimal security detection strategies for heterogeneous networked systems. A two-stage game model is firstly established, in which the attacker and defender are considered as two players. In the first stage, the two players make decisions on whether to execute the attack/monitoring actions or to keep silence for each network unit. In the second stage, two important strategic varibles, i.e. the attack intensity and detection threshold, are cautiously determined. The necessary and sufficient conditions to ensure the existence of the Nash equilibriums for the game with complete information are rigorously analyzed. The results reflect that with limited resources and capacities, the defender (attacker) tends to perform defense (attack) actions and further allocate more defense (less attack) resources to the units with larger assets. Besides, Bayesian and robust Nash equilibrium analysis is provided for the game with incomplete information. Finally, a sampling based Nash equilibrium verification and calculation approach is proposed for the game model with continuous kernels. Thus the convexity restrictions can be relaxed and the computational complexity is effectively reduced, with comparison to the existing recursive calculation methods. Numerical examples are given to validate our theoretical results.

Jezdimir Milosevic,Mathieu Dahan,Saurabh Amin,Henrik Sandberg

2023-04-09

Abstract:We consider a strategic network monitoring problem involving the operator of a networked system and an attacker. The operator aims to randomize the placement of multiple protected sensors to monitor and protect components that are vulnerable to attacks. We account for the heterogeneity in the components' security levels and formulate a large-scale maximin optimization problem. After analyzing its structure, we propose a three-step approach to approximately solve the problem. First, we solve a generalized covering set problem and run a combinatorial algorithm to compute an approximate solution. Then, we compute approximation bounds by solving a nonlinear set packing problem. To evaluate our solution approach, we implement two classical solution methods based on column generation and multiplicative weights updates, and test them on real-world water distribution and power systems. Our numerical analysis shows that our solution method outperforms the classical methods on large-scale networks, as it efficiently generates solutions that achieve a close to optimal performance and that are simple to implement in practice.

Optimization and Control

Jianye Hao,Yinxing Xue,Mahinthan Chandramohan,Yang Liu,Jun Sun

DOI: https://doi.org/10.1109/ictai.2015.154

2015-01-01

Abstract:Network monitoring is an important way to ensure the security of hosts from being attacked by malicious attackers. One challenging problem for network operators is how to distribute the limited monitoring resources (e. g., intrusion detectors) among the network to detect attacks in a cost-effective manner, especially when the attacking strategies can be changing dynamically and unpredictable. To this end, we adopt Markov game to model the interactions between the network operator and the attacker and propose an adaptive Markov strategy (AMS) to determine how the detectors should be placed on the network against possible attacks to minimize the network's accumulated cost over time. The AMS is guaranteed to converge to the best response strategy when the attacker's strategy is fixed (rationality), converge to a fixed strategy under self-play (convergence) and obtain a payoff no less than that under the precomputed Nash equilibrium strategy of the Markov game (safety). The experimental results show that the AMS can achieve better protection for the network compared with both previous approaches based on the prediction of attack paths (equivalent to a graph coloring problem) and Nash equilibrium strategy.

Anh Tung Nguyen,Sribalaji C. Anand,André M. H. Teixeira,Alexander Medvedev

DOI: https://doi.org/10.1016/j.ifacol.2023.10.1896

2023-04-12

Abstract:This paper proposes a game-theoretic method to address the problem of optimal detector placement in a networked control system under cyber-attacks. The networked control system is composed of interconnected agents where each agent is regulated by its local controller over unprotected communication, which leaves the system vulnerable to malicious cyber-attacks. To guarantee a given local performance, the defender optimally selects a single agent on which to place a detector at its local controller with the purpose of detecting cyber-attacks. On the other hand, an adversary optimally chooses a single agent on which to conduct a cyber-attack on its input with the aim of maximally worsening the local performance while remaining stealthy to the defender. First, we present a necessary and sufficient condition to ensure that the maximal attack impact on the local performance is bounded, which restricts the possible actions of the defender to a subset of available agents. Then, by considering the maximal attack impact on the local performance as a game payoff, we cast the problem of finding optimal actions of the defender and the adversary as a zero-sum game. Finally, with the possible action sets of the defender and the adversary, an algorithm is devoted to determining the Nash equilibria of the zero-sum game that yield the optimal detector placement. The proposed method is illustrated on an IEEE benchmark for power systems.

Systems and Control

Xiaoqiang Ren,Yilin Mo

DOI: https://doi.org/10.1109/tsp.2018.2853110

IF: 4.875

2018-01-01

IEEE Transactions on Signal Processing

Abstract:This paper studies how to deploy sensors in the context of detection in adversarial environments. A fusion center is performing a binary hypothesis testing based on measurements from remotely deployed heterogeneous sensors. An attacker may compromise some of the deployed sensors, which send arbitrary measurements to the fusion center. The problems of interest are: to characterize the performance of the system under attack and, thus, develop a performance metric; and to deploy sensors within a cost budget, such that the proposed performance metric is maximized. In this paper, we first present a performance metric by formulating the detection in adversarial environments in a game theoretic way. A Nash equilibrium pair of the detection algorithm and attack strategy, with the deployed sensors given, is provided and the corresponding detection performance is adopted as the performance metric. We then show that the optimal sensor deployment can be determined approximately by solving a group of unbounded knapsack problems. We also show that the performance metric gap between the optimal sensor deployment and the optimal one with sensors being identical is within a fixed constant for any cost budget. The main results are illustrated by numerical examples.

Aron Laszka,Waseem Abbas,Yevgeniy Vorobeychik,Xenofon Koutsoukos

DOI: https://doi.org/10.1016/j.cose.2019.101576

2019-11-01

Abstract:<p>In recent years, state-of-the-art traffic-control devices have evolved from standalone hardware to networked smart devices. Smart traffic control enables operators to decrease traffic congestion and environmental impact by acquiring real-time traffic data and changing traffic signals from fixed to adaptive schedules. However, these capabilities have inadvertently exposed traffic control to a wide range of cyber-attacks, which adversaries can easily mount through wireless networks or even through the Internet. Indeed, recent studies have found that a large number of traffic signals that are deployed in practice suffer from exploitable vulnerabilities, which adversaries may use to take control of the devices. Thanks to the hardware-based failsafes that most devices employ, adversaries cannot cause traffic accidents directly by setting compromised signals to dangerous configurations. Nonetheless, an adversary could cause disastrous traffic congestion by changing the schedule of compromised traffic signals, thereby effectively crippling the transportation network. To provide theoretical foundations for the protection of transportation networks from these attacks, we introduce a game-theoretic model of launching, detecting, and mitigating attacks that tamper with traffic-signal schedules. We show that finding optimal strategies is a computationally challenging problem, and we propose efficient heuristic algorithms for finding near optimal strategies. We also introduce a Gaussian-process based anomaly detector, which can alert operators to ongoing attacks. Finally, we evaluate our algorithms and the proposed detector using numerical experiments based on the SUMO traffic simulator.</p>

computer science, information systems

Jason Tsai,Zhengyu Yin,Jun-young Kwak,David Kempe,Christopher Kiekintveld,Milind Tambe

DOI: https://doi.org/10.1609/aaai.v24i1.7612

2010-07-04

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Law enforcement agencies frequently must allocate limited resources to protect targets embedded in a network, such as important buildings in a city road network. Since intelligent attackers may observe and exploit patterns in the allocation, it is crucial that the allocations be randomized. We cast this problem as an attacker-defender Stackelberg game: the defender’s goal is to obtain an optimal mixed strategy for allocating resources. The defender’s strategy space is exponential in the number of resources, and the attacker’s exponential in the network size. Existing algorithms are therefore useless for all but the smallest networks. We present a solution approach based on two key ideas: (i) A polynomial-sized game model obtained via an approximation of the strategy space, solved efficiently using a linear program; (ii) Two efficient techniques that map solutions from the approximate game to the original, with proofs of correctness under certain assumptions. We present in-depth experimental results, including an evaluation on part of the Mumbai road network.

Yinan Hu,Quanyan Zhu

2024-01-17

Abstract:The security in networked systems depends greatly on recognizing and identifying adversarial behaviors. Traditional detection methods focus on specific categories of attacks and have become inadequate for increasingly stealthy and deceptive attacks that are designed to bypass detection strategically. This work aims to develop a holistic theory to countermeasure such evasive attacks. We focus on extending a fundamental class of statistical-based detection methods based on Neyman-Pearson's (NP) hypothesis testing formulation. We propose game-theoretic frameworks to capture the conflicting relationship between a strategic evasive attacker and an evasion-aware NP detector. By analyzing both the equilibrium behaviors of the attacker and the NP detector, we characterize their performance using Equilibrium Receiver-Operational-Characteristic (EROC) curves. We show that the evasion-aware NP detectors outperform the passive ones in the way that the former can act strategically against the attacker's behavior and adaptively modify their decision rules based on the received messages. In addition, we extend our framework to a sequential setting where the user sends out identically distributed messages. We corroborate the analytical results with a case study of anomaly detection.

Cryptography and Security,Computer Science and Game Theory,Information Theory,Systems and Control

Zheng Wang,Bin Liu,JingZhao Chen,WeiHua Huang,Yong Hu

DOI: https://doi.org/10.1016/j.jisa.2023.103436

IF: 4.96

2023-02-02

Journal of Information Security and Applications

Abstract:The defense strategy of the Internet of Things (IoT) under hacker attack is a crucial issue in the security field of industry. When IoT plants are attacked by hackers, it is impossible to understand the type of attack employed by the hackers. At this point, we need a detection mechanism that can cope with the known multiple types of network attacks. In this paper, we focus on the issue of IoT security defense and construct a multi-detector detection system capable of detecting multiple types of network attacks based on a zero-sum stochastic game framework. The system can choose between multiple detectors according to a mixed Nash equilibrium strategy that takes into account both the detection cost and the detection effect. Finally, we present a simulation comparison between the multi-detector system and the single detector system to verify that the mixed strategy leads to higher detection effectiveness and lower control performance loss.

computer science, information systems

Kun Lv,Yun Chen,Changzhen Hu

DOI: https://doi.org/10.1016/j.inffus.2019.01.001

IF: 18.6

2019-01-01

Information Fusion

Abstract:Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times.

Ya-Peng Li,Suo-Yi Tan,Ye Deng,Jun Wu

DOI: https://doi.org/10.1063/1.5029343

2018-01-01

Abstract:Dealing with the protection of critical infrastructures, many game-theoretic methods have been developed to study the strategic interactions between defenders and attackers. However, most game models ignore the interrelationship between different components within a certain system. In this paper, we propose a simultaneous-move attacker-defender game model, which is a two-player zero-sum static game with complete information. The strategies and payoffs of this game are defined on the basis of the topology structure of the infrastructure system, which is represented by a complex network. Due to the complexity of strategies, the attack and defense strategies are confined by two typical strategies, namely, targeted strategy and random strategy. The simulation results indicate that in a scale-free network, the attacker virtually always attacks randomly in the Nash equilibrium. With a small cost-sensitive parameter, representing the degree to which costs increase with the importance of a target, the defender protects the hub targets with large degrees preferentially. When the cost-sensitive parameter exceeds a threshold, the defender switches to protecting nodes randomly. Our work provides a new theoretical framework to analyze the confrontations between the attacker and the defender on critical infrastructures and deserves further study. Published by AIP Publishing.

Huanhuan Yuan,Yuanqing Xia,Yuan,Hongjiu Yang

DOI: https://doi.org/10.1016/j.jfranklin.2021.04.049

IF: 4.246

2021-01-01

Journal of the Franklin Institute

Abstract:We consider a remote state estimation process under an active eavesdropper for cyber-physical system. A smart sensor transmits its local state estimates to a remote estimator over an unreliable network, which is eavesdropped by an adversary. The intelligent adversary can work in passive eavesdropping mode and active jamming mode. An active jamming mode enables the adversary to interfere the data transmission from sensor to estimator, and meanwhile improve the data reception of itself. To protect the transmission data from being wiretapped, the sensor with two antennas injects noise to the eavesdropping link with different power levels. Aiming at minimizing the estimation error covariance and power cost of themselves while maximizing the estimation error covariance of their opponents, a two-player nonzero-sum game is constructed for sensor and active eavesdropper. For an open-loop case, the mixed Nash equilibrium is obtained by solving an one-stage nonzero-sum game. For a long term consideration, a Markov stochastic game is introduced and a Nash Q-learning method is given to find the Nash equilibrium strategies for two players. Numerical results are provided to show the effectiveness of our theoretical conclusions.

Hao Wu,Zhonghua Wang

DOI: https://doi.org/10.1016/j.cose.2018.01.003

IF: 5.105

2018-01-01

Computers & Security

Abstract:In this paper, multi-source fusion-based detection method for the security of heterogeneous network is investigated. Fusion-based detection method exploits multi-source profiles from the whole network to make decisions on whether intrusion incident happens. A game theoretic analysis method for the concerned detection strategy is presented, where the attacker and defender are thought to be rational humans and they always try their best to get their maximum payoffs. A nonzero-sum game model is established to formulate the confrontation between the defender and attacker by considering the detection threshold and attack resource allocation as their strategies. The optimal strategies are then solved by using Nash equilibrium theory. The local optimal attack allocation scheme is firstly presented for heterogeneous network, which shows that with limited resources the attacker should only launch attacks to more valuable nodes and more attack resources should be allocated to more valuable nodes also. Then a general conclusion about the existence of the Nash equilibrium is given, which indicates that the Nash equilibrium must exist despite the attacks types. After that, an iterative method is presented for the calculation of the Nash equilibrium by considering DDoS attack as an example. Numerical simulations are shown to validate our theoretical results.

Wen Jiang,Zeyu Ma,Xinyang Deng

DOI: https://doi.org/10.1177/1550147719841293

IF: 1.938

2019-01-01

International Journal of Distributed Sensor Networks

Abstract:Wireless sensor networks play an important role in daily life and have been applied in diverse fields. In practice, malware tries to infect sensor nodes, while wireless sensor network prevents from attacking. This article establishes a new attack–defense game based on Stackelberg game. In this game, malware selects its strategy of attacking first, and then wireless sensor network makes decision after observing the action of malware. This game considers the situation in which malware is more dominant than wireless sensor network. Then this game is solved and an equilibrium solution is calculated, which is the best strategy for malware and wireless sensor network to maximize their payoffs. With infection probability and defense probability, mean time to failure of a sensor node is computed and is used to analyze the reliability of wireless sensor network. The experiments show the influence of true-positive rate and false-positive rate on the equilibrium solution of game and the reliability of wireless sensor network. Finally, the proposed method is compared with the existing method based on a simultaneous game.

Yuedong Xu,John C.S. Lui

DOI: https://doi.org/10.48550/arXiv.2202.09755

2022-02-20

Abstract:In this paper, we consider a new network security game wherein an attacker and a defender are battling over "multiple" targets. This type of game is appropriate to model many current network security conflicts such as Internet phishing, mobile malware or network intrusions. In such attacks, the attacker and the defender need to decide how to allocate resources on each target so as to maximize his utility within his resource limit. We model such a multi-dimensional network security game as a constrained non-zero sum game. Two security breaching models, the product-form and the proportion-form, are considered. For each breaching model, we prove the existence of a unique Nash equilibrium (NE) based on Rosen's theorem and propose efficient algorithms to find the NE when the games are strictly concave. Furthermore, we show the existence of multiple NEs in the product-form breaching model when the strict concavity does not hold. Our study sheds light on the strategic behaviors of the attacker and the defender, in particular, on how they allocate resources to the targets which have different weights, and how their utilities as well as strategies are influenced by the resource constraints.

Computer Science and Game Theory

Lemonia Dritsoula,Patrick Loiseau,John Musacchio

DOI: https://doi.org/10.48550/arXiv.1207.0745

2012-07-04

Abstract:We consider a game in which a strategic defender classifies an intruder as spy or spammer. The classification is based on the number of file server and mail server attacks observed during a fixed window. The spammer naively attacks (with a known distribution) his main target: the mail server. The spy strategically selects the number of attacks on his main target: the file server. The defender strategically selects his classification policy: a threshold on the number of file server attacks. We model the interaction of the two players (spy and defender) as a nonzero-sum game: The defender needs to balance missed detections and false alarms in his objective function, while the spy has a tradeoff between attacking the file server more aggressively and increasing the chances of getting caught. We give a characterization of the Nash equilibria in mixed strategies, and demonstrate how the Nash equilibria can be computed in polynomial time. Our characterization gives interesting and non-intuitive insights on the players' strategies at equilibrium: The defender uniformly randomizes between a set of thresholds that includes very large values. The strategy of the spy is a truncated version of the spammer's distribution. We present numerical simulations that validate and illustrate our theoretical results.

Computer Science and Game Theory

Jiaqi Ren,Jin Liu,Yibo Dong,Zhe Li,Weili Li

DOI: https://doi.org/10.3390/e26080624

IF: 2.738

2024-07-25

Entropy

Abstract:Recently, research interest in the field of infrastructure attack and defense scenarios has increased. Numerous methods have been proposed for studying strategy interactions that combine complex network theory and game theory. However, the unavoidable effect of constrained strategies in complex situations has not been considered in previous studies. This study introduces a novel approach to analyzing these interactions by including the effects of constrained strategies, a factor often neglected in traditional analyses. First, we introduce the rule of constraints on strategies, which depends on the average distance between selected nodes. As the average distance increases, the probability of choosing the corresponding strategy decreases. Second, we establish an attacker–defender game model with constrained strategies based on the above rule and using information theory to evaluate the uncertainty of these strategies. Finally, we present a method for solving this problem and conduct experiments based on a target network. The results highlight the unique characteristics of the Nash equilibrium when setting constraints, as these constraints influence decision makers' Nash equilibria. When considering the constrained strategies, both the attacker and the defender tend to select strategies with lower average distances. The effect of the constraints on their strategies becomes less apparent as the number of attackable or defendable nodes increases. This research advances the field by introducing a novel framework for examining strategic interactions in infrastructure defense and attack scenarios. By incorporating strategy constraints, our work offers a new perspective on the critical area of infrastructure security.

physics, multidisciplinary

Fei He,Jun Zhuang,Nageswara S. V. Rao

2012-01-01

Abstract:Critical infrastructures rely on cyber and physical components that are both subject to natural, incidental or intentional degradations. Game theory has been used in studying the strategic interactions between attackers and defenders for critical infrastructure protection, but has not been extensively used in complex cyber-physical networks. This paper fills the gap by modeling the probabilities of successful attacks in both cyber and physical spaces as functions of the number of components that are attacked and defended. The results show that the attack effort would first increase then decrease in (a) defense effort, (b) the probability of successful attack on each component, (c) the number of minimum required functioning resources, and (d) the maximum number of available resources. Comparing simultaneous and sequential games, our results show that the defender performs better when she moves first. Our research provides some novel insights into the survival of such infrastructures and optimal resource allocation under various costs and target valuations that players may have.

Lu Yu,Richard R. Brooks

DOI: https://doi.org/10.1007/978-3-319-75683-7_15

2017-09-22

Abstract:With the rapid development of Internet and the sharp increase of network crime, network security has become very important and received a lot of attention. We model security issues as stochastic systems. This allows us to find weaknesses in existing security systems and propose new solutions. Exploring the vulnerabilities of existing security tools can prevent cyber-attacks from taking advantages of the system weaknesses. We propose a hybrid network security scheme including intrusion detection systems (IDSs) and honeypots scattered throughout the network. This combines the advantages of two security technologies. A honeypot is an activity-based network security system, which could be the logical supplement of the passive detection policies used by IDSs. This integration forces us to balance security performance versus cost by scheduling device activities for the proposed system. By formulating the scheduling problem as a decentralized partially observable Markov decision process (DEC-POMDP), decisions are made in a distributed manner at each device without requiring centralized control. The partially observable Markov decision process (POMDP) is a useful choice for controlling stochastic systems. As a combination of two Markov models, POMDPs combine the strength of hidden Markov Model (HMM) (capturing dynamics that depend on unobserved states) and that of Markov decision process (MDP) (taking the decision aspect into account). Decision making under uncertainty is used in many parts of business and <a class="link-external link-http" href="http://science.We" rel="external noopener nofollow">this http URL</a> use here for security <a class="link-external link-http" href="http://tools.We" rel="external noopener nofollow">this http URL</a> adopt a high-quality approximation solution for finite-space POMDPs with the average cost criterion, and their extension to DEC-POMDPs. We show how this tool could be used to design a network security framework.

Cryptography and Security