Abstract
A “noisy-rich” (NR) cyber-attacker (Lippmann et al. 2012) is one who tries all available vulnerabilities until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how NR-attackers will explore an enterprise network and how they will attack it, built on the concept of a system vulnerability dependency graph. We develop a mechanism by which the defender can modify the network to induce deception, placing honey nodes and apparent vulnerabilities into the network so as to minimize the expected impact of the NR-attacker’s attacks (according to multiple measures of impact). We also consider the case where the adversary learns from blocked attacks using reinforcement learning. We run detailed experiments with real network data (but with simulated attack data) and show that the Stackelberg Honey-based Adversarial Reasoning Engine (SHARE) performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. We also develop a method for the attacker to use reinforcement learning when his or her activities are stopped by the defender. We propose two stopping policies for the defender: Stop Upon Detection allows the attacker to learn about the defender’s strategy and (according to our experiments) leads to significant damage in the long run, whereas Stop After Delay introduces greater uncertainty for the attacker, leading to better defendability in the long run.
References
- L. Ablon, M. C. Libicki, and A. Golay. 2014. Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar. Technical Report. Retrieved from http://www.rand.org/pubs/research_reports/RR610.html.
- Palvi Aggarwal, Zahid Maqbool, Antra Grover, V. S. Pammi, Saumya Singh, and Varun Dutt. 2015. Cyber security: A game-theoretic analysis of defender and attacker strategies in defacing-website games. In Proceedings of the International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA'15). IEEE, 1--8.
- Tansu Alpcan and Tamer Başar. 2010. Network Security: A Decision and Game-Theoretic Approach (1st ed.). Cambridge University Press.
- Bo An, David Kempe, Christopher Kiekintveld, Eric Shieh, Satinder Singh, Milind Tambe, and Yevgeniy Vorobeychik. 2012. Security games with limited surveillance. In Proceedings of the Association for the Advancement of Artificial Intelligence Conference on Artificial Intelligence (AAAI'12). 1241--1248.
- Ning Bao and John Musacchio. 2009. Optimizing the decision to expel attackers from an information system. In Proceedings of the 47th Annual Allerton Conference on Communication, Control, and Computing. 644--651.
- Tamer Başar and Geert Jan Olsder. 1998. Dynamic Noncooperative Game Theory. SIAM.
- Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. 2002. Timing the application of security patches for optimal uptime. In Proceedings of the Large Installation System Administration Conference (LISA'02), Vol. 2. 233--242.
- Maya Bercovitch, Meir Renford, Lior Hasson, Asaf Shabtai, Lior Rokach, and Yuval Elovici. 2011. HoneyGen: An automated honeytokens generator. In Proceedings of the IEEE Conference on Intelligence and Security Informatics (ISI'11). IEEE, 131--136.
- Anita Borkar, Akshaya Salunke, Ankita Barabde, and N. P. Karlekar. 2011. Honeypot: A survey of technologies, tools and deployment. In Proceedings of the International Conference on Web Engineering and Technology (ICWET'11). ACM, New York, NY, 1357--1357.
- Jin-Yi Cai, Vinod Yegneswaran, Chris Alfeld, et al. 2009. An Attacker-Defender Game for Honeynets. Springer, Berlin, 7--16.
- R. M. Campbell, K. Padayachee, and T. Masombuka. 2015. A survey of honeypot research: Trends and opportunities. In Proceedings of the 10th International Conference for Internet Technology and Secured Transactions (ICITST'15). 208--212.
- Huseyin Cavusoglu, Hasan Cavusoglu, and Jun Zhang. 2006. Economics of security patch management. In Proceedings of the Workshop on the Economics of Information Security (WEIS'06).
- Hasan Cavusoglu, Huseyin Cavusoglu, and Jun Zhang. 2008. Security patch management: Share the burden or share the damage? Manage. Sci. 54, 4 (2008), 657--670.
- Kalyanmoy Deb, Amrit Pratap, Sameer Agarwal, and T. Meyarivan. 2000. A fast elitist multi-objective genetic algorithm: NSGA-II. IEEE Trans. Evol. Comput. 6, 2 (2000), 182--197.
- Rinku Dewri, Nayot Poolsappasit, Indrajit Ray, and Darrell Whitley. 2007. Optimal security hardening using multi-objective optimization on attack tree models of networks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07). ACM, 204--213.
- Rinku Dewri, Indrajit Ray, Nayot Poolsappasit, and Darrell Whitley. 2012. Optimal security hardening on attack tree models of networks: A cost-benefit analysis. Int. J. Inf. Secur. 11, 3 (2012), 167--188.
- Gurpreet Dhillon and Gholamreza Torkzadeh. 2001. Value-focused assessment of information system security in organizations. In Proceedings of the International Conference on Information Systems (ICIS'01), Veda C. Storey, Sumit Sarkar, and Janice I. DeGross (Eds.). Association for Information Systems, 561--566.
- John P. Dickerson, Gerardo I. Simari, V. S. Subrahmanian, and Sarit Kraus. 2010. A graph-theoretic approach to protect static and moving targets from adversaries. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS'10), Vol. 1. IFAAMAS, 299--306.
- Karel Durkota, Viliam Lisy, Branislav Bošansky, and Christopher Kiekintveld. 2015. Optimal network security hardening using attack graph games. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI'15). AAAI Press, 526--532. http://dl.acm.org/citation.cfm?id=2832249.2832322.
- Tobias Friedrich and Frank Neumann. 2014. Maximizing Submodular Functions under Matroid Constraints by Multi-objective Evolutionary Algorithms. Springer, 922--931.
- Parke Godfrey, Ryan Shipley, and Jarek Gryz. 2007. Algorithms and analyses for maximal vector computation. Int. J. VLDB 16, 1 (2007), 5--28.
- Sergiu Hart. 1992. Games in extensive and strategic forms. In Handbook of Game Theory with Economic Applications (1st ed.), R. J. Aumann and S. Hart (Eds.). Vol. 1. Elsevier, 19--40.
- Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin. 2011. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In Proceedings of the 6th Annual International Conference on Information Warfare and Security (2011), 80.
- Sushil Jajodia and Steven Noel. 2010. Topological vulnerability analysis. In Cyber Situational Awareness, Sushil Jajodia, Peng Liu, Vipin Swarup, and Cliff Wang (Eds.). Advances in Information Security, Vol. 46. Springer, 139--154.
- Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, and John Williams. 2011. Cauldron: Mission-centric cyber situational awareness with defense in depth. In Proceedings of the Military Communications Conference (MILCOM'11).
- Sushil Jajodia, Paulo Shakarian, V. S. Subrahmanian, Vipin Swarup, and Cliff Wang (Eds.). 2015. Cyber Warfare—Building the Scientific Foundation. Advances in Information Security, Vol. 56. Springer.
- Ralph L. Keeney. 1992. Value-Focused Thinking: A Path to Creative Decisionmaking. Harvard University Press, Cambridge, MA.
- Ralph L. Keeney. 1996. Value-focused thinking: Identifying decision opportunities and creating alternatives. Eur. J. Operat. Res. 92, 3 (1996), 537--549.
- Christopher Kiekintveld, Manish Jain, Jason Tsai, James Pita, Fernando Ordóñez, and Milind Tambe. 2009a. Computing optimal randomized resource allocations for massive security games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS'09). 689--696. http://dl.acm.org/citation.cfm?id=1558013.1558108.
- Christopher Kiekintveld, Manish Jain, Jason Tsai, James Pita, Fernando Ordóñez, and Milind Tambe. 2009b. Computing optimal randomized resource allocations for massive security games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS'09). 689--696.
- Christopher Kiekintveld, Viliam Lisý, and Radek Píbil. 2015. Game-theoretic foundations for the strategic use of honeypots in network security. In Cyber Warfare—Building the Scientific Foundation. Springer, 81--101.
- A. Kim and M. H. Kang. 2011. Determining Asset Criticality for Cyber Defense. Retrieved from www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA550373.
- Levente Kocsis and Csaba Szepesvári. 2006. Bandit based Monte-Carlo planning. In Proceedings of the 17th European Conference on Machine Learning (ECML'06). Springer-Verlag, Berlin, 282--293.
- Dmytro Korzhyk, Zhengyu Yin, Christopher Kiekintveld, Vincent Conitzer, and Milind Tambe. 2011. Stackelberg vs. Nash in security games: An extended investigation of interchangeability, equivalence, and uniqueness. In Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS'10). 1139--1146.
- Hsiang-Tsung Kung, Fabrizio Luccio, and Franco P. Preparata. 1975. On finding the maxima of a set of vectors. J. ACM 22, 4 (1975), 469--476.
- Joshua Letchford and Yevgeniy Vorobeychik. 2013. Optimal interdiction of attack plans. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS'13). 199--206. http://dl.acm.org/citation.cfm?id=2484920.2484955.
- R. P. Lippmann, J. F. Riordan, T. H. Yu, and K. K. Watson. 2012. Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics. Technical Report. DTIC Document.
- J. Lou, A. M. Smith, and Y. Vorobeychik. 2017. Multidefender security games. IEEE Intell. Syst. 32, 1 (Jan. 2017), 50--60.
- Kong-wei Lye and Jeannette M. Wing. 2005. Game strategies in network security. Int. J. Inf. Secur. 4, 1-2 (2005), 71--86.
- Rebecca T. Mercuri. 2003. Analyzing security costs. Commun. ACM 46, 6 (2003), 15--18.
- J. Mirkovic and P. Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34, 2 (2004), 39--53.
- NIST. 2017. National Vulnerability Database. Retrieved from http://nvd.nist.gov.
- Praveen Paruchuri, Jonathan P. Pearce, Janusz Marecki, Milind Tambe, Fernando Ordonez, and Sarit Kraus. 2008. Playing games for security: An efficient exact algorithm for solving Bayesian Stackelberg games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS'08). 895--902.
- James Pita, Manish Jain, Janusz Marecki, Fernando Ordóñez, Christopher Portway, Milind Tambe, Craig Western, Praveen Paruchuri, and Sarit Kraus. 2008. Deployed ARMOR protection: The application of a game theoretic model for security at the Los Angeles International Airport. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS'08). 125--132.
- Nayot Poolsappasit, Rinku Dewri, and Indrajit Ray. 2012. Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Depend. Secur. Comput. 9, 1 (2012), 61--74.
- Fabien Pouget and Marc Dacier. 2003. Honeypot, honeynet: A comparative survey. Institut Eurécom.
- Chao Qian, Yang Yu, and Zhi-Hua Zhou. 2015. On constrained Boolean Pareto optimization. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI'15). AAAI Press, 389--395.
- Edoardo Serra, Sushil Jajodia, Andrea Pugliese, Antonino Rullo, and V. S. Subrahmanian. 2015. Pareto-optimal adversarial defense of enterprise systems. ACM Trans. Inf. Syst. Secur. 17, 3, Article 11 (March 2015), 39 pages.
- Asaf Shabtai, Yuval Elovici, and Lior Rokach. 2012. Data leakage detection/prevention solutions. In A Survey of Data Leakage Detection and Prevention Solutions. Springer, 17--37.
- Paulo Shakarian, Damon Paulo, Massimiliano Albanese, and Sushil Jajodia. 2014. Keeping intruders at large: A graph-theoretic approach to reducing the probability of successful network intrusions. In Proceedings of the International Conference on Security and Cryptography (SECRYPT'14). 19--30.
- K. G. Srinivasa. 2012. Application of Genetic Algorithms for Detecting Anomaly in Network Intrusion Detection Systems. Springer, Berlin, 582--591.
- Colin Tankard. 2011. Advanced persistent threats and how to monitor and deter them. Network Security 2011, 8 (2011), 16--19.
- The MITRE Corporation. 2011. Common Weakness Scoring System (CWSS). Retrieved from http://cwe.mitre.org/cwss/.
- Eduardo Viegas, Altair Olivo Santin, Andre Franca, Ricardo Jasinski, Volnei A. Pedroni, and Luiz S. Oliveira. 2017. Towards an energy-efficient anomaly-based intrusion detection engine for embedded systems. IEEE Trans. Comput. 66, 1 (2017), 163--177.
- Darrell Whitley, Soraya Rana, and Robert B. Heckendorn. 1998. The island model genetic algorithm: On separability, population size and convergence. J. Comput. Inf. Technol. 7 (1998), 33--47.
SHARE: A Stackelberg Honey-Based Adversarial Reasoning Engine