Game Strategies in Network Security

1
Game Strategies in Network Security
  • Kong-wei Lye (1), Jeannette M. Wing (2)
  • (1) Department of Electrical and Computer
    Engineering, Carnegie Mellon University
  • (2) Computer Science Department, Carnegie Mellon
    University
  • Int. Journal Inf. Security (2005) 4, 71-86
  • Presented by Franson, C.W. Chen

2
Agenda
  • Introduction
  • Networks as stochastic games
  • Nash Equilibrium
  • Attack and response scenarios
  • Nash equilibria results
  • Discussion
  • Conclusions and future work

3
Introduction (1/3)
  • Government agencies, banks, retailers, schools,
    and a growing number of goods and service
    providers today all use the Internet as an
    integral way of conducting their daily business.
    Individuals, good or bad, can also easily connect
    to the Internet.
  • Security specialists have long been interested in
    knowing what an intruder can do to a computer
    network and what can be done to prevent or
    counteract attacks.

4
Introduction (2/3)
(Figure: example network diagram; labels on the slide: Access, Remote administration, Private, Public)
5
Introduction (3/3)
  • For our illustration purposes, we assume that the
    firewall rules are lax and the operating systems
    are insufficiently hardened.
  • It is thus possible for an attacker to succeed in
    several different attacks.
  • This setup would be the game board for the
    attacker and the administrator.

6
Networks as stochastic games
7
Networks as stochastic games
  • Game theory has been used in many other problems
    involving attackers and defenders.
  • The attacker can gain rewards, and the
    administrator can suffer damages.
  • We can model a team of attackers at different
    locations as a single omnipresent attacker, and
    similarly for the defenders.

8
Stochastic game model (1/2)
9
Stochastic game model (2/2)
  • High discount factor: the player is concerned
    about rewards far into the future. An attacker
    with a long-term objective plans well and takes
    into consideration what damage he can do not only
    at present but far into the future.
  • Low discount factor: the player is only concerned
    about rewards in the immediate future. An
    attacker with a short-term objective is only
    concerned about causing damage at the present
    time.

10
Network state (1/3)
  • A node in the graph is a physical entity.
  • An edge in the graph represents a direct
    communication path.
  • We model the external world as a single computer
    (node E) and represent the Web server, file
    server, and workstation by nodes W, F, and N.

11
Network state (2/3): Node state
  • Each node X (where X ∈ {E, W, F, N}) has a node
    state n_X = <P, a, d> to represent information
    about hardware and software configurations.
  • P ⊆ {f, h, n, p, s, v, d}: the set of services and
    programs present on the node (as used in the
    scenario slides: f = ftpd, h = httpd, n = nfsd,
    p = user processes, s = sniffer, v = virus,
    d = sniffer detector).
  • a ∈ {u, c}: user accounts uncompromised or
    compromised.
  • d ∈ {c, i}: data corrupted or intact.

12
Network state (3/3): Traffic state
  • The traffic state t = <l_XY>, where X, Y ∈
    {E, W, F, N}, captures the traffic information
    for the whole network.
  • l_XY ∈ {0, 1/3, 2/3, 1} indicates the load
    carried on the link between nodes X and Y. A
    value of 1 indicates maximum capacity.
  • The full state space in our example has a size of
    |n_W| × |n_F| × |n_N| × |t| = (128 × 2 × 2)^3 × 4^4
    = 2^35 ≈ 32 billion states (128 = 2^7 subsets of
    P), but only 18 states are relevant to our
    application here.
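The node and traffic state notation above, parsed and validated in Python as an added example (not code from the paper or the presenter). parse_state, state_space_size and findings are names chosen for this example, and the order of the four links in the traffic tuple (E-W, W-F, W-N, F-N) is an assumption, since the slides do not state which links the tuple lists. The state space count reproduces the slide's (128 × 2 × 2)^3 × 4^4 = 2^35.

```python
"""Network state model from the slides, as an added example (not the paper's code).
A full state is written <<n_W, n_F, n_N> t>: one node state per internal host plus the
traffic state.  n_X = <P, a, d> with P a subset of {f, h, n, p, s, v, d}, a in {u, c}
(accounts uncompromised/compromised), d in {c, i} (data corrupted/intact).  t lists
four link loads, each in {0, 1/3, 2/3, 1}; the link order below is an assumption."""
from dataclasses import dataclass
from fractions import Fraction
import re

SERVICES = frozenset("fhnpsvd")       # ftpd, httpd, nfsd, user processes, sniffer, virus, detector
LOADS = {Fraction(0), Fraction(1, 3), Fraction(2, 3), Fraction(1)}
NODES = ("W", "F", "N")                # Web server, file server, workstation
LINKS = ("E-W", "W-F", "W-N", "F-N")   # assumed order of the four loads in the traffic tuple


@dataclass(frozen=True)
class NodeState:
    services: frozenset  # P: programs and services present on the node
    account: str         # a: 'u' uncompromised, 'c' compromised
    data: str            # d: 'i' intact, 'c' corrupted

    def __post_init__(self):
        if not self.services <= SERVICES:
            raise ValueError(f"unknown service in {sorted(self.services)}")
        if self.account not in ("u", "c") or self.data not in ("i", "c"):
            raise ValueError("account must be u/c and data must be i/c")


@dataclass(frozen=True)
class NetworkState:
    nodes: tuple    # (n_W, n_F, n_N)
    traffic: tuple  # four link loads as Fractions, in LINKS order


NODE_RE = re.compile(r"<\(([a-z,]*)\),([uc]),([ci])>")
TRAFFIC_RE = re.compile(r"<((?:[0-9/]+,){3}[0-9/]+)>")


def parse_state(text):
    """Parse the slides' notation, e.g. '<<(f,h),c,c>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>>'."""
    nodes = tuple(NodeState(frozenset(p.split(",")) - {""}, a, d)
                  for p, a, d in NODE_RE.findall(text))
    if len(nodes) != len(NODES):
        raise ValueError(f"expected {len(NODES)} node states, found {len(nodes)}")
    m = TRAFFIC_RE.search(text)
    if m is None:
        raise ValueError("missing traffic state")
    loads = tuple(Fraction(x) for x in m.group(1).split(","))
    if any(load not in LOADS for load in loads):
        raise ValueError(f"link load outside {sorted(LOADS)}")
    return NetworkState(nodes, loads)


def state_space_size():
    """|n_W| * |n_F| * |n_N| * |t| = (2^7 * 2 * 2)^3 * 4^4 = 2^35, the slide's '32 billion'."""
    per_node = 2 ** len(SERVICES) * 2 * 2
    return per_node ** len(NODES) * len(LOADS) ** len(LINKS)


def findings(state):
    """What a defender would want flagged in a state: compromised accounts, corrupted
    data, attacker tooling (sniffer s, virus v) and links running at capacity."""
    out = []
    for name, n in zip(NODES, state.nodes):
        if n.account == "c":
            out.append(f"{name}: account compromised")
        if n.data == "c":
            out.append(f"{name}: data corrupted")
        for tool, label in (("s", "sniffer"), ("v", "DoS virus")):
            if tool in n.services:
                out.append(f"{name}: {label} present")
    for link, load in zip(LINKS, state.traffic):
        if load == 1:
            out.append(f"{link}: link at maximum capacity")
    return out


if __name__ == "__main__":
    defaced = parse_state("<<(f,h),c,c>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>>")
    print(findings(defaced))    # ['W: account compromised', 'W: data corrupted']
    print(state_space_size())   # 34359738368
```

The parser accepts the state strings exactly as they appear on the scenario slides, so the 18 relevant states can be typed in and checked for well-formedness before they are used as game states.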

13
Actions (1/2)
  • An action pair (one from the attacker and one
    from the administrator) causes the system to move
    from one state to another in a probabilistic
    manner.
  • Attacker's actions: Attack_httpd, Attack_ftpd,
    Continue_attacking, Deface_website_leave,
    Install_sniffer, Run_DoS_virus,
    Crack_file_server_root_password,
    Crack_workstation_root_password, Capture_data,
    Shutdown_network, ø (where ø denotes inaction).

14
Actions (2/2)
  • Administrator's actions:
    Remove_compromised_account_restart_httpd,
    Restore_website_remove_compromised_account,
    Remove_virus_and_compromised_account,
    Install_sniffer_detector, Remove_sniffer_detector,
    Remove_compromised_account_restart_ftpd,
    Remove_compromised_account_sniffer, ø.

15
State transition probabilities
  • This paper assigns state transition probabilities
    based on the intuition and experience of our
    network manager. In practice, case studies,
    statistics, simulations, and knowledge
    engineering can provide the required
    probabilities.
  • When the network is in state Normal_operation and
    neither the attacker nor administrator takes any
    action, it will tend to stay in the same state.

16
Costs and rewards
  • There are costs (negative values) and rewards
    (positive values) associated with the actions of
    the administrator and attacker.
  • The reward for an attacker's action is mostly
    defined in terms of the amount of effort the
    administrator has to make to bring the network
    from one state to another.
  • There are also some transitions in which the cost
    to the administrator is not the same magnitude as
    the reward to the attacker.

17
Nash Equilibrium
18
Notations (1/4)
19
Notations (2/4)
20
Notations (3/4)
21
Notations (4/4)
22
Nash Equilibrium
  • At this equilibrium, there is no mutual incentive
    for either one of the players to deviate from
    their equilibrium strategies.
  • Every general-sum discounted stochastic game has
    at least one Nash equilibrium in stationary
    strategies.

23
Nonlinear Programming (1/3)
24
Nonlinear Programming (2/3)
25
Nonlinear Programming (3/3)
A solution to NLP-1 that minimizes its objective
function to 0 is a Nash solution of the game.
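The discount factor slide (slide 9), the transition probability and cost/reward slides, and the NLP-1 condition just stated (objective 0 means no profitable deviation) worked through on a small constructed game, as an added example that is not the paper's MATLAB implementation of NLP-1. The game keeps the deface and data-theft scenario edges with the slides' transition probabilities and attacker rewards (10, 99, 10, 50, 999, the administrator's -99 for restoring the site); the administrator's -10 cost at Httpd_hacked, the rule that a recovery action pre-empts the attacker's move in the same step, and the absorbing data-stolen state are assumptions of this example, as are the function names evaluate, nash_gap and attacker_best_response. nash_gap computes the slack of NLP-1's constraints at the policy-evaluated values, which is 0 exactly for a Nash pair; attacker_best_response shows the discount factor effect: against an idle administrator, beta = 0.2 makes the attacker prefer the immediate 99 for defacing, while beta = 0.9 makes the sniffer path to the 999 data capture worth more.

```python
"""Toy general-sum stochastic game assembled from the deface and data-theft scenario
slides, as an added example (not the paper's MATLAB implementation of NLP-1).  Edge
probabilities and attacker rewards are the slides' where they exist; the -10 clean-up
cost, the pre-emption rule and the absorbing data-stolen state are assumptions.
GAME[state][(attacker_action, admin_action)] = [(prob, next_state, attacker_reward, admin_reward), ...]
"""
N, A, H, D, S, K, T = ("Normal_operation", "Httpd_attacked", "Httpd_hacked", "Website_defaced",
                       "Webserver_sniffer", "Workstation_hacked", "Workstation_data_stolen_1")
O = "ø"  # inaction, as on the slides
REMOVE = "Remove_compromised_account_restart_httpd"
RESTORE = "Restore_website_remove_compromised_account"
GAME = {
    N: {("Attack_httpd", O): [(1.0, A, 10, 0)], (O, O): [(1.0, N, 0, 0)]},
    A: {("Continue_attacking", O): [(0.5, H, 0, 0), (0.5, A, 0, 0)], (O, O): [(1.0, A, 0, 0)]},
    H: {("Deface_website_leave", O): [(1.0, D, 99, -99)],
        ("Install_sniffer", O): [(0.5, S, 10, 0), (0.5, H, 0, 0)],
        (O, O): [(1.0, H, 0, 0)],
        # assumed: the clean-up (cost -10) wins the step whatever the attacker tries
        **{(x, REMOVE): [(1.0, N, 0, -10)] for x in ("Deface_website_leave", "Install_sniffer", O)}},
    D: {(O, RESTORE): [(1.0, N, 0, -99)], (O, O): [(1.0, D, 0, 0)]},
    S: {("Crack_workstation_root_pw", O): [(0.9, K, 50, 0), (0.1, S, 0, 0)], (O, O): [(1.0, S, 0, 0)]},
    K: {("Capture_data", O): [(1.0, T, 999, -999)], (O, O): [(1.0, K, 0, 0)]},
    T: {(O, O): [(1.0, T, 0, 0)]},  # assumed absorbing: nothing undoes the theft
}


def action_sets(state):
    """(attacker actions, administrator actions) available in `state`."""
    return sorted({a for a, _ in GAME[state]}), sorted({b for _, b in GAME[state]})


def expected(state, mix1, mix2, v1, v2, beta):
    """One-step expected discounted payoff (attacker, administrator) at `state` when the
    players mix over actions as mix1/mix2 and the continuation values are v1/v2."""
    e1 = e2 = 0.0
    for (a, b), outcomes in GAME[state].items():
        w = mix1.get(a, 0.0) * mix2.get(b, 0.0)
        for p, nxt, r1, r2 in outcomes:
            e1 += w * p * (r1 + beta * v1[nxt])
            e2 += w * p * (r2 + beta * v2[nxt])
    return e1, e2


def evaluate(pi1, pi2, beta, tol=1e-10):
    """Policy evaluation: both players' discounted state values under stationary (pi1, pi2)."""
    v1, v2 = {s: 0.0 for s in GAME}, {s: 0.0 for s in GAME}
    for _ in range(100_000):
        step = {s: expected(s, pi1[s], pi2[s], v1, v2, beta) for s in GAME}
        delta = max(abs(step[s][0] - v1[s]) + abs(step[s][1] - v2[s]) for s in GAME)
        v1, v2 = {s: step[s][0] for s in GAME}, {s: step[s][1] for s in GAME}
        if delta < tol:
            break
    return v1, v2


def nash_gap(pi1, pi2, beta):
    """Slack of NLP-1's constraints at the evaluated values: for every state and player,
    how much the best pure one-shot deviation beats the candidate strategy.  A total of 0
    means neither player can gain by deviating, i.e. (pi1, pi2) is a Nash equilibrium."""
    v1, v2 = evaluate(pi1, pi2, beta)
    gap = 0.0
    for s in GAME:
        acts1, acts2 = action_sets(s)
        cur1, cur2 = expected(s, pi1[s], pi2[s], v1, v2, beta)
        best1 = max(expected(s, {a: 1.0}, pi2[s], v1, v2, beta)[0] for a in acts1)
        best2 = max(expected(s, pi1[s], {b: 1.0}, v1, v2, beta)[1] for b in acts2)
        gap += (best1 - cur1) + (best2 - cur2)
    return gap


def attacker_best_response(pi2, beta, tol=1e-10):
    """Against a fixed administrator strategy the attacker faces an MDP; value iteration
    returns his state values and greedy pure policy.  beta decides whether the immediate
    99 for defacing or the delayed 999 for captured data looks better from Httpd_hacked."""
    v1, v2 = {s: 0.0 for s in GAME}, {s: 0.0 for s in GAME}  # v2 never influences the attacker
    for _ in range(100_000):
        new = {s: max(expected(s, {a: 1.0}, pi2[s], v1, v2, beta)[0] for a in action_sets(s)[0])
               for s in GAME}
        delta = max(abs(new[s] - v1[s]) for s in GAME)
        v1 = new
        if delta < tol:
            break
    policy = {s: max(action_sets(s)[0], key=lambda a: expected(s, {a: 1.0}, pi2[s], v1, v2, beta)[0])
              for s in GAME}
    return v1, policy


def pure(choices):
    """Stationary pure strategy: the chosen action per state, inaction elsewhere."""
    return {s: {choices.get(s, O): 1.0} for s in GAME}


ADMIN_PASSIVE = pure({})  # constructed baseline: the administrator never responds
ADMIN_EQ = pure({H: REMOVE})
ATTACKER_EQ = pure({N: "Attack_httpd", A: "Continue_attacking", H: "Deface_website_leave",
                    S: "Crack_workstation_root_pw", K: "Capture_data"})

if __name__ == "__main__":
    for beta in (0.2, 0.9):  # short-term vs long-term attacker
        print(beta, attacker_best_response(ADMIN_PASSIVE, beta)[1][H])
    print(nash_gap(ATTACKER_EQ, ADMIN_PASSIVE, 0.9), nash_gap(ATTACKER_EQ, ADMIN_EQ, 0.9))
```

Because each player's stationary strategy turns the other player's problem into a discounted MDP, checking pure one-shot deviations at every state is sufficient: (ATTACKER_EQ, ADMIN_EQ) has zero gap, while the same attacker strategy against a passive administrator is not an equilibrium (the administrator gains by cleaning up at Httpd_hacked, and the attacker gains by switching to the sniffer path). Replacing the constructed numbers with measured ones is exactly the knowledge-engineering step the transition probability slide asks for.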
26
Attack and response scenarios
27
Deface Web site
(States are written <<n_W, n_F, n_N> t> with n_X = <P, a, d>; each edge is labelled "action, transition probability, attacker reward".)
Normal_operation  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Attack_httpd, 1, 10
Httpd_attacked  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Continue_attacking, 0.5, 0
Httpd_hacked  <<(f),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Continue_attacking, 0.5, 0
  Deface_website_leave, 1, 99
Website_defaced  <<(f,h),c,c>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
28
Denial of Service
Webserver_sniffer  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Run_DoS_virus, 1, 30
Webserver_DoS_1  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,2/3,1/3,2/3>>
  ø, 0.8, 30
Webserver_DoS_2  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1,1/3,1>>
  ø, 0.8, 30
Network_shut_down  <<(s,v),c,i>, <(),u,i>, <(),u,i> <0,0,0,0>>
29
Stealing confidential data
Normal_operation  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Attack_ftpd, 1, 10
Ftpd_attacked  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Continue_attacking, 0.5, 0
Ftpd_hacked  <<(h),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Continue_attacking, 0.5, 0
  Install_sniffer, 0.5, 10
Webserver_sniffer  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
30
Stealing confidential data
Webserver_sniffer  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Crack_workstation_root_pw, 0.9, 50
Workstation_hacked  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,i> <1/3,1/3,1/3,1/3>>
  Capture_data, 1, 999
Workstation_data_stolen_1  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,c> <1/3,1/3,1/3,1/3>>
  Shutdown_network, 1, 60
Network_shut_down  <<(s,v),c,i>, <(),u,i>, <(),c,c> <0,0,0,0>>
31
Recovery (Scenario 1, 2)
(Each edge is labelled "administrator action, transition probability, administrator reward"; the recovery actions lead back to Normal_operation.)
Normal_operation  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Remove_virus_and_compromised_account, 1, -30
  Restore_website_remove_compromised_account, 1, -99
Webserver_DoS_1  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,2/3,1/3,2/3>>
Website_defaced  <<(f,h),c,c>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  Remove_virus_and_compromised_account, 1, -60
Webserver_DoS_2  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1,1/3,1>>
32
Recovery (Scenario 3)
Workstation_data_stolen_1  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,c> <1/3,1/3,1/3,1/3>>
  Remove_sniffer_and_compromised_account, 1, -20
Workstation_data_stolen_2  <<(f,h),c,i>, <(f,n),u,i>, <(p),u,c> <1/3,1/3,1/3,1/3>>
Important data have been stolen, and no action
allows the administrator to undo this situation.
33
Recovery (Ftpd_attack)
Ftpd_attacked_detector  <<(f,h,d),u,i>, <(f,n),u,i>, <(p),u,i> <2/3,2/3,1/3,1/3>>
  Install_sniffer_detector, 0.5, -10
Ftpd_attacked  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
Ftpd_hacked  <<(h),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
  ø, 0.5, -10
  Install_sniffer_detector, 0.5, -10
Webserver_sniffer_detector  <<(f,h,s,d),c,i>, <(f,n),u,i>, <(p),u,i> <1/3,1/3,1/3,1/3>>
34
Nash equilibria results
35
  • We implemented the nonlinear program mentioned
    above (NLP-1) in MATLAB.
  • The players take actions only at discrete time
    instants.
  • We add the inaction ø to the action set for such
    a state so that the action sets are all of the
    same cardinality.

36
First Nash Equilibrium
No. | State | Attacker strategy (action 1, 2, 3) | Administrator strategy (action 1, 2, 3) | Attacker state value | Administrator state value
1 Normal_operation 1.00 0.00 0.00 0.33 0.33 0.33 210.2 206.8
2 Httpd_attacked 1.00 0.00 0.00 0.33 0.33 0.33 202.2 191.1
3 Ftpd_attacked 0.65 0.00 0.35 1.00 0.00 0.00 176.9 189.3
4 Ftpd_attacked_detector 0.40 0.12 0.48 0.93 0.07 0.00 165.8 173.8
5 Httpd_hacked 0.33 0.10 0.57 0.67 0.19 0.14 197.4 206.4
6 Ftpd_hacked 0.12 0.00 0.88 0.96 0.00 0.04 204.8 203.5
7 Website_defaced 0.33 0.33 0.33 0.33 0.33 0.33 80.4 80.0
8 Webserver_sniffer 0.00 0.50 0.50 0.33 0.33 0.34 716.3 715.1
9 Webserver_sniffer_detector 0.34 0.33 0.33 1.00 0.00 0.00 148.2 185.4
10 Webserver_DOS_1 0.33 0.33 0.33 1.00 0.00 0.00 106.7 106.1
11 Webserver_DOS_2 0.34 0.33 0.33 1.00 0.00 0.00 96.5 96.0
12 Network_shutdown 0.33 0.33 0.33 0.33 0.33 0.33 80.4 80.0
13 Fileserver_hacked 1.00 0.00 0.00 0.35 0.34 0.31 1065.5 1049.2
14 Fileserver_data_stolen_1 1.00 0.00 0.00 1.00 0.00 0.00 94.4 74.0
15 Workstation_hacked 1.00 0.00 0.00 0.31 0.32 0.37 1065.5 1049.2
16 Workstation_data_stolen_1 1.00 0.00 0.00 1.00 0.00 0.00 94.4 74.0
17 Fileserver_data_stolen_2 0.33 0.33 0.33 0.33 0.33 0.33 80.4 80.0
18 Workstation_data_stolen_2 0.33 0.33 0.33 0.33 0.33 0.33 80.4 80.0
Rows repeated as an overlay on the slide:
Normal_operation 1.00 0.00 0.00 0.33 0.33 0.33 210.2 -206.8
Httpd_hacked 0.33 0.10 0.57 0.67 0.19 0.14
Httpd_hacked 0.77 0.23 0.00 0.78 0.22 0.00
Fileserver_hacked 1.00 0.00 0.00 0.35 0.34 0.31 1065.5 -1049.2
Workstation_hacked 1.00 0.00 0.00 0.31 0.32 0.37 1065.5 -1049.2
37
Second Nash Equilibrium
No. | State | Attacker strategy (action 1, 2, 3) | Administrator strategy (action 1, 2, 3) | Attacker state value | Administrator state value
1 Normal_operation 0.13 0.00 0.87 0.26 0.22 0.52 212.7 79.6
2 Httpd_attacked 1.00 0.00 0.00 0.27 0.30 0.43 204.6 166.9
3 Ftpd_attacked 0.12 0.32 0.56 1.00 0.00 0.00 179.1 141.0
4 Ftpd_attacked_detector 0.12 0.00 0.88 0.93 0.07 0.00 167.7 80.8
5 Httpd_hacked 0.91 0.06 0.04 0.66 0.20 0.13 199.2 177.4
6 Ftpd_hacked 0.10 0.00 0.90 0.70 0.23 0.08 207.9 175.0
7 Website_defaced 0.39 0.26 0.34 0.23 0.35 0.41 81.4 70.7
8 Webserver_sniffer 0.00 0.53 0.47 0.34 0.42 0.24 719.0 690.0
9 Webserver_sniffer_detector 0.34 0.34 0.33 1.00 0.00 0.00 150.2 83.7
10 Webserver_DOS_1 0.24 0.40 0.35 0.52 0.29 0.19 140.5 93.7
11 Webserver_DOS_2 0.33 0.39 0.28 0.00 0.59 0.41 97.7 84.8
12 Network_shutdown 0.34 0.32 0.34 0.29 0.26 0.45 81.4 70.7
13 Fileserver_hacked 1.00 0.00 0.00 0.11 0.41 0.48 1066.1 1043.2
14 Fileserver_data_stolen_1 1.00 0.00 0.00 1.00 0.00 0.00 95.1 66.5
15 Workstation_hacked 1.00 0.00 0.00 0.33 0.24 0.43 1066.1 1043.2
16 Workstation_data_stolen_1 1.00 0.00 0.00 1.00 0.00 0.00 95.1 66.5
17 Fileserver_data_stolen_2 0.39 0.25 0.36 0.31 0.42 0.26 81.4 70.7
18 Workstation_data_stolen_2 0.23 0.50 0.27 0.25 0.42 0.33 81.4 70.7
Actions repeated as an overlay on the slide: Attack_httpd, Continue_attacking, Remove_compromised_account_restart_httpd, Deface_website, Restore_website_remove_compromised_account
38
Third Nash Equilibrium
No. | State | Attacker strategy (action 1, 2, 3) | Administrator strategy (action 1, 2, 3) | Attacker state value | Administrator state value
1 Normal_operation 0.04 0.00 0.96 0.33 0.36 0.31 224.2 28.6
2 Httpd_attacked 1.00 0.00 0.00 0.35 0.32 0.34 218.1 161.0
3 Ftpd_attacked 0.20 0.11 0.69 0.77 0.23 0.00 199.2 163.0
4 Ftpd_attacked_detector 0.96 0.01 0.04 1.00 0.00 0.00 179.3 145.3
5 Httpd_hacked 1.00 0.00 0.00 0.00 0.89 0.11 232.3 155.8
6 Ftpd_hacked 0.10 0.00 0.90 0.96 0.00 0.04 218.9 169.2
7 Website_defaced 0.42 0.37 0.21 0.27 0.30 0.43 85.8 69.1
8 Webserver_sniffer 0.00 0.49 0.51 0.33 0.35 0.32 730.7 685.7
9 Webserver_sniffer_detector 0.31 0.32 0.38 1.00 0.00 0.00 159.3 42.9
10 Webserver_DOS_1 0.27 0.29 0.44 1.00 0.00 0.00 179.3 52.9
11 Webserver_DOS_2 0.38 0.29 0.34 0.90 0.05 0.06 171.5 82.9
12 Network_shutdown 0.36 0.21 0.43 0.18 0.40 0.42 85.8 -69.1
13 Fileserver_hacked 1.00 0.00 0.00 0.29 0.28 0.43 1068.9 1042.2
14 Fileserver_data_stolen_1 1.00 0.00 0.00 1.00 0.00 0.00 98.6 65.3
15 Workstation_hacked 1.00 0.00 0.00 0.39 0.24 0.36 1068.9 1042.2
16 Workstation_data_stolen_1 1.00 0.00 0.00 1.00 0.00 0.00 98.6 65.3
17 Fileserver_data_stolen_2 0.31 0.48 0.21 0.31 0.37 0.32 85.8 69.1
18 Workstation_data_stolen_2 0.39 0.36 0.25 0.38 0.37 0.25 85.8 69.1
Action repeated as an overlay on the slide: Install_sniffer_detector
39
Discussion
40
Strengths of our approach
  • Modeling it as a general-sum stochastic game
    allows us to find multiple Nash equilibria.
  • Because a network system is not perfectly secure,
    this game theoretic formulation of the security
    problem allows the administrator to discover the
    potential attack strategies of an attacker as
    well as best defense strategies against them.

41
Limitations of our approach
  • We consider only a small subset of the state
    space.
  • It may be difficult to assign the costs/rewards
    for the actions and the transition probabilities.
  • It is difficult to model the actions of the
    players, in particular the attacker.

42
Conclusions and future work
43
Conclusion
  • This paper has shown how the network security
    problem can be modeled as a general-sum
    stochastic game and how the nonlinear program
    NLP-1 can be used to compute multiple Nash
    equilibria, each denoting best strategies (best
    responses) for both players.
  • This analysis allows us to discover strategies
    that an attacker could use and helps us in
    planning future software and hardware upgrades
    that will strengthen weak points in the network.

44
Future Work
  • The authors wish to develop a systematic method
    for decomposing large models into smaller
    manageable components, and then compose the
    overall best response for each player from the
    strategies for the components.
  • They hope to experiment with network examples
    that are larger and more complicated than the one
    given here.

45
Thank you for listening.
46
Attacker's action numbers and names (ø denotes inaction)
No. | State | Action 1 | Action 2 | Action 3
1 Normal_operation Attack_httpd Attack_ftpd ø
2 Httpd_attacked Continue_attacking ø ø
3 Ftpd_attacked Continue_attacking ø ø
4 Ftpd_attacked_detector Continue_attacking ø ø
5 Httpd_hacked Deface_website Install_sniffer ø
6 Ftpd_hacked Install_sniffer ø ø
7 Website_defaced ø ø ø
8 Webserver_sniffer Run_DOS_virus Crack_file_server_root_pw Crack_workstation_root_pw
9 Webserver_sniffer_detector ø ø ø
10 Webserver_DOS_1 ø ø ø
11 Webserver_DOS_2 ø ø ø
12 Network_shutdown ø ø ø
13 Fileserver_hacked Capture_data ø ø
14 Fileserver_data_stolen_1 Shutdown_network ø ø
15 Workstation_hacked Capture_data ø ø
16 Workstation_data_stolen_1 Shutdown_network ø ø
17 Fileserver_data_stolen_2 ø ø ø
18 Workstation_data_stolen_2 ø ø ø
47
Administrator's action numbers and names (ø denotes inaction)
No. | State | Action 1 | Action 2 | Action 3
1 Normal_operation ø ø ø
2 Httpd_attacked ø ø ø
3 Ftpd_attacked Install_sniffer_detector ø ø
4 Ftpd_attacked_detector Remove_sniffer_detector ø ø
5 Httpd_hacked Remove_compromised_account_restart_httpd Install_sniffer_detector ø
6 Ftpd_hacked Remove_compromised_account_restart_ftpd Install_sniffer_detector ø
7 Website_defaced Restore_website_remove_compromised_account ø ø
8 Webserver_sniffer ø ø ø
9 Webserver_sniffer_detector Remove_sniffer_and_compromised_account ø ø
10 Webserver_DOS_1 Remove_virus_and_compromised_account ø ø
11 Webserver_DOS_2 Remove_virus_and_compromised_account ø ø
12 Network_shutdown Remove_virus_and_compromised_account ø ø
13 Fileserver_hacked ø ø ø
14 Fileserver_data_stolen_1 Remove_sniffer_and_compromised_account ø ø
15 Workstation_hacked ø ø ø
16 Workstation_data_stolen_1 Remove_sniffer_and_compromised_account ø ø
17 Fileserver_data_stolen_2 ø ø ø
18 Workstation_data_stolen_2 ø ø ø