research-article

Public Access

SHARE: A Stackelberg Honey-Based Adversarial Reasoning Engine

Authors:

Sushil Jajodia,

V. S. SubrahmanianAuthors Info & Claims

ACM Transactions on Internet Technology (TOIT), Volume 18, Issue 3

Article No.: 30, Pages 1 - 41

https://doi.org/10.1145/3137571

Published: 07 March 2018 Publication History

Abstract

A “noisy-rich” (NR) cyber-attacker (Lippmann et al. 2012) is one who tries all available vulnerabilities until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how NR-attackers will explore an enterprise network and how they will attack it, based on the concept of a system vulnerability dependency graph. We develop a mechanism by which the network can be modified by the defender to induce deception by placing honey nodes and apparent vulnerabilities into the network to minimize the expected impact of the NR-attacker’s attacks (according to multiple measures of impact). We also consider the case where the adversary learns from blocked attacks using reinforcement learning. We run detailed experiments with real network data (but with simulated attack data) and show that Stackelberg Honey-based Adversarial Reasoning Engine performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. We also develop a method for the attacker to use reinforcement learning when his or her activities are stopped by the defender. We propose two stopping policies for the defender: Stop Upon Detection allows the attacker to learn about the defender’s strategy and (according to our experiments) leads to significant damage in the long run, whereas Stop After Delay allows the defender to introduce greater uncertainty into the attacker, leading to better defendability in the long run.

References

[1]

L. Ablon, M. C. Libicki, and A. Golay. 2014. Markets for Cybercrime Tools and Stole Data: Hackers Bazaar. Technical Report. Retrieved from http://www.rand.org/pubs/research_reports/RR610.html.

[2]

Palvi Aggarwal, Zahid Maqbool, Antra Grover, V. S. Pammi, Saumya Singh, and Varun Dutt. 2015. Cyber security: A game-theoretic analysis of defender and attacker strategies in defacing-website games. In Proceedings of the International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA’15). IEEE, 1--8.

[3]

Tansu Alpcan and Tamer Baar. 2010. Network Security: A Decision and Game-Theoretic Approach (1st ed.). Cambridge University Press.

Digital Library

[4]

Bo An, David Kempe, Christopher Kiekintveld, Eric Shieh, Satinder Singh, Milind Tambe, and Yevgeniy Vorobeychik. 2012. Security games with limited surveillance. In Proceedings of the Association for the Advancement of Artificial Intelligence Conference on Artificial Intelligence (AAAI’12). 1241--1248.

Digital Library

[5]

Ning Bao and John Musacchio. 2009. Optimizing the decision to expel attackers from an information system. In Proceedings of the 47th Annual Allerton Conference on Communication, Control, and Computing. 644--651.

Digital Library

[6]

Tamer Başar and Geert Jan Olsder. 1998. Dynamic Noncooperative Game Theory. SIAM.

[7]

Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. 2002. Timing the application of security patches for optimal uptime. In Proceedings of the Large Installation System Administration Conference (LISA’02), Vol. 2. 233--242.

Digital Library

[8]

Maya Bercovitch, Meir Renford, Lior Hasson, Asaf Shabtai, Lior Rokach, and Yuval Elovici. 2011. HoneyGen: An automated honeytokens generator. In Proceedings of the IEEE Conference on Intelligence and Security Informatics (ISI’11). IEEE, 131--136.

[9]

Anita Borkar, Akshaya Salunke, Ankita Barabde, and N. P. Karlekar. 2011. Honeypot: A survey of technologies, tools and deployment. In Proceedings of the International Conference on Web Engineering and Technology (ICWET’11). ACM, New York, NY, 1357--1357.

Digital Library

[10]

Jin-Yi Cai, Vinod Yegneswaran, Chris Alfeld, and others. 2009. An Attacker-Defender Game for Honeynets. Springer, Berlin, 7--16.

Digital Library

[11]

R. M. Campbell, K. Padayachee, and T. Masombuka. 2015. A survey of honeypot research: Trends and opportunities. In Proceedings of the 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST’15). 208--212.

[12]

Huseyin Cavusoglu, Hasan Cavusoglu, and Jun Zhang. 2006. Economics of security patch management. In Proceedings of the Workshop on the Economics of Information Security (WEIS’06).

[13]

Hasan Cavusoglu, Huseyin Cavusoglu, and Jun Zhang. 2008. Security patch management: Share the burden or share the damage? Manage. Sci. 54, 4 (2008), 657--670.

Digital Library

[14]

Kalyanmoy Deb, Amrit Pratap, Sameer Agarwal, and T. Meyarivan. 2000. A fast elitist multi-objective genetic algorithm: NSGA-II. IEEE Trans. Evol. Comput. 6, 2 (2000), 182--197.

Digital Library

[15]

Rinku Dewri, Nayot Poolsappasit, Indrajit Ray, and Darrell Whitley. 2007. Optimal security hardening using multi-objective optimization on attack tree models of networks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07). ACM, 204--213.

Digital Library

[16]

Rinku Dewri, Indrajit Ray, Nayot Poolsappasit, and Darrell Whitley. 2012. Optimal security hardening on attack tree models of networks: A cost-benefit analysis. Int. J. Inf. Secur. 11, 3 (2012), 167--188.

Digital Library

[17]

Gurpreet Dhillon and Gholamreza Torkzadeh. 2001. Value-focused assessment of information system security in organizations. In Proceedings of the International Conference on Information Systems (ICIS’01), Veda C. Storey, Sumit Sarkar, and Janice I. DeGross (Eds.). Association for Information Systems, 561--566.

[18]

John P. Dickerson, Gerardo I. Simari, V. S. Subrahmanian, and Sarit Kraus. 2010. A graph-theoretic approach to protect static and moving targets from adversaries. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’10), Vol. 1. IFAAMAS, 299--306.

Digital Library

[19]

Karel Durkota, Viliam Lisy, Branislav Bošansky, and Christopher Kiekintveld. 2015. Optimal network security hardening using attack graph games. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI’15). AAAI Press, 526--532. http://dl.acm.org/citation.cfm?id=2832249.2832322.

Digital Library

[20]

Tobias Friedrich and Frank Neumann. 2014. Maximizing Submodular Functions under Matroid Constraints by Multi-objective Evolutionary Algorithms. Springer, 922--931.

[21]

Parke Godfrey, Ryan Shipley, and Jarek Gryz. 2007. Algorithms and analyses for maximal vector computation. Int. J. VLDB 16, 1 (2007), 5--28.

Digital Library

[22]

Sergiu Hart. 1992. Games in extensive and strategic forms. In Handbook of Game Theory with Economic Applications (1 ed.), R. J. Aumann and S. Hart (Eds.). Vol. 1. Elsevier, 19--40.

[23]

Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin. 2011. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In Proceedings of the 6th Annual International Conference on Information Warfare and Security 1 (2011), 80.

[24]

Sushil Jajodia and Steven Noel. 2010. Topological vulnerability analysis. In Cyber Situational Awareness, Sushil Jajodia, Peng Liu, Vipin Swarup, and Cliff Wang (Eds.). Advances in Information Security, Vol. 46. Springer, 139--154.

[25]

Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, and John Williams. 2011. Cauldron: Mission-centric cyber situational awareness with defense in depth. In Proceedings of the Military Communications Conference (MILCOM’11).

[26]

Sushil Jajodia, Paulo Shakarian, V. S. Subrahmanian, Vipin Swarup, and Cliff Wang (Eds.). 2015. Cyber Warfare—Building the Scientific Foundation. Advances in Information Security, Vol. 56. Springer.

Digital Library

[27]

Ralph L. Keeney. 1992. Value-Focused Thinking: A Path to Creative Decisionmaking/Ralph L. Keeney. Harvard University Press, Cambridge, MA, xvi, 416.

[28]

Ralph L. Keeney. 1996. Value-focused thinking: Identifying decision opportunities and creating alternatives. Eur. J. Operat. Res. 92, 3 (1996), 537--549.

[29]

Christopher Kiekintveld, Manish Jain, Jason Tsai, James Pita, Fernando Ordóñez, and Milind Tambe. 2009a. Computing optimal randomized resource allocations for massive security games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’09). 689--696. http://dl.acm.org/citation.cfm?id=1558013.1558108.

Digital Library

[30]

Christopher Kiekintveld, Manish Jain, Jason Tsai, James Pita, Fernando Ordóñez, and Milind Tambe. 2009b. Computing optimal randomized resource allocations for massive security games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’09). 689--696.

Digital Library

[31]

Christopher Kiekintveld, Viliam Lisý, and Radek Píbil. 2015. Game-theoretic foundations for the strategic use of honeypots in network security. In Cyber Warfare—Building the Scientific Foundation. 81--101.

[32]

A. Kim and M. H. Kang. 2011. Determining Asset Criticality for Cyber Defense. Retrieved from www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA550373.

[33]

Levente Kocsis and Csaba Szepesvári. 2006. Bandit based monte-carlo planning. In Proceedings of the 17th European Conference on Machine Learning (ECML’06). Springer-Verlag, Berlin, 282--293.

Digital Library

[34]

Dmytro Korzhyk, Zhengyu Yin, Christopher Kiekintveld, Vincent Conitzer, and Milind Tambe. 2011. Stackelberg vs. nash in security games: An extended investigation of interchangeability, equivalence, and uniqueness. In Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS’10). 1139–1146.

[35]

Hsiang-Tsung Kung, Fabrizio Luccio, and Franco P. Preparata. 1975. On finding the maxima of a set of vectors. J. ACM 22, 4 (1975), 469--476.

Digital Library

[36]

Joshua Letchford and Yevgeniy Vorobeychik. 2013. Optimal interdiction of attack plans. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’13). 199--206. http://dl.acm.org/citation.cfm?id=2484920.2484955.

Digital Library

[37]

R. P. Lippmann, J. F. Riordan, T. H. Yu, and K. K. Watson. 2012. Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics. Technical Report. DTIC Document.

[38]

J. Lou, A. M. Smith, and Y. Vorobeychik. 2017. Multidefender security games. IEEE Intell. Syst. 32, 1 (Jan 2017), 50--60.

Digital Library

[39]

Kong-wei Lye and Jeannette M. Wing. 2005. Game strategies in network security. Int. J. Inf. Secur. 4, 1-2 (2005), 71--86.

Digital Library

[40]

Rebecca T. Mercuri. 2003. Analyzing security costs. Commun. ACM 46, 6 (2003), 15--18.

Digital Library

[41]

J. Mirkovic and P. Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34, 2 (2004), 39--53.

Digital Library

[42]

NIST. 2017. National Vulnerability Database. Retrieved from http://nvd.nist.gov.

[43]

Praveen Paruchuri, Jonathan P. Pearce, Janusz Marecki, Milind Tambe, Fernando Ordonez, and Sarit Kraus. 2008. Playing games for security: An efficient exact algorithm for solving bayesian stackelberg games. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’08). 895--902.

Digital Library

[44]

James Pita, Manish Jain, Janusz Marecki, Fernando Ordóñez, Christopher Portway, Milind Tambe, Craig Western, Praveen Paruchuri, and Sarit Kraus. 2008. Deployed ARMOR protection: The application of a game theoretic model for security at the los angeles international airport. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS’08). 125--132.

Digital Library

[45]

Nayot Poolsappasit, Rinku Dewri, and Indrajit Ray. 2012. Dynamic security risk management using bayesian attack graphs. IEEE Trans. Depend. Secur. Comput. 9, 1 (2012), 61--74.

Digital Library

[46]

Fabien Pouget and Marc Dacier. 2003. Honeypot, honeynet: A comparative survey. In Institut EurÃl’com.

[47]

Chao Qian, Yang Yu, and Zhi-Hua Zhou. 2015. On constrained boolean pareto optimization. In Proceedings of the 24th International Conference on Artificial Intelligence (IJCAI’15). AAAI Press, 389--395.

Digital Library

[48]

Edoardo Serra, Sushil Jajodia, Andrea Pugliese, Antonino Rullo, and V. S. Subrahmanian. 2015. Pareto-optimal adversarial defense of enterprise systems. ACM Trans. Inf. Syst. Secur. 17, 3, Article 11 (March 2015), 39 pages.

Digital Library

[49]

Asaf Shabtai, Yuval Elovici, and Lior Rokach. 2012. Data leakage detection/prevention solutions. In A Survey of Data Leakage Detection and Prevention Solutions. Springer, 17--37.

[50]

Paulo Shakarian, Damon Paulo, Massimiliano Albanese, and Sushil Jajodia. 2014. Keeping intrudors at large: A graph-theoretic approach to reducing the probability of successful network intrusions. In Proceedings of the International Conference on Security and Cryptography (SECRYPT’14). 19--30.

[51]

K. G. Srinivasa. 2012. Application of Genetic Algorithms for Detecting Anomaly in Network Intrusion Detection Systems. Springer, Berlin, 582--591.

[52]

Colin Tankard. 2011. Advanced persistent threats and how to monitor and deter them. Network Security 2011, 8, 16--19.

[53]

The MITRE Corporation. 2011. Common Weakness Scoring System (CWSS™). Retrieved from http://cwe.mitre.org/cwss/.

[54]

Eduardo Viegas, Altair Olivo Santin, Andre Franca, Ricardo Jasinski, Volnei A. Pedroni, and Luiz S. Oliveira. 2017. Towards an energy-efficient anomaly-based intrusion detection engine for embedded systems. IEEE Trans. Comput. 66, 1 (2017), 163--177.

Digital Library

[55]

Darrell Whitley, Soraya Rana, and Robert B. Heckendorn. 1998. The island model genetic algorithm: On separability, population size and convergence. J. Comput. Inf. Technol. 7 (1998), 33--47.

Cited By

Wang SPei QXiao YShao FYuan SChu JLiao R(2024)Probabilistic models for evaluating network edge's resistance against scan and foothold attackIET Communications10.1049/cmu2.12774Online publication date: 23-Apr-2024
https://doi.org/10.1049/cmu2.12774
Wolfson OGiri PJajodia STrajcevski G(2023)Geographic-Region Monitoring by Drones in Adversarial EnvironmentsACM Transactions on Spatial Algorithms and Systems10.1145/36110099:3(1-36)Online publication date: 2-Aug-2023
https://dl.acm.org/doi/10.1145/3611009
Yang XSmahi ALi HLu PZhang HLi S(2023)Triple methods-based empirical assessment of the effectiveness of adaptive cyber defenses in the cloudThe Journal of Supercomputing10.1007/s11227-022-04984-579:8(8634-8667)Online publication date: 1-May-2023
https://dl.acm.org/doi/10.1007/s11227-022-04984-5
Show More Cited By

Index Terms

SHARE: A Stackelberg Honey-Based Adversarial Reasoning Engine

Recommendations

Pareto-Optimal Adversarial Defense of Enterprise Systems

The National Vulnerability Database (NVD) maintained by the US National Institute of Standards and Technology provides valuable information about vulnerabilities in popular software, as well as any patches available to address these vulnerabilities. ...
Detecting Insider Theft of Trade Secrets

Trusted insiders who misuse their privileges to gather and steal sensitive information represent a potent threat to businesses. Applying access controls to protect sensitive information can reduce the threat but has significant limitations. Even if ...
A Tale of Three Cyber-Defense Workshops

The National Cyber Defense Initiative (NCDI) has been working behind the scenes to help inform the US research agenda for strategic cyber defense. An important part of the NDCI's activities has been sponsorship of three workshops: the 2006 Safe-...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Internet Technology

ACM Transactions on Internet Technology Volume 18, Issue 3

Special Issue on Artificial Intelligence for Secruity and Privacy and Regular Papers

August 2018

314 pages

ISSN:1533-5399

EISSN:1557-6051

DOI:10.1145/3185332

Editor:
Munindar P. Singh
Department of Computer Science, North Carolina State University

Issue’s Table of Contents

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 March 2018

Accepted: 01 August 2017

Revised: 01 August 2017

Received: 01 September 2016

Published in TOIT Volume 18, Issue 3

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Maryland Procurement Office
ARO
ONR

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
539
Total Downloads

Downloads (Last 12 months)73
Downloads (Last 6 weeks)7

Reflects downloads up to 14 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wang SPei QXiao YShao FYuan SChu JLiao R(2024)Probabilistic models for evaluating network edge's resistance against scan and foothold attackIET Communications10.1049/cmu2.12774Online publication date: 23-Apr-2024
https://doi.org/10.1049/cmu2.12774
Wolfson OGiri PJajodia STrajcevski G(2023)Geographic-Region Monitoring by Drones in Adversarial EnvironmentsACM Transactions on Spatial Algorithms and Systems10.1145/36110099:3(1-36)Online publication date: 2-Aug-2023
https://dl.acm.org/doi/10.1145/3611009
Yang XSmahi ALi HLu PZhang HLi S(2023)Triple methods-based empirical assessment of the effectiveness of adaptive cyber defenses in the cloudThe Journal of Supercomputing10.1007/s11227-022-04984-579:8(8634-8667)Online publication date: 1-May-2023
https://dl.acm.org/doi/10.1007/s11227-022-04984-5
Yang XSmahi ALi HZhang HLi S(2022)SPM: A Novel Hierarchical Model for Evaluating the Effectiveness of Combined ACDs in a Blockchain-Based Cloud EnvironmentApplied Sciences10.3390/app1218923012:18(9230)Online publication date: 14-Sep-2022
https://doi.org/10.3390/app12189230
Zhang YLiu FChen H(2022)Optimal strategy selection for attack graph games using deep reinforcement learning2022 IEEE 24th Int Conf on High Performance Computing & Communications; 8th Int Conf on Data Science & Systems; 20th Int Conf on Smart City; 8th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys)10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00135(823-830)Online publication date: Dec-2022
https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00135
Miao SLi YPan Q(2022)Honeypot Active Defense Technology for UAV Cyber Range2022 China Automation Congress (CAC)10.1109/CAC57257.2022.10054946(30-35)Online publication date: 25-Nov-2022
https://doi.org/10.1109/CAC57257.2022.10054946
Zenitani K(2022)A multi-objective cost–benefit optimization algorithm for network hardeningInternational Journal of Information Security10.1007/s10207-022-00586-721:4(813-832)Online publication date: 1-Aug-2022
https://dl.acm.org/doi/10.1007/s10207-022-00586-7
Fairbanks JOrbe APatterson CLayne JSerra EScheepers M(2021)Identifying ATT&CK Tactics in Android Malware Control Flow Graph Through Graph Representation Learning and Interpretability2021 IEEE International Conference on Big Data (Big Data)10.1109/BigData52589.2021.9671343(5602-5608)Online publication date: 15-Dec-2021
https://doi.org/10.1109/BigData52589.2021.9671343
Tan JZhang HZhang HHu HLei CQin Z(2021)Optimal Temporospatial Strategy Selection Approach to Moving Target Defense: A FlipIt Differential Game ModelComputers & Security10.1016/j.cose.2021.102342(102342)Online publication date: May-2021
https://doi.org/10.1016/j.cose.2021.102342
Li HShen WZheng ZEl Fallah Seghrouchni ASukthankar GAn BYorke-Smith N(2020)Spatial-Temporal Moving Target Defense: A Markov Stackelberg Game ModelProceedings of the 19th International Conference on Autonomous Agents and MultiAgent Systems10.5555/3398761.3398847(717-725)Online publication date: 5-May-2020
https://dl.acm.org/doi/10.5555/3398761.3398847
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents