FlipLeakage: A Game-Theoretic Approach to Protect Against Stealthy Attackers in the Presence of Information Leakage

Abstract

One of the particularly daunting issues in the cybersecurity domain is information leakage of business or consumer data, which is often triggered by multi-stage attacks and advanced persistent threats. While the technical community is working on improved system designs to prevent and mitigate such attacks, a significant residual risk remains that attacks succeed and may not even be detected, i.e., they are stealthy.

Our objective is to inform security policy design for the mitigation of stealthy information leakage attacks. Such a policy mechanism advises system owners on the optimal timing to reset defense mechanisms, e.g., changing cryptographic keys or passwords, reinstalling systems, installing new patches, or reassigning security staff.

We follow a game-theoretic approach and propose a model titled FlipLeakage. In our proposed model, an attacker will incrementally and stealthily take ownership of a resource (e.g., similar to advanced persistent threats). While her final objective is a complete compromise of the system, she may derive some utility during the preliminary phases of the attack. The defender can take a costly recovery move and has to decide on its optimal timing.

Our focus is on the scenario when the defender can only partially eliminate the foothold of the attacker in the system. Further, the defender cannot undo any information leakage that has already taken place during an attack. We derive optimal strategies for the agents in FlipLeakage and present numerical analyses and graphical visualizations.

A Proof

1.1 A.1 Proof of Lemma 1

Based on our payoff calculation, i.e., Eq. 13, as well as the quantified parameters, i.e., \(g_{\mathcal {A}}(.)\), \(f_{\mathcal {A}}(.)\), and \(f_{\alpha }(.)\), the defender’s payoff is:

(21)

To find the maximizing time between two consecutive defender’s moves (if there exist any), we take the partial derivative of Eq. 21 with respect to \(\delta _{\mathcal {D}}\) and solve it for equality to 0 as follows:

(22)

Note that Eq. 18 is neither increasing nor decreasing on \(\delta _{\mathcal {D}}\). Therefore, we have three possibilities for the above equation: (1) no solution, (2) one solution, and (3) more than one solution. When there is no solution, the defender’s best response is to drop out of the game. In the case of one solution, the defender moves periodically with \(\delta _{\mathcal {D}}\), i.e., the solution of Eq. 18 if the resulting payoff is non-negative. When there is more than one solution, the defender plays periodically with the solution with the highest non-negative payoff. Otherwise, the defender drops out of the game.   \(\square \)

1.2 A.2 Proof of Lemma 2

In order to calculate the attacker’s payoff, we first calculate the following based on Eq. 12.

(23)

According to Eq. 14, the attacker’s payoff is as follows.

(24)

The attacker moves right after the defender if her payoff is positive, i.e., \(u_{\mathcal {A}}(\delta _{\mathcal {D}}) > 0 \). If the attacker’s payoff is negative, her reward is lower than her cost. Then, a rational player does not have any incentive to actively participate in the game. Hence, the attacker drops out of the game. If \(u_{\mathcal {A}}(\delta _{\mathcal {D}}) = 0 \), the attacker is indifferent between moving right after the defender or dropping out of the game. By considering Eq. 24 and \(u_{\mathcal {A}}(\delta _{\mathcal {D}}) \ge 0 \), we can derive Eq. 20.   \(\square \)

1.3 A.3 Proof of Theorem 1

In Lemma 1, we have provided the best response for the defender. The defender has two choices: periodic move or dropping out of the game. Similarly, according to Lemma 2, the attacker has two choices for her best response: she moves right after the defender or drops out of the game. Note that Nash equilibrium is a mutual best response.

In doing so, we first consider the case where the defender’s best response is to drop out of the game (this means that Eq. 18 does not have any solution(s) giving non-negative payoff(s)). Therefore, the attacker’s best choice is to move only once at the beginning of the game.

The other choice for the defender, according to Lemma 1, is to move periodically when Eq. 18 has a solution which yields a positive payoff. By calculating \(\delta ^{\star }_{\mathcal {D}}\) using this equation, we insert this value to Eq. 20 and compare it with \(c_{\mathcal {A}}\). Based on Lemma 2, the attacker has two possible choices. First, if \(c_{\mathcal {A}} \le M(\delta _{\mathcal {D}})\), the attacker will initiate her attack right after the defender’s move. Hence, the Nash equilibrium is to move periodically from the defender side and the attacker should initiate her attack right after the defender’s move. Second, if \(c_{\mathcal {A}} > M(\delta _{\mathcal {D}})\), the attacker will drop out of the game. In this case, the best response for the defender is to never move. Since he controls the resource all the time without spending any cost. But, if the defender never moves, then it is beneficial for the attacker to move at the beginning of the game. Hence, this situation is not a Nash equilibrium.   \(\square \)