A Game Theoretic Approach for Active Defense
Peng Liu, Lab. for Info. and Sys. Security, University of Maryland, Baltimore County, Baltimore, MD 21250
OASIS, March 2002

Page 1: A Game Theoretic Approach for Active Defense

A Game Theoretic Approach for Active Defense

Peng Liu
Lab. for Info. and Sys. Security
University of Maryland, Baltimore County
Baltimore, MD 21250

OASIS, March 2002

Page 2: A Game Theoretic Approach for Active Defense

Evolution of Defensive Computing Systems

• Prevention
  – authentication, access control, inference control, information flows, encryption, keys, signatures, ...
• Intrusion Detection
  – host-based, network-based, misuse detection, anomaly detection, ...
• Survivability
  – assessment, repair, isolation, containment, replication, segmentation, masking, migration, quorums, voting, reconfiguration, ...

However, many existing defensive computing systems are passive!

Page 3: A Game Theoretic Approach for Active Defense

Many IDS are passive

• Static intrusion detection -- fixed IDS configuration
• Adaptive intrusion detection -- reactive but not active
  – adapting the IDS configuration to the changing environment
  – most successful when new attacks follow the same trend

Passive -- the defense lags behind the offense.

Page 4: A Game Theoretic Approach for Active Defense

Many existing intrusion tolerant systems are passive

[Figure: an intrusion tolerant system containing a Tuner; the Environment supplies it with good accesses and attacks]

• Reactive adaptations work well when the environment gradually changes following the same trend
• When the environment suddenly changes, the adaptation latency can be significant, during which the system is not stable and can perform very poorly

Page 5: A Game Theoretic Approach for Active Defense

ITDB (Intrusion Tolerant Database system) is passive

[Figure: ITDB architecture. Authorized but malicious transactions reach the database through the Mediator & Damage Container; the Intrusion Detector reads the trails and raises alarms to the Tuner and the Repair manager; suspicious transactions are isolated and their effects later merged back or discarded; the Repair manager assesses and repairs the damage done by malicious transactions]

Page 6: A Game Theoretic Approach for Active Defense

Active Defense Systems

[Figure: an intrusion tolerant system (with its Tuner) receiving good accesses from the Environment while engaged in a battle with an attacking system]

Page 7: A Game Theoretic Approach for Active Defense

A game theoretic approach for active defense

[Figure: the intrusion tolerant system (Player 1, choosing a defense strategy D from its strategy space) and the attacking system (Player 2, choosing an attack strategy A from its strategy space) play a Game over time; the outcome yields Payoff-1(D, A) for the defender and Payoff-2(D, A) for the attacker]

• The game should have multiple phases
• The simplest case should be repeated games

Page 8: A Game Theoretic Approach for Active Defense

A simple game

• Rational players: maximum payoffs with minimum risks
• Rational prediction -- Nash equilibrium -- (confess, confess)
  – player 1's predicted strategy is player 1's best response to the predicted strategy of player 2, and vice versa
  – no single player wants to deviate from his or her predicted strategy

Payoffs (Prisoner 1, Prisoner 2):

                          Prisoner 2
                      Deny         Confess
Prisoner 1  Deny      -1, -1       -9, 0
            Confess    0, -9       -6, -6

Deny is the high-risk choice (it exposes the player to -9); (Confess, Confess) is the Nash equilibrium.

Page 9: A Game Theoretic Approach for Active Defense

A motivating example

[Figure: Merchant, Acquiring Bank, Issuing Bank, Fraud Detection, Account information -- the transaction path from the merchant through the acquiring bank to the issuing bank, where fraud detection consults the account information]

• credit card transactions
• fraud detection
  – a profile for each card (customer)
  – distance (transaction, profile) indicates the anomaly
  – raising several levels of alarms based on the distance using a set of thresholds
• challenge -- how to
  – minimize the fraud loss
  – minimize the denial-of-service

Page 10: A Game Theoretic Approach for Active Defense

Anomaly Detection System Specification

[Figure not reproduced in the transcript]

Page 11: A Game Theoretic Approach for Active Defense

A game for active fraud defense (1)

Bayesian 2-player active defense game between the Fraud Detection System (FDS; written ADS, anomaly detection system, in the payoff notation) and the Customer. The FDS believes the customer is one of two types:

  Type       Probability    Payoff
  Good guy   1 - θ          u_good
  Bad guy    θ              u_bad

The FDS's expected payoff is

$$u_{ads} = (1-\theta)\,u_{ads,good} + \theta\,u_{ads,bad}$$

Page 12: A Game Theoretic Approach for Active Defense

A game for active fraud defense (2)

• Assumption: the profile of each customer is simply specified by the transaction amount, $Pi$ for customer $i$. A transaction of size $amount$ is accepted when $|amount - Pi| \le TH$ and rejected otherwise, where $TH$ is the ADS threshold and $b$ is the reward per unit of threshold (the "bandwidth reward" of the later figures). The inequality directions and signs below are not legible in the transcript and follow the motivating example's reading: a rejected good customer suffers a denial of service, an accepted fraud is a loss for the ADS.

$$u_{good} = \begin{cases} 0 & \text{if } |amount - Pi| \le TH \\ DoS(amount) & \text{if } |amount - Pi| > TH \end{cases}$$

$$u_{bad} = \begin{cases} amount & \text{if } |amount - Pi| \le TH \\ 0 & \text{if } |amount - Pi| > TH \end{cases}$$

$$u_{ads,good} = \begin{cases} b \cdot TH & \text{if } |amount - Pi| \le TH \\ 0 & \text{if } |amount - Pi| > TH \end{cases}$$

$$u_{ads,bad} = \begin{cases} -amount & \text{if } |amount - Pi| \le TH \\ 0 & \text{if } |amount - Pi| > TH \end{cases}$$

Page 13: A Game Theoretic Approach for Active Defense

Attack Prediction Game

Page 14: A Game Theoretic Approach for Active Defense

A naïve approach

• Assumption: the attacker knows Pi
• The Nash Equilibrium is:
  – when b=0
    • the FDS's strategy is: TH=0
    • the good guy's strategy is: amount=Pi
    • the bad guy's strategy is: amount=Pi
  – when b>0
    • there is no (pure strategy) Nash equilibrium
    • since the FDS wants to outguess the bad guy and vice versa

However, Pi is usually not completely known to the bad guy!

Page 15: A Game Theoretic Approach for Active Defense

A probabilistic approach

• Assumption: the attacker only knows a distribution of Pi, e.g., a normal distribution, with density $f$
• The Nash Equilibrium (TH*, Ag*, Ab*) must satisfy:

$$|Ag^* - Pi| \le TH^*$$

$$Ab^* = \arg\max_{Ab}\; Ab \int_{r_1}^{r_2} f(x)\,dx, \qquad \text{where } r_1 = \max(0,\, Ab - TH^*),\; r_2 = \min(CL,\, Ab + TH^*)$$

$$TH^* = \arg\max_{TH}\; (1-\theta)\cdot b \cdot TH \;\;\theta \cdot Ab^* \cdot h(Ab^*, Pi, TH)$$

Here Ag is the good guy's amount, Ab the bad guy's amount, and CL the upper end of the amount axis (read as the card's credit limit); the integral is the probability that the attack amount Ab falls inside the acceptance window. The operator joining the two terms of the TH* objective and the definition of h are not legible in the transcript.

However, when b is very small:

$$TH^* = |Ab^* - Pi|$$

[Figure: the amount axis from 0 to CL with Pi marked; Ab* sits at the edge of the acceptance window of width 2TH centred on Pi]
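The attacker's half of the equilibrium condition above can be computed directly. The following is an added example, not code from the original slides: it assumes, from the attacker's point of view, Pi ~ N(MU, SIGMA), a credit limit CL, the acceptance rule |amount - Pi| <= TH from slide 12, and a grid search over amounts in place of a closed-form argmax. The parameters MU, SIGMA, CL are constructed for the demonstration.

```python
import math

# Added example (not from the original slides): the attacker's best response
# Ab* in the probabilistic attack prediction game. Assumptions: Pi ~ N(MU, SIGMA)
# in the attacker's belief, CL is the credit limit, the ADS accepts an amount
# iff |amount - Pi| <= TH, and the attacker earns the amount when accepted and
# 0 otherwise. Expected payoff = Ab * P(Pi in [Ab-TH, Ab+TH] ∩ [0, CL]), which
# is the integral on the slide.

MU, SIGMA, CL = 50.0, 10.0, 100.0   # constructed demo parameters (assumption)


def normal_cdf(x, mu=MU, sigma=SIGMA):
    """CDF of N(mu, sigma) via the error function (no SciPy needed)."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def success_probability(ab, th, mu=MU, sigma=SIGMA, cl=CL):
    """P(an attack of size ab is accepted) = integral of f from r1 to r2."""
    r1 = max(0.0, ab - th)       # r1 = max(0, Ab - TH)
    r2 = min(cl, ab + th)        # r2 = min(CL, Ab + TH)
    if r2 <= r1:                 # empty window, e.g. TH = 0
        return 0.0
    return normal_cdf(r2, mu, sigma) - normal_cdf(r1, mu, sigma)


def expected_attacker_payoff(ab, th, mu=MU, sigma=SIGMA, cl=CL):
    """u_bad averaged over the attacker's belief about Pi."""
    return ab * success_probability(ab, th, mu, sigma, cl)


def best_attack(th, mu=MU, sigma=SIGMA, cl=CL, step=1.0):
    """Ab* = argmax of the expected payoff over a grid of amounts in [0, CL].

    Returns (Ab*, expected payoff at Ab*). Ties keep the smaller amount."""
    best_ab, best_u = 0.0, -1.0
    steps = int(round(cl / step))
    for i in range(steps + 1):
        ab = i * step
        u = expected_attacker_payoff(ab, th, mu, sigma, cl)
        if u > best_u:
            best_ab, best_u = ab, u
    return best_ab, best_u


def best_attack_curve(thresholds, **kw):
    """Attacker strategy Ab* as a function of the ADS threshold."""
    return [(th, best_attack(th, **kw)[0]) for th in thresholds]


if __name__ == "__main__":
    for th, ab in best_attack_curve([0, 5, 10, 20, 40, 100]):
        print(f"TH={th:>3}  Ab*={ab:>6.1f}  "
              f"P(accepted)={success_probability(ab, th):.3f}")
```

With TH = 0 the window is empty and the attacker's best amount is 0 (no attack pays); as TH grows the attacker pushes Ab* above the profile mean, because the payoff scales with the amount while the acceptance probability only falls off slowly, which is the shape of the "attacker strategy vs. threshold" curves reported later in the deck. With a very large TH the whole axis [0, CL] is accepted and Ab* reaches the credit limit.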

Page 16: A Game Theoretic Approach for Active Defense

Adding more uncertainty

• Motivation: in many cases, the FDS is uncertain about the attacker's strategy
• Assumption: the attacker's strategy is randomly distributed over an attack window [X, X+B] where B is fixed
• The results are:

[Figure: the amount axis from 0 to CL with Pi marked and the attack window [X, X+B] placed on it]

Question: which X is best for the bad guy?

Page 17: A Game Theoretic Approach for Active Defense

Preliminary results (1)

[Figure 1: The relationship between the attacker's strategy and ADS strategy, given different attacking ranges. x-axis: Threshold (0 to 100); y-axis: Attacker strategy (0 to 90); curves for B=20, B=40, B=60]

Page 18: A Game Theoretic Approach for Active Defense

Preliminary results (2)

[Figure 2b: The relationship between normal user's profile and IDS strategy, given different bandwidth rewards (B=40, Sita (θ)=0.05). x-axis: User profile (0 to 100); y-axis: ADS Threshold (-20 to 100); curves for bandwidth=0.001, bandwidth=0.06, bandwidth=0.2]

Page 19: A Game Theoretic Approach for Active Defense

Preliminary results (3)

[Figure 3b: The relationship between normal user's profile and attacker strategy, given different bandwidth rewards (B=40, Sita (θ)=0.05). x-axis: User profile (0 to 100); y-axis: Attacker strategy (0 to 80); curves for bandwidth=0.001, bandwidth=0.06, bandwidth=0.2]

Page 20: A Game Theoretic Approach for Active Defense

Preliminary results (4)

[Figure 4b: The relationship between normal user's profile and attacker success rate, given different bandwidth rewards (B=40, Sita (θ)=0.05). x-axis: User profile (0 to 100); y-axis: Attacker success rate (0 to 1); curves for bandwidth=0.001, bandwidth=0.06, bandwidth=0.2]

Page 21: A Game Theoretic Approach for Active Defense

The impact on false alarm rate and detection rate

• The false alarm rate is dependent on the behavior of the good guy
  – If the good guy takes Nash strategies, the false alarm rate is 0
• The detection rate can be predicted using the Nash Equilibrium
• Since in many practical defense systems there is incomplete information to compute the Nash Equilibrium, the false alarm rate is usually not zero, and the detection rate can only be approximately predicted

Page 22: A Game Theoretic Approach for Active Defense

Suggestions to card holders

• Have multiple cards
• Each card has converged usage

Page 23: A Game Theoretic Approach for Active Defense

Broader Attack Prediction Applications

[Figure: the Attack Space, divided into known types of attacks and new types of attacks (new attacks), with the corresponding games marked as valuable games or not valuable games]

Page 24: A Game Theoretic Approach for Active Defense

Example 1: new attacks

• There is a game for each new attack, however,
  – the attacker knows a lot about it but the defender knows very little
  – the attacker knows a lot about the Nash equilibrium, but the defender does not know
  – the attacker will not inform the defender what he or she knows
• As a result, the attacker can exploit the nature of asymmetric information sharing to win more!
• The defender can start to play the game only after the new attack happens

Page 25: A Game Theoretic Approach for Active Defense

Example 2: code red

Payoffs (Attacker, Web server). The attacker chooses Code Red or None; the web server chooses Patch or None.

Low probability of being captured:

                           Web server
                       Patch        None
Attacker   Code Red    0, -1        10, -10
           None        0, -1        0, 0

Nash equilibrium: (Code Red, Patch). Attacking a patched server costs the attacker nothing, so Code Red is never worse than None, and the server's best response to Code Red is to patch (-1 instead of -10).

High probability of being captured:

                           Web server
                       Patch        None
Attacker   Code Red    -5, -1       5, -10
           None        0, -1        0, 0

Here attacking a patched server costs the attacker -5 (capture), so there is no pure-strategy Nash equilibrium: the attacker's best response to Patch is None, the server's best response to None is None, the attacker's best response to None is Code Red, and the server's best response to Code Red is Patch. The rational prediction is a mixed strategy in which both sides randomize.
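The prisoner's dilemma on the "A simple game" slide and the two Code Red matrices above are all bimatrix games, and the equilibrium claims on both slides can be checked mechanically. The following is an added example, not code from the original slides: a pure-strategy Nash equilibrium finder that tests every profile for a profitable unilateral deviation, plus the standard indifference computation for the mixed equilibrium of a 2x2 game. The payoff tables are copied from the deck; the assignment of the two Code Red matrices to the "low" and "high" capture-probability labels is this example's reading of the slide (the -5 entry is the capture cost).

```python
# Added example (not from the original slides): Nash equilibria of the
# bimatrix games in the deck. A game is a dict
#     {(row_action, col_action): (row_payoff, col_payoff)}.
# Payoff tables are copied from the Prisoner's Dilemma and Code Red slides.


def actions(game):
    """Sorted row and column action sets of a bimatrix game."""
    rows = sorted({r for r, _ in game})
    cols = sorted({c for _, c in game})
    return rows, cols


def pure_nash_equilibria(game):
    """Profiles where neither player has a strictly profitable unilateral deviation."""
    rows, cols = actions(game)
    equilibria = []
    for r in rows:
        for c in cols:
            u_row, u_col = game[(r, c)]
            row_stays = all(game[(r2, c)][0] <= u_row for r2 in rows)
            col_stays = all(game[(r, c2)][1] <= u_col for c2 in cols)
            if row_stays and col_stays:
                equilibria.append((r, c))
    return equilibria


def mixed_nash_2x2(game):
    """Mixed equilibrium of a 2x2 game by indifference: each player randomises
    so that the opponent is indifferent between its two actions.

    Returns (row_mix, col_mix) as dicts, or None when no interior solution
    exists (then only pure equilibria are relevant)."""
    rows, cols = actions(game)
    if len(rows) != 2 or len(cols) != 2:
        raise ValueError("2x2 games only")
    (r0, r1), (c0, c1) = rows, cols
    a, b = game[(r0, c0)][0], game[(r0, c1)][0]   # row payoffs, row r0
    c, d = game[(r1, c0)][0], game[(r1, c1)][0]   # row payoffs, row r1
    e, f = game[(r0, c0)][1], game[(r0, c1)][1]   # column payoffs, row r0
    g, h = game[(r1, c0)][1], game[(r1, c1)][1]   # column payoffs, row r1
    denom_q = (a - b) - (c - d)   # row player indifferent between r0 and r1
    denom_p = (e - g) - (f - h)   # column player indifferent between c0 and c1
    if denom_q == 0 or denom_p == 0:
        return None
    q = (d - b) / denom_q         # P(column plays c0)
    p = (h - g) / denom_p         # P(row plays r0)
    if not (0 <= p <= 1 and 0 <= q <= 1):
        return None
    return {r0: p, r1: 1 - p}, {c0: q, c1: 1 - q}


# Payoffs (Prisoner 1, Prisoner 2) from the "A simple game" slide.
PRISONERS_DILEMMA = {
    ("Deny", "Deny"): (-1, -1), ("Deny", "Confess"): (-9, 0),
    ("Confess", "Deny"): (0, -9), ("Confess", "Confess"): (-6, -6),
}

# Payoffs (Attacker, Web server) from the Code Red slide; rows = attacker.
CODE_RED_LOW_CAPTURE = {
    ("Code Red", "Patch"): (0, -1), ("Code Red", "None"): (10, -10),
    ("None", "Patch"): (0, -1),     ("None", "None"): (0, 0),
}
CODE_RED_HIGH_CAPTURE = {
    ("Code Red", "Patch"): (-5, -1), ("Code Red", "None"): (5, -10),
    ("None", "Patch"): (0, -1),      ("None", "None"): (0, 0),
}

if __name__ == "__main__":
    for name, game in [("Prisoner's Dilemma", PRISONERS_DILEMMA),
                       ("Code Red, low capture", CODE_RED_LOW_CAPTURE),
                       ("Code Red, high capture", CODE_RED_HIGH_CAPTURE)]:
        print(name, "pure NE:", pure_nash_equilibria(game),
              "mixed NE:", mixed_nash_2x2(game))
```

For the high-capture matrix the mixed equilibrium has the attacker launching Code Red with probability 0.1 and the server patching with probability 0.5: the server randomizes until the attacker's expected gain from attacking is zero, and the attacker randomizes until the server's expected loss from not patching equals the patch cost. That is the kind of quantified attack prediction the deck proposes using the Nash equilibrium for.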

Page 26: A Game Theoretic Approach for Active Defense

Potential impact

• Nash equilibria are rational predictions for attacks
• Nash equilibria can guide better defensive system design

Page 27: A Game Theoretic Approach for Active Defense

Questions?

Thank you!