Alpcan, T., and T. Basar (2004) “A game theoretic analysis of intrusion detection in access control systems” Proceedings of 43rd IEEE Conference on Decision.

Alpcan, T., and T. Basar (2004) “A game theoretic analysis of intrusion detection in access control systems” Proceedings of 43rd IEEE Conference on Decision and Control.
A review by Matthew H. Henry, October 12, 2005

Description of Game
Network intrusion scenario
Three players:
– Intruder
– Virtual Sensor Network (VSN)
– Intrusion Detection System (IDS)
Finite and dynamic games

Virtual Sensor Network
Network of software sensors: $S = \{s_1, s_2, \ldots, s_{max}\}$
Each sensor is an autonomous agent that either
– Seeks to match known network intrusion activity signatures; or
– Looks for anomalies in network usage that might indicate nefarious activity
Each sensor reports findings to IDS core directly or via sensor hierarchy
Sensors are “mobile” and can be instantiated and deployed at will by the IDS to monitor different subsystems
In general, each sensor is capable of identifying one or more intrusion mechanisms
The “strategy” of the VSN consists of a fixed probability distribution for each mode of attack and corresponds to the VSN output during that attack

The IDS and the Attacker
The target system is decomposed into $t_{max}$ subsystems: $\{t_1, t_2, \ldots, t_{max}\}$
There exist $I_{max}$ possible modes of attack: $\{I_1, I_2, \ldots, I_{max}\}$
Each attack is an ordered pair: $a_k = (t_i, I_j)$
The game, aside from the imperfect information afforded by the VSN, is a non-cooperative non-zero sum game played by the Attacker and the IDS
– Attacker benefits from a successful intrusion and suffers a cost at being detected
– The IDS benefits from a successful detection and suffers a penalty (in the form of network performance reduction) from a false positive – the IDS must manage a security tradeoff

Sensor Network Overlay on Protected System
[Figure: network diagram with labels Attack, LAN, SCADA Control Center, SCADA MTU 1 … N, PCS 1 … M, Process 1 … P, Intrusion Detection System (IDS), and sensors marked S]

Simple Example: single-move finite game
Target system comprises a single subsystem and there exists a single possible mode of attack: $a_0 = (1, 1)$
IDS strategy set includes two possible moves: {Take action against attacker, Do nothing}
Attacker strategy set includes two possible moves: {Attack, Not attack}
VSN “strategy” set includes two probability distributions: $\{[p_{10}, p_{11}], [p_{00}, p_{01}]\}$, where
– $p_{10}$ = P(No attack detected | Attack occurred)
– $p_{11}$ = P(Attack detected | Attack occurred)
– $p_{00}$ = P(No attack detected | No attack occurred)
– $p_{01}$ = P(Attack detected | No attack occurred)
– Action taken when Attack Detected: Set Alarm

Simple Example: single-move finite game
Unique Nash equilibrium in mixed strategies with probability distributions and payoffs shown above. (Solution found using GAMBIT)

Continuous Game
Problems with finite game:
– Exhibits poor scalability for large systems and high-dimensional action spaces
– Payoff values must be separately defined for each possible outcome
Propose continuous-kernel game with continuous strategy spaces and cost functions to improve scalability and generalization

Attacker Strategy Space
Let $A_{max}$ denote the cardinality of the attack set of ordered pairs $a_k = (t_i, I_j)$
The strategy space of the attacker is now a subset of  A max
Attacker strategy u A  U A   A max, with elements u A i  0, i = 1, 2, …, A max

IDS Strategy Space
Let $R_{max}$ denote the cardinality of the response set available to the IDS
The strategy space of the IDS is now a subset of  R max
IDS strategy u I  U I   R max, with elements u I i  0, i = 1, 2, …, R max

Virtual Sensor Network
Sensor output as functions of attacker actions represented as a linear transformation P in the space U S   A max × A max
The matrix $P = [p_{ij}]$, $i, j = 1 \ldots A_{max}$, maps attacker actions to sensor output
Sensor output = $(u^A)^T P$
e.g. ideal P would be the Identity matrix: sensors perfectly detect and report attacker strategy
Detection metric for attack $a_i$: $dq(i) = p_{ij} / \mathrm{rowsum}(p_{ij})$
Define P = [p ij ] = [-p ij ] for i=j, [p ij ] otherwise  this provides positive cost for erroneous detection and negative cost (positive benefit) for correct detection

IDS Cost Function
$J^I(u^A, u^I, P) =$
$\gamma (u^A)^T P Q u^I$ (cost of false detection/benefit of correct detection)
$+\ (u^I)^T \mathrm{diag}(\;)\, u^I$ (cost of resource allocation)
$+\ (c^I)^T (Q u^A - Q u^I)$ (cost of successful attack)
γ – scalar gain for cost/benefit of false/correct detection
Q – $A_{max} \times R_{max}$ matrix of binary values (0/1) that maps IDS response actions to attacks
Q – $A_{max} \times A_{max}$ diagonal matrix with elements  1, signifying the degree of vulnerability of specific subsystems to attacks
diag(  ) = diag([  1  2 …  Rmax ]) – cost of response actions
$c^I = [c^I_1\ c^I_2 \ldots c^I_{A_{max}}]$ – cost of each attack to IDS

IDS Cost Function (Example)
2-Dimensional attack space: $u^A = [u^A_1\ u^A_2]$ corresponding to one attack mode on two subsystems
1-dimensional IDS response space $u^I$
γ = 1
$Q = [1\ 1]^T$ – IDS response is same for both attacks
Q = 2-Dim Identity Matrix – both subsystems equally vulnerable to this attack
diag(  ) =  = 1
$c^I = [1\ 2]$ – attack on subsystem 2 twice as costly as an attack on subsystem 1
$P = [0.8\ 0.2;\ 0.3\ 0.7]$

Attacker Cost Function
$J^A(u^A, u^I, P) =$
$-\gamma (u^A)^T P Q u^I$ (cost of capture/benefit of successful intrusion)
$+\ (u^A)^T \mathrm{diag}(\;)\, u^A$ (cost of resource allocation)
$+\ (c^A)^T (Q u^I - Q u^A)$ (benefit of successful attack)
diag(  ) = diag([  1  2 …  A max ]) – cost of attack resources
$c^A = [c^I_1\ c^I_2 \ldots c^I_{A_{max}}]$ – benefit of each attack to attacker

“Optimal” Trajectories
Minimizing the cost functions yields the following reaction functions
u I ( u A, P) = [  I – γ[diag(2  )] -1 Q T P T u A ] +
u A ( u I, P) = [  A + γ[diag(2  )] -1 PQ u I ] +
Where
–  I = [( c I Q) 1 /(2  1 )…( c I Q) Rmax /(2  Rmax )]
–  A = [( c A Q) 1 /(2  1 )…( c A Q) Amax /(2  Amax )]
– [] + indicates that negative elements are mapped to zero
Note: this is not best response in the sense of fictitious play since $u^A$ is unknown to the IDS, and $u^I$ is unknown to the Attacker

Nash Equilibrium
Strategy pair $(u^{I*}, u^{A*})$ is in Nash equilibrium if they jointly minimize cost:
– $u^{I*} = \arg\min_{u^I} \{J^I(u^{A*}, u^I, P)\}$
– $u^{A*} = \arg\min_{u^A} \{J^A(u^A, u^{I*}, P)\}$
The authors prove that a unique interior Nash equilibrium exists for constrained values of γ which force $u^{I*}$ to be positive in the equilibrium solution
Their proof uses the convexity of the cost functions and derives a Hessian for the coupled cost vector $[J^I\ J^A]$ to show uniqueness of the interior solution
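The reaction functions and the equilibrium condition can be checked numerically on the two-subsystem example from the slides. This is an added example, not code from the review or the paper: `ALPHA`, `BETA`, `Q_VULN` and `P_COST` are names assumed here for the response-cost weights, the attack-cost weights, the diagonal vulnerability matrix and the sign-flipped sensor matrix, and the attacker values `BETA` and `C_A` are constructed because the slides give none.

```python
# Slide example values (IDS side); attacker side is constructed for illustration.
GAMMA = 1.0
P = [[0.8, 0.2], [0.3, 0.7]]           # sensor matrix, rows = attacks
Q = [[1.0], [1.0]]                     # one response covers both attacks
Q_VULN = [[1.0, 0.0], [0.0, 1.0]]      # both subsystems equally vulnerable
ALPHA = [1.0]                          # IDS response cost (name assumed)
C_I = [1.0, 2.0]                       # cost of each attack to the IDS
BETA = [1.0, 1.0]                      # constructed: attacker resource cost
C_A = [2.0, 3.0]                       # constructed: attacker benefit per attack
# Diagonal negated so correct detection is a benefit, erroneous detection a cost.
P_COST = [[-p if i == j else p for j, p in enumerate(r)] for i, r in enumerate(P)]

def mv(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def tr(M):
    return [list(col) for col in zip(*M)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def ids_cost(u_a, u_i):
    gap = [x - y for x, y in zip(mv(Q_VULN, u_a), mv(Q, u_i))]
    return (GAMMA * dot(u_a, mv(P_COST, mv(Q, u_i)))
            + sum(a * u * u for a, u in zip(ALPHA, u_i)) + dot(C_I, gap))

def attacker_cost(u_a, u_i):
    gap = [y - x for x, y in zip(mv(Q_VULN, u_a), mv(Q, u_i))]
    return (-GAMMA * dot(u_a, mv(P_COST, mv(Q, u_i)))
            + sum(b * u * u for b, u in zip(BETA, u_a)) + dot(C_A, gap))

def ids_reaction(u_a):
    # Zero of dJ_I/du_I, with negative elements mapped to zero.
    theta, pull = mv(tr(Q), C_I), mv(tr(Q), mv(tr(P_COST), u_a))
    return [max(0.0, (t - GAMMA * g) / (2 * a)) for t, g, a in zip(theta, pull, ALPHA)]

def attacker_reaction(u_i):
    # Zero of dJ_A/du_A, with negative elements mapped to zero.
    theta, push = mv(tr(Q_VULN), C_A), mv(P_COST, mv(Q, u_i))
    return [max(0.0, (t + GAMMA * g) / (2 * b)) for t, g, b in zip(theta, push, BETA)]

def solve(rounds=100):
    # Alternate the two reaction functions until they stop moving.
    u_a, u_i = [0.0, 0.0], [0.0]
    for _ in range(rounds):
        u_i = ids_reaction(u_a)
        u_a = attacker_reaction(u_i)
    return u_a, u_i
```

With these inputs the iteration settles at an interior point (IDS response about 1.858, attack intensities about 0.442 and 1.128), and a unilateral deviation by either player raises that player's own cost.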

Repeated Games
Incorporates dynamics associated with improving sensing capability (learning) and sensor reconfiguration (reallocation of IDS/VSN resources)
Reflected in dynamic P matrix, e.g.
P(n+1)=[P(n)+2  (  +  )(diag(diag( u A)Q u I ) -  col(diag( u A )Q u I ))+  W(n)] N
Where
–  , ,  are small positive constants
–  ~ U([-1,1])
– W(n) = [w ij ]   Amax×Rmax, w ij are I.I.D. and ~ U([-1,1]), models transients and imperfections in the sensor grid
– [] N maps the elements to the interval (0,1)

Repeated Games
Given sensor network performance P(n), players optimize next moves – similar to best response to expected cost
Assumes some (limited?) mutual knowledge of P(n) and some estimation of opponent play history (?)
Note: it is not clear from this paper how the estimates of opponent strategy or P(n) are made (in fact, the authors do not explicitly suggest that they are estimates – this is my inference)
Any ideas?

Convergence to Nash Equilibrium
Authors demonstrate that since N.E. exists for fixed P, it is sufficient for convergence to equilibrium with dynamic P to show convergence of P
P converges for small positive  and 
Both players have an incentive to vary strategies over time since, otherwise, the opponent of a player with an unchanging strategy will adapt to exploit weaknesses left open by the static strategy