May 10, 2019
Title: A Markov-based Approach to Model Cyber Attack and Defense Games
Student: Mohammad Hadi Valizadeh
Major Advisor: Prof. Marten van Dijk
Associate Advisors: Prof. Benjamin Fuller and Prof. Walter Krawec
Date/Time: Friday, May 10, 2019 3:00-4:00 P.M.
Location: ITE 401
Cyber-attacks targeting individuals or enterprises have become a predominant part of the computer/information age. Such attacks are becoming more sophisticated (qualitative aspect) and more prevalent (quantitative aspect) on a day-to-day basis. The exponential growth of cyber plays and cyber players necessitates new methods and research for better understanding the “cyber kill chain,” particularly with the rise of advanced and novel malware (e.g., Stuxnet, the WannaCry ransomware cryptoworm, Mirai and its variants) and the extraordinary growth in the population of Internet residents, especially connected Internet of Things (IoT) devices.
Mathematical models can help the security community understand the threat better, and therefore analyze the attacker’s conduct during the lifetime of a cyber-attack and provide a well-founded response to adversarial actions. The scarcity of research on modeling and evaluating the efficiency of defensive systems (especially from a security perspective), however, warrants the construction of a proper theoretical framework. Such a framework allows the community to evaluate the effectiveness of defensive technologies from a security standpoint.
In this regard, we propose a Markov-based general framework to model the interactions between the two well-known players of network security games, i.e., a defender (taking advantage of common security tools and technologies such as Intrusion Detection and Prevention Systems (IDPSes), Firewalls, and Honeypots (HPs)) and an attacker (and possibly its agents) who takes actions to reach its attack objective(s) in the game. We mainly focus on the most significant and tangible aspects of sophisticated cyber-attacks: (1) the amount of time it takes for the adversary to accomplish its mission and (2) the success probabilities of fulfilling the attack objectives. Therefore, our goal is to translate attacker-defender interactions into a well-defined game so that we can provide rigorous cryptographic security guarantees for a system given both players’ tactics and strategies.
We study various attack-defense scenarios including moving target defense (MTD) strategies and advanced persistent threats (APTs). We provide general theorems about how the probability of a successful adversary defeating a defender's strategy is related to the amount of time/cost spent by the adversary in such scenarios. We also introduce the notion of learning in cybersecurity games and describe a general “game of consequences,” meaning that each player’s (mainly the attacker’s) chances of making a progressive move in the game depend on its previous actions. As an ongoing project, we are studying a malware propagation and botnet construction game in which we investigate the importance of the learning rates of defense mechanisms in fighting the self-propagating class of malware such as worms and bots. To this end, we intend to introduce a new propagation model based on the interactions between an adversary (and its agents) who wishes to construct a zombie army of a specific size, and a defender taking advantage of common security tools and technologies in the network environment.
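To make the time/success-probability relation concrete, here is an added illustration (not the dissertation's own model or code) of a small absorbing Markov chain: the attacker must pass through a chain of stages to reach the objective, each step risks detection by the defender, and an assumed defender learning rate raises the per-step detection probability over time. All stage counts, advance and detection probabilities, and the linear learning rule are assumptions chosen for illustration.

```python
from typing import List, Tuple

# Assumed model: states 0..n-1 are attack stages, state n is the objective
# (absorbing), state n+1 is "detected" (absorbing). Each step the defender
# detects with probability detect[i] (raised by learning_rate * t, capped at 1);
# otherwise the attacker advances with probability advance[i] or stays put.
def transition_matrix(advance: List[float], detect: List[float],
                      t: int, learning_rate: float) -> List[List[float]]:
    n = len(advance)
    size = n + 2
    P = [[0.0] * size for _ in range(size)]
    for i in range(n):
        d = min(1.0, detect[i] + learning_rate * t)  # defender learns over time
        P[i][n + 1] = d
        P[i][i + 1] = (1.0 - d) * advance[i]
        P[i][i] = (1.0 - d) * (1.0 - advance[i])
    P[n][n] = 1.0          # objective reached: absorbing
    P[n + 1][n + 1] = 1.0  # attacker detected: absorbing
    return P

def outcome_by(t: int, advance: List[float], detect: List[float],
               learning_rate: float = 0.0) -> Tuple[float, float]:
    """Return (P[objective reached by step t], P[detected by step t])."""
    n = len(advance)
    dist = [1.0] + [0.0] * (n + 1)  # attacker starts at stage 0
    for step in range(t):
        P = transition_matrix(advance, detect, step, learning_rate)
        dist = [sum(dist[i] * P[i][j] for i in range(n + 2)) for j in range(n + 2)]
    return dist[n], dist[n + 1]

def eventual_success(advance: List[float], detect: List[float]) -> float:
    """Closed form for a non-learning defender: at each stage the attacker must
    advance before being detected, i.e. adv / (1 - stay), multiplied over stages."""
    prob = 1.0
    for a, d in zip(advance, detect):
        adv, stay = (1.0 - d) * a, (1.0 - d) * (1.0 - a)
        prob *= adv / (1.0 - stay)
    return prob

if __name__ == "__main__":
    adv, det = [0.5, 0.5], [0.1, 0.1]  # constructed sample parameters
    for t in (2, 5, 10, 50):
        print(t, outcome_by(t, adv, det), outcome_by(t, adv, det, 0.05))
    print("eventual (no learning):", eventual_success(adv, det))
```

Sweeping `t` shows the quantity the theorems relate: how quickly the attacker's cumulative success probability approaches its ceiling, and how a learning defender lowers that ceiling.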