Title: Game Strategies in Network Security
Game Strategies in Network Security
- Kong-wei Lye (1), Jeannette M. Wing (2)
- (1) Department of Electrical and Computer Engineering, (2) Computer Science Department, Carnegie Mellon University
- Int. Journal Inf. Security (2005) 4, 71-86
- Presented by Franson, C.W. Chen
Agenda
- Introduction
- Networks as stochastic games
- Nash Equilibrium
- Attack and response scenarios
- Nash equilibria results
- Discussion
- Conclusions and future work
Introduction (1/3)
- Government agencies, banks, retailers, schools, and a growing number of goods and service providers today all use the Internet as an integral way of conducting their daily business. Individuals, good or bad, can also easily connect to the Internet.
- Security specialists have long been interested in knowing what an intruder can do to a computer network and what can be done to prevent or counteract attacks.
Introduction (2/3)
[Figure: the example network that serves as the game board. Labels in the diagram: Access, Remote administration, Private, Public.]
Introduction (3/3)
- For illustration purposes, we assume that the firewall rules are lax and the operating systems are insufficiently hardened.
- It is thus possible for an attacker to succeed in several different attacks.
- This setup is the game board for the attacker and the administrator.
Networks as stochastic games
- Game theory has been used in many other problems involving attackers and defenders.
- The attacker can gain rewards, and the administrator can suffer damages.
- A team of attackers at different locations can be modeled as a single omnipresent attacker, and similarly for the defenders.
Stochastic game model (1/2)
Stochastic game model (2/2)
- High discount factor: the player cares about rewards far into the future. This models an attacker with a long-term objective who plans well and weighs not only the damage he can do now but also the damage he can do later.
- Low discount factor: the player cares only about rewards in the immediate future. This models an attacker with a short-term objective who only wants to cause damage at the present time.
Network state (1/3)
- A node in the graph is a physical entity.
- An edge in the graph represents a direct communication path.
- The external world is modeled as a single computer (node E); the Web server, file server, and workstation are nodes W, F, and N.
Network state (2/3): Node state
- Each node X (where X ∈ {E, W, F, N}) has a node state n_X = <P, a, d> that records its hardware and software configuration:
- P ⊆ {f, h, n, p, s, v, d}: the software running on the node (f = ftpd, h = httpd, n = nfsd, p = user processes, s = sniffer, v = virus, d = sniffer detector)
- a ∈ {u, c}: user accounts uncompromised (u) or compromised (c)
- d ∈ {c, i}: data corrupted or stolen (c) or intact (i)
Network state (3/3): Traffic state
- The traffic state t = <l_XY>, where X, Y ∈ {E, W, F, N}, captures the traffic information for the whole network.
- l_XY ∈ {0, 1/3, 2/3, 1} is the load carried on the link between nodes X and Y; a value of 1 indicates maximum capacity. The example network has four links, so t has four components.
- The full state space in the example has size |n_W| · |n_F| · |n_N| ·|t| = (128 · 2 · 2)^3 · 4^4 = 2^35, about 3.4 × 10^10 states (quoted on the slide as 32 billion), but only 18 states are relevant to the application here.
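The state notation above is compact enough to parse mechanically, which is useful when a scenario figure has to be checked against the model's domains. The following Python snippet is an added example, not code from the paper: it parses a state written as <<n_W>, <n_F>, <n_N>, <t>>, rejects any field outside the sets defined on the preceding slides, and derives the 2^35 figure from the domain sizes instead of quoting it. The node order W, F, N follows the slides; the order of the four link loads is not stated, so the link names in the code are an assumption. The three sample states are transcribed from the scenario figures later in the deck.

```python
"""Parser and validator for the network-state notation on the slides:
<<n_W>, <n_F>, <n_N>, <t>> with n_X = <(software), a, d> and t = <l, l, l, l>.
Added example, not code from the Lye & Wing paper.  Domains are the ones defined
on the slides; the order of the four link loads is not stated there, so the link
names below are an assumption."""
import re
from dataclasses import dataclass
from fractions import Fraction

SOFTWARE = frozenset("fhnpsvd")   # ftpd, httpd, nfsd, user processes, sniffer, virus, detector
ACCOUNT = frozenset("uc")         # user accounts uncompromised / compromised
DATA = frozenset("ci")            # data corrupted-or-stolen / intact
LOADS = frozenset(Fraction(x) for x in ("0", "1/3", "2/3", "1"))
NODES = ("W", "F", "N")           # web server, file server, workstation (E is the outside world)
LINKS = ("E-W", "W-F", "W-N", "F-N")   # ASSUMED order of the four link loads

_NODE = re.compile(r"<\(([a-z,]*)\),([a-z]),([a-z])>")   # one <(P),a,d> group
_TRAFFIC = re.compile(r"<([0-9/,]+)>$")                  # the trailing <l,l,l,l> group


@dataclass(frozen=True)
class NodeState:
    software: frozenset   # P, a subset of SOFTWARE
    account: str          # a: "u" or "c"
    data: str             # d: "c" or "i"


@dataclass
class NetworkState:
    nodes: dict           # node name -> NodeState
    loads: dict           # link name -> Fraction


def parse_state(text: str) -> NetworkState:
    """Parse one state vector; raise ValueError on any field outside the model's domains."""
    s = text.replace(" ", "")
    if not (s.startswith("<<") and s.endswith(">>")):
        raise ValueError("a state is written <<...>>")
    body = s[1:-1]
    node_fields = _NODE.findall(body)
    if len(node_fields) != len(NODES):
        raise ValueError(f"expected {len(NODES)} node states, got {len(node_fields)}")
    traffic = _TRAFFIC.search(body)
    if traffic is None:
        raise ValueError("missing traffic vector")
    nodes = {}
    for name, (software, account, data) in zip(NODES, node_fields):
        running = frozenset(x for x in software.split(",") if x)
        if not running <= SOFTWARE or account not in ACCOUNT or data not in DATA:
            raise ValueError(f"node {name}: bad fields {(software, account, data)}")
        nodes[name] = NodeState(running, account, data)
    loads = [Fraction(x) for x in traffic.group(1).split(",")]
    if len(loads) != len(LINKS) or not set(loads) <= LOADS:
        raise ValueError(f"bad traffic vector {traffic.group(1)}")
    return NetworkState(nodes, dict(zip(LINKS, loads)))


def is_valid_state(text: str) -> bool:
    """True when the text parses and every field is in its domain."""
    try:
        parse_state(text)
        return True
    except ValueError:
        return False


def compromised_nodes(state: NetworkState) -> list:
    """Nodes whose user account is compromised (a == 'c')."""
    return [n for n, ns in state.nodes.items() if ns.account == "c"]


def damaged_nodes(state: NetworkState) -> list:
    """Nodes whose data has been corrupted or stolen (d == 'c')."""
    return [n for n, ns in state.nodes.items() if ns.data == "c"]


def state_space_size() -> int:
    """(2^|SOFTWARE| * |ACCOUNT| * |DATA|)^|NODES| * |LOADS|^|LINKS|, i.e. (128*2*2)^3 * 4^4."""
    per_node = 2 ** len(SOFTWARE) * len(ACCOUNT) * len(DATA)
    return per_node ** len(NODES) * len(LOADS) ** len(LINKS)


# Constructed inputs, transcribed from the scenario figures later in the deck.
WEBSITE_DEFACED = "<<(f,h),c,c>,<(f,n),u,i>,<(p),u,i>,<1/3,1/3,1/3,1/3>>"
WEBSERVER_DOS_2 = "<<(f,h,s,v),c,i>,<(f,n),u,i>,<(p),u,i>,<1/3,1,1/3,1>>"
NETWORK_SHUT_DOWN = "<<(s,v),c,i>,<(),u,i>,<(),c,c>,<0,0,0,0>>"

if __name__ == "__main__":
    for label, text in (("Website_defaced", WEBSITE_DEFACED), ("Webserver_DoS_2", WEBSERVER_DOS_2),
                        ("Network_shut_down", NETWORK_SHUT_DOWN)):
        st = parse_state(text)
        loads = {k: str(v) for k, v in st.loads.items()}
        print(f"{label}: compromised={compromised_nodes(st)} damaged={damaged_nodes(st)} loads={loads}")
    print("full state space:", state_space_size(), "= 2 **", state_space_size().bit_length() - 1)
```

Any state that reaches the validator with an unknown service letter, a load outside {0, 1/3, 2/3, 1} or the wrong number of nodes is rejected, which is the check one wants before feeding hand-drawn scenario states into a solver.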
Actions (1/2)
- An action pair (one from the attacker and one from the administrator) causes the system to move from one state to another in a probabilistic manner.
- Attacker's actions: Attack_httpd, Attack_ftpd, Continue_attacking, Deface_website_leave, Install_sniffer, Run_DoS_virus, Crack_file_server_root_password, Crack_workstation_root_password, Capture_data, Shutdown_network, ø (where ø denotes inaction).
Actions (2/2)
- Administrator's actions: Remove_compromised_account_restart_httpd, Restore_website_remove_compromised_account, Remove_virus_and_compromised_account, Install_sniffer_detector, Remove_sniffer_detector, Remove_compromised_account_restart_ftpd, Remove_sniffer_and_compromised_account, ø.
State transition probabilities
- The paper assigns state transition probabilities based on the intuition and experience of the authors' network manager. In practice, case studies, statistics, simulations, and knowledge engineering can provide the required probabilities.
- When the network is in state Normal_operation and neither the attacker nor the administrator takes any action, it tends to stay in the same state.
Costs and rewards
- There are costs (negative values) and rewards (positive values) associated with the actions of the administrator and the attacker.
- The reward for an attacker's action is mostly defined in terms of the amount of effort the administrator has to make to bring the network from the resulting state back to another.
- For some transitions the cost to the administrator is not of the same magnitude as the reward to the attacker, which is why the game is general-sum rather than zero-sum.
Nash Equilibrium
Notations (1/4)
Notations (2/4)
Notations (3/4)
Notations (4/4)
Nash Equilibrium
- At a Nash equilibrium, neither player has an incentive to deviate unilaterally from its equilibrium strategy while the other player keeps to theirs.
- Every general-sum discounted stochastic game has at least one Nash equilibrium in stationary strategies.
Nonlinear Programming (1/3)
Nonlinear Programming (2/3)
Nonlinear Programming (3/3)
- A solution to NLP-1 that minimizes its objective function to 0 is a Nash solution of the game.
Attack and response scenarios
Deface Web site
Arcs are labelled action (transition probability, attacker reward); states are written <<n_W>, <n_F>, <n_N>, <t>>.
Normal_operation   <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Attack_httpd (1, 10) -->
Httpd_attacked     <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Continue_attacking (0.5, 0) -->
Httpd_hacked       <<(f),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  (the figure carries a second Continue_attacking (0.5, 0) arc: the attempt succeeds only half the time)
  -- Deface_website_leave (1, 99) -->
Website_defaced    <<(f,h),c,c>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
Denial of Service
Webserver_sniffer  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Run_DoS_virus (1, 30) -->
Webserver_DoS_1    <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,2/3,1/3,2/3>>
  -- ø (0.8, 30) -->
Webserver_DoS_2    <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1,1/3,1>>
  -- ø (0.8, 30) -->
Network_shut_down  <<(s,v),c,i>, <(),u,i>, <(),u,i>, <0,0,0,0>>
Once the virus is running the attacker needs no further action (ø): two link loads climb from 1/3 to 2/3 to 1 with probability 0.8 per step until the network shuts down.
Stealing confidential data
Normal_operation          <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Attack_ftpd (1, 10) -->
Ftpd_attacked             <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Continue_attacking (0.5, 0) -->
Ftpd_hacked               <<(h),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  (a second Continue_attacking (0.5, 0) arc appears in the figure)
  -- Install_sniffer (0.5, 10) -->
Webserver_sniffer         <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Crack_workstation_root_pw (0.9, 50) -->
Workstation_hacked        <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,i>, <1/3,1/3,1/3,1/3>>
  -- Capture_data (1, 999) -->
Workstation_data_stolen_1 <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,c>, <1/3,1/3,1/3,1/3>>
  -- Shutdown_network (1, 60) -->
Network_shut_down         <<(s,v),c,i>, <(),u,i>, <(),c,c>, <0,0,0,0>>
Recovery (scenarios 1 and 2)
Arcs are labelled administrator action (transition probability, administrator reward); recovery costs are negative.
Webserver_DoS_1  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,2/3,1/3,2/3>>
  -- Remove_virus_and_compromised_account (1, -30) --> Normal_operation
Webserver_DoS_2  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1,1/3,1>>
  -- Remove_virus_and_compromised_account (1, -60) --> Normal_operation
Website_defaced  <<(f,h),c,c>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Restore_website_remove_compromised_account (1, -99) --> Normal_operation
Normal_operation <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
Recovery (scenario 3)
Workstation_data_stolen_1 <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,c>, <1/3,1/3,1/3,1/3>>
  -- Remove_sniffer_and_compromised_account (1, -20) -->
Workstation_data_stolen_2 <<(f,h),c,i>, <(f,n),u,i>, <(p),u,c>, <1/3,1/3,1/3,1/3>>
Important data have already been stolen, and no administrator action can undo that: the workstation's data field stays c.
Recovery (Ftpd_attacked)
Arcs are labelled administrator action (transition probability, administrator reward).
Ftpd_attacked              <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Install_sniffer_detector (0.5, -10) -->
Ftpd_attacked_detector     <<(f,h,d),u,i>, <(f,n),u,i>, <(p),u,i>, <2/3,2/3,1/3,1/3>>
Ftpd_hacked                <<(h),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
  -- Install_sniffer_detector (0.5, -10) -->
Webserver_sniffer_detector <<(f,h,s,d),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
A further arc in the figure is labelled ø (0.5, -10).
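The scenarios above fix the arcs, probabilities and payoffs of the game, and the Nash Equilibrium slide says what an equilibrium is; the nonlinear program NLP-1 itself is not reproduced on these slides. The Python example below is added here and is not code from the paper. It builds a cut-down version of the Deface Web site scenario from the arcs shown (four states, the attacker's arcs with their probabilities and rewards, the administrator's restore arc with its cost), evaluates both players' discounted state values under a given stationary profile, and checks the Nash condition by comparing each player's value with the best it could obtain by deviating alone (the other player's strategy frozen turns the game into an MDP, solved by value iteration). Assumptions, marked in the code: the failing half of Continue_attacking leaves the network in Httpd_attacked; Remove_compromised_account_restart_httpd returns the network to Normal_operation with probability 1 at a cost of 10 and pre-empts the defacement; inaction by both players leaves the state unchanged; the administrator receives no reward on the attacker's transitions. Running it with discount factors 0.9 and 0.1 also illustrates the discount-factor slide: a far-sighted administrator cleans up the hacked server at once, while a short-sighted one prefers to wait, because a 99-cost restore one step later is discounted to 9.9, less than the immediate cost of 10.

```python
"""Values of a stationary strategy profile in a two-player general-sum discounted
stochastic game, plus a check of the Nash condition.  Added example, not code from the
Lye & Wing paper: a cut-down "deface the Web site" game built from the arcs on the
slides, with ASSUMPTIONS marked where the slides leave a transition unspecified."""
NO_OP, REMOVE = "ø", "Remove_compromised_account_restart_httpd"
RESTORE = "Restore_website_remove_compromised_account"

# (state, attacker action, admin action) -> [(next state, probability, attacker reward, admin reward)]
TRANSITIONS = {
    ("Normal_operation", "Attack_httpd", NO_OP): [("Httpd_attacked", 1.0, 10, 0)],  # slide: (1, 10)
    ("Normal_operation", NO_OP, NO_OP): [("Normal_operation", 1.0, 0, 0)],          # slide: tends to stay
    # slide: Continue_attacking (0.5, 0); ASSUMPTION: the other half leaves the network in Httpd_attacked
    ("Httpd_attacked", "Continue_attacking", NO_OP): [("Httpd_hacked", 0.5, 0, 0), ("Httpd_attacked", 0.5, 0, 0)],
    ("Httpd_attacked", NO_OP, NO_OP): [("Httpd_attacked", 1.0, 0, 0)],
    ("Httpd_hacked", "Deface_website_leave", NO_OP): [("Website_defaced", 1.0, 99, 0)],  # slide: (1, 99)
    ("Httpd_hacked", NO_OP, NO_OP): [("Httpd_hacked", 1.0, 0, 0)],
    # ASSUMPTION: cleanup pre-empts the defacement and costs the administrator 10 (no figure on the slides)
    ("Httpd_hacked", "Deface_website_leave", REMOVE): [("Normal_operation", 1.0, 0, -10)],
    ("Httpd_hacked", NO_OP, REMOVE): [("Normal_operation", 1.0, 0, -10)],
    ("Website_defaced", NO_OP, RESTORE): [("Normal_operation", 1.0, 0, -99)],      # slide: (1, -99)
}
STATES = sorted({s for s, _, _ in TRANSITIONS})


def action_sets():
    """Per-state action sets of both players; checks every pair is specified with a proper distribution."""
    att = {s: {a for t, a, _ in TRANSITIONS if t == s} for s in STATES}
    adm = {s: {b for t, _, b in TRANSITIONS if t == s} for s in STATES}
    for s in STATES:
        for a in att[s]:
            for b in adm[s]:
                if abs(sum(o[1] for o in TRANSITIONS.get((s, a, b), ())) - 1) > 1e-12:
                    raise ValueError(f"missing or non-normalised outcomes for {(s, a, b)}")
    return att, adm


def evaluate(profile_att, profile_adm, gamma, tol=1e-10):
    """Discounted values of both players under a fixed profile (profile[s]: action -> probability)."""
    v_att, v_adm = dict.fromkeys(STATES, 0.0), dict.fromkeys(STATES, 0.0)
    while True:   # Bellman evaluation; gamma < 1 makes the update a contraction, so it terminates
        nxt_att, nxt_adm, delta = {}, {}, 0.0
        for s in STATES:
            ea = eb = 0.0
            for a, pa in profile_att[s].items():
                for b, pb in profile_adm[s].items():
                    for s2, p, ra, rb in TRANSITIONS[(s, a, b)]:
                        ea += pa * pb * p * (ra + gamma * v_att[s2])
                        eb += pa * pb * p * (rb + gamma * v_adm[s2])
            nxt_att[s], nxt_adm[s] = ea, eb
            delta = max(delta, abs(ea - v_att[s]), abs(eb - v_adm[s]))
        v_att, v_adm = nxt_att, nxt_adm
        if delta < tol:
            return v_att, v_adm


def best_response_values(other_profile, player, gamma, tol=1e-10):
    """Freeze the other player's strategy: the game is an MDP for `player`; value iteration solves it."""
    att, adm = action_sets()
    own = att if player == "att" else adm
    v = dict.fromkeys(STATES, 0.0)
    while True:
        nxt, delta = {}, 0.0
        for s in STATES:
            best = float("-inf")
            for mine in own[s]:
                q = 0.0
                for theirs, pt in other_profile[s].items():
                    key = (s, mine, theirs) if player == "att" else (s, theirs, mine)
                    for s2, p, ra, rb in TRANSITIONS[key]:
                        q += pt * p * ((ra if player == "att" else rb) + gamma * v[s2])
                best = max(best, q)
            nxt[s] = best
            delta = max(delta, abs(best - v[s]))
        v = nxt
        if delta < tol:
            return v


def is_nash(profile_att, profile_adm, gamma, eps=1e-6):
    """Nash condition: in every state each player's value already equals its best-response value."""
    v_att, v_adm = evaluate(profile_att, profile_adm, gamma)
    br_att = best_response_values(profile_adm, "att", gamma)
    br_adm = best_response_values(profile_att, "adm", gamma)
    return all(br_att[s] - v_att[s] < eps and br_adm[s] - v_adm[s] < eps for s in STATES)


def pure(choice):
    """A pure stationary strategy written as a degenerate mixed one."""
    return {s: {a: 1.0} for s, a in choice.items()}


ATTACKER_PRESSES_ON = pure({"Normal_operation": "Attack_httpd", "Httpd_attacked": "Continue_attacking",
                            "Httpd_hacked": "Deface_website_leave", "Website_defaced": NO_OP})
ADMIN_CLEANS_EARLY = pure({"Normal_operation": NO_OP, "Httpd_attacked": NO_OP,
                           "Httpd_hacked": REMOVE, "Website_defaced": RESTORE})
ADMIN_WAITS = pure({**{s: NO_OP for s in STATES}, "Website_defaced": RESTORE})

if __name__ == "__main__":
    for gamma in (0.9, 0.1):   # far-sighted vs short-sighted players (the discount factor)
        v_att, v_adm = evaluate(ATTACKER_PRESSES_ON, ADMIN_CLEANS_EARLY, gamma)
        print(f"gamma={gamma}: attacker {v_att['Normal_operation']:.2f}, admin {v_adm['Normal_operation']:.2f}",
              "at Normal_operation; clean early is Nash:", is_nash(ATTACKER_PRESSES_ON, ADMIN_CLEANS_EARLY, gamma),
              "; wait is Nash:", is_nash(ATTACKER_PRESSES_ON, ADMIN_WAITS, gamma))
```

Mixed strategies such as those in the equilibrium tables plug in the same way, as profile[s] = {action: probability}; is_nash then reports whether the profile survives unilateral deviation under the modelled transitions. With gamma = 0.9 cleaning up at Httpd_hacked is the administrator's best response and the profile is an equilibrium; with gamma = 0.1 the same profile fails the check and waiting becomes the equilibrium response.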
Nash equilibria results
- The nonlinear program NLP-1 was implemented in MATLAB.
- The players take actions only at discrete time instants.
- In states where a player has fewer than three actions, the inaction ø is added to that player's action set so that all action sets have the same cardinality.
First Nash Equilibrium
Columns: state; attacker's probabilities for actions 1, 2, 3; administrator's probabilities for actions 1, 2, 3 (numbering as in the action tables at the end of the deck); discounted state value for the attacker and for the administrator. Administrator values are discounted costs and carry a minus sign in the paper (the slide's callouts keep it, e.g. -206.8); the sign was lost in most extracted rows.
 #  State                       Attacker (1 2 3)   Administrator (1 2 3)   Value att   Value adm
 1  Normal_operation            1.00 0.00 0.00     0.33 0.33 0.33           210.2       206.8
 2  Httpd_attacked              1.00 0.00 0.00     0.33 0.33 0.33           202.2       191.1
 3  Ftpd_attacked               0.65 0.00 0.35     1.00 0.00 0.00           176.9       189.3
 4  Ftpd_attacked_detector      0.40 0.12 0.48     0.93 0.07 0.00           165.8       173.8
 5  Httpd_hacked                0.33 0.10 0.57     0.67 0.19 0.14           197.4       206.4
 6  Ftpd_hacked                 0.12 0.00 0.88     0.96 0.00 0.04           204.8       203.5
 7  Website_defaced             0.33 0.33 0.33     0.33 0.33 0.33            80.4        80.0
 8  Webserver_sniffer           0.00 0.50 0.50     0.33 0.33 0.34           716.3       715.1
 9  Webserver_sniffer_detector  0.34 0.33 0.33     1.00 0.00 0.00           148.2       185.4
10  Webserver_DOS_1             0.33 0.33 0.33     1.00 0.00 0.00           106.7       106.1
11  Webserver_DOS_2             0.34 0.33 0.33     1.00 0.00 0.00            96.5        96.0
12  Network_shutdown            0.33 0.33 0.33     0.33 0.33 0.33            80.4        80.0
13  Fileserver_hacked           1.00 0.00 0.00     0.35 0.34 0.31          1065.5      1049.2
14  Fileserver_data_stolen_1    1.00 0.00 0.00     1.00 0.00 0.00            94.4        74.0
15  Workstation_hacked          1.00 0.00 0.00     0.31 0.32 0.37          1065.5      1049.2
16  Workstation_data_stolen_1   1.00 0.00 0.00     1.00 0.00 0.00            94.4        74.0
17  Fileserver_data_stolen_2    0.33 0.33 0.33     0.33 0.33 0.33            80.4        80.0
18  Workstation_data_stolen_2   0.33 0.33 0.33     0.33 0.33 0.33            80.4        80.0
Rows highlighted on the slide (administrator values with their sign):
- Normal_operation: 1.00 0.00 0.00 | 0.33 0.33 0.33 | 210.2 | -206.8
- Httpd_hacked: 0.33 0.10 0.57 | 0.67 0.19 0.14
- Httpd_hacked (second callout, not matching the row above): 0.77 0.23 0.00 | 0.78 0.22 0.00
- Fileserver_hacked: 1.00 0.00 0.00 | 0.35 0.34 0.31 | 1065.5 | -1049.2
- Workstation_hacked: 1.00 0.00 0.00 | 0.31 0.32 0.37 | 1065.5 | -1049.2
Second Nash Equilibrium
Columns as in the first table.
 #  State                       Attacker (1 2 3)   Administrator (1 2 3)   Value att   Value adm
 1  Normal_operation            0.13 0.00 0.87     0.26 0.22 0.52           212.7        79.6
 2  Httpd_attacked              1.00 0.00 0.00     0.27 0.30 0.43           204.6       166.9
 3  Ftpd_attacked               0.12 0.32 0.56     1.00 0.00 0.00           179.1       141.0
 4  Ftpd_attacked_detector      0.12 0.00 0.88     0.93 0.07 0.00           167.7        80.8
 5  Httpd_hacked                0.91 0.06 0.04     0.66 0.20 0.13           199.2       177.4
 6  Ftpd_hacked                 0.10 0.00 0.90     0.70 0.23 0.08           207.9       175.0
 7  Website_defaced             0.39 0.26 0.34     0.23 0.35 0.41            81.4        70.7
 8  Webserver_sniffer           0.00 0.53 0.47     0.34 0.42 0.24           719.0       690.0
 9  Webserver_sniffer_detector  0.34 0.34 0.33     1.00 0.00 0.00           150.2        83.7
10  Webserver_DOS_1             0.24 0.40 0.35     0.52 0.29 0.19           140.5        93.7
11  Webserver_DOS_2             0.33 0.39 0.28     0.00 0.59 0.41            97.7        84.8
12  Network_shutdown            0.34 0.32 0.34     0.29 0.26 0.45            81.4        70.7
13  Fileserver_hacked           1.00 0.00 0.00     0.11 0.41 0.48          1066.1      1043.2
14  Fileserver_data_stolen_1    1.00 0.00 0.00     1.00 0.00 0.00            95.1        66.5
15  Workstation_hacked          1.00 0.00 0.00     0.33 0.24 0.43          1066.1      1043.2
16  Workstation_data_stolen_1   1.00 0.00 0.00     1.00 0.00 0.00            95.1        66.5
17  Fileserver_data_stolen_2    0.39 0.25 0.36     0.31 0.42 0.26            81.4        70.7
18  Workstation_data_stolen_2   0.23 0.50 0.27     0.25 0.42 0.33            81.4        70.7
Actions highlighted on the slide (the Deface Web site path): Attack_httpd, Continue_attacking and Deface_website for the attacker; Remove_compromised_account_restart_httpd and Restore_website_remove_compromised_account for the administrator.
Third Nash Equilibrium
Columns as in the first table.
 #  State                       Attacker (1 2 3)   Administrator (1 2 3)   Value att   Value adm
 1  Normal_operation            0.04 0.00 0.96     0.33 0.36 0.31           224.2        28.6
 2  Httpd_attacked              1.00 0.00 0.00     0.35 0.32 0.34           218.1       161.0
 3  Ftpd_attacked               0.20 0.11 0.69     0.77 0.23 0.00           199.2       163.0
 4  Ftpd_attacked_detector      0.96 0.01 0.04     1.00 0.00 0.00           179.3       145.3
 5  Httpd_hacked                1.00 0.00 0.00     0.00 0.89 0.11           232.3       155.8
 6  Ftpd_hacked                 0.10 0.00 0.90     0.96 0.00 0.04           218.9       169.2
 7  Website_defaced             0.42 0.37 0.21     0.27 0.30 0.43            85.8        69.1
 8  Webserver_sniffer           0.00 0.49 0.51     0.33 0.35 0.32           730.7       685.7
 9  Webserver_sniffer_detector  0.31 0.32 0.38     1.00 0.00 0.00           159.3        42.9
10  Webserver_DOS_1             0.27 0.29 0.44     1.00 0.00 0.00           179.3        52.9
11  Webserver_DOS_2             0.38 0.29 0.34     0.90 0.05 0.06           171.5        82.9
12  Network_shutdown            0.36 0.21 0.43     0.18 0.40 0.42            85.8       -69.1
13  Fileserver_hacked           1.00 0.00 0.00     0.29 0.28 0.43          1068.9      1042.2
14  Fileserver_data_stolen_1    1.00 0.00 0.00     1.00 0.00 0.00            98.6        65.3
15  Workstation_hacked          1.00 0.00 0.00     0.39 0.24 0.36          1068.9      1042.2
16  Workstation_data_stolen_1   1.00 0.00 0.00     1.00 0.00 0.00            98.6        65.3
17  Fileserver_data_stolen_2    0.31 0.48 0.21     0.31 0.37 0.32            85.8        69.1
18  Workstation_data_stolen_2   0.39 0.36 0.25     0.38 0.37 0.25            85.8        69.1
Action highlighted on the slide: Install_sniffer_detector, the administrator's second action in Httpd_hacked, played with probability 0.89 in this equilibrium.
Discussion
Strengths of our approach
- Modeling the problem as a general-sum stochastic game allows us to find multiple Nash equilibria.
- Because a network system is never perfectly secure, this game-theoretic formulation of the security problem lets the administrator discover the potential attack strategies of an attacker as well as the best defense strategies against them.
Limitations of our approach
- Only a small subset of the state space is modeled (18 of the 2^35 possible states).
- It may be difficult to assign the costs and rewards for the actions and the transition probabilities.
- It is difficult to model the actions of the players, in particular the attacker.
Conclusions and future work
Conclusion
- The paper shows how the network security problem can be modeled as a general-sum stochastic game, and how the nonlinear program NLP-1 computes multiple Nash equilibria, each giving best-response strategies for both players.
- This analysis allows us to discover strategies that an attacker could use and helps in planning future software and hardware upgrades that will strengthen weak points in the network.
Future Work
- The authors wish to develop a systematic method for decomposing large models into smaller, manageable components, and then to compose the overall best response for each player from the strategies for the components.
- They hope to experiment with network examples that are larger and more complicated than the one given here.
Thank you for listening.
Attacker's action numbers and names (ø = inaction, padding each action set to three)
 #  State                       Action 1             Action 2                     Action 3
 1  Normal_operation            Attack_httpd         Attack_ftpd                  ø
 2  Httpd_attacked              Continue_attacking   ø                            ø
 3  Ftpd_attacked               Continue_attacking   ø                            ø
 4  Ftpd_attacked_detector      Continue_attacking   ø                            ø
 5  Httpd_hacked                Deface_website       Install_sniffer              ø
 6  Ftpd_hacked                 Install_sniffer      ø                            ø
 7  Website_defaced             ø                    ø                            ø
 8  Webserver_sniffer           Run_DOS_virus        Crack_file_server_root_pw    Crack_workstation_root_pw
 9  Webserver_sniffer_detector  ø                    ø                            ø
10  Webserver_DOS_1             ø                    ø                            ø
11  Webserver_DOS_2             ø                    ø                            ø
12  Network_shutdown            ø                    ø                            ø
13  Fileserver_hacked           Capture_data         ø                            ø
14  Fileserver_data_stolen_1    Shutdown_network     ø                            ø
15  Workstation_hacked          Capture_data         ø                            ø
16  Workstation_data_stolen_1   Shutdown_network     ø                            ø
17  Fileserver_data_stolen_2    ø                    ø                            ø
18  Workstation_data_stolen_2   ø                    ø                            ø
Administrator's action numbers and names (ø = inaction, padding each action set to three)
 #  State                       Action 1                                     Action 2                   Action 3
 1  Normal_operation            ø                                            ø                          ø
 2  Httpd_attacked              ø                                            ø                          ø
 3  Ftpd_attacked               Install_sniffer_detector                     ø                          ø
 4  Ftpd_attacked_detector      Remove_sniffer_detector                      ø                          ø
 5  Httpd_hacked                Remove_compromised_account_restart_httpd     Install_sniffer_detector   ø
 6  Ftpd_hacked                 Remove_compromised_account_restart_ftpd      Install_sniffer_detector   ø
 7  Website_defaced             Restore_website_remove_compromised_account   ø                          ø
 8  Webserver_sniffer           ø                                            ø                          ø
 9  Webserver_sniffer_detector  Remove_sniffer_and_compromised_account       ø                          ø
10  Webserver_DOS_1             Remove_virus_and_compromised_account         ø                          ø
11  Webserver_DOS_2             Remove_virus_and_compromised_account         ø                          ø
12  Network_shutdown            Remove_virus_and_compromised_account         ø                          ø
13  Fileserver_hacked           ø                                            ø                          ø
14  Fileserver_data_stolen_1    Remove_sniffer_and_compromised_account       ø                          ø
15  Workstation_hacked          ø                                            ø                          ø
16  Workstation_data_stolen_1   Remove_sniffer_and_compromised_account       ø                          ø
17  Fileserver_data_stolen_2    ø                                            ø                          ø
18  Workstation_data_stolen_2   ø                                            ø                          ø