Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Chenquan Gan,Jiabin Lin,Da-Wen Huang,Qingyi Zhu,Liang Tian

DOI: https://doi.org/10.3390/math11143115

IF: 2.4

2023-07-15

Mathematics

Abstract:The industrial internet of things (IIoT) is a key pillar of the intelligent society, integrating traditional industry with modern information technology to improve production efficiency and quality. However, the IIoT also faces serious challenges from advanced persistent threats (APTs), a stealthy and persistent method of attack that can cause enormous losses and damages. In this paper, we give the definition and development of APTs. Furthermore, we examine the types of APT attacks that each layer of the four-layer IIoT reference architecture may face and review existing defense techniques. Next, we use several models to model and analyze APT activities in IIoT to identify their inherent characteristics and patterns. Finally, based on a thorough discussion of IIoT security issues, we propose some open research topics and directions.

mathematics

Huici Wu,Qiuyue Gao,Xiaofeng Tao,Ning Zhang,Dajiang Chen,Zhu Han

DOI: https://doi.org/10.1109/jiot.2021.3122115

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) is vulnerable to various cyber attacks due to the massive deployment of IoT devices and the openness of wireless environments. In this article, taking IoT devices as the network resources competed between an attacker and a defender, we study the modeling and analysis of network resource competition in an attack-defense game. The attacker and defender inject different competition strength in each IoT device as their strategies. As a result, the security state of each IoT device will change, which is captured by differential equations. To study the interaction between the attacker and defender and the evolution of the system security states, a zero-sum differential game is formulated by modeling the competition of IoT devices. To achieve the equilibrium of the formulated differential game, optimal control theory is employed to solve the optimization problems of players. Further, a Gauss–Seidel-like implicit finite-difference method is utilized to obtain the saddle point strategy. Finally, numerical results are provided to demonstrate the evolution of network resource competition between the attacker and defender. The results show that our formulated model can effectively and accurately characterize the evolution of the system security states with strategic interactions between the attacker and defender.

Hao Yan,Qianzhen Zhang,Junjie Xie,Ziyue Lu,Sheng Chen,Deke Guo

DOI: https://doi.org/10.1109/ICPADS53394.2021.00062

2021-01-01

Abstract:The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the ...

Kun Lv,Yun Chen,Changzhen Hu

DOI: https://doi.org/10.1016/j.inffus.2019.01.001

IF: 18.6

2019-01-01

Information Fusion

Abstract:Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times.

Lu-Xing Yang,Pengdeng Li,Yushu Zhang,Xiaofan Yang,Yong Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/tifs.2018.2885251

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Advanced persistent threat (APT) is a new kind of cyberattack that poses a serious threat to modern society. When an APT campaign on an organization has been identified, the available repair resources must be reasonably allocated to the potentially insecure hosts to mitigate the potential loss of the organization. We refer to the feasible repair resource allocation strategies as repair strategies. This paper focuses on the APT repair problem, i.e., the problem of developing effective repair strategies for organizations. First, for an organization with time-varying communication relationship, we establish an evolution model of the organization’s expected state, in which the impact of lateral movement of APT is accommodated. On this basis, we model the APT repair problem as a differential Nash game problem (the APT repair game) in which the attacker attempts to maximize his potential benefit, and the organization manages to minimize its potential loss. Second, we derive a system (the potential system) for calculating a potential Nash equilibrium of an APT repair game, and we examine the structure of the potential attack and repair strategies in a potential Nash equilibrium. Next, we solve some potential systems to get the corresponding potential Nash equilibria. Finally, by comparison with a large number of randomly generated attack and repair strategies, we conclude that the potential Nash equilibrium of each APT repair game is a Nash equilibrium of the game. Therefore, we recommend to organizations their respective potential repair strategies. Our findings help to better understand and effectively defend against APT.

Zikai Zhang,Chuntao Ding,Yidong Li,Jinhui Yu,Jingy Li

DOI: https://doi.org/10.1109/tsc.2024.3422870

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:With the advancement of intelligent and networked technology, the Industrial Internet of Things (IIoT) faces an escalating threat from cyberattacks, especially by Advanced Persistent Threat (APT) attacks. These novel and complex attacks, characterized by their dynamic nature and life-long duration, pose significant challenges to existing security protection methods. The challenges are twofold, i.e., sparse reward problem in the long-lasting attack, and partial observation of attack actions. To this end, we propose a Security-as-a-Service based reinforcement learning method, namely Attention Augmented Dueling Deep Q-learning Network (AD2QN), to make real-time defense strategies for the hot standby IIoT. Firstly, we build the attack-defend confrontation model as black boxes interact with the IIoT environment to play a long-lasting partially observable zero-sum stochastic game on the server. Then, to dynamically generate optimal defense strategies as the service, AD2QN is proposed employing information completion and prediction to more informed action selection. Furthermore, AD2QN utilizes an iteratively updated reward network to deal with the sparse reward problem. Extensive simulation results shown that the defense strategies generated by our method have a higher defense success rate and a stable defense performance with the average success rate of 0.7384, while the average success rate of baseline methods was 0.7375, in the best case.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1809.02227

2018-09-07

Abstract:Advanced Persistent Threats (APTs) have created new security challenges for critical infrastructures due to their stealthy, dynamic, and adaptive natures. In this work, we aim to lay a game-theoretic foundation by establishing a multi-stage Bayesian game framework to capture incomplete information of deceptive APTs and their multi-stage multi-phase movement. The analysis of the perfect Bayesian Nash equilibrium (PBNE) enables a prediction of attacker's behaviors and a design of defensive strategies that can deter the adversaries and mitigate the security risks. A conjugate-prior method allows online computation of the belief and reduces Bayesian update into an iterative parameter update. The forwardly updated parameters are assimilated into the backward dynamic programming computation to characterize a computationally tractable and time-consistent equilibrium solution based on the expanded state space. The Tennessee Eastman (TE) process control problem is used as a case study to demonstrate the dynamic game under the information asymmetry and show that APTs tend to be stealthy and deceptive during their transitions in the cyber layer and behave aggressively when reaching the targeted physical plant. The online update of the belief allows the defender to learn the behavior of the attacker and choose strategic defensive actions that can thwart adversarial behaviors and mitigate APTs. Numerical results illustrate the defender's tradeoff between the immediate reward and the future expectation as well as the attacker's goal to reach an advantageous system state while making the defender form a positive belief.

Computer Science and Game Theory

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

Stefan Rass,Sandra König,Stefan Schauer

DOI: https://doi.org/10.1371/journal.pone.0168675

2022-05-02

Abstract:Advanced persistent threats (APT) combine a variety of different attack forms ranging from social engineering to technical exploits. The diversity and usual stealthiness of APT turns them into a central problem of contemporary practical system security, since information on attacks, the current system status or the attacker's incentives is often vague, uncertain and in many cases even unavailable. Game theory is a natural approach to model the conflict between the attacker and the defender, and this work investigates a generalized class of matrix games as a risk mitigation tool for an APT defense. Unlike standard game and decision theory, our model is tailored to capture and handle the full uncertainty that is immanent to APT, such as disagreement among qualitative expert risk assessments, unknown adversarial incentives and uncertainty about the current system state (in terms of how deeply the attacker may have penetrated into the system's protective shells already). Practically, game-theoretic APT models can be derived straightforwardly from topological vulnerability analysis, together with risk assessments as they are done in common risk management standards like the ISO 31000 family. Theoretically, these models come with different properties than classical game theoretic models, whose technical solution presented in this work may be of independent interest.

Cryptography and Security,Computer Science and Game Theory

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.1016/j.cose.2019.101660

2019-11-05

Abstract:Advanced Persistent Threats (APTs) have recently emerged as a significant security challenge for a cyber-physical system due to their stealthy, dynamic and adaptive nature. Proactive dynamic defenses provide a strategic and holistic security mechanism to increase the costs of attacks and mitigate the risks. This work proposes a dynamic game framework to model a long-term interaction between a stealthy attacker and a proactive defender. The stealthy and deceptive behaviors are captured by the multi-stage game of incomplete information, where each player has his own private information unknown to the other. Both players act strategically according to their beliefs which are formed by the multi-stage observation and learning. The perfect Bayesian Nash equilibrium provides a useful prediction of both players' policies because no players benefit from unilateral deviations from the equilibrium. We propose an iterative algorithm to compute the perfect Bayesian Nash equilibrium and use the Tennessee Eastman process as a benchmark case study. Our numerical experiment corroborates the analytical results and provides further insights into the design of proactive defense-in-depth strategies.

Computer Science and Game Theory,Cryptography and Security

Minghui Min,Liang Xiao,Caixia Xie,Mohammad Hajimirsadeghi,Narayan B. Mandayam

DOI: https://doi.org/10.1109/icc.2017.7997103

2017-01-01

Abstract:An Advanced Persistent Threat (APT) attacker applies multiple sophisticated methods to continuously and stealthily attack targeted cyber systems. In this paper, the interactions between an APT attacker and a cloud system defender in their allocation of the Central Processing Units (CPUs) over multiple devices are formulated as a Colonel Blotto game (CBG), which models the competition of two players under given resource constraints over multiple battlefields. The Nash equilibria (NEs) of the CBG-based APT defense game are derived for the case with symmetric players and the case with asymmetric players each with different total number of CPUs. The expected data protection level and the utility of the defender are provided for each game at the NE. An APT defense strategy based on the policy hill-climbing (PHC) algorithm is proposed for the defender to achieve the optimal CPU allocation distribution over the devices in the dynamic defense game without being aware of the APT attack model. Simulation results have verified the efficacy of our proposed algorithm, showing that both the data protection level and the utility of the defender are improved compared with the benchmark greedy allocation algorithm.

Wang Neng,Zhang Ya

DOI: https://doi.org/10.1007/978-981-19-3998-3_95

2022-01-01

Abstract:An advanced persistent threat (APT) is a stealthy cyber attack which can have the ability to illegally enter a system and remain undiscovered for a long time. Dynamic information flow tracking is one of the leading methods to detecting advanced persistent threats, which can taint suspicious information flows and generate security analysis for abnormal and questionable use of the information flow. In this paper, we develop a novel model to detect APTs. We build a zero-sum, two-player, asymmetric information Markov game. Because the DIFT cannot distinguish between normal and malicious information flow, the defender has less state information than the attacker. We analyzed the existence of the Nash equilibrium of our game. Finally, we used Neural Fictitious Self-play (NFSP), the leading algorithm for zero-sum games in Deep Reinforcement Learning, to solve the Nash equilibrium for this game.

Lili Chen,Zhen Wang,Jintao Wu,Yunchuan Guo,Fenghua Li,Zifu Li

DOI: https://doi.org/10.1002/cpe.6944

2022-04-20

Concurrency and Computation: Practice and Experience

Abstract:As mobile communications, the Internet, databases, distributed computing, and other technologies continue to develop, the Internet of Things (IoT) has emerged as prevalent technique. However, attacks on security and sensitive data in IoT occur frequently, and these attacks often evade intrusion detection systems strategically by mutating their traffic. To prevent security threats and sensitive data leakage, we propose a game approach based on adversarial deep learning to optimize a dynamic security threshold strategy. We introduce a mobile edge computing framework and utilize a game model to describe the adversarial interaction between the two participants. To solve the complexity of the game problem to gain dynamically randomized adversarial attacks, we present a column generation (CG) framework, which uses a feedforward neural network to quantify data flowing through IoT devices. Considering the limited resources of IoT devices, we calculate an optimal response to cyberattacks via a particle swarm optimization algorithm, aiming to reduce the false alarm rate. The adversarial dynamic threshold (ADT)‐based column generation (CG‐ADT) algorithm generates the set of detection threshold and the probability. Finally, we present the results of experiments conducted to demonstrate the effectiveness and robustness of the proposed dynamic threshold scheme for sensitive data security protection in IoT and its suitability for implementation in production systems.

Shengling Wang,Hongwei Shi,Qin Hu,Bin Lin,Xiuzhen Cheng

DOI: https://doi.org/10.1109/jiot.2019.2943151

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:At present, the proliferation of the online connected devices conceives the Internet of Things (IoT), in which many wireless sensors, smart devices are implemented. However, the nature of openness rooted in IoT makes itself vulnerable to be attacked. One of the pioneer countermeasures is the moving target defense (MTD), which encourages an active and dynamic defense in IoT. In this article, a macroscopic research in MTD is carried out. The existing macroscopic studies take advantage of a traditional game theory. Consequently, protected IoT devices need extra operations to dominate the game. In this article, we take a dramatically different approach where a player can dominate the game without extra operation. Our approach benefits from the power of the zero-determinant (ZD) strategy, in which the player who adopts ZD can unilaterally set the expected payoff of the adversary or itself. Aware of such a powerful strategy, both players may want to employ it for dominating the confrontation. In this case, two fundamental questions need to be answered: who should take the ZD strategy? and to what extent can the ZD player dominate the game? To solve these problems, we model the interactions between the IoT devices and the malicious attackers as a Markov game. Besides, we obtain the conditions to adopt ZD, based on which we deduce the effectiveness of the ZD player. To the best of our knowledge, we are the first to employ the ZD strategy theory to enhance a better counterattack performance in IoT.

Yuyang Zhou,Guang Cheng,Yuyu Zhao,Zihan Chen,Shanqing Jiang

DOI: https://doi.org/10.1109/tii.2021.3090719

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Nowadays, a large number of intelligent devices involved in the industrial Internet of Things (IIoT) environment lead to unprecedented challenges in security. Due to limited resources with weak security protection, the IIoT devices can be easily compromised to launch distributed denial-of-service (DDoS) attacks, resulting in catastrophic results. Although there are many DDoS mitigations of traditional static schemes, the proactive defense method to resist attacks has not been well studied. Furthermore, existing proactive schemes ignored the delay-sensitive characteristic of applications under the IIoT environments. To address these issues, we first adopt two kinds of moving target defense (MTD) techniques that dynamically control the admission of devices and migrate service replicas to isolate attackers on limited edge clouds and mitigate DDoS attacks early near its source. Then, we formulate a multistage optimization problem of MTD mechanisms deployment and model it as constrained Markov decision processes in order to maximize the available resources of the system under the limitations of the IIoT environments. Besides, we present an MTD optimal strategy algorithm to solve decision problems in a cost-effective manner. In this article, the proposed algorithm can achieve an optimal admission allocation by means of attackers gathering within the same service where the service migration decisions are assisted by means of value iteration. The experimental results verify that the proposed algorithm, compared with existing strategies, can effectively mitigate DDoS attacks with acceptable degradation of the quality of service.

Pengdeng Li,Xiaofan Yang,Qingyu Xiong,Junhao Wen,Yuan Yan Tang

DOI: https://doi.org/10.1155/2018/2975376

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:The new cyberattack pattern of advanced persistent threat (APT) has posed a serious threat to modern society. This paper addresses the APT defense problem, that is, the problem of how to effectively defend against an APT campaign. Based on a novel APT attack-defense model, the effectiveness of an APT defense strategy is quantified. Thereby, the APT defense problem is modeled as an optimal control problem, in which an optimal control stands for a most effective APT defense strategy. The existence of an optimal control is proved, and an optimality system is derived. Consequently, an optimal control can be figured out by solving the optimality system. Some examples of the optimal control are given. Finally, the influence of some factors on the effectiveness of an optimal control is examined through computer experiments. These findings help organizations to work out policies of defending against APTs.

Huanhuan Yuan,Yuanqing Xia,Jinhui Zhang,Hongjiu Yang,Magdi S. Mahmoud

DOI: https://doi.org/10.1109/tii.2019.2925035

IF: 12.3

2019-01-01

IEEE Transactions on Industrial Informatics

Abstract:In this paper, the security problem for a cloud control system (CCS) is studied. In the CCS, so-called advanced persistent threats (APTs) can be launched by a malicious attacker to reduce the quality of service of cloud and deteriorate the system performance further. To defend against APTs and create a security as a service scheme, a defender needs to allocate defense resource to different units serving to different plants for improving the overall system performance when the CCS accommodates multiple physical plants simultaneously. After observing the defender's action, the attacker decides which serve units to comprise. Considering that both defender and attacker are subject to resource constraints, the interaction of two sides is modeled by a Stackelberg game. The optimal solutions for two players under different types of budget constraints are investigated. Simulation examples and comparison results are provided to verify the main results of this paper.

Kai Xing,Aiping Li,Rong Jiang,Yan Jia

DOI: https://doi.org/10.1109/dsc50466.2020.00018

2020-01-01

Abstract:Cyberspace has been threatened by attacks ever since its birth. With the development of the Internet and artificial intelligence, forms of cyberattacks are emerging in endlessly, and technical means are constantly being renovated. In particular, advanced persistent threats are intensifying. How to effectively prevent this type of attack has become the focus, and attack detection and defense technology has made great progress. This article mainly discusses the research progress of APT attack detection and defense strategies at home and abroad, and focuses on the practice of using machine learning to perform attack detection while elaborating on traditional attack detection methods. Defense strategy is about how to use game theory to find the best defense strategy in limited resources, dynamic information flow tracking and cloud platform.

Yi-xi Xie,Li-xin Ji,Ling-shu Li,Zehua Guo,Thar Baker

DOI: https://doi.org/10.1080/09540091.2020.1832960

2020-01-01

Connection Science

Abstract:The expansion of information technology infrastructure is encountered with Advanced Persistent Threats (APTs), which can launch data destruction, disclosure, modification, and/or Denial of Service attacks by drawing upon vulnerabilities of software and hardware. Moving Target Defense (MTD) is a promising risk mitigation technique that replies to APTs via implementing randomisation and dynamic strategies on compromised assets. However, some MTD techniques adopt the blind random mutation, which causes greater performance overhead and worse defense utility. In this paper, we formulate the cyber-attack and defense as a dynamic partially observable Markov process based on dynamic Bayesian inference. Then we develop an Inference-Based Adaptive Attack Tolerance (IBAAT) system , which includes two stages. In the first stage, a forward–backward algorithm with a time window is employed to perform a security risk assessment. To select the defense strategy, in the second stage, the attack and defense process is modelled as a two-player general-sum Markov game and the optimal defense strategy is acquired by quantitative analysis based on the first stage. The evaluation shows that the proposed algorithm has about 10% security utility improvement compared to the state-of-the-art.