Abstract
One of the particularly daunting issues in the cybersecurity domain is information leakage of business or consumer data, which is often triggered by multi-stage attacks and advanced persistent threats. While the technical community is working on improved system designs to prevent and mitigate such attacks, a significant residual risk remains that attacks succeed and may not even be detected, i.e., they are stealthy.
Our objective is to inform security policy design for the mitigation of stealthy information leakage attacks. Such a policy mechanism advises system owners on the optimal timing to reset defense mechanisms, e.g., changing cryptographic keys or passwords, reinstalling systems, installing new patches, or reassigning security staff.
We follow a game-theoretic approach and propose a model titled FlipLeakage. In our proposed model, an attacker will incrementally and stealthily take ownership of a resource (e.g., similar to advanced persistent threats). While her final objective is a complete compromise of the system, she may derive some utility during the preliminary phases of the attack. The defender can take a costly recovery move and has to decide on its optimal timing.
Our focus is on the scenario when the defender can only partially eliminate the foothold of the attacker in the system. Further, the defender cannot undo any information leakage that has already taken place during an attack. We derive optimal strategies for the agents in FlipLeakage and present numerical analyses and graphical visualizations.
Notes
1. Note that in our model, we do not consider the case where a software vendor has the ability to conduct out-of-schedule security updates. We are going to consider this issue in future work.
Acknowledgments
We appreciate the comments from the anonymous reviewers. An earlier version of this paper benefited from the constructive feedback from Aron Laszka. All remaining errors are our own.
A Proof
A.1 Proof of Lemma 1
Based on our payoff calculation, i.e., Eq. 13, as well as the quantified parameters, i.e., \(g_{\mathcal {A}}(.)\), \(f_{\mathcal {A}}(.)\), and \(f_{\alpha }(.)\), the defender’s payoff is:
To find the maximizing time between two consecutive defender’s moves (if there exist any), we take the partial derivative of Eq. 21 with respect to \(\delta _{\mathcal {D}}\) and solve it for equality to 0 as follows:
Note that Eq. 18 is neither increasing nor decreasing on \(\delta _{\mathcal {D}}\). Therefore, we have three possibilities for the above equation: (1) no solution, (2) one solution, and (3) more than one solution. When there is no solution, the defender’s best response is to drop out of the game. In the case of one solution, the defender moves periodically with \(\delta _{\mathcal {D}}\), i.e., the solution of Eq. 18 if the resulting payoff is non-negative. When there is more than one solution, the defender plays periodically with the solution with the highest non-negative payoff. Otherwise, the defender drops out of the game. \(\square \)
A.2 Proof of Lemma 2
In order to calculate the attacker’s payoff, we first calculate the following based on Eq. 12.
According to Eq. 14, the attacker’s payoff is as follows.
The attacker moves right after the defender if her payoff is positive, i.e., \(u_{\mathcal {A}}(\delta _{\mathcal {D}}) > 0 \). If the attacker’s payoff is negative, her reward is lower than her cost. Then, a rational player does not have any incentive to actively participate in the game. Hence, the attacker drops out of the game. If \(u_{\mathcal {A}}(\delta _{\mathcal {D}}) = 0 \), the attacker is indifferent between moving right after the defender or dropping out of the game. By considering Eq. 24 and \(u_{\mathcal {A}}(\delta _{\mathcal {D}}) \ge 0 \), we can derive Eq. 20. \(\square \)
A.3 Proof of Theorem 1
In Lemma 1, we have provided the best response for the defender. The defender has two choices: periodic move or dropping out of the game. Similarly, according to Lemma 2, the attacker has two choices for her best response: she moves right after the defender or drops out of the game. Note that Nash equilibrium is a mutual best response.
In doing so, we first consider the case where the defender’s best response is to drop out of the game (this means that Eq. 18 does not have any solution(s) giving non-negative payoff(s)). Therefore, the attacker’s best choice is to move only once at the beginning of the game.
The other choice for the defender, according to Lemma 1, is to move periodically when Eq. 18 has a solution which yields a positive payoff. After calculating \(\delta ^{\star }_{\mathcal {D}}\) using this equation, we insert this value into Eq. 20 and compare it with \(c_{\mathcal {A}}\). Based on Lemma 2, the attacker has two possible choices. First, if \(c_{\mathcal {A}} \le M(\delta _{\mathcal {D}})\), the attacker will initiate her attack right after the defender’s move. Hence, the Nash equilibrium is for the defender to move periodically and for the attacker to initiate her attack right after the defender’s move. Second, if \(c_{\mathcal {A}} > M(\delta _{\mathcal {D}})\), the attacker will drop out of the game. In this case, the best response for the defender is to never move, since he then controls the resource all the time without spending any cost. But, if the defender never moves, then it is beneficial for the attacker to move at the beginning of the game. Hence, this situation is not a Nash equilibrium. \(\square \)
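The case analysis of Lemma 1 and Theorem 1 can be followed numerically. The sketch below is an added example, not code from the paper: all function names are hypothetical, and `toy_u_d` and `toy_m` are constructed stand-ins for the defender's payoff and for \(M(\delta _{\mathcal {D}})\), whose actual forms are not reproduced on this page.

```python
from typing import Callable, List, Optional, Tuple

Payoff = Callable[[float], float]

def stationary_points(u: Payoff, lo: float, hi: float, n: int = 2000) -> List[float]:
    """Solve du/d(delta) = 0 on [lo, hi]: grid scan for sign changes, then bisection."""
    h = 1e-6
    du = lambda x: (u(x + h) - u(x - h)) / (2 * h)  # central difference
    grid = [lo + (hi - lo) * i / n for i in range(n + 1)]
    roots = []
    for a, b in zip(grid, grid[1:]):
        if du(a) == 0.0 or du(a) * du(b) < 0:
            for _ in range(60):
                mid = (a + b) / 2
                a, b = (a, mid) if du(a) * du(mid) <= 0 else (mid, b)
            roots.append((a + b) / 2)
    return roots  # may be empty, hold one root, or hold several

def defender_best_response(u_d: Payoff, lo: float, hi: float) -> Optional[float]:
    """Lemma 1 rule: the solution with the highest non-negative payoff, else None (drop out)."""
    viable = [d for d in stationary_points(u_d, lo, hi) if u_d(d) >= 0]
    return max(viable, key=u_d) if viable else None

def equilibrium(u_d: Payoff, m: Payoff, c_a: float,
                lo: float = 0.05, hi: float = 10.0) -> Optional[Tuple[str, str]]:
    """Theorem 1 case analysis; None means the candidate profile is not an equilibrium."""
    delta = defender_best_response(u_d, lo, hi)
    if delta is None:
        return ("defender drops out", "attacker moves once at the start")
    if c_a <= m(delta):
        return (f"defender resets every {delta:.3f}",
                "attacker moves right after each reset")
    # Attacker would drop out, the defender would then never move, and the
    # attacker would move at the start after all: no equilibrium here.
    return None

# Constructed stand-ins (assumptions, NOT the paper's payoff function or Eq. 20).
def toy_u_d(c_d: float) -> Payoff:
    return lambda d: 1 - d / 4 - c_d / d   # c_d plays the role of the reset cost

def toy_m(d: float) -> float:
    return d / (1 + d)

if __name__ == "__main__":
    for c_d, c_a in [(0.25, 0.3), (0.25, 0.8), (2.0, 0.3)]:
        print(c_d, c_a, equilibrium(toy_u_d(c_d), toy_m, c_a))
```

With the stand-in payoff, raising the reset cost from 0.25 to 2.0 makes the only stationary point unprofitable, which is the "defender drops out" branch of the proof.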
© 2016 Springer International Publishing AG
Cite this paper
Farhang, S., Grossklags, J. (2016). FlipLeakage: A Game-Theoretic Approach to Protect Against Stealthy Attackers in the Presence of Information Leakage. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science, vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_12
DOI: https://doi.org/10.1007/978-3-319-47413-7_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47412-0
Online ISBN: 978-3-319-47413-7
eBook Packages: Computer Science, Computer Science (R0)