
Game Theory-Based Approach for Defense Against APTs

Conference paper, Applied Cryptography and Network Security (ACNS 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12147)

Abstract

The sophistication of Advanced Persistent Threats (APTs) targeting industrial ecosystems has increased dramatically in recent years. This makes it mandatory to develop advanced security services beyond traditional solutions, Opinion Dynamics being one of them. This novel approach proposes a multi-agent collaborative framework that makes it possible to trace an APT throughout its entire life-cycle, as analyzed in earlier work. In this paper, we introduce TI&TO, a two-player game between an attacker and a defender that represents a realistic scenario where both compete for the control of the resources within a modern industrial architecture. By validating this technique using game theory, we demonstrate that Opinion Dynamics constitutes an effective first measure to deter and minimize the impact of an APT against the infrastructure in most cases. To achieve this, both the attacker and defender models are formalized and an equitable score system is applied, and several simulation test cases are then run with different strategies and network configurations.


References

  1. Kaspersky Lab ICS CERT. Threat landscape for industrial automation systems. H2 2018 (2019). https://ics-cert.kaspersky.com/reports/2019/03/27/threat-landscape-for-industrial-automation-systems-h2-2018/. Accessed Sept 2019

  2. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)

  3. Lemay, A., Calvet, J., Menet, F., Fernandez, J.M.: Survey of publicly available reports on advanced persistent threat actors. Comput. Secur. 72, 26–59 (2018)

  4. Virvilis, N., Gritzalis, D.: The big four-what we did wrong in advanced persistent threat detection? In: 2013 International Conference on Availability, Reliability and Security, pp. 248–254. IEEE (2013)

  5. Rubio, J.E., Alcaraz, C., Lopez, J.: Preventing advanced persistent threats in complex control networks. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 402–418. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66399-9_22

  6. Lin, C.-T.: Structural controllability. IEEE Trans. Autom. Control 19(3), 201–208 (1974)

  7. Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V., Wu, Q.: A survey of game theory as applied to network security. In: 2010 43rd Hawaii International Conference on System Sciences, pp. 1–10. IEEE (2010)

  8. Rubio, J.E., Roman, R., Alcaraz, C., Zhang, Y.: Tracking advanced persistent threats in critical infrastructures through opinion dynamics. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11098, pp. 555–574. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99073-6_27

  9. Rubio, J.E., Manulis, M., Alcaraz, C., Lopez, J.: Enhancing security and dependability of industrial networks with opinion dynamics. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 263–280. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_13

  10. Rubio, J.E., Roman, R., Alcaraz, C., Zhang, Y.: Tracking APTs in industrial ecosystems: a proof of concept. J. Comput. Secur. 27, 521–546 (2019)

  11. Lopez, J., Rubio, J.E., Alcaraz, C.: A resilient architecture for the smart grid. IEEE Trans. Ind. Inf. 14, 3745–3753 (2018)

  12. Hegselmann, R., Krause, U., et al.: Opinion dynamics and bounded confidence models, analysis, and simulation. J. Artif. Soc. Soc. Simul. 5(3) (2002)

  13. Lye, K., Wing, J.M.: Game strategies in network security. Int. J. Inf. Secur. 4(1–2), 71–86 (2005)

  14. Nguyen, K.C., Alpcan, T., Basar, T.: Security games with incomplete information. In: 2009 IEEE International Conference on Communications, pp. 1–6. IEEE (2009)

  15. Patcha, A., Park, J.-M.: A game theoretic approach to modeling intrusion detection in mobile ad hoc networks. In: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, pp. 280–284. IEEE (2004)

  16. Van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: FlipIt: the game of “stealthy takeover”. J. Cryptol. 26(4), 655–713 (2013)

  17. Alpcan, T., Basar, T.: A game theoretic analysis of intrusion detection in access control systems. In: 2004 43rd IEEE Conference on Decision and Control (CDC) (IEEE Cat. No. 04CH37601), vol. 2, pp. 1568–1573. IEEE (2004)

  18. Watts, D.J., Strogatz, S.H.: Collective dynamics of ‘small-world’ networks. Nature 393(6684), 440 (1998)

  19. Pagani, G.A., Aiello, M.: The power grid as a complex network: a survey. Physica A 392(11), 2688–2700 (2013)

  20. Haynes, T.W., Hedetniemi, S.M., Hedetniemi, S.T., Henning, M.A.: Domination in graphs applied to electric power networks. SIAM J. Discret. Math. 15(4), 519–529 (2002)

  21. Kneis, J., Mölle, D., Richter, S., Rossmanith, P.: Parameterized power domination complexity. Inf. Process. Lett. 98(4), 145–149 (2006)

  22. Simaan, M., Cruz, J.B.: On the Stackelberg strategy in nonzero-sum games. J. Optim. Theory Appl. 11(5), 533–555 (1973)

Acknowledgments

This work has been partially supported by the EU H2020-SU-ICT-03-2018 Project No. 830929 CyberSec4Europe (cybersec4europe.eu), the EU H2020-MSCA-RISE-2017 Project No. 777996 (SealedGRID), and by a 2019 Leonardo Grant for Researchers and Cultural Creators of the BBVA Foundation. Likewise, the work of the first author has been partially financed by the Spanish Ministry of Education under the FPU program (FPU15/03213).

Author information

Correspondence to Cristina Alcaraz .

Appendices

A Instantiation of \(\varPsi \), \(\varUpsilon \) and \(\varTheta \) Values

In Sect. 3.3 we presented an ordered set of probabilities \(\varTheta \) that are mapped to the different attack stages to represent the cost that every movement of the attacker implies, as summarized in Table 2. There are multiple reasons behind this mapping, which are summarized as follows:

  1. We assign the lowest level of detection probability (\(\theta _1\)) only to the devices in the neighbourhood of the affected node in a lateral movement, since some discovery queries will normally raise subtle network alerts.

  2. The second lowest probability of detection (\(\theta _2\)) is linked to the elements that are the target of a lateral movement, because these connections usually leverage stealthy techniques to go unnoticed.

  3. An initial intrusion causes a mild detection probability \(\theta _3\), since the attacker makes use of either zero-day vulnerabilities or social engineering techniques; this is a crucial stage for the attacker to succeed at breaking into the network through the ‘patient zero’.

  4. \(\theta _4\) and \(\theta _5\) are assigned to devices (from the IT and OT section, respectively) causing the delivery of malware to establish a connection to an uncompromised node in a lateral movement. Specifically, since the heterogeneity of traffic is lower and the criticality of the resources in the OT segment is greater, anomalies there are more likely to be detected than in the IT section. On the other hand, \(\theta _5\) is also assigned to the nodes involved in a link removal stage, since it is an evident anomaly sensed by both agents.

  5. The highest probability of detection (\(\theta _6\)) is assigned to the last stage of the APT, as it usually causes major disruption in the functionality of a device, or the attacker manages to connect to an external network to exfiltrate information, which is easily detected.

Considering a realistic scenario and according to the methodology explained in [8], we have assigned values for this ordered set and also for \(\varPsi \) and \(\varUpsilon \) sets, which regulate the criticality and vulnerability of resources in our simulations. This instantiation of values is shown in Table 4. For the interest of realism and to represent a certain level of randomness in the accuracy of the detection mechanisms that every agent embodies, these values will also include a random deviation in the experiments, with a maximum value of \(\pm 0.1\).

Table 4. Instances of the \(\varPsi ,\varUpsilon ,\varTheta \) ordered sets used in the simulations

B Example of Game Instance with Defender Victory

We have seen that the best results for the defender are achieved when two hops of distance are considered and honeypots are also introduced. In this case, the use of these two tools (besides the redundancy) is enough to win most of the games. The rationale behind this result is simple: when the attacker attempts to compromise one of these fake nodes, a great anomaly is generated that is detected by the defender, as long as he or she manages to cover a wide area that contains the current position of the attacker (i.e., when 2 or more hops of distance are leveraged by the local Opinion Dynamics). This behavior is shown in Fig. 7: in this network, the attacker traverses the nodes and they are immediately healed (they are labeled with an ‘X’ when they are attacked and ‘H’ when they are healed, along with the anomaly measured by Opinion Dynamics). In the last movement, the attacker attempts to compromise a honeypot (depicted with a diamond shape) and the defender manages to locate and eradicate the infection. Since the attacker does not possess any other compromised node, the game is over.

Fig. 7. Example of defender-win after the attacker compromises a honeypot

C Correctness Proof of TI&TO

This section presents the correctness proof of TI&TO for the different cases that may occur during a certain game instance. This problem is solved when these conditions are met:

  1. The attacker can find an IT/OT device to compromise within the infrastructure.

  2. The defender is able to trace the threat and heal a node, thanks to the Opinion Dynamics detection.

  3. The game system is able to properly finish in a finite time (termination condition).

The first requirement is satisfied since we assume that the attacker can perform different attack stages to define his/her strategy over the game board (assuming \(V\ne \oslash \)), such as lateral movements, link removal or destruction. The modus operandi of the attacker is systematic, beginning with a random node \(v_0 \in V_{IT}\cup V_{OT}\) at \(t=0\) which is compromised (see Algorithm 1). Then, A penetrates the infrastructure to ultimately gain control of the operational or corporate network, where a certain node is finally disrupted (\(V_{OT}\)) after a set of \(\sigma \) lateral movements. At an intermediate time t of the game, the attacker can execute a new stage as long as there is at least one node \(v_a\) such that \(N_{v_a}(t)=1\), which becomes the new attackedNode in Algorithm 1. When the state of all nodes is set to zero, the game terminates.

The second requirement is also met with the inclusion of intrusion detection solutions on every agent \(a_i \in A\) that facilitate the correlation of events. With the local execution of the Opinion Dynamics correlation from \(t=1\) on the node that presents the greatest anomaly (using one or two hops of distance), we ensure that the agents associated with the resulting subgraph of nodes will have an opinion \(x_i(t) \ge 0\). According to Algorithm 2, this means that D will heal the node with maximum opinion if that value surpasses the threshold (0.5, as explained in Sect. 3.4), setting its state back to zero and updating the detection area. Otherwise, he/she will remain idle during that turn.

We can demonstrate the third requirement (corresponding to the termination of the approach) through induction. More precisely, we specify the initial conditions and the base case, namely:

  • Precondition: We assume the attacker models an APT perpetrated against the infrastructure defined by graph G(V, E) where \(V\ne \oslash \), following the strategy explained in Algorithm 1. On the other side, the defender leverages Opinion Dynamics to visualize the threat evolution across the infrastructure and eventually repair nodes, following the procedure described in Algorithm 2.

  • Postcondition: The attacker reaches the network G(V, E) and compromises at least one node in V such that \(S^A \ne \oslash \) and continues to compromise more devices in the loop in Algorithm 1, to achieve \(numSteps=\sigma \). Player D executes Opinion Dynamics to detect and heal the most affected nodes after executing the correlation. The game evolves until any of the termination states (see Sect. 3.2) are reached.

  • Case 1: \(numSteps=\sigma \), but gameState is still set to zero. In this case, player A has successfully traversed the network having \(Victims \ne \oslash \). Therefore, he/she needs to launch the Destruction movement over the attackedNode. This makes gameState comply with \(TS_1\) temporarily until the defender moves. If D manages to heal attackedNode and \(Victims=\oslash \), then the game also terminates, with \(TS_3\).

  • Case 2: \(numSteps < \sigma \). In this case, the next stage in \(S^A\) implies a lateral movement. If the attacker is still in the section where the first intrusion took place (whether IT or OT), he/she must locate a firewall to penetrate the other section before increasing numSteps. After this, the defender can make his/her movement and potentially heal a node, which can make the attacker remove a link in the following iteration. If the node healed is attackedNode, the attacker must choose another node in Victims, resetting \(numSteps=0\). In the event that \(Victims=\oslash \), then the game terminates with state \(TS_2\).

  • Induction: If we assume that we are in step t (\(t \ge 1\)) in the loop in Algorithm 1, then Case 1 is going to be considered until A completes his/her strategy (\(TS_1\) or \(TS_3\)). In any other case, Case 2 applies until achieving \(numSteps=\sigma \) (hence applying Case 1 again) or \(Victims=\oslash \). In this last case, the game finishes with \(TS_2\).
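A simplified simulation of the case analysis above, added here as an illustration and not the authors' code: the attacker performs lateral movements until numSteps reaches \(\sigma \) and then launches Destruction over attackedNode, the defender heals the node with the largest opinion whenever it exceeds the 0.5 threshold, and the loop reports which of \(TS_1\), \(TS_2\) or \(TS_3\) ended the game. The anomaly values are an assumed stand-in for the Opinion Dynamics correlation, the \(\theta \) values are constructed stand-ins ordered as in Appendix A (Table 4 is not reproduced on this page), and firewall crossing and link removal are not modelled.

```python
import random

# Constructed stand-ins for the ordered set Theta of Appendix A (theta_2 lowest
# here, theta_6 highest); the real Table 4 values are not on this page.
THETA = {"lateral_target": 0.20, "initial": 0.35, "delivery_it": 0.45,
         "delivery_ot": 0.55, "destruction": 0.80}
THRESHOLD = 0.5       # healing threshold of Sect. 3.4
MAX_DEVIATION = 0.1   # maximum random deviation applied to theta (Appendix A)

def anomaly(stage, rng):
    """Anomaly sensed for an attack stage: theta plus a bounded random deviation."""
    return min(1.0, max(0.0, THETA[stage] + rng.uniform(-MAX_DEVIATION, MAX_DEVIATION)))

def play(graph, sigma, seed=0, max_turns=200):
    """One simplified TI&TO instance on an adjacency dict; returns (state, turn)."""
    rng = random.Random(seed)
    opinions = {v: 0.0 for v in graph}        # stand-in for the Opinion Dynamics output
    attacked = rng.choice(sorted(graph))      # v_0 compromised at t = 0
    victims, steps = {attacked}, 0
    opinions[attacked] = anomaly("initial", rng)
    for t in range(1, max_turns + 1):
        # Attacker turn: Destruction once numSteps == sigma (Case 1), else a lateral
        # movement to an uncompromised neighbour (Case 2); link removal is not modelled.
        destroying = steps == sigma
        if destroying:
            opinions[attacked] = anomaly("destruction", rng)
        else:
            targets = sorted(n for n in graph[attacked] if n not in victims)
            if targets:
                nxt = rng.choice(targets)
                stage = "delivery_ot" if nxt.startswith("ot") else "delivery_it"
                opinions[attacked] = max(opinions[attacked], anomaly(stage, rng))
                opinions[nxt] = anomaly("lateral_target", rng)
                victims.add(nxt)
                attacked, steps = nxt, steps + 1
        # Defender turn: heal the node with the largest opinion if it exceeds 0.5.
        worst = max(opinions, key=opinions.get)
        healed = opinions[worst] > THRESHOLD
        if healed:
            opinions[worst] = 0.0
            victims.discard(worst)
        if destroying:
            if healed and worst == attacked and not victims:
                return "TS_3", t              # destruction eradicated, no victims left
            if not (healed and worst == attacked):
                return "TS_1", t              # destruction stands
        if healed and worst == attacked:      # attacker must relocate to another victim
            if not victims:
                return "TS_2", t
            attacked, steps = rng.choice(sorted(victims)), 0
    return "UNDECIDED", max_turns             # turn bound hit; not one of the page's states
```

With \(\sigma = 0\) the attacker destroys on the first turn and, since the destruction anomaly always exceeds the threshold here, the defender heals it immediately and the game ends with \(TS_3\) at turn 1.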

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Rubio, J.E., Alcaraz, C., Lopez, J. (2020). Game Theory-Based Approach for Defense Against APTs. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science(), vol 12147. Springer, Cham. https://doi.org/10.1007/978-3-030-57878-7_15

  • DOI: https://doi.org/10.1007/978-3-030-57878-7_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57877-0

  • Online ISBN: 978-3-030-57878-7