Presentation is loading. Please wait.

Presentation is loading. Please wait.

Game Strategies in Network Security

Published byAlícia Duarte Osório Modified over 6 years ago

Similar presentations

Presentation on theme: "Game Strategies in Network Security"— Presentation transcript:

1 Game Strategies in Network Security
Kong-wei Lye1, Jeannete M. Wing2 1Department of Electrical and Computer Engineering, 2Computer Science Department, Carnegie Mellon University Int. Journal Inf. Security (2005) 4, 71-86 Presented by Franson, C.W. Chen 2018/11/18

2 Agenda Introduction Networks as stochastic games Nash Equilibrium
Attack and response scenarios Nash equilibria results Discussion Conclusions and future work Nash 均衡 2018/11/18

3 Introduction (1/3) Government agencies, banks, retailers, schools, and a growing number of goods and service providers today all use the Internet as an integral way of conducting their daily business. Individuals, good or bad, can also easily connect to the Internet. Security specialists have long been interested in knowing what an intruder can do to a computer network and what can be done to prevent or counteract attacks. 2018/11/18

4 Introduction (2/3) Private Public Workstation Attacker File Server
Web Server Firewall Border router Internet Access Remote administration Public Private 2018/11/18

5 Introduction (3/3) For our illustration purposes, we assume that the firewall rules are lax and the operating systems are insufficiently hardened. It is thus possible for an attacker to succeed in several different attacks. This setup would be the game board for the attacker and the administrator. 2018/11/18

6 Networks as stochastic games
2018/11/18

7 Networks as stochastic games
Game theory has been used in many other problems involving attackers and defenders. The attacker can gain rewards, and the administrator can suffer damages. We can model a team of attackers at different locations as the same as an omnipresent attacker, and similarly for the defenders. 2018/11/18

8 Stochastic game model (1/2)
2018/11/18

9 Stochastic game model (2/2)
High discount factor It means the player is concerned about rewards far into the future. An attacker with a long-term objective who plans well and takes into consideration what damage he can do not only at present but far into the future Low discount factor It means he is only concerned about rewards in the immediate future. An attacker has a short-term objective and is only concerned about causing damage at the present time. 2018/11/18

10 Network state (1/3) A node in the graph is a physical entity.
An edge in the graph represents a direct communication path. E N F W l EW l WF l NW l FW We model the external world as a single computer (node E) and represent the Web server, file server, and workstation by nodes W, F, and N. 2018/11/18

11 Network state (2/3) – Node State
Each node X (where X ∈ {E,W,F,N}) has a node state nX =<P, a, d> to represent information about hardware and software configurations. P ⊆{f, h, n, p, s, v, d} a ∈ {u, c} d ∈ {c, i} 2018/11/18

12 Network state (3/3) – Traffic State
The traffic state t =< {l XY } >, where X, Y ∈ {E,W,F,N}, captures the traffic information for the whole network. l XY ∈ {0, 1/3 , 2/3 , 1} and indicates the load carried on the link between nodes X and Y. A value of 1 indicates maximum capacity. The full state space in our example has a size of |nW| × |nF| × |nN| × |t| = (128 × 2 × 2)3×44 ≈ 32 billion states, but there are only 18 states relevant to our application here. 2018/11/18

13 Actions (1/2) An action pair (one from the attacker and one from the administrator) causes the system to move from one state to another in a probabilistic manner. Attacker’s Actions : Attack_httpd, Attack_ftpd, Continue_attacking, Deface_website_leave, Install_sniffer, Run_DoS_virus, Crack_file_server_root_password, Crack_workstation_root_password, Capture_data, Shutdown_network, ø (where ø denotes inaction.) 2018/11/18

14 Actions (2/2) Administrator’s Actions :
Remove_compromised_account_restart_httpd, Restore_website_remove_compromised_account, Remove_virus_and_compromised_account, Install_sniffer_detector, Remove_sniffer_detector, Remove_compromised_account_restart_ftpd, Remove_compromised_account_sniffer, ø . 2018/11/18

15 State transition probabilities
This paper assigns state transition probabilities based on the intuition and experience of our network manager. In practice, case studies, statistics, simulations, and knowledge engineering can provide the required probabilities. When the network is in state Normal_operation and neither the attacker nor administrator takes any action, it will tend to stay in the same state. 2018/11/18

16 Costs and rewards There are costs (negative values) and rewards (positive values) associated with the actions of the administrator and attacker. The reward for an attacker’s action is mostly defined in terms of the amount of effort the administrator has to make to bring the network from one state to another. There are also some transitions in which the cost to the administrator is not the same magnitude as the reward to the attacker. 2018/11/18

17 Nash Equilibrium 2018/11/18

18 Notations (1/4) 2018/11/18

19 Notations (2/4) 2018/11/18

20 Notations (3/4) 2018/11/18

21 Notations (4/4) 2018/11/18

22 Nash Equilibrium At this equilibrium, there is no mutual incentive for either one of the players to deviate from their equilibrium strategies             and   . Every general-sum discounted stochastic game has at least one Nash equilibrium in stationary strategies. 2018/11/18

23 Nonlinear Programming (1/3)
2018/11/18

24 Nonlinear Programming (2/3)
2018/11/18

25 Nonlinear Programming (3/3)
A solution to NLP-1 that minimizes its objective function to 0 is a Nash solution of the game. 2018/11/18

26 Attack and response scenarios
2018/11/18

27 Deface Web site E N F W l EW l WF l FN l NW Noraml_operation
<<(f,h),u,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Attack_httpd,1,10 Httpd_attacked <<(f,h),u,i>,<(f,n),u,i>,<(p),u,i> <1+/3,1/3,1/3,1/3>> Continue_attacking,0.5,0 Httpd_hacked <<(f),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Continue_attacking,0.5,0 Deface_website_leave,1,99 Website_defaced <<(f,h),c,c>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> 2018/11/18

28 Denial of Service E N F W l EW l WF l FN l NW Webserver_sniffer
<<(f,h,s),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Run_DoS_virus,1,30 Webserver_DoS_1 <<(f,h,s,v),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,2/3,1/3,2/3>> Ø,0.8,30 Webserver_DoS_2 <<(f,h,s,v),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1,1/3,1>> Ø,0.8,30 Network_shut_down <<(s,v),c,i>,<(),u,i>,<(),u,i> <0,0,0,0>> 2018/11/18

29 Stealing confidential data
W l EW l WF l FN l NW Noraml_operation <<(f,h),u,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Attack_ftpd,1,10 Ftpd_attacked <<(f,h),u,i>,<(f,n),u,i>,<(p),u,i> <1+/3,1+/3,1/3,1/3>> Continue_attacking,0.5,0 Ftpd_hacked <<(h),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Continue_attacking,0.5,0 Install_sniffer,0.5,10 Webserver_sniffer <<(f,h,s),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> 2018/11/18

30 Stealing confidential data
W l EW l WF l FN l NW Webserver_sniffer <<(f,h,s),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Crack_workstation_root_pw,0.9,50 Workstation_hacked <<(f,h,s),c,i>,<(f,n),u,i>,<(p),c,i> <1/3,1/3,1/3,1/3>> Capture_data,1,999 Workstation_data_stolen_1 <<(f,h,s),c,i>,<(f,n),u,i>,<(p),c,c> <1+/3,1/3,1/3,1+/3>> Shutdown_network,1,60 Network_shut_down <<(s,v),c,i>,<(),u,i>,<(),c,c> <0,0,0,0>> 2018/11/18

31 Recovery (Scenario 1, 2) E N F W l EW l WF l FN l NW Noraml_operation
<<(f,h),u,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Remove_virus_and_ compromised_account,1,-30 Restore_website_remove_ compromised_account,1,-99 Webserver_DoS_1 <<(f,h,s,v),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,2/3,1/3,2/3>> Website_deface <<(f,h),c,c>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> Remove_virus_and_ compromised_account,1,-60 Scenario 1 and 2 Webserver_DoS_2 <<(f,h,s,v),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1,1/3,1>> 2018/11/18

32 Recovery (Scenario 3) E N F W l EW l WF l FN l NW
Workstation_data_stolen_1 <<(f,h,s),c,i>,<(f,n),u,i>,<(p),c,c> <1/3,1/3,1/3,1/3>> Remove_sniffer_and compromised_account,1,-20 Workstation_data_stolen_2 <<(f,h),c,i>,<(f,n),u,i>,<(p),u,c> <1/3,1/3,1/3,1/3>> Scenario 3 Important data have been stolen, and no action allows him to undo this situation. 2018/11/18

33 Recovery (Ftpd_attack)
N F W l EW l WF l FN l NW Ftpd_attacked_detector <<(f,h,d),u,i>,<(f,n),u,i>,<(p),u,i> <2/3,2/3,1/3,1/3>> Install_sniffer_detector,0.5,-10 Ftpd_attacked <<(f,h),u,i>,<(f,n),u,i>,<(p),u,i> <1+/3,1+/3,1/3,1/3>> Ftpd_hacked <<(h),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> ø,0.5,-10 Attacker and administrator can engage in real-time game play. Install_sniffer_detector,0.5,-10 Webserver_sniffer_detector <<(f,h,s,d),c,i>,<(f,n),u,i>,<(p),u,i> <1/3,1/3,1/3,1/3>> 2018/11/18

34 Nash equilibria results
2018/11/18

35 We implemented the nonlinear program mentioned(NLP-1) in MATLAB.
The players take actions only at discrete time instants. We add the inaction ø to the action set for such a state so that the action sets are all of the same cardinality. 2018/11/18

36 First Nash Equilibrium
State Strategies State Values Attacker Administrator 1 Normal_operation [ ] [ ] 210.2 –206.8 2 Httpd_attacked 202.2 –191.1 3 Ftpd_attacked [ ] 176.9 –189.3 4 Ftpd_attacked_detector [ ] [ ] 165.8 –173.8 5 Httpd_hacked [ ] [ ] 197.4 –206.4 6 Ftpd_hacked [ ] [ ] 204.8 –203.5 7 Website_defaced 80.4 –80.0 8 Webserver_sniffer [ ] [ ] 716.3 –715.1 9 Webserver_sniffer_detector [ ] 148.2 –185.4 10 Webserver_DOS_1 106.7 –106.1 11 Webserver_DOS_2 96.5 –96.0 12 Network_shutdown 13 Fileserver_hacked [ ] 1065.5 –1049.2 14 Fileserver_data_stolen_1 94.4 –74.0 15 Workstation_hacked [ ] [ ] 16 Workstation_data_stolen_1 17 Fileserver_data_stolen_2 18 Workstation_data_stolen_2 Normal_operation [ ] [ ] Httpd_hacked [ ] [ ] Httpd_hacked [ ] [ ] Fileserver_hacked [ ] [ ] Workstation_hacked [ ] [ ] 2018/11/18

37 Second Nash Equilibrium
State Strategies State Values Attacker Administrator 1 Normal_operation [ ] [ ] 212.7 –79.6 2 Httpd_attacked [ ] [ ] 204.6 –166.9 3 Ftpd_attacked [ ] 179.1 –141.0 4 Ftpd_attacked_detector [ ] [ ] 167.7 –80.8 5 Httpd_hacked [ ] [ ] 199.2 –177.4 6 Ftpd_hacked [ ] [ ] 207.9 –175.0 7 Website_defaced [ ] [ ] 81.4 –70.7 8 Webserver_sniffer [ ] [ ] 719.0 –690.0 9 Webserver_sniffer_detector [ ] 150.2 –83.7 10 Webserver_DOS_1 [ ] [ ] 140.5 –93.7 11 Webserver_DOS_2 [ ] [ ] 97.7 –84.8 12 Network_shutdown [ ] [ ] 13 Fileserver_hacked [ ] 1066.1 –1043.2 14 Fileserver_data_stolen_1 95.1 –66.5 15 Workstation_hacked [ ] 16 Workstation_data_stolen_1 17 Fileserver_data_stolen_2 [ ] [ ] 18 Workstation_data_stolen_2 [ ] [ ] Attack_httpd Continue_attacking Remove_compromised_account_restart_httpd Deface_website Restore_website_remove_compromised_account 2018/11/18

38 Third Nash Equilibrium
State Strategies State Values Attacker Administrator 1 Normal_operation [ ] [ ] 224.2 –28.6 2 Httpd_attacked [ ] [ ] 218.1 –161.0 3 Ftpd_attacked [ ] [ ] 199.2 –163.0 4 Ftpd_attacked_detector [ ] 179.3 –145.3 5 Httpd_hacked [ ] 232.3 –155.8 6 Ftpd_hacked [ ] [ ] 218.9 –169.2 7 Website_defaced [ ] [ ] 85.8 –69.1 8 Webserver_sniffer [ ] [ ] 730.7 –685.7 9 Webserver_sniffer_detector [ ] 159.3 –42.9 10 Webserver_DOS_1 [ ] –52.9 11 Webserver_DOS_2 [ ] [ ] 171.5 –82.9 12 Network_shutdown [ ] [ ] -69.1 13 Fileserver_hacked [ ] 1068.9 –1042.2 14 Fileserver_data_stolen_1 98.6 –65.3 15 Workstation_hacked [ ] 16 Workstation_data_stolen_1 17 Fileserver_data_stolen_2 [ ] [ ] 18 Workstation_data_stolen_2 [ ] [ ] Install_sniffer_detector 2018/11/18

39 Discussion 2018/11/18

40 Strengths of our approach
Modeling it as a general-sum stochastic game allows us to find multiple Nash equilibria. Because a network system is not perfectly secure, this game theoretic formulation of the security problem allows the administrator to discover the potential attack strategies of an attacker as well as best defense strategies against them. 2018/11/18

41 Limitations of our approach
We are interested in only a small subnet of state. It may be difficult to assign the costs/rewards for the actions and the transition probabilities. It is difficult to model the actions of the players, in particular the attacker. 2018/11/18

42 Conclusions and future work
2018/11/18

43 Conclusion This paper has shown how the network security problem can be modeled as a general-sum stochastic game, and using the nonlinear program NLP-1 to compute multiple Nash equilibria, each denoting best strategies (best responses) for both players. This analysis allows us to discover strategies that an attacker could use and helps us in planning future software and hardware upgrades that will strengthen weak points in the network. 2018/11/18

44 Future Work The authors wish to develop a systematic method for decomposing large models into smaller manageable components, and then compose the overall best response for each player from the strategies for the components. They hope to experiment with network examples that are larger and more complicated than the one given here. 2018/11/18

45 Thanks for your listening.
2018/11/18

46 Attacker’s action numbers and names
State Name 1 2 3 Normal_operation Attack_httpd Attack_ftpd φ Httpd_attacked Continue_attacking Ftpd_attacked 4 Ftpd_attacked_detector 5 Httpd_hacked Deface_website Install_sniffer 6 Ftpd_hacked 7 Website_defaced 8 Webserver_sniffer Run_DOS_virus Crack_file_server_ root_pw Crack_workstation_root_pw 9 Webserver_sniffer_detector 10 Webserver_DOS_1 11 Webserver_DOS_2 12 Network_shutdown 13 Fileserver_hacked Capture_data 14 Fileserver_data_stolen_1 Shutdown_network 15 Workstation_hacked 16 Workstation_data_stolen_1 17 Fileserver_data_stolen_2 18 Workstation_data_stolen_2 2018/11/18

47 Administrator’s action numbers and names
State Name 1 2 3 Normal_operation φ Httpd_attacked Ftpd_attacked Install_sniffer_ detector 4 Ftpd_attacked_detector Remove_sniffer_detector 5 Httpd_hacked Remove_compromised_ account_restart_httpd Install_sniffer_detector 6 Ftpd_hacked Remove_compromised_ account_restart_ftpd 7 Website_defaced Restore_website_remove_ compromised_account 8 Webserver_sniffer 9 Webserver_sniffer_detector Remove_sniffer_and_compromised_account 10 Webserver_DOS_1 Remove_virus_and_compromised_account 11 Webserver_DOS_2 12 Network_shutdown 13 Fileserver_hacked 14 Fileserver_data_stolen_1 15 Workstation_hacked 16 Workstation_data_stolen_1 17 Fileserver_data_stolen_2 18 Workstation_data_stolen_2 2018/11/18

Download ppt "Game Strategies in Network Security"

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Congestion Games with Player- Specific Payoff Functions Igal Milchtaich, Department of Mathematics, The Hebrew University of Jerusalem, 1993 Presentation.

Congestion Games with Player- Specific Payoff Functions Igal Milchtaich, Department of Mathematics, The Hebrew University of Jerusalem, 1993 Presentation.
Markov Game Analysis for Attack and Defense of Power Networks Chris Y. T. Ma, David K. Y. Yau, Xin Lou, and Nageswara S. V. Rao.

Markov Game Analysis for Attack and Defense of Power Networks Chris Y. T. Ma, David K. Y. Yau, Xin Lou, and Nageswara S. V. Rao.
Ch 7-1 Working with workgroups-1. Objectives Working with workgroups Creating a workgroup Determining whether to use centralized or group sharing.

Ch 7-1 Working with workgroups-1. Objectives Working with workgroups Creating a workgroup Determining whether to use centralized or group sharing.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Bottleneck Routing Games in Communication Networks Ron Banner and Ariel Orda Department of Electrical Engineering Technion- Israel Institute of Technology.

Bottleneck Routing Games in Communication Networks Ron Banner and Ariel Orda Department of Electrical Engineering Technion- Israel Institute of Technology.
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.
Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.

Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
Game Strategies in Network Security Kong-wei Lye and Jeannette M. Wing Carnegie Mellon University Pittsburgh, Pennsylvania, U.S.A.

Game Strategies in Network Security Kong-wei Lye and Jeannette M. Wing Carnegie Mellon University Pittsburgh, Pennsylvania, U.S.A.
March 24, 2003Upadhyaya – IWIA 20031 A Tamper-resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors R. Chinchani.

March 24, 2003Upadhyaya – IWIA A Tamper-resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors R. Chinchani.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Economics of Malware: Epidemic Risk Model, Network Externalities and Incentives. Marc Lelarge (INRIA-ENS) WEIS, University College London, June 2009.

Economics of Malware: Epidemic Risk Model, Network Externalities and Incentives. Marc Lelarge (INRIA-ENS) WEIS, University College London, June 2009.
Design Elements for Perimeter Security UNIT-10. Firewall and Router  The firewall and the router are two of the most common perimeter security components.

Design Elements for Perimeter Security UNIT-10. Firewall and Router  The firewall and the router are two of the most common perimeter security components.
Game theoretic models for detecting network intrusions OPLab 1.

Game theoretic models for detecting network intrusions OPLab 1.
Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin

Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
NOBEL WP2 2004. Szept. 2-3. Stockholm Game Theory in Inter-domain Routing LÓJA Krisztina - SZIGETI János - CINKLER Tibor BME TMIT Budapest,

NOBEL WP Szept Stockholm Game Theory in Inter-domain Routing LÓJA Krisztina - SZIGETI János - CINKLER Tibor BME TMIT Budapest,
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
Module 4: Planning, Optimizing, and Troubleshooting DHCP

Module 4: Planning, Optimizing, and Troubleshooting DHCP

Similar presentations

Ads by Google