A "noisy-rich" (NR) cyber-attacker (Lippmann et al. 2012) is one who tries all available vulnerabilities until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how NR-attackers will explore an enterprise network and how they will attack it, based on the concept of a system vulnerability dependency graph. We develop a mechanism by which the network can be modified by the defender to induce deception by placing honey nodes and apparent vulnerabilities into the network to minimize the expected impact of the NR-attacker's attacks (according to multiple measures of impact). We also consider the case where the adversary learns from blocked attacks using reinforcement learning. We run detailed experiments with real network data (but with simulated attack data) and show that Stackelberg Honey-based Adversarial Reasoning Engine performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. We also develop a method for the attacker to use reinforcement learning when his or her activities are stopped by the defender. We propose two stopping policies for the defender: Stop Upon Detection allows the attacker to learn about the defender's strategy and (according to our experiments) leads to significant damage in the long run, whereas Stop After Delay allows the defender to introduce greater uncertainty into the attacker, leading to better defendability in the long run.
Bibliographical noteFunding Information:
Parts of this work were funded by ARO Grants W911NF11103, W911NF09102, W911NF-13-1-0421, and W911NF-13-1-0317; by ONR Grant N00014-13-1-0703; and by the Maryland Procurement Office under contract number H98230-14-C-0137. Authors’ addresses: S. Jajodia, Center for Secure Information Systems, George Mason University, 4400 University Drive, Fairfax, VA, USA; email: firstname.lastname@example.org; N. Park, Department of Software and Information Systems, University of North Carolina, Charlotte, NC, USA; email: email@example.com; E. Serra, Computer Science Department, Boise State University, Boise, ID, USA; email: firstname.lastname@example.org; V. S. Subrahmanian, Computer Science Department, Dartmouth College, Hanover, NH, USA; email: email@example.com. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from firstname.lastname@example.org. © 2018 ACM 1533-5399/2018/03-ART30 $15.00 https://doi.org/10.1145/3137571
© 2018 ACM.
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications