Out-Learning Attackers: A Game Theoretic Approach to Cyber Defense

Abstract

In this project we have constructed a Markov Decision Process (MDP) model to demonstrate the value of not always expelling attackers found in a defender's information system. We have developed models to extract qualitative insights into the interaction of a defender trying to classify an attacker and an attacker trying to evade classification. In particular, we have developed a model in which the attacker chooses an attack rate and the defender chooses a detection threshold to apply after a fixed set of observations. In this model we show that pure strategy equilibria often do not exist. In a related model we allow the defender to dynamically adjust the observation window as he collects data, as in the well-known sequential probability ratio test. We show numerically that equilibria appear to exist in this model. In a further related model, we restructure the attacker's strategy to be a distribution across the number of hits to attempt in N steps (a mixed strategy). We show that the equilibrium can be computed efficiently, and we use that fact to extract qualitative insights. One insight is that the defender also ends up using a randomized detection threshold in Nash equilibrium, since against any fixed threshold the attacker will often just attack at a level just below the threshold. This finding suggests that defenders, and hence designers of security software, should consider using randomized detection and classification thresholds. Finally, our methodology allows us to efficiently analyze a broad class of games that are like zero-sum games except that one player has an extra additive term in their payoff function that depends only on their own action. This result makes analyzable a broader class of game models that are applicable to security settings.
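
As an added illustration (not the report's own model or code), the script below builds a constructed toy instance of the attacker-chooses-hits, defender-chooses-threshold game described above, with assumed parameters: N = 6 Bernoulli observation steps, a benign per-step hit rate of 0.15, a penalty of 3 for a flagged attacker and a false-positive cost of 4 for the defender. It applies the reduction of the "zero-sum plus an additive own-action term" game to an ordinary zero-sum matrix, checks that no pure-strategy equilibrium exists, shows that the attacker's best response to any fixed threshold sits just below it, and compares what the attacker can gain against the best fixed threshold with what it can gain against a randomized one.

```python
from itertools import product
from math import comb

# Constructed toy instance; every parameter value is an assumption, not a figure from the report.
N = 6            # fixed observation window: N Bernoulli steps
P_BENIGN = 0.15  # per-step hit probability of a benign user (background noise)
PENALTY = 3.0    # what the attacker loses when flagged
FP_COST = 4.0    # what the defender loses by flagging a benign user
HITS = range(N + 1)           # attacker action: number of hits k attempted in N steps
THRESHOLDS = range(1, N + 2)  # defender action: flag when hits >= t (t = N+1 means never flag)

def false_positive_rate(t):
    """P(Binomial(N, P_BENIGN) >= t): how often a benign user trips threshold t."""
    return sum(comb(N, j) * P_BENIGN ** j * (1 - P_BENIGN) ** (N - j) for j in range(t, N + 1))

def attacker_payoff(k, t):
    """The attacker keeps its k hits when below the threshold and pays a penalty when flagged."""
    return k if k < t else -PENALTY

def defender_payoff(k, t):
    """Zero-sum part plus an additive false-positive term that depends only on the defender's t."""
    return -attacker_payoff(k, t) - FP_COST * false_positive_rate(t)

# Because the extra term depends only on t, neither player's best responses change if we fold it
# into the attacker's payoff: M is an ordinary zero-sum matrix (attacker maximises, defender
# minimises) whose equilibria are exactly those of the original game.
M = {(k, t): attacker_payoff(k, t) + FP_COST * false_positive_rate(t)
     for k in HITS for t in THRESHOLDS}

def attacker_best_response(t):
    return max(HITS, key=lambda k: M[(k, t)])

def defender_best_response(k):
    return min(THRESHOLDS, key=lambda t: M[(k, t)])

def pure_equilibrium():
    """A (k, t) that is a saddle point of M, or None when no pure-strategy equilibrium exists."""
    for k, t in product(HITS, THRESHOLDS):
        if attacker_best_response(t) == k and defender_best_response(k) == t:
            return (k, t)
    return None

def attacker_gain_against(threshold_mix):
    """Best attacker payoff against a randomised threshold {t: probability}: max_k E_t[M[k, t]]."""
    return max(sum(q * M[(k, t)] for t, q in threshold_mix.items()) for k in HITS)

def best_pure_threshold():
    """The fixed threshold that minimises what the attacker can gain against it."""
    return min(THRESHOLDS, key=lambda t: attacker_gain_against({t: 1.0}))
```

With these parameters pure_equilibrium() returns None, attacker_best_response(t) is t - 1 for every t, and a uniform randomisation over thresholds 1..3 holds the attacker to a lower gain than the best fixed threshold (t = 2) does.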

Document Details

Document Type
Technical Report
Publication Date
Apr 01, 2013
Accession Number
ADA583626

Entities

People

  • Greg Frazier
  • John Musacchio
  • Pat Kreidl

Organizations

  • University of California, Santa Cruz

Tags

Communities of Interest

  • Cyber
  • Human Systems

DTIC Thesaurus Topics

  • Air Force
  • Air Force Research Laboratories
  • Bernoulli Distribution
  • Computational Science
  • Computer Network Security
  • Computer Security Software
  • Computers
  • Cyber Defense Techniques
  • Cybersecurity
  • Detection
  • Game Theory
  • Information Systems
  • Probability
  • Random Variables
  • Random Walk
  • Servers (Computer Hardware)
  • Zero-Sum Games

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Mathematical Modeling and Probability Theory
  • Regression Analysis

Technology Areas

  • Cyber
  • Cyber - Cryptography