A Game Theoretic Approach for Active Defense
Peng Liu, Lab. for Info. and Sys. Security, University of Maryland, Baltimore County, Baltimore, MD 21250
OASIS, March 2002
Evolution of Defensive Computing Systems
However, many existing defensive computing systems are passive!
Prevention - authentication, access control, inference control, information flows, encryption, keys, signatures, ...
Intrusion Detection - host-based, network-based, misuse detection, anomaly detection, ...
Survivability - assessment, repair, isolation, containment, replication, segmentation, masking, migration, quorums, voting, reconfiguration, ...
Many IDS are passive
• Static intrusion detection -- fixed IDS configuration
• Adaptive intrusion detection -- reactive but not active
– adapting IDS configuration to the changing environment
– most successful when new attacks follow the same trend
Passive -- the defense lags behind the offense.
Many existing intrusion tolerant systems are passive
(diagram: an intrusion tolerant system with a Tuner, receiving good accesses and attacks from the Environment)
• Reactive adaptations work well when the environment gradually changes following the same trend
• When the environment suddenly changes, the adaptation latency can be significant, during which the system is not stable and can perform very poorly
ITDB is passive
(ITDB architecture diagram; components: Mediator & Damage Container, Intrusion Detector, Repair manager, Tuner, database; labelled flows: authorized but malicious transactions, suspicious transactions, malicious transactions, isolation, merge, discard, assess, repair, alarms, trails)
Active Defense Systems
(diagram: an intrusion tolerant system with a Tuner receives good accesses from the Environment and is in a battle with an attacking system)
A game theoretic approach for active defense
(diagram: the intrusion tolerant system, Player 1, picks a defense strategy from its strategy space; the attacking system, Player 2, picks an attack strategy from its strategy space; the game is played over time and yields Payoff-1 (D, A) for the defender and Payoff-2 (D, A) for the attacker)
• The game should have multiple phases
• The simplest case should be repeated games
A simple game
• Rational players: maximum payoffs with minimum risks
• Rational prediction -- Nash equilibrium -- (confess, confess)
– player 1's predicted strategy is player 1's best response to the predicted strategy of player 2, and vice versa
– no single player wants to deviate from his or her predicted strategy

                         Prisoner 2
                     Deny        Confess
Prisoner 1  Deny     -1, -1      -9, 0
            Confess   0, -9      -6, -6

(payoffs listed as Prisoner 1, Prisoner 2; the slide marks (Confess, Confess) as the Nash equilibrium and also carries a "high risk" annotation)
A motivating example
(diagram: Merchant, Acquiring Bank, Fraud Detection, Issuing Bank with the Account information)
• credit card transactions
• fraud detection
– a profile for each card (customer)
– distance (transaction, profile) indicates the anomaly
– raising several levels of alarms based on the distance using a set of thresholds
• challenge -- how to
– minimize the fraud loss
– minimize the denial-of-service
Anomaly Detection System Specification
A game for active fraud defense (1)
Bayesian 2-player active defense game between the Fraud Detection System and the Customer
Types, probabilities and payoffs: the Customer is a Good guy with probability 1 - θ (payoff $u_{good}$) or a Bad guy with probability θ (payoff $u_{bad}$); the Fraud Detection System believes these probabilities, so its expected payoff is
$u_{ads} = (1 - \theta)\, u_{ads,good} + \theta\, u_{ads,bad}$
A game for active fraud defense (2)
• Assumption: the profile of each customer is simply specified by the transaction amount
$u_{good} = \begin{cases} 0 & \text{if } |amount - Pi| \le TH \\ -DoS(amount) & \text{if } |amount - Pi| > TH \end{cases}$

$u_{bad} = \begin{cases} amount & \text{if } |amount - Pi| \le TH \\ 0 & \text{if } |amount - Pi| > TH \end{cases}$

$u_{ads,good} = \begin{cases} b \cdot TH & \text{if } |amount - Pi| \le TH \\ 0 & \text{if } |amount - Pi| > TH \end{cases}$

$u_{ads,bad} = \begin{cases} -amount & \text{if } |amount - Pi| \le TH \\ 0 & \text{if } |amount - Pi| > TH \end{cases}$
Attack Prediction Game
A naïve approach
• Assumption: the attacker knows Pi
• The Nash Equilibrium is:
– when b = 0
• the FDS's strategy is: TH = 0
• the good guy's strategy is: amount = Pi
• the bad guy's strategy is: amount = Pi
– when b > 0
• there is no (pure strategy) Nash equilibrium
• since the FDS wants to outguess the bad guy and vice versa
However, Pi is usually not completely known to the bad guy!
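As an added example (not from the slides), the naive game of slides 12 to 14 on an integer grid of amounts and thresholds 0..CL: the bad guy earns the amount when it passes the threshold check, and the FDS earns (1 - θ)·b·TH from the bandwidth reward and loses θ·amount when fraud passes, the form of the TH* objective on slide 15. The discrete grid, the sign conventions and the parameter values are assumptions; the run reproduces the b = 0 equilibrium (TH = 0, amount = Pi) and shows that for a small b > 0 no pure equilibrium exists because the best responses cycle.

```python
"""Pure equilibria and best-response cycles of the naive fraud game (added example)."""


def u_bad(th, amount, pi):
    """Attacker's payoff: the amount if it is within TH of the profile Pi, else 0."""
    return amount if abs(amount - pi) <= th else 0


def u_fds(th, amount, pi, theta, b):
    """FDS expected payoff: bandwidth reward b*TH from the good type (prob. 1-theta)
    minus the amount lost to the bad type (prob. theta) when its amount passes."""
    return (1 - theta) * b * th - theta * u_bad(th, amount, pi)


def attacker_best_responses(th, pi, cl):
    """All amounts in 0..cl that maximize the attacker's payoff against TH."""
    payoffs = [u_bad(th, a, pi) for a in range(cl + 1)]
    best = max(payoffs)
    return [a for a, u in enumerate(payoffs) if u == best]


def fds_best_responses(amount, pi, theta, b, cl):
    """All thresholds in 0..cl that maximize the FDS payoff against an amount."""
    payoffs = [u_fds(th, amount, pi, theta, b) for th in range(cl + 1)]
    best = max(payoffs)
    return [th for th, u in enumerate(payoffs) if u == best]


def pure_equilibria(pi, theta, b, cl):
    """(TH, amount) pairs in which each side is a best response to the other."""
    return [(th, a) for th in range(cl + 1)
            for a in attacker_best_responses(th, pi, cl)
            if th in fds_best_responses(a, pi, theta, b, cl)]


def best_response_path(pi, theta, b, cl, steps):
    """Alternate best responses starting from TH = 0 (lowest value on ties);
    with b > 0 the FDS keeps dropping TH just below the attacker's distance
    and the attacker keeps moving back inside it: the outguessing cycle."""
    th, path = 0, []
    for _ in range(steps):
        a = attacker_best_responses(th, pi, cl)[0]
        th = fds_best_responses(a, pi, theta, b, cl)[0]
        path.append((a, th))
    return path


if __name__ == "__main__":
    # Constructed parameters: Pi = 50, theta = 0.05, CL = 100 (credit limit).
    print(pure_equilibria(50, 0.05, 0.0, 100))    # b = 0
    print(pure_equilibria(50, 0.05, 0.06, 100))   # small b > 0
    print(best_response_path(50, 0.05, 0.06, 100, 6))
```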
A probabilistic approach
• Assumption: the attacker only knows a distribution of Pi, e.g., a normal distribution
• The Nash Equilibrium (TH*, Ag*, Ab*) must satisfy:
$|Ag^* - Pi| \le TH^*$
$Ab^* = \arg\max_{Ab} \int_{r_1}^{r_2} f(x)\,dx$, where $r_1 = \max(0, Ab - TH^*)$ and $r_2 = \min(Ab + TH^*, CL)$
$TH^* = \arg\max_{TH} (1 - \theta) \cdot b \cdot TH - \theta \cdot Ab^* \cdot h(Ab^*, Pi, TH)$
However, when b is very small, $TH^*$ is determined by $|Ab^* - Pi|$
(diagram: number line from 0 to CL with Pi marked, and the attack window of width 2TH around Ab*)
Adding more uncertainty
• Motivation: in many cases, the FDS is uncertain about the attacker's strategy
• Assumption: the attacker's strategy is randomly distributed over an attack window [X, X+B] where B is fixed
• The results are:
(diagram: number line from 0 to CL with Pi marked and the attack window [X, X+B])
Question: which X is best for the bad guy?
Preliminary results (1)
Figure 1: The relationship between the attacker's strategy and ADS strategy, given different attacking ranges
(plot: x axis Threshold, 0 to 100; y axis Attacker strategy, 0 to 90; series B=20, B=40, B=60)
Preliminary results (2)
Figure 2b: The relationship between normal user's profile and IDS strategy, given different bandwidth rewards (B=40, Sita=0.05)
(plot: x axis User profile, 0 to 100; y axis ADS Threshold, -20 to 100; series bandwidth=0.001, bandwidth=0.06, bandwidth=0.2)
Preliminary results (3)
Figure 3b: The relationship between normal user's profile and attacker strategy, given different bandwidth rewards (B=40, Sita=0.05)
(plot: x axis User profile, 0 to 100; y axis Attacker Strategy, 0 to 80; series bandwidth=0.001, bandwidth=0.06, bandwidth=0.2)
Preliminary results (4)
Figure 4b: The relationship between normal user's profile and attacker success rate, given different bandwidth rewards (B=40, Sita=0.05)
(plot: x axis User profile, 0 to 100; y axis Attacker success rate, 0 to 1; series bandwidth=0.001, bandwidth=0.06, bandwidth=0.2)
The impact on false alarm rate and detection rate
• The false alarm rate is dependent on the behavior of the good guy
– If the good guy takes Nash strategies, the false alarm rate is 0
• The detection rate can be predicted using the Nash Equilibrium
• Since in many practical defense systems there is incomplete information to compute the Nash Equilibrium, the false alarm rate is usually not zero, and the detection rate can only be approximately predicted
Suggestions to card holders
• Have multiple cards
• Each card has converged usage
Broader Attack Prediction Applications
(diagram of the Attack Space: known types of attacks versus new types of attacks, split into valuable games and not valuable games, with new attacks marked)
Example 1: new attacks
• There is a game for each new attack, however,
– the attacker knows a lot about it but the defender knows very little
– the attacker knows a lot about the Nash equilibrium, but the defender does not know
– the attacker will not inform the defender what he or she knows
• As a result, the attacker can exploit the nature of asymmetric information sharing to win more!
• The defender can start to play the game only after the new attack happens
Example 2: code red
(payoffs listed as Attacker, Web server)

                          Web server
                      Patch       None
Attacker  Code Red    0, -1      10, -10
          None        0, -1       0, 0

(the slide marks a Nash equilibrium on this table)

                          Web server
                      Patch       None
Attacker  Code Red   -5, -1       5, -10
          None        0, -1       0, 0

High probability of being captured
Low probability of being captured
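As an added example (not from the slides), the two Code Red matrices above and the prisoner's dilemma of slide 8 encoded as bimatrix games, with a pure-strategy equilibrium check and, for 2x2 games, the mixed equilibrium obtained by making each player indifferent. The matrix names are assumptions: they describe the attacker's cost when the server is patched, not the capture-probability labels on the slide.

```python
"""Nash equilibria of the 2x2 games on the slides (added example).
A game is (rows, cols, payoff) with payoff[(row, col)] = (row player, column player)."""
from fractions import Fraction
from itertools import product

PRISONERS_DILEMMA = (("Deny", "Confess"), ("Deny", "Confess"), {
    ("Deny", "Deny"): (-1, -1), ("Deny", "Confess"): (-9, 0),
    ("Confess", "Deny"): (0, -9), ("Confess", "Confess"): (-6, -6)})
# Slide 25, first matrix: attacking a patched server costs the attacker nothing.
CODE_RED_NO_ATTACK_COST = (("Code Red", "None"), ("Patch", "None"), {
    ("Code Red", "Patch"): (0, -1), ("Code Red", "None"): (10, -10),
    ("None", "Patch"): (0, -1), ("None", "None"): (0, 0)})
# Slide 25, second matrix: attacking a patched server costs the attacker 5.
CODE_RED_ATTACK_COST = (("Code Red", "None"), ("Patch", "None"), {
    ("Code Red", "Patch"): (-5, -1), ("Code Red", "None"): (5, -10),
    ("None", "Patch"): (0, -1), ("None", "None"): (0, 0)})


def pure_nash(game):
    """Profiles in which neither player gains by deviating unilaterally."""
    rows, cols, u = game
    return [(r, c) for r, c in product(rows, cols)
            if all(u[(r2, c)][0] <= u[(r, c)][0] for r2 in rows)
            and all(u[(r, c2)][1] <= u[(r, c)][1] for c2 in cols)]


def mixed_nash_2x2(game):
    """(p, q): the row player plays rows[0] with probability p and the column
    player plays cols[0] with probability q, each making the other indifferent.
    Returns None when no such probabilities lie in [0, 1] (dominant strategies)."""
    (r0, r1), (c0, c1), u = game
    a = {k: (Fraction(v[0]), Fraction(v[1])) for k, v in u.items()}
    # Column player indifferent between c0 and c1 when the row player mixes p on r0.
    dp = (a[r0, c0][1] - a[r1, c0][1]) - (a[r0, c1][1] - a[r1, c1][1])
    # Row player indifferent between r0 and r1 when the column player mixes q on c0.
    dq = (a[r0, c0][0] - a[r0, c1][0]) - (a[r1, c0][0] - a[r1, c1][0])
    if dp == 0 or dq == 0:
        return None
    p = (a[r1, c1][1] - a[r1, c0][1]) / dp
    q = (a[r1, c1][0] - a[r0, c1][0]) / dq
    return (p, q) if 0 <= p <= 1 and 0 <= q <= 1 else None


if __name__ == "__main__":
    for name, game in [("prisoner's dilemma", PRISONERS_DILEMMA),
                       ("Code Red, no attack cost", CODE_RED_NO_ATTACK_COST),
                       ("Code Red, attack cost", CODE_RED_ATTACK_COST)]:
        print(name, pure_nash(game), mixed_nash_2x2(game))
```

With the attack cost present, the only equilibrium is mixed: the attacker launches Code Red with probability 1/10 and the web server patches with probability 1/2, which is the rational prediction the defender can plan against.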
Potential impact
• Nash equilibria are rational predictions for attacks
• Nash equilibrium can guide better defensive system design
Questions?
Thank you!