skip to main content
research-article
Public Access

SHARE: A Stackelberg Honey-Based Adversarial Reasoning Engine

Published:07 March 2018Publication History
Skip Abstract Section

Abstract

A “noisy-rich” (NR) cyber-attacker (Lippmann et al. 2012) is one who tries all available vulnerabilities until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how NR-attackers will explore an enterprise network and how they will attack it, based on the concept of a system vulnerability dependency graph. We develop a mechanism by which the network can be modified by the defender to induce deception by placing honey nodes and apparent vulnerabilities into the network to minimize the expected impact of the NR-attacker’s attacks (according to multiple measures of impact). We also consider the case where the adversary learns from blocked attacks using reinforcement learning. We run detailed experiments with real network data (but with simulated attack data) and show that Stackelberg Honey-based Adversarial Reasoning Engine performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. We also develop a method for the attacker to use reinforcement learning when his or her activities are stopped by the defender. We propose two stopping policies for the defender: Stop Upon Detection allows the attacker to learn about the defender’s strategy and (according to our experiments) leads to significant damage in the long run, whereas Stop After Delay allows the defender to introduce greater uncertainty into the attacker, leading to better defendability in the long run.

References

  1. L. Ablon, M. C. Libicki, and A. Golay. 2014. Markets for Cybercrime Tools and Stole Data: Hackers Bazaar. Technical Report. Retrieved from http://www.rand.org/pubs/research_reports/RR610.html.Google ScholarGoogle Scholar
  2. Palvi Aggarwal, Zahid Maqbool, Antra Grover, V. S. Pammi, Saumya Singh, and Varun Dutt. 2015. Cyber security: A game-theoretic analysis of defender and attacker strategies in defacing-website games. In Proceedings of the International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA’15). IEEE, 1--8.Google ScholarGoogle ScholarCross RefCross Ref
  3. Tansu Alpcan and Tamer Baar. 2010. Network Security: A Decision and Game-Theoretic Approach (1st ed.). Cambridge University Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Bo An, David Kempe, Christopher Kiekintveld, Eric Shieh, Satinder Singh, Milind Tambe, and Yevgeniy Vorobeychik. 2012. Security games with limited surveillance. In Proceedings of the Association for the Advancement of Artificial Intelligence Conference on Artificial Intelligence (AAAI’12). 1241--1248. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Ning Bao and John Musacchio. 2009. Optimizing the decision to expel attackers from an information system. In Proceedings of the 47th Annual Allerton Conference on Communication, Control, and Computing. 644--651. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Tamer Başar and Geert Jan Olsder. 1998. Dynamic Noncooperative Game Theory. SIAM.Google ScholarGoogle Scholar
  7. Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. 2002. Timing the application of security patches for optimal uptime. In Proceedings of the Large Installation System Administration Conference (LISA’02), Vol. 2. 233--242. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Maya Bercovitch, Meir Renford, Lior Hasson, Asaf Shabtai, Lior Rokach, and Yuval Elovici. 2011. HoneyGen: An automated honeytokens generator. In Proceedings of the IEEE Conference on Intelligence and Security Informatics (ISI’11). IEEE, 131--136.Google ScholarGoogle ScholarCross RefCross Ref
  9. Anita Borkar, Akshaya Salunke, Ankita Barabde, and N. P. Karlekar. 2011. Honeypot: A survey of technologies, tools and deployment. In Proceedings of the International Conference on Web Engineering and Technology (ICWET’11). ACM, New York, NY, 1357--1357. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Jin-Yi Cai, Vinod Yegneswaran, Chris Alfeld, and others. 2009. An Attacker-Defender Game for Honeynets. Springer, Berlin, 7--16. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. R. M. Campbell, K. Padayachee, and T. Masombuka. 2015. A survey of honeypot research: Trends and opportunities. In Proceedings of the 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST’15). 208--212.Google ScholarGoogle Scholar
  12. Huseyin Cavusoglu, Hasan Cavusoglu, and Jun Zhang. 2006. Economics of security patch management. In Proceedings of the Workshop on the Economics of Information Security (WEIS’06).Google ScholarGoogle Scholar
  13. Hasan Cavusoglu, Huseyin Cavusoglu, and Jun Zhang. 2008. Security patch management: Share the burden or share the damage? Manage. Sci. 54, 4 (2008), 657--670. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Kalyanmoy Deb, Amrit Pratap, Sameer Agarwal, and T. Meyarivan. 2000. A fast elitist multi-objective genetic algorithm: NSGA-II. IEEE Trans. Evol. Comput. 6, 2 (2000), 182--197. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Rinku Dewri, Nayot Poolsappasit, Indrajit Ray, and Darrell Whitley. 2007. Optimal security hardening using multi-objective optimization on attack tree models of networks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07). ACM, 204--213. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Rinku Dewri, Indrajit Ray, Nayot Poolsappasit, and Darrell Whitley. 2012. Optimal security hardening on attack tree models of networks: A cost-benefit analysis. Int. J. Inf. Secur. 11, 3 (2012), 167--188. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Gurpreet Dhillon and Gholamreza Torkzadeh. 2001. Value-focused assessment of information system security in organizations. In Proceedings of the International Conference on Information Systems (ICIS’01), Veda C. Storey, Sumit Sarkar, and Janice I. DeGross (Eds.). Association for Information Systems, 561--566.Google ScholarGoogle Scholar
  18. John P. Dickerson, Gerardo I. Simari, V. S. Subrahmanian, and Sarit Kraus. 2010. A graph-theoretic approach to protect static and moving targets from adversaries. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’10), Vol. 1. IFAAMAS, 299--306. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Karel Durkota, Viliam Lisy, Branislav Bošansky, and Christopher Kiekintveld. 2015. Optimal network security hardening using attack graph games. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI’15). AAAI Press, 526--532. http://dl.acm.org/citation.cfm?id=2832249.2832322. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Tobias Friedrich and Frank Neumann. 2014. Maximizing Submodular Functions under Matroid Constraints by Multi-objective Evolutionary Algorithms. Springer, 922--931.Google ScholarGoogle Scholar
  21. Parke Godfrey, Ryan Shipley, and Jarek Gryz. 2007. Algorithms and analyses for maximal vector computation. Int. J. VLDB 16, 1 (2007), 5--28. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Sergiu Hart. 1992. Games in extensive and strategic forms. In Handbook of Game Theory with Economic Applications (1 ed.), R. J. Aumann and S. Hart (Eds.). Vol. 1. Elsevier, 19--40.Google ScholarGoogle Scholar
  23. Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin. 2011. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In Proceedings of the 6th Annual International Conference on Information Warfare and Security 1 (2011), 80.Google ScholarGoogle Scholar
  24. Sushil Jajodia and Steven Noel. 2010. Topological vulnerability analysis. In Cyber Situational Awareness, Sushil Jajodia, Peng Liu, Vipin Swarup, and Cliff Wang (Eds.). Advances in Information Security, Vol. 46. Springer, 139--154.Google ScholarGoogle Scholar
  25. Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, and John Williams. 2011. Cauldron: Mission-centric cyber situational awareness with defense in depth. In Proceedings of the Military Communications Conference (MILCOM’11).Google ScholarGoogle ScholarCross RefCross Ref
  26. Sushil Jajodia, Paulo Shakarian, V. S. Subrahmanian, Vipin Swarup, and Cliff Wang (Eds.). 2015. Cyber Warfare—Building the Scientific Foundation. Advances in Information Security, Vol. 56. Springer. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Ralph L. Keeney. 1992. Value-Focused Thinking: A Path to Creative Decisionmaking/Ralph L. Keeney. Harvard University Press, Cambridge, MA, xvi, 416.Google ScholarGoogle Scholar
  28. Ralph L. Keeney. 1996. Value-focused thinking: Identifying decision opportunities and creating alternatives. Eur. J. Operat. Res. 92, 3 (1996), 537--549.Google ScholarGoogle ScholarCross RefCross Ref
  29. Christopher Kiekintveld, Manish Jain, Jason Tsai, James Pita, Fernando Ordóñez, and Milind Tambe. 2009a. Computing optimal randomized resource allocations for massive security games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’09). 689--696. http://dl.acm.org/citation.cfm?id=1558013.1558108. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Christopher Kiekintveld, Manish Jain, Jason Tsai, James Pita, Fernando Ordóñez, and Milind Tambe. 2009b. Computing optimal randomized resource allocations for massive security games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’09). 689--696. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Christopher Kiekintveld, Viliam Lisý, and Radek Píbil. 2015. Game-theoretic foundations for the strategic use of honeypots in network security. In Cyber Warfare—Building the Scientific Foundation. 81--101.Google ScholarGoogle Scholar
  32. A. Kim and M. H. Kang. 2011. Determining Asset Criticality for Cyber Defense. Retrieved from www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA550373.Google ScholarGoogle Scholar
  33. Levente Kocsis and Csaba Szepesvári. 2006. Bandit based monte-carlo planning. In Proceedings of the 17th European Conference on Machine Learning (ECML’06). Springer-Verlag, Berlin, 282--293. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Dmytro Korzhyk, Zhengyu Yin, Christopher Kiekintveld, Vincent Conitzer, and Milind Tambe. 2011. Stackelberg vs. nash in security games: An extended investigation of interchangeability, equivalence, and uniqueness. In Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS’10). 1139–1146.Google ScholarGoogle ScholarCross RefCross Ref
  35. Hsiang-Tsung Kung, Fabrizio Luccio, and Franco P. Preparata. 1975. On finding the maxima of a set of vectors. J. ACM 22, 4 (1975), 469--476. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Joshua Letchford and Yevgeniy Vorobeychik. 2013. Optimal interdiction of attack plans. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’13). 199--206. http://dl.acm.org/citation.cfm?id=2484920.2484955. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. R. P. Lippmann, J. F. Riordan, T. H. Yu, and K. K. Watson. 2012. Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics. Technical Report. DTIC Document.Google ScholarGoogle Scholar
  38. J. Lou, A. M. Smith, and Y. Vorobeychik. 2017. Multidefender security games. IEEE Intell. Syst. 32, 1 (Jan 2017), 50--60. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Kong-wei Lye and Jeannette M. Wing. 2005. Game strategies in network security. Int. J. Inf. Secur. 4, 1-2 (2005), 71--86. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Rebecca T. Mercuri. 2003. Analyzing security costs. Commun. ACM 46, 6 (2003), 15--18. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. J. Mirkovic and P. Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34, 2 (2004), 39--53. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. NIST. 2017. National Vulnerability Database. Retrieved from http://nvd.nist.gov.Google ScholarGoogle Scholar
  43. Praveen Paruchuri, Jonathan P. Pearce, Janusz Marecki, Milind Tambe, Fernando Ordonez, and Sarit Kraus. 2008. Playing games for security: An efficient exact algorithm for solving bayesian stackelberg games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’08). 895--902. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. James Pita, Manish Jain, Janusz Marecki, Fernando Ordóñez, Christopher Portway, Milind Tambe, Craig Western, Praveen Paruchuri, and Sarit Kraus. 2008. Deployed ARMOR protection: The application of a game theoretic model for security at the los angeles international airport. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’08). 125--132. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Nayot Poolsappasit, Rinku Dewri, and Indrajit Ray. 2012. Dynamic security risk management using bayesian attack graphs. IEEE Trans. Depend. Secur. Comput. 9, 1 (2012), 61--74. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Fabien Pouget and Marc Dacier. 2003. Honeypot, honeynet: A comparative survey. In Institut EurÃl’com.Google ScholarGoogle Scholar
  47. Chao Qian, Yang Yu, and Zhi-Hua Zhou. 2015. On constrained boolean pareto optimization. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI’15). AAAI Press, 389--395. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Edoardo Serra, Sushil Jajodia, Andrea Pugliese, Antonino Rullo, and V. S. Subrahmanian. 2015. Pareto-optimal adversarial defense of enterprise systems. ACM Trans. Inf. Syst. Secur. 17, 3, Article 11 (March 2015), 39 pages. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. Asaf Shabtai, Yuval Elovici, and Lior Rokach. 2012. Data leakage detection/prevention solutions. In A Survey of Data Leakage Detection and Prevention Solutions. Springer, 17--37.Google ScholarGoogle Scholar
  50. Paulo Shakarian, Damon Paulo, Massimiliano Albanese, and Sushil Jajodia. 2014. Keeping intrudors at large: A graph-theoretic approach to reducing the probability of successful network intrusions. In Proceedings of the International Conference on Security and Cryptography (SECRYPT’14). 19--30.Google ScholarGoogle Scholar
  51. K. G. Srinivasa. 2012. Application of Genetic Algorithms for Detecting Anomaly in Network Intrusion Detection Systems. Springer, Berlin, 582--591.Google ScholarGoogle Scholar
  52. Colin Tankard. 2011. Advanced persistent threats and how to monitor and deter them. Network Security 2011, 8, 16--19.Google ScholarGoogle ScholarCross RefCross Ref
  53. The MITRE Corporation. 2011. Common Weakness Scoring System (CWSS™). Retrieved from http://cwe.mitre.org/cwss/.Google ScholarGoogle Scholar
  54. Eduardo Viegas, Altair Olivo Santin, Andre Franca, Ricardo Jasinski, Volnei A. Pedroni, and Luiz S. Oliveira. 2017. Towards an energy-efficient anomaly-based intrusion detection engine for embedded systems. IEEE Trans. Comput. 66, 1 (2017), 163--177. Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. Darrell Whitley, Soraya Rana, and Robert B. Heckendorn. 1998. The island model genetic algorithm: On separability, population size and convergence. J. Comput. Inf. Technol. 7 (1998), 33--47.Google ScholarGoogle Scholar

Index Terms

  1. SHARE: A Stackelberg Honey-Based Adversarial Reasoning Engine

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          • Published in

            cover image ACM Transactions on Internet Technology
            ACM Transactions on Internet Technology  Volume 18, Issue 3
            Special Issue on Artificial Intelligence for Secruity and Privacy and Regular Papers
            August 2018
            314 pages
            ISSN:1533-5399
            EISSN:1557-6051
            DOI:10.1145/3185332
            • Editor:
            • Munindar P. Singh
            Issue’s Table of Contents

            Copyright © 2018 ACM

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 7 March 2018
            • Revised: 1 August 2017
            • Accepted: 1 August 2017
            • Received: 1 September 2016
            Published in toit Volume 18, Issue 3

            Permissions

            Request permissions about this article.

            Request Permissions

            Check for updates

            Qualifiers

            • research-article
            • Research
            • Refereed

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!