A Game Theoretic Approach for Active Defense - PowerPoint PPT Presentation

Slides: 28
Provided by: pliu5
Transcript and Presenter's Notes

1
A Game Theoretic Approach for Active Defense
  • Peng Liu
  • Lab. for Info. and Sys. Security
  • University of Maryland, Baltimore County
  • Baltimore, MD 21250
  • OASIS, March 2002

2
Evolution of Defensive Computing Systems
  • Prevention
    - authentication, access control, inference control, information flows, encryption, keys, signatures, ...
  • Intrusion Detection
    - host-based, network-based, misuse detection, anomaly detection, ...
  • Survivability
    - assessment, repair, isolation, containment, replication, segmentation, masking, migration, quorums, voting, reconfiguration, ...

However, many existing defensive computing systems are passive!
3
Many IDS are passive
  • Static intrusion detection -- fixed IDS configuration
  • Adaptive intrusion detection -- reactive but not active
    - adapting the IDS configuration to the changing environment
    - most successful when new attacks follow the same trend

Passive -- the defense lags behind the offense.
4
Many existing intrusion tolerant systems are passive

[Figure: an intrusion tolerant system receives good accesses and attacks from the environment; a Tuner adapts the system to the environment.]

  • Reactive adaptations work well when the environment gradually changes following the same trend
  • When the environment suddenly changes, the adaptation latency can be significant, during which the system is not stable and can perform very poorly

5
ITDB is passive

[Figure: ITDB architecture. Components: Mediator, Intrusion Detector, Damage Container, Repair manager, Tuner, database. Labeled flows: authorized but malicious transactions, trails, alarms, suspicious transactions (isolation, then merge or discard), malicious transactions (assess, repair).]
6
Active Defense Systems

[Figure: an attacking system and an intrusion tolerant system battle within the environment; the intrusion tolerant system still serves good accesses and is adjusted by a Tuner.]
7
A game theoretic approach for active defense

[Figure: a two-player game. Player 1 is an intrusion tolerant system choosing a defense strategy D from its strategy space; Player 2 is an attacking system choosing an attack strategy A from its strategy space; the outcome is Payoff-1(D, A) and Payoff-2(D, A), and the game unfolds over time.]

  • The game should have multiple phases
  • The simplest case is a repeated game


8
A simple game (prisoner's dilemma; payoffs are (Prisoner 1, Prisoner 2))

                          Prisoner 2
                       Deny        Confess
  Prisoner 1  Deny     -1, -1      -9, 0       (high risk)
              Confess   0, -9      -6, -6      <- Nash equilibrium

  • Rational players maximize their payoffs with minimum risk
  • Rational prediction -- Nash equilibrium -- (Confess, Confess)
    - player 1's predicted strategy is player 1's best response to the predicted strategy of player 2, and vice versa
    - no single player wants to deviate from his or her predicted strategy


9
A motivating example: Fraud Detection

[Figure: parties in a credit card transaction: Merchant, Acquiring Bank, Issuing Bank (holding the account information).]

  • credit card transactions
  • fraud detection
    - a profile for each card (customer)
    - distance(transaction, profile) indicates the anomaly
    - raising several levels of alarms based on the distance using a set of thresholds
  • challenge -- how to
    - minimize the fraud loss
    - minimize the denial-of-service

10
Anomaly Detection System Specification
11
A game for active fraud defense (1)

Bayesian 2-player active defense game:
  • Players: the Fraud Detection System (FDS, also written ADS) and a Customer
  • Types of the Customer: good guy (payoff u_good) or bad guy (payoff u_bad)
  • Beliefs: the FDS believes the customer is a bad guy with probability θ and a good guy with probability 1-θ
  • FDS payoff: u_ads = (1-θ) · u_ads,good + θ · u_ads,bad
12
A game for active fraud defense (2)
  • Assumption: the profile of each customer is simply specified by the transaction amount

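The fraud-detection specification of the preceding slides (a per-card profile, a distance from the profile, several alarm levels from a set of thresholds, and the trade-off between fraud loss and denial-of-service) can be made concrete in code. The following is an added example, not code from the presentation: it assumes the profile Pi is the mean of past amounts and the distance is the absolute deviation from it, and the transactions and thresholds are constructed sample data.

```python
from statistics import mean


def build_profile(history):
    """Profile Pi of a card: the mean of its past transaction amounts.
    (Assumption for this example; the slides only say the profile is
    specified by the transaction amount.)"""
    return mean(history)


def distance(amount, profile):
    """distance(transaction, profile): absolute deviation from Pi (assumed)."""
    return abs(amount - profile)


def alarm_level(amount, profile, thresholds):
    """Alarm level = number of thresholds the distance exceeds.
    thresholds must be sorted ascending, so level 0 means 'normal'."""
    d = distance(amount, profile)
    return sum(1 for th in thresholds if d > th)


def evaluate(profile, good_amounts, bad_amounts, thresholds, block_level):
    """Decline every transaction whose alarm level reaches block_level.
    Returns (denial_of_service, fraud_loss): the fraction of good
    transactions declined and the total fraudulent amount that got through."""
    declined_good = sum(
        1 for a in good_amounts
        if alarm_level(a, profile, thresholds) >= block_level)
    fraud_loss = sum(
        a for a in bad_amounts
        if alarm_level(a, profile, thresholds) < block_level)
    return declined_good / len(good_amounts), fraud_loss


def sweep(profile, good_amounts, bad_amounts, thresholds):
    """The FDS's trade-off: one (level, denial_of_service, fraud_loss) row
    per possible blocking level, from strictest to 'never block'."""
    return [(lvl,) + evaluate(profile, good_amounts, bad_amounts, thresholds, lvl)
            for lvl in range(1, len(thresholds) + 2)]


# Constructed sample data (not from the slides).
HISTORY = [40, 55, 60, 45, 50]          # past amounts of one card -> Pi = 50
THRESHOLDS = [20, 60, 150]              # three alarm levels above 'normal'
GOOD = [48, 52, 80, 55, 200]            # legitimate transactions, two unusual
BAD = [49, 75, 120, 500, 900]           # fraudulent transactions

if __name__ == "__main__":
    pi = build_profile(HISTORY)
    print("Pi =", pi)
    for lvl, dos, loss in sweep(pi, GOOD, BAD, THRESHOLDS):
        print(f"block at level {lvl}: denial-of-service {dos:.2f}, fraud loss {loss}")
    # A bad guy who knows Pi can spend exactly Pi and raise no alarm at all,
    # which is the 'amount = Pi' attacker strategy of the naive game below.
    print("fraud at exactly Pi raises level", alarm_level(pi, pi, THRESHOLDS))
```

Tightening the blocking level cuts fraud loss only by declining more legitimate transactions, and no threshold helps against the transaction that sits exactly on the profile; that is the tension the game on the following slides is built to resolve.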
13
Attack Prediction Game
14
A naïve approach
  • Assumption: the attacker knows Pi
  • The Nash Equilibrium is
    - when b = 0
      - the FDS's strategy is TH = 0
      - the good guy's strategy is amount = Pi
      - the bad guy's strategy is amount = Pi
    - when b > 0
      - there is no (pure strategy) Nash equilibrium, since the FDS wants to outguess the bad guy and vice versa

However, Pi is usually not completely known to the bad guy!
15
A probabilistic approach
  • Assumption: the attacker only knows a distribution of Pi, e.g., a normal distribution
  • The Nash Equilibrium (TH, Ag, Ab) must satisfy a condition whose formula did not survive in this transcript

[Figure: plot over the amount axis from 0 to 2TH, marking Ab and Pi, against CL.]

However, when b is very small
16
Adding more uncertainty
  • Motivation: in many cases, the FDS is uncertain about the attacker's strategy
  • Assumption: the attacker's strategy is randomly distributed over an attack window [X, X+B], where B is fixed
  • The results are:

[Figure: plot over the amount axis from 0, marking Pi and the attack window from X to X+B, against CL.]

Question: which X is best for the bad guy?
17
Preliminary results (1)
18
Preliminary results (2)
19
Preliminary results (3)
20
Preliminary results (4)
21
The impact on false alarm rate and detection rate
  • The false alarm rate is dependent on the
    behavior of the good guy
  • If the good guy takes Nash strategies, the false
    alarm rate is 0
  • The detection rate can be predicted using the
    Nash Equilibrium
  • Since in many practical defense systems there is
    incomplete information to compute the Nash
    Equilibrium, the false alarm rate is usually not
    zero, and the detection rate can only be
    approximately predicted

22
Suggestions to card holders
  • Have multiple cards
  • Use each card in a converged (consistent) way so that its profile stays tight

23
Broader Attack Prediction Applications

[Figure: the attack space divided into known types of attacks, new attacks, and new types of attacks; some regions are labeled "valuable games", others "not valuable games".]
24
Example 1: new attacks
  • There is a game for each new attack, however,
    - the attacker knows a lot about it but the defender knows very little
    - the attacker knows a lot about the Nash equilibrium, but the defender does not
    - the attacker will not inform the defender what he or she knows
  • As a result, the attacker can exploit the nature of asymmetric information sharing to win more!
  • The defender can start to play the game only after the new attack happens


25
Example 2: Code Red (payoffs are (Attacker, Web server))

Low probability of being captured:
                              Web server
                          Patch        None
  Attacker  Code Red      0, -1        10, -10
            None          0, -1        0, 0
  Nash equilibrium: (Code Red, Patch)

High probability of being captured:
                              Web server
                          Patch        None
  Attacker  Code Red      -5, -1       5, -10
            None          0, -1        0, 0
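The "rational prediction" on the prisoner's dilemma slide and the two Code Red tables above are all found the same way: each player's predicted strategy must be a best response to the other's. The following is an added example, not code from the presentation; the payoff tables are transcribed from the slides as (row player, column player), and the best-response and indifference computations are standard game theory, not the author's notation. It goes one step beyond the slides: when no pure-strategy equilibrium exists, as in the high-capture-probability Code Red game, it solves the 2x2 indifference conditions for the mixed equilibrium.

```python
from fractions import Fraction

# Payoff tables from the slides: game[(row, col)] = (row payoff, col payoff).
PRISONERS = {("Deny", "Deny"): (-1, -1), ("Deny", "Confess"): (-9, 0),
             ("Confess", "Deny"): (0, -9), ("Confess", "Confess"): (-6, -6)}
CODE_RED_LOW = {("Code Red", "Patch"): (0, -1), ("Code Red", "None"): (10, -10),
                ("None", "Patch"): (0, -1), ("None", "None"): (0, 0)}
CODE_RED_HIGH = {("Code Red", "Patch"): (-5, -1), ("Code Red", "None"): (5, -10),
                 ("None", "Patch"): (0, -1), ("None", "None"): (0, 0)}
PRISONER = ["Deny", "Confess"]
ATTACKER, SERVER = ["Code Red", "None"], ["Patch", "None"]


def best_responses(game, rows, cols):
    """row_br[c]: row strategies maximising the row payoff against column c;
    col_br[r]: column strategies maximising the column payoff against row r."""
    row_br = {c: {r for r in rows
                  if game[(r, c)][0] == max(game[(x, c)][0] for x in rows)}
              for c in cols}
    col_br = {r: {c for c in cols
                  if game[(r, c)][1] == max(game[(r, y)][1] for y in cols)}
              for r in rows}
    return row_br, col_br


def pure_nash(game, rows, cols):
    """Profiles where neither player gains by deviating alone: each strategy
    is a best response to the other player's strategy."""
    row_br, col_br = best_responses(game, rows, cols)
    return [(r, c) for r in rows for c in cols
            if r in row_br[c] and c in col_br[r]]


def mixed_nash_2x2(game, rows, cols):
    """Fully mixed equilibrium of a 2x2 game by the indifference method.
    Returns (p, q): p = P(row plays rows[0]) chosen so the column player is
    indifferent, q = P(column plays cols[0]) chosen so the row player is
    indifferent; None when no fully mixed equilibrium exists."""
    (r0, r1), (c0, c1) = rows, cols
    a = {(r, c): Fraction(game[(r, c)][0]) for r in rows for c in cols}
    b = {(r, c): Fraction(game[(r, c)][1]) for r in rows for c in cols}
    # q*a[r0,c0] + (1-q)*a[r0,c1] = q*a[r1,c0] + (1-q)*a[r1,c1]
    den_q = a[r0, c0] - a[r0, c1] - a[r1, c0] + a[r1, c1]
    # p*b[r0,c0] + (1-p)*b[r1,c0] = p*b[r0,c1] + (1-p)*b[r1,c1]
    den_p = b[r0, c0] - b[r1, c0] - b[r0, c1] + b[r1, c1]
    if den_q == 0 or den_p == 0:
        return None
    q = (a[r1, c1] - a[r0, c1]) / den_q
    p = (b[r1, c1] - b[r1, c0]) / den_p
    if not (0 < p < 1 and 0 < q < 1):
        return None
    return p, q


if __name__ == "__main__":
    print("prisoner's dilemma:", pure_nash(PRISONERS, PRISONER, PRISONER))
    print("Code Red, low capture probability:",
          pure_nash(CODE_RED_LOW, ATTACKER, SERVER))
    print("Code Red, high capture probability:",
          pure_nash(CODE_RED_HIGH, ATTACKER, SERVER),
          "mixed:", mixed_nash_2x2(CODE_RED_HIGH, ATTACKER, SERVER))
```

With a low probability of capture the unique prediction is (Code Red, Patch): the attacker attacks and the server pays the patching cost. With a high probability of capture there is no pure equilibrium (each pure profile gives one side a profitable deviation), and the mixed equilibrium has the attacker launching Code Red only one time in ten while the server patches half the time, which is the kind of quantitative guidance for defensive design the closing slide refers to.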
26
Potential impact
  • Nash equilibrium are rational predictions for
    attacks
  • Nash equilibrium can guide better defensive
    system design

27
Questions?
Thank you!