Out-Learning Attackers: A Game Theoretic Approach to Cyber Defense
Final performance rept. 1 Feb 2009-30 Nov 2012
CALIFORNIA UNIV SANTA CRUZ
In this project we have constructed a Markov Decision Process (MDP) model to demonstrate the value of not always expelling attackers found in a defender's information system. We have developed models to extract qualitative insights into the interaction of a defender trying to classify an attacker and an attacker trying to evade classification. In particular, we have developed a model in which the attacker chooses an attack rate and the defender chooses a detection threshold to apply after a fixed set of observations. In this model we show that pure strategy equilibria often do not exist. In a related model we allow the defender to dynamically adjust the observation window as he collects data, as in the well known sequential probability ratio test. We show numerically that equilibria appear to exist in that model. In a further related model, we restructure the attacker's strategy as a distribution over the number of hits to attempt in N steps (a mixed strategy). We show that the equilibrium can be computed efficiently, and we use that fact to extract qualitative insights. One insight is that the defender also ends up using a randomized detection threshold in Nash equilibrium, since against any fixed threshold the attacker will often simply attack at a level just below it. This finding suggests that defenders, and hence designers of security software, should consider using randomized detection and classification thresholds. Finally, our methodology allows us to efficiently analyze a broad class of games that are like zero-sum games except that one player has an extra additive term in their payoff function that depends only on their own action. This result makes a broader class of game models relevant to security settings analyzable.
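As an added illustration (a constructed toy instance, not the report's own model or numbers), the following Python builds a small noise-free version of the hit-count game: the attacker picks how many hits k to attempt in N observation slots, the defender picks a threshold t and classifies the session as hostile once hits reach t, and the defender alone carries a false-alarm cost that depends only on t. It checks that the attacker's best response to any fixed threshold is one hit below it, that no pure-strategy equilibrium exists, that a hand-chosen randomized threshold guarantees the defender more than the best fixed one, and that adding the defender-only term to the attacker's payoff yields an equivalent zero-sum game. All parameters (N, penalty, false-alarm cost, benign hit rate) are assumptions.

```python
from math import comb

N = 6            # observation window (constructed)
PENALTY = 4.0    # attacker's loss when classified as hostile (constructed)
FA_COST = 3.0    # defender's cost per false alarm on a benign user (constructed)
P_BENIGN = 0.2   # per-slot chance that a benign user produces a "hit" (constructed)
ATTACKS = range(0, N + 1)      # k = hits attempted
THRESHOLDS = range(1, N + 2)   # t = N + 1 means "never flag"

def false_alarm_cost(t):
    """Additive term depending only on the defender's own action: expected cost
    of flagging a benign user whose hit count is Binomial(N, P_BENIGN)."""
    p_flag = sum(comb(N, h) * P_BENIGN**h * (1 - P_BENIGN)**(N - h) for h in range(t, N + 1))
    return FA_COST * p_flag

def attacker_payoff(k, t):
    return float(k) if k < t else -PENALTY

def defender_payoff(k, t):
    # zero-sum against the attacker, minus the defender-only false-alarm term
    return -attacker_payoff(k, t) - false_alarm_cost(t)

def shifted_attacker_payoff(k, t):
    """Adding a term that depends only on the opponent's action leaves the attacker's
    best responses unchanged and makes the game exactly zero-sum."""
    return attacker_payoff(k, t) + false_alarm_cost(t)

def attacker_best_response(sigma, payoff=attacker_payoff):
    """All k maximizing expected payoff against a distribution sigma = {t: prob}."""
    expected = {k: sum(p * payoff(k, t) for t, p in sigma.items()) for k in ATTACKS}
    best = max(expected.values())
    return [k for k, v in expected.items() if abs(v - best) < 1e-9]

def pure_nash_equilibria():
    """Pure profiles (k, t) from which neither player gains by deviating."""
    def stable(k, t):
        return (all(attacker_payoff(j, t) <= attacker_payoff(k, t) + 1e-9 for j in ATTACKS)
                and all(defender_payoff(k, u) <= defender_payoff(k, t) + 1e-9 for u in THRESHOLDS))
    return [(k, t) for k in ATTACKS for t in THRESHOLDS if stable(k, t)]

def guaranteed_payoff(sigma):
    """Defender's worst case over attacker actions when t is drawn from sigma."""
    return min(sum(p * defender_payoff(k, t) for t, p in sigma.items()) for k in ATTACKS)

def best_fixed_threshold():
    return max(THRESHOLDS, key=lambda t: guaranteed_payoff({t: 1.0}))

# Hand-constructed randomized threshold: t = 1 often enough that any attack (k >= 1)
# has negative expected value, but weighted toward t = 3 to hold down false alarms.
RANDOMIZED = {1: 0.25, 2: 0.15, 3: 0.60}
```

With these parameters the best fixed threshold (t = 2) guarantees the defender about -2.03, while the randomized threshold guarantees about -0.89 and leaves the attacker's unique best response at zero hits.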
- Computer Systems Management and Standards