Game Strategies in Network Security
Kong-wei Lye (1), Jeannette M. Wing (2)
(1) Department of Electrical and Computer Engineering, (2) Computer Science Department, Carnegie Mellon University
Int. Journal Inf. Security (2005) 4, 71-86
Presented by Franson, C.W. Chen, 2018/11/18
Agenda
- Introduction
- Networks as stochastic games
- Nash Equilibrium
- Attack and response scenarios
- Nash equilibria results
- Discussion
- Conclusions and future work
Introduction (1/3)
Government agencies, banks, retailers, schools, and a growing number of goods and service providers today all use the Internet as an integral way of conducting their daily business. Individuals, good or bad, can also easily connect to the Internet. Security specialists have long been interested in knowing what an intruder can do to a computer network and what can be done to prevent or counteract attacks.
Introduction (2/3)
[Network diagram with labels: Internet, Attacker, Border router, Firewall, Web Server and File Server on the Public segment, Workstation on the Private segment, Remote administration, Access]
Introduction (3/3)
For our illustration purposes, we assume that the firewall rules are lax and the operating systems are insufficiently hardened. It is thus possible for an attacker to succeed in several different attacks. This setup would be the game board for the attacker and the administrator.
Networks as stochastic games
Networks as stochastic games
Game theory has been used in many other problems involving attackers and defenders. The attacker can gain rewards, and the administrator can suffer damages. We can model a team of attackers at different locations as a single omnipresent attacker, and similarly for the defenders.
Stochastic game model (1/2)
Stochastic game model (2/2)
- High discount factor: the player is concerned about rewards far into the future. This models an attacker with a long-term objective who plans well and considers the damage he can do not only at present but far into the future.
- Low discount factor: the player is only concerned about rewards in the immediate future. This models an attacker with a short-term objective who is only concerned about causing damage at the present time.
Network state (1/3)
A node in the graph is a physical entity. An edge in the graph represents a direct communication path.
[Graph: nodes E, N, F, W with links l_EW, l_WF, l_NW, l_FW]
We model the external world as a single computer (node E) and represent the Web server, file server, and workstation by nodes W, F, and N.
Network state (2/3) – Node State
Each node X (where X ∈ {E, W, F, N}) has a node state n_X = <P, a, d> that represents its hardware and software configuration:
  P ⊆ {f, h, n, p, s, v, d}  (software running on the node; in the paper f: ftpd, h: httpd, n: nfsd, p: user processes, s: sniffer, v: virus, d: sniffer detector)
  a ∈ {u, c}  (user account uncompromised or compromised)
  d ∈ {c, i}  (data corrupted or intact)
Network state (3/3) – Traffic State
The traffic state t = <{l_XY}>, where X, Y ∈ {E, W, F, N}, captures the traffic information for the whole network. l_XY ∈ {0, 1/3, 2/3, 1} indicates the load carried on the link between nodes X and Y; a value of 1 indicates maximum capacity.
The full state space in our example has a size of |n_W| × |n_F| × |n_N| × |t| = (128 × 2 × 2)^3 × 4^4 ≈ 32 billion states, but there are only 18 states relevant to our application here.
Actions (1/2)
An action pair (one from the attacker and one from the administrator) causes the system to move from one state to another in a probabilistic manner.
Attacker's actions: Attack_httpd, Attack_ftpd, Continue_attacking, Deface_website_leave, Install_sniffer, Run_DoS_virus, Crack_file_server_root_password, Crack_workstation_root_password, Capture_data, Shutdown_network, ø (where ø denotes inaction).
Actions (2/2)
Administrator's actions: Remove_compromised_account_restart_httpd, Restore_website_remove_compromised_account, Remove_virus_and_compromised_account, Install_sniffer_detector, Remove_sniffer_detector, Remove_compromised_account_restart_ftpd, Remove_compromised_account_sniffer, ø.
State transition probabilities
This paper assigns state transition probabilities based on the intuition and experience of our network manager. In practice, case studies, statistics, simulations, and knowledge engineering can provide the required probabilities. When the network is in state Normal_operation and neither the attacker nor the administrator takes any action, it will tend to stay in the same state.
Costs and rewards
There are costs (negative values) and rewards (positive values) associated with the actions of the administrator and attacker. The reward for an attacker's action is mostly defined in terms of the amount of effort the administrator has to make to bring the network from one state to another. There are also some transitions in which the cost to the administrator is not the same magnitude as the reward to the attacker.
Nash Equilibrium
Notations (1/4)
Notations (2/4)
Notations (3/4)
Notations (4/4)
Nash Equilibrium
At this equilibrium, there is no mutual incentive for either player to deviate from their equilibrium strategies. Every general-sum discounted stochastic game has at least one Nash equilibrium in stationary strategies.
Nonlinear Programming (1/3)
Nonlinear Programming (2/3)
Nonlinear Programming (3/3)
A solution to NLP-1 that minimizes its objective function to 0 is a Nash solution of the game.
Attack and response scenarios
Deface Web site
States are written <n_W, n_F, n_N, t> with t = <l_EW, l_WF, l_FN, l_NW>; each transition is labelled action, probability, attacker reward.
  Normal_operation:  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
    -- Attack_httpd, 1, 10 -->
  Httpd_attacked:    <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1+/3,1/3,1/3,1/3>>
    -- Continue_attacking, 0.5, 0 -->
  Httpd_hacked:      <<(f),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>   (a second Continue_attacking, 0.5, 0 edge is also shown)
    -- Deface_website_leave, 1, 99 -->
  Website_defaced:   <<(f,h),c,c>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
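The stochastic game model above (discount factor, transition probabilities, costs and rewards) applied to this Deface Web site scenario, as an added example that is not code from the paper or its MATLAB implementation: a pure-Python policy evaluation that computes each player's discounted state values for a fixed pair of stationary strategies, which is the fixed-point relation v = r + γPv that equilibrium values satisfy under the equilibrium strategies. Edge probabilities and attacker rewards are the slide's; the administrator's cost on attacker-caused transitions (taken equal and opposite), the failure branch of Continue_attacking, the -10 cost of Remove_compromised_account_restart_httpd and the rule that a recovery action pre-empts the attacker's move in the same state are assumptions.

```python
# Added example, not code from the Lye & Wing paper: discounted payoff of a fixed
# stationary strategy pair on the slides' "Deface Web site" scenario. Edge probabilities
# and attacker rewards are the slides' values; admin costs on attacker transitions (equal
# and opposite), the Continue_attacking failure branch and the -10 httpd-restart cost are assumed.
STATES = ["Normal_operation", "Httpd_attacked", "Httpd_hacked", "Website_defaced"]
ATTACKER = {  # state -> action -> [(probability, next_state, attacker_reward, admin_reward)]
    "Normal_operation": {"Attack_httpd": [(1.0, "Httpd_attacked", 10.0, -10.0)]},
    "Httpd_attacked": {"Continue_attacking": [(0.5, "Httpd_hacked", 0.0, 0.0),
                                              (0.5, "Httpd_attacked", 0.0, 0.0)]},
    "Httpd_hacked": {"Deface_website_leave": [(1.0, "Website_defaced", 99.0, -99.0)]},
}
ADMIN = {  # state -> recovery action -> same tuple layout
    "Httpd_hacked": {"Remove_compromised_account_restart_httpd": [(1.0, "Normal_operation", 0.0, -10.0)]},
    "Website_defaced": {"Restore_website_remove_compromised_account": [(1.0, "Normal_operation", 0.0, -99.0)]},
}

def joint_outcomes(state, att_policy, adm_policy):
    """Mix both players' stationary strategies into one transition distribution.
    Assumption: a recovery action pre-empts the attacker's move in that state."""
    outcomes, p_recover = [], 0.0
    for action, p in adm_policy.get(state, {}).items():
        p_recover += p
        outcomes += [(p * q, nxt, ra, rd) for q, nxt, ra, rd in ADMIN[state][action]]
    for action, p in att_policy.get(state, {}).items():
        outcomes += [((1 - p_recover) * p * q, nxt, ra, rd) for q, nxt, ra, rd in ATTACKER[state][action]]
    residual = 1.0 - sum(p for p, *_ in outcomes)  # nobody acts: state unchanged
    return outcomes + [(residual, state, 0.0, 0.0)]

def evaluate(att_policy, adm_policy, gamma, sweeps=500):
    """Return (attacker_values, admin_values): expected discounted payoff from each state."""
    v_att = v_adm = {s: 0.0 for s in STATES}
    out = {s: joint_outcomes(s, att_policy, adm_policy) for s in STATES}
    for _ in range(sweeps):  # fixed-point iteration on v = r + gamma * P v
        v_att = {s: sum(p * (ra + gamma * v_att[n]) for p, n, ra, _ in o) for s, o in out.items()}
        v_adm = {s: sum(p * (rd + gamma * v_adm[n]) for p, n, _, rd in o) for s, o in out.items()}
    return v_att, v_adm

# Pure strategies: the attacker walks the scenario's path; the administrator either
# only restores the defaced site or also cleans up as soon as httpd is hacked.
PERSISTENT_ATTACKER = {"Normal_operation": {"Attack_httpd": 1.0},
                       "Httpd_attacked": {"Continue_attacking": 1.0},
                       "Httpd_hacked": {"Deface_website_leave": 1.0}}
RESTORE_ONLY = {"Website_defaced": {"Restore_website_remove_compromised_account": 1.0}}
EARLY_CLEANUP = dict(RESTORE_ONLY, Httpd_hacked={"Remove_compromised_account_restart_httpd": 1.0})

if __name__ == "__main__":
    for gamma in (0.0, 0.5, 0.9):  # low vs high discount factor
        for name, adm in (("restore only", RESTORE_ONLY), ("early cleanup", EARLY_CLEANUP)):
            a, d = evaluate(PERSISTENT_ATTACKER, adm, gamma)
            print(f"gamma={gamma} {name}: attacker={a['Normal_operation']:.2f} admin={d['Normal_operation']:.2f}")
```

Running it shows how the discount factor changes what the attacker expects to gain from Normal_operation, and how much of the administrator's expected damage is avoided by recovering at Httpd_hacked instead of only after the defacement.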
Denial of Service
Each transition is labelled action, probability, attacker reward.
  Webserver_sniffer:  <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
    -- Run_DoS_virus, 1, 30 -->
  Webserver_DoS_1:    <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,2/3,1/3,2/3>>
    -- ø, 0.8, 30 -->
  Webserver_DoS_2:    <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1,1/3,1>>
    -- ø, 0.8, 30 -->
  Network_shut_down:  <<(s,v),c,i>, <(),u,i>, <(),u,i>, <0,0,0,0>>
Stealing confidential data (1/2)
Each transition is labelled action, probability, attacker reward.
  Normal_operation:  <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
    -- Attack_ftpd, 1, 10 -->
  Ftpd_attacked:     <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1+/3,1+/3,1/3,1/3>>
    -- Continue_attacking, 0.5, 0 -->
  Ftpd_hacked:       <<(h),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>   (a second Continue_attacking, 0.5, 0 edge is also shown)
    -- Install_sniffer, 0.5, 10 -->
  Webserver_sniffer: <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
Stealing confidential data (2/2)
  Webserver_sniffer:         <<(f,h,s),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
    -- Crack_workstation_root_pw, 0.9, 50 -->
  Workstation_hacked:        <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,i>, <1/3,1/3,1/3,1/3>>
    -- Capture_data, 1, 999 -->
  Workstation_data_stolen_1: <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,c>, <1+/3,1/3,1/3,1+/3>>
    -- Shutdown_network, 1, 60 -->
  Network_shut_down:         <<(s,v),c,i>, <(),u,i>, <(),c,c>, <0,0,0,0>>
Recovery (Scenarios 1 and 2)
Each transition is labelled action, probability, administrator cost.
  Webserver_DoS_1:  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,2/3,1/3,2/3>>
    -- Remove_virus_and_compromised_account, 1, -30 --> Normal_operation
  Webserver_DoS_2:  <<(f,h,s,v),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1,1/3,1>>
    -- Remove_virus_and_compromised_account, 1, -60 --> Normal_operation
  Website_defaced:  <<(f,h),c,c>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
    -- Restore_website_remove_compromised_account, 1, -99 --> Normal_operation
  Normal_operation: <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
Recovery (Scenario 3)
  Workstation_data_stolen_1: <<(f,h,s),c,i>, <(f,n),u,i>, <(p),c,c>, <1/3,1/3,1/3,1/3>>
    -- Remove_sniffer_and_compromised_account, 1, -20 -->
  Workstation_data_stolen_2: <<(f,h),c,i>, <(f,n),u,i>, <(p),u,c>, <1/3,1/3,1/3,1/3>>
Important data have been stolen, and no action allows the administrator to undo this situation.
Recovery (Ftpd_attack)
  Ftpd_attacked:              <<(f,h),u,i>, <(f,n),u,i>, <(p),u,i>, <1+/3,1+/3,1/3,1/3>>
    -- Install_sniffer_detector, 0.5, -10 -->
  Ftpd_attacked_detector:     <<(f,h,d),u,i>, <(f,n),u,i>, <(p),u,i>, <2/3,2/3,1/3,1/3>>
  Ftpd_hacked:                <<(h),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>   (an edge labelled ø, 0.5, -10 is also shown)
    -- Install_sniffer_detector, 0.5, -10 -->
  Webserver_sniffer_detector: <<(f,h,s,d),c,i>, <(f,n),u,i>, <(p),u,i>, <1/3,1/3,1/3,1/3>>
Attacker and administrator can engage in real-time game play.
Nash equilibria results
We implemented the nonlinear program NLP-1 in MATLAB. The players take actions only at discrete time instants. Where a player has fewer actions available in a state, we add the inaction ø to that player's action set so that all action sets have the same cardinality.
First Nash Equilibrium
 #  State                       Strategies (attacker, administrator)   State values (attacker, administrator)
 1  Normal_operation            [1.00 0.00 0.00] [0.33 0.33 0.33]       210.2  -206.8
 2  Httpd_attacked                                                      202.2  -191.1
 3  Ftpd_attacked               [0.65 0.00 0.35]                        176.9  -189.3
 4  Ftpd_attacked_detector      [0.40 0.12 0.48] [0.93 0.07 0.00]       165.8  -173.8
 5  Httpd_hacked                [0.33 0.10 0.57] [0.67 0.19 0.14]       197.4  -206.4
 6  Ftpd_hacked                 [0.12 0.00 0.88] [0.96 0.00 0.04]       204.8  -203.5
 7  Website_defaced                                                      80.4   -80.0
 8  Webserver_sniffer           [0.00 0.50 0.50] [0.33 0.33 0.34]       716.3  -715.1
 9  Webserver_sniffer_detector  [0.34 0.33 0.33]                        148.2  -185.4
10  Webserver_DOS_1                                                     106.7  -106.1
11  Webserver_DOS_2                                                      96.5   -96.0
12  Network_shutdown
13  Fileserver_hacked           [0.35 0.34 0.31]                       1065.5 -1049.2
14  Fileserver_data_stolen_1                                             94.4   -74.0
15  Workstation_hacked          [1.00 0.00 0.00] [0.31 0.32 0.37]
16  Workstation_data_stolen_1
17  Fileserver_data_stolen_2
18  Workstation_data_stolen_2
(Blank cells are blank on the slide.)
Slide callouts: Httpd_hacked [0.77 0.23 0.00] [0.78 0.22 0.00]; Fileserver_hacked [1.00 0.00 0.00] [0.35 0.34 0.31] 1065.5 -1049.2; Workstation_hacked [1.00 0.00 0.00] [0.31 0.32 0.37] 1065.5 -1049.2
Second Nash Equilibrium
 #  State                       Strategies (attacker, administrator)   State values (attacker, administrator)
 1  Normal_operation            [0.13 0.00 0.87] [0.26 0.22 0.52]       212.7   -79.6
 2  Httpd_attacked              [1.00 0.00 0.00] [0.27 0.30 0.43]       204.6  -166.9
 3  Ftpd_attacked               [0.12 0.32 0.56]                        179.1  -141.0
 4  Ftpd_attacked_detector      [0.12 0.00 0.88] [0.93 0.07 0.00]       167.7   -80.8
 5  Httpd_hacked                [0.91 0.06 0.04] [0.66 0.20 0.13]       199.2  -177.4
 6  Ftpd_hacked                 [0.10 0.00 0.90] [0.70 0.23 0.08]       207.9  -175.0
 7  Website_defaced             [0.39 0.26 0.34] [0.23 0.35 0.41]        81.4   -70.7
 8  Webserver_sniffer           [0.00 0.53 0.47] [0.34 0.42 0.24]       719.0  -690.0
 9  Webserver_sniffer_detector  [0.34 0.34 0.33]                        150.2   -83.7
10  Webserver_DOS_1             [0.24 0.40 0.35] [0.52 0.29 0.19]       140.5   -93.7
11  Webserver_DOS_2             [0.33 0.39 0.28] [0.00 0.59 0.41]        97.7   -84.8
12  Network_shutdown            [0.34 0.32 0.34] [0.29 0.26 0.45]
13  Fileserver_hacked           [0.11 0.41 0.48]                       1066.1 -1043.2
14  Fileserver_data_stolen_1                                             95.1   -66.5
15  Workstation_hacked          [0.33 0.24 0.43]
16  Workstation_data_stolen_1
17  Fileserver_data_stolen_2    [0.39 0.25 0.36] [0.31 0.42 0.26]
18  Workstation_data_stolen_2   [0.23 0.50 0.27] [0.25 0.42 0.33]
(Blank cells are blank on the slide.)
Actions highlighted on the slide: Attack_httpd, Continue_attacking, Remove_compromised_account_restart_httpd, Deface_website, Restore_website_remove_compromised_account
Third Nash Equilibrium
 #  State                       Strategies (attacker, administrator)   State values (attacker, administrator)
 1  Normal_operation            [0.04 0.00 0.96] [0.33 0.36 0.31]       224.2   -28.6
 2  Httpd_attacked              [1.00 0.00 0.00] [0.35 0.32 0.34]       218.1  -161.0
 3  Ftpd_attacked               [0.20 0.11 0.69] [0.77 0.23 0.00]       199.2  -163.0
 4  Ftpd_attacked_detector      [0.96 0.01 0.04]                        179.3  -145.3
 5  Httpd_hacked                [0.00 0.89 0.11]                        232.3  -155.8
 6  Ftpd_hacked                 [0.10 0.00 0.90] [0.96 0.00 0.04]       218.9  -169.2
 7  Website_defaced             [0.42 0.37 0.21] [0.27 0.30 0.43]        85.8   -69.1
 8  Webserver_sniffer           [0.00 0.49 0.51] [0.33 0.35 0.32]       730.7  -685.7
 9  Webserver_sniffer_detector  [0.31 0.32 0.38]                        159.3   -42.9
10  Webserver_DOS_1             [0.27 0.29 0.44]                                -52.9
11  Webserver_DOS_2             [0.38 0.29 0.34] [0.90 0.05 0.06]       171.5   -82.9
12  Network_shutdown            [0.36 0.21 0.43] [0.18 0.40 0.42]               -69.1
13  Fileserver_hacked           [0.29 0.28 0.43]                       1068.9 -1042.2
14  Fileserver_data_stolen_1                                             98.6   -65.3
15  Workstation_hacked          [0.39 0.24 0.36]
16  Workstation_data_stolen_1
17  Fileserver_data_stolen_2    [0.31 0.48 0.21] [0.31 0.37 0.32]
18  Workstation_data_stolen_2   [0.39 0.36 0.25] [0.38 0.37 0.25]
(Blank cells are blank on the slide.)
Action highlighted on the slide: Install_sniffer_detector
Discussion
Strengths of our approach
Modeling the problem as a general-sum stochastic game allows us to find multiple Nash equilibria. Because a network system is never perfectly secure, this game-theoretic formulation of the security problem allows the administrator to discover the potential attack strategies of an attacker as well as the best defense strategies against them.
Limitations of our approach
We are interested in only a small subset of the state space. It may be difficult to assign the costs/rewards for the actions and the transition probabilities. It is difficult to model the actions of the players, in particular the attacker.
Conclusions and future work
Conclusion
This paper has shown how the network security problem can be modeled as a general-sum stochastic game, and how the nonlinear program NLP-1 can be used to compute multiple Nash equilibria, each denoting best strategies (best responses) for both players. This analysis allows us to discover strategies that an attacker could use and helps us in planning future software and hardware upgrades that will strengthen weak points in the network.
Future Work
The authors wish to develop a systematic method for decomposing large models into smaller manageable components, and then compose the overall best response for each player from the strategies for the components. They hope to experiment with network examples that are larger and more complicated than the one given here.
Thank you for listening.
Attacker's action numbers and names
Actions are numbered 1 to 3 per state on the slide; an entry that spans several states is listed at the first of them.
 #  State                       Actions
 1  Normal_operation            Attack_httpd, Attack_ftpd, ø
 2  Httpd_attacked              Continue_attacking
 3  Ftpd_attacked
 4  Ftpd_attacked_detector
 5  Httpd_hacked                Deface_website, Install_sniffer
 6  Ftpd_hacked
 7  Website_defaced
 8  Webserver_sniffer           Run_DOS_virus, Crack_file_server_root_pw, Crack_workstation_root_pw
 9  Webserver_sniffer_detector
10  Webserver_DOS_1
11  Webserver_DOS_2
12  Network_shutdown
13  Fileserver_hacked           Capture_data
14  Fileserver_data_stolen_1    Shutdown_network
15  Workstation_hacked
16  Workstation_data_stolen_1
17  Fileserver_data_stolen_2
18  Workstation_data_stolen_2
Administrator's action numbers and names
Actions are numbered 1 to 3 per state on the slide; an entry that spans several states is listed at the state where it appears.
 #  State                       Actions
 1  Normal_operation            ø
 2  Httpd_attacked
 3  Ftpd_attacked               Install_sniffer_detector
 4  Ftpd_attacked_detector      Remove_sniffer_detector
 5  Httpd_hacked                Remove_compromised_account_restart_httpd, Install_sniffer_detector
 6  Ftpd_hacked                 Remove_compromised_account_restart_ftpd
 7  Website_defaced             Restore_website_remove_compromised_account
 8  Webserver_sniffer
 9  Webserver_sniffer_detector  Remove_sniffer_and_compromised_account
10  Webserver_DOS_1             Remove_virus_and_compromised_account
11  Webserver_DOS_2
12  Network_shutdown
13  Fileserver_hacked
14  Fileserver_data_stolen_1
15  Workstation_hacked
16  Workstation_data_stolen_1
17  Fileserver_data_stolen_2
18  Workstation_data_stolen_2