Abstract
In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually before decisions on response actions can be made and attacks thwarted. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
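The pipeline the abstract outlines, as an added toy illustration that is not the paper's code: a constructed four-host services graph, edges a hypothetical monitor labelled as possible lateral movement, a zero-sum matrix game whose payoff is the attacker's remaining hop count to the sensitive node after the defender severs one flagged edge, and saddle-point strategies approximated by fictitious play. All host names, edges and alerts are constructed; the paper solves the matrix game exactly, whereas fictitious play is used here only as a stand-in that needs no LP solver.

```python
from collections import deque

# Constructed services graph: host -> hosts it can reach over some network service.
SERVICES = {"ws1": {"ws2", "file"}, "ws2": {"file", "db"}, "file": {"db"}, "db": set()}
SENSITIVE, ATTACKER_AT = "db", "ws1"
# Edges a monitor flagged as possible lateral movement (constructed, hypothetical alerts).
FLAGGED = {("ws1", "ws2"), ("ws2", "db"), ("ws1", "file")}

def hops(graph, src, dst):
    """BFS hop count from src to dst, or None when dst is unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        if node == dst:
            return d
        for nxt in graph[node] - seen:
            seen.add(nxt)
            queue.append((nxt, d + 1))
    return None

def payoff_matrix(graph, start, target, flagged):
    """Rows: defender severs one flagged edge. Columns: attacker picks its next hop. Entry: hops
    the attacker still needs afterwards (defender maximises); unreachable = len(graph)+1."""
    big, rows, cols = len(graph) + 1, sorted(flagged), sorted(graph[start])
    matrix = []
    for src, dst in rows:
        g = {h: set(p) for h, p in graph.items()}
        g[src].discard(dst)                          # apply the response action
        row = []
        for hop in cols:
            d = hops(g, hop, target) if hop in g[start] else None
            row.append(big if d is None else d + 1)
        matrix.append(row)
    return rows, cols, matrix

def fictitious_play(matrix, rounds=100000):
    """Approximate the saddle point: both players best-respond to the other's empirical mix each
    round. Returns defender mix, attacker mix and (lower, upper) bounds that bracket the value."""
    m, n = len(matrix), len(matrix[0])
    pc, qc = [1] + [0] * (m - 1), [1] + [0] * (n - 1)     # play counts, seeded with action 0
    for _ in range(rounds):
        row_val = [sum(matrix[i][j] * qc[j] for j in range(n)) for i in range(m)]
        col_val = [sum(matrix[i][j] * pc[i] for i in range(m)) for j in range(n)]
        pc[row_val.index(max(row_val))] += 1             # defender best response
        qc[col_val.index(min(col_val))] += 1             # attacker best response
    p, q = [c / sum(pc) for c in pc], [c / sum(qc) for c in qc]
    lower = min(sum(matrix[i][j] * p[i] for i in range(m)) for j in range(n))
    upper = max(sum(matrix[i][j] * q[j] for j in range(n)) for i in range(m))
    return p, q, (lower, upper)
```

On this graph the defender's saddle-point strategy mixes evenly between severing ws1->file and ws1->ws2 and never wastes its move on ws2->db, which is dominated; the game value of 3.5 hops is the guaranteed delay.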
Acknowledgment
This work was supported in part by the Office of Naval Research (ONR) MURI grant N00014-16-1-2710. The authors would like to thank Jenny Applequist for her editorial comments.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Noureddine, M.A., Fawaz, A., Sanders, W.H., Başar, T. (2016). A Game-Theoretic Approach to Respond to Attacker Lateral Movement. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science, vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_17
DOI: https://doi.org/10.1007/978-3-319-47413-7_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47412-0
Online ISBN: 978-3-319-47413-7
eBook Packages: Computer Science; Computer Science (R0)