
A Game Theoretic Approach for Active Defense



Presentation Transcript


  1. A Game Theoretic Approach for Active Defense
  Peng Liu
  Lab. for Info. and Sys. Security, University of Maryland, Baltimore County, Baltimore, MD 21250
  OASIS, March 2002

  2. Evolution of Defensive Computing Systems
  - Prevention: authentication, access control, inference control, information flows, encryption, keys, signatures, ...
  - Intrusion Detection: host-based, network-based, misuse detection, anomaly detection, ...
  - Survivability: assessment, repair, isolation, containment, replication, segmentation, masking, migration, quorums, voting, reconfiguration, ...
  However, many existing defensive computing systems are passive!

  3. Many IDS are passive
  - Static intrusion detection: fixed IDS configuration
  - Adaptive intrusion detection: reactive but not active; adapts the IDS configuration to the changing environment; most successful when new attacks follow the same trend
  - Passive: the defense lags behind the offense

  4. Many existing intrusion tolerant systems are passive
  [Figure: an intrusion tolerant system with a Tuner, receiving attacks and good accesses from the Environment]
  - Reactive adaptations work well when the environment gradually changes following the same trend
  - When the environment suddenly changes, the adaptation latency can be significant, during which the system is not stable and can perform very poorly

  5. ITDB is passive
  [Figure: ITDB architecture. Components: Intrusion Detector, Mediator & Damage Container, Repair manager, Tuner, isolation database. Labels: authorized but malicious transactions, suspicious transactions, malicious transactions, trails, alarms, isolation, merge, discard, assess, repair]

  6. Active Defense Systems
  [Figure: in the Environment, an attacking system and an intrusion tolerant system (with its Tuner) battle, while good accesses still reach the intrusion tolerant system]

  7. A game theoretic approach for active defense
  [Figure: Player 1 is an intrusion tolerant system choosing a defense strategy D from its strategy space; Player 2 is an attacking system choosing an attack strategy A from its strategy space; the outcome yields Payoff-1(D, A) and Payoff-2(D, A), repeated over time]
  - The game should have multiple phases
  - The simplest case should be repeated games

  8. A simple game (payoffs listed as Prisoner 1, Prisoner 2)

                              Prisoner 2
                              Deny        Confess
      Prisoner 1   Deny       -1, -1      -9,  0
                   Confess     0, -9      -6, -6   <- Nash equilibrium

  - Deny is the high-risk choice
  - Rational players: maximum payoffs with minimum risks
  - Rational prediction: the Nash equilibrium (Confess, Confess)
    - player 1's predicted strategy is player 1's best response to the predicted strategy of player 2, and vice versa
    - no single player wants to deviate from his or her predicted strategy

  9. A motivating example: Fraud Detection
  [Figure: credit card transactions flow between the Merchant, the Acquiring Bank and the Issuing Bank, which holds the account information]
  - credit card transactions
  - fraud detection: a profile for each card (customer); distance(transaction, profile) indicates the anomaly; several levels of alarms are raised based on the distance, using a set of thresholds
  - challenge: how to minimize the fraud loss and minimize the denial-of-service

  10. Anomaly Detection System Specification

  11. A game for active fraud defense (1)
  - A Bayesian 2-player active defense game between the Fraud Detection System (FDS) and the Customer
  - The customer is one of two types: a good guy (payoff u_good) or a bad guy (payoff u_bad)
  - The FDS believes the customer is a good guy with probability 1 - θ and a bad guy with probability θ
  - The FDS's expected payoff is u_ads = (1 - θ)·u_ads,good + θ·u_ads,bad

  12. A game for active fraud defense (2)
  Assumption: the profile of each customer is simply specified by the transaction amount (Pi on the following slides).
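A worked example of the detector sketched on slides 9, 11 and 12, added here and not code from the slides or from ITDB: a card's profile is just its typical amount Pi (slide 12), a transaction is scored by its distance from Pi and mapped to alarm levels by a set of thresholds (slide 9), and a blocking threshold TH is judged by the (1-θ)/θ weighted expected loss of slide 11. The thresholds, θ, the two unit costs and all transaction amounts are constructed assumptions.

```python
"""Threshold-based card fraud detection and the FDS's Bayesian expected loss.

Added worked example (not code from the OASIS 2002 slides). It follows the
slide-12 simplification that a card's profile is just its typical transaction
amount P_i, scores a transaction by its distance from P_i (slide 9), maps the
distance to alarm levels through a set of thresholds (slide 9), and evaluates
a blocking threshold TH by the (1-θ)/θ weighted expected loss of slide 11.
The unit costs, thresholds, θ and transaction amounts below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Per-card profile: only the typical amount P_i, as on slide 12."""
    card: str
    typical_amount: float


def distance(amount: float, profile: Profile) -> float:
    """Anomaly score: distance between the transaction and the profile."""
    return abs(amount - profile.typical_amount)


def alarm_level(amount: float, profile: Profile, thresholds: tuple) -> int:
    """Alarm level = how many of the ascending thresholds the distance exceeds.
    0 means no alarm; len(thresholds) is the highest level."""
    d = distance(amount, profile)
    return sum(1 for th in thresholds if d > th)


def rates(good_amounts, bad_amounts, profile, th):
    """Single-threshold decision 'block iff distance > th'.
    Returns (false_alarm_rate over good transactions,
             detection_rate over fraudulent transactions)."""
    false_alarms = sum(distance(a, profile) > th for a in good_amounts)
    detections = sum(distance(a, profile) > th for a in bad_amounts)
    return false_alarms / len(good_amounts), detections / len(bad_amounts)


def expected_loss(th, theta, good_amounts, bad_amounts, profile, cost_dos, cost_fraud):
    """FDS expected loss in the shape of slide 11's u_ads = (1-θ)u_good + θu_bad:
    with probability 1-θ the customer is good and a false alarm costs cost_dos
    (denial of service); with probability θ the customer is a bad guy and a
    missed fraud costs cost_fraud. Both unit costs are assumed here."""
    fa, det = rates(good_amounts, bad_amounts, profile, th)
    return (1 - theta) * cost_dos * fa + theta * cost_fraud * (1 - det)


def best_threshold(candidates, **game):
    """Candidate TH with the lowest expected loss (first one wins on ties)."""
    return min(candidates, key=lambda th: expected_loss(th, **game))


# Constructed sample data (not from the slides).
PROFILE = Profile("card-001", typical_amount=40.0)
THRESHOLDS = (10.0, 50.0, 100.0)          # alarm levels 1..3
GOOD = [40.0, 40.0, 42.0, 38.0, 45.0, 40.0, 37.0, 41.0]   # a card with converged usage
BAD = [40.0, 60.0, 95.0, 150.0, 300.0]    # one fraud hides at exactly P_i
GAME = dict(theta=0.05, good_amounts=GOOD, bad_amounts=BAD, profile=PROFILE,
            cost_dos=20.0, cost_fraud=100.0)

if __name__ == "__main__":
    for amount in (40.0, 60.0, 95.0, 300.0):
        print(f"amount {amount:6.1f} -> alarm level {alarm_level(amount, PROFILE, THRESHOLDS)}")
    for th in (0.0, 5.0, 25.0, 75.0):
        fa, det = rates(GOOD, BAD, PROFILE, th)
        print(f"TH={th:5.1f}  false alarms={fa:.3f}  detection={det:.3f}  "
              f"expected loss={expected_loss(th, **GAME):.3f}")
    print("best TH:", best_threshold([0.0, 5.0, 25.0, 75.0], **GAME))
```

Two things the sample makes visible that the slides only state: a good customer who always transacts at exactly Pi is never blocked for any TH >= 0 (the zero false-alarm rate of slide 21), and a fraud that also transacts at Pi is undetectable by this detector for any TH, which is why the later slides treat the attacker's choice of amount as a strategic variable rather than a fixed anomaly.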

  13. Attack Prediction Game

  14. A naive approach
  Assumption: the attacker knows Pi.
  The Nash equilibrium is:
  - when b = 0: the FDS's strategy is TH = 0; the good guy's strategy is amount = Pi; the bad guy's strategy is amount = Pi
  - when b > 0: there is no (pure strategy) Nash equilibrium, since the FDS wants to outguess the bad guy and vice versa
  However, Pi is usually not completely known to the bad guy!

  15. A probabilistic approach
  Assumption: the attacker only knows a distribution of Pi, e.g., a normal distribution.
  The Nash equilibrium (TH*, Ag*, Ab*) must satisfy the condition shown on the slide [figure; labels: CL, Ab*, Pi].
  However, when b is very small: [figure; labels: 2TH, 0]

  16. Adding more uncertainty
  Motivation: in many cases, the FDS is uncertain about the attacker's strategy.
  Assumption: the attacker's strategy is randomly distributed over an attack window [X, X+B], where B is fixed.
  The results are: [figure; labels: CL, Pi, X, X+B, 0]
  Question: which X is best for the bad guy?

  17. Preliminary results (1)

  18. Preliminary results (2)

  19. Preliminary results (3)

  20. Preliminary results (4)

  21. The impact on false alarm rate and detection rate
  - The false alarm rate is dependent on the behavior of the good guy
  - If the good guy takes Nash strategies, the false alarm rate is 0
  - The detection rate can be predicted using the Nash equilibrium
  - Since in many practical defense systems there is incomplete information to compute the Nash equilibrium, the false alarm rate is usually not zero, and the detection rate can only be approximately predicted

  22. Suggestions to card holders
  - Have multiple cards
  - Each card has converged usage

  23. Broader Attack Prediction Applications
  [Figure: the attack space divided into known types of attacks, new attacks, and new types of attacks; the regions are marked as valuable games or not valuable games]

  24. Example 1: new attacks
  - There is a game for each new attack; however, the attacker knows a lot about it but the defender knows very little
    - the attacker knows a lot about the Nash equilibrium, but the defender does not
    - the attacker will not inform the defender what he or she knows
  - As a result, the attacker can exploit the nature of asymmetric information sharing to win more!
  - The defender can start to play the game only after the new attack happens

  25. Example 2: Code Red (payoffs listed as Attacker, Web server)

  Low probability of being captured:
                                Web server
                                Patch       None
      Attacker    Code Red      0, -1       10, -10
                  None          0, -1        0,   0
  Nash equilibrium: (Code Red, Patch)

  High probability of being captured:
                                Web server
                                Patch       None
      Attacker    Code Red     -5, -1        5, -10
                  None          0, -1        0,   0
  No pure-strategy Nash equilibrium: each player wants to outguess the other (the attacker prefers None once the server patches, and the server prefers None once the attacker stops)
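An added example (not code from the slides) that computes the equilibria discussed on slides 8 and 25: a best-response search for pure-strategy Nash equilibria of any two-player payoff table, plus the indifference-equation solution for a fully mixed equilibrium of a 2x2 game. The payoff tables are transcribed from the slides; the mixed-strategy result for the high-capture Code Red game goes beyond what the slide states.

```python
"""Pure- and mixed-strategy Nash equilibria of small two-player games.

Added worked example (not code from the OASIS 2002 slides). The payoff tables
are the ones shown on the slides: the prisoner's dilemma of slide 8 and the two
Code Red games of slide 25 (low and high probability of the attacker being
captured). A[r][c] is the row player's payoff and B[r][c] the column player's.
"""
from fractions import Fraction
from itertools import product


def row_best_responses(A, col):
    """Rows maximizing the row player's payoff against column strategy `col`."""
    column = [A[r][col] for r in range(len(A))]
    best = max(column)
    return {r for r, v in enumerate(column) if v == best}


def col_best_responses(B, row):
    """Columns maximizing the column player's payoff against row strategy `row`."""
    best = max(B[row])
    return {c for c, v in enumerate(B[row]) if v == best}


def pure_nash_equilibria(A, B):
    """Every (row, col) where each strategy is a best response to the other,
    i.e. no single player gains by deviating (slide 8's definition)."""
    n_rows, n_cols = len(A), len(A[0])
    return [(r, c) for r, c in product(range(n_rows), range(n_cols))
            if r in row_best_responses(A, c) and c in col_best_responses(B, r)]


def mixed_nash_2x2(A, B):
    """Fully mixed equilibrium of a 2x2 game as (p, q): p is the row player's
    probability of row 0, q the column player's probability of column 0.
    Each player mixes so that the *other* player is indifferent between its
    two strategies. Returns None if no interior solution exists."""
    A = [[Fraction(x) for x in row] for row in A]
    B = [[Fraction(x) for x in row] for row in B]
    # column player indifferent between col 0 and col 1 given p:
    #   B00*p + B10*(1-p) = B01*p + B11*(1-p)
    den_p = B[0][0] - B[1][0] - B[0][1] + B[1][1]
    # row player indifferent between row 0 and row 1 given q:
    #   A00*q + A01*(1-q) = A10*q + A11*(1-q)
    den_q = A[0][0] - A[0][1] - A[1][0] + A[1][1]
    if den_p == 0 or den_q == 0:
        return None
    p = (B[1][1] - B[1][0]) / den_p
    q = (A[1][1] - A[0][1]) / den_q
    if not (0 < p < 1 and 0 < q < 1):
        return None
    return float(p), float(q)


def solve(game):
    """Name the equilibria of a game given as strategy labels plus payoff tables."""
    rows, cols = game["rows"], game["cols"]
    pure = [(rows[r], cols[c]) for r, c in pure_nash_equilibria(game["A"], game["B"])]
    mixed = mixed_nash_2x2(game["A"], game["B"]) if len(rows) == len(cols) == 2 else None
    return {"pure": pure, "mixed": mixed}


# Payoff tables transcribed from the slides (row player in A, column player in B).
PRISONERS_DILEMMA = {                     # slide 8; rows: prisoner 1, cols: prisoner 2
    "rows": ("Deny", "Confess"), "cols": ("Deny", "Confess"),
    "A": [[-1, -9], [0, -6]],
    "B": [[-1, 0], [-9, -6]],
}
CODE_RED_LOW_CAPTURE = {                  # slide 25; rows: attacker, cols: web server
    "rows": ("Code Red", "None"), "cols": ("Patch", "None"),
    "A": [[0, 10], [0, 0]],
    "B": [[-1, -10], [-1, 0]],
}
CODE_RED_HIGH_CAPTURE = {                 # slide 25, high probability of being captured
    "rows": ("Code Red", "None"), "cols": ("Patch", "None"),
    "A": [[-5, 5], [0, 0]],
    "B": [[-1, -10], [-1, 0]],
}

if __name__ == "__main__":
    for name, game in [("prisoner's dilemma", PRISONERS_DILEMMA),
                       ("Code Red, low capture probability", CODE_RED_LOW_CAPTURE),
                       ("Code Red, high capture probability", CODE_RED_HIGH_CAPTURE)]:
        print(f"{name}: {solve(game)}")
```

For the high-capture game the solver finds no pure equilibrium and returns the mixed one: the attacker launches Code Red with probability 0.1 and the web server patches with probability 0.5. That is the "outguessing" situation of slide 14 made concrete: the defender's rational prediction is not a single attack or a single response but the frequencies with which each will be played.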

  26. Potential impact
  - Nash equilibria are rational predictions for attacks
  - Nash equilibria can guide better defensive system design

  27. Questions? Thank you!
