Autonomous Agents and Multi-Agent Systems

, Volume 33, Issue 4, pp 430–456 | Cite as

A game-theoretic approach for selecting optimal time-dependent thresholds for anomaly detection

  • Amin Ghafouri
  • Aron Laszka
  • Waseem Abbas
  • Yevgeniy Vorobeychik
  • Xenofon KoutsoukosEmail author


Adversaries may cause significant damage to smart infrastructure using malicious attacks. To detect and mitigate these attacks before they can cause physical damage, operators can deploy anomaly detection systems (ADS), which can alarm operators to suspicious activities. However, detection thresholds of ADS need to be configured properly, as an oversensitive detector raises a prohibitively large number of false alarms, while an undersensitive detector may miss actual attacks. This is an especially challenging problem in dynamical environments, where the impact of attacks may significantly vary over time. Using a game-theoretic approach, we formulate the problem of computing optimal detection thresholds which minimize both the number of false alarms and the probability of missing actual attacks as a two-player Stackelberg security game. We provide an efficient dynamic programming-based algorithm for solving the game, thereby finding optimal detection thresholds. We analyze the performance of the proposed algorithm and show that its running time scales polynomially as the length of the time horizon of interest increases. In addition, we study the problem of finding optimal thresholds in the presence of both random faults and attacks. Finally, we evaluate our result using a case study of contamination attacks in water networks, and show that our optimal thresholds significantly outperform fixed thresholds that do not consider that the environment is dynamical.


Anomaly detection systems Game theory Smart infrastructure Stackelberg security game Random faults 



Funding was provided by National Science Foundation (Grant No. CNS-1238959).


  1. 1.
    Alippi, C., & Roveri, M. (2006). An adaptive CUSUM-based test for signal change detection. In: Proceedings of the 2006 IEEE ISCAS, pp. 5752–5755Google Scholar
  2. 2.
    Alpcan, T., & Basar, T. (2003). A game theoretic approach to decision and analysis in network intrusion detection. In: Proceedings of the 42nd IEEE Conference on Decision and Control (CDC), IEEE, vol 3, pp. 2595–2600Google Scholar
  3. 3.
    Alpcan, T., & Başar, T. (2004). A game theoretic analysis of intrusion detection in access control systems. In: Proceedings of the 43rd IEEE Conference on Decision and Control (CDC), IEEE, vol 2, pp. 1568–1573Google Scholar
  4. 4.
    Arad, J., et al. (2013). A dynamic thresholds scheme for contaminant event detection in water distribution systems. Water Research, 47, 1899–1908.CrossRefGoogle Scholar
  5. 5.
    Basseville, M., & Nikiforov, I. V. (1993). Detection of abrupt changes: Theory and application (Vol. 104). Englewood Cliffs: Prentice Hall.zbMATHGoogle Scholar
  6. 6.
    CANARY. (2010). Canary: A water quality event detection tool., [Online; Accessed October 20, 2016]
  7. 7.
    Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Surveys (CSUR), 41(3), 15.CrossRefGoogle Scholar
  8. 8.
    Deng, Y., Jiang, W., & Sadiq, R. (2011). Modeling contaminant intrusion in water distribution networks: A new similarity-based dst method. Expert Systems with Applications, 38(1), 571–578.CrossRefGoogle Scholar
  9. 9.
    Di Nardo, A., et al. (2013). Water network protection from intentional contamination by sectorization. Water Resources Management, 27(6), 1837–1850.CrossRefGoogle Scholar
  10. 10.
    Estiri, M., & Khademzadeh, A. (2010). A theoretical signaling game model for intrusion detection in wireless sensor networks. In: Proceedings of the 14th NETWORKS, IEEE, pp. 1–6Google Scholar
  11. 11.
    Ghafouri, A., Abbas, W., Laszka, A., Vorobeychik, Y., & Koutsoukos, X. (2016). Optimal thresholds for anomaly-based intrusion detection in dynamical environments. In: Proceedings of the 7th Conference on Decision and Game Theory for Security (GameSec), pp. 415–434Google Scholar
  12. 12.
    Gibbons, R. D. (1999). Use of combined shewhart-cusum control charts for ground water monitoring applications. Ground Water, 37(5), 682–691.CrossRefGoogle Scholar
  13. 13.
    Gleick, P. H. (2006). Water and terrorism. Water Policy, 8(6), 481–503.CrossRefGoogle Scholar
  14. 14.
    Hall, J., et al. (2007). On-line water quality parameters as indicators of distribution system contamination. Journal—American Water Works Association, 99(1), 66–77.CrossRefGoogle Scholar
  15. 15.
    Hart, D., et al. (2007). CANARY: A water quality event detection algorithm development tool. In: Proceedings of the World Environmental and Water Resources CongressGoogle Scholar
  16. 16.
    Klise, K.A., & McKenna, S.A. (2006). Water quality change detection: Multivariate algorithms. In: Proceedings of the International Society for Optical Engineering, Defense and Security Symposium, International Society for Optics and PhotonicsGoogle Scholar
  17. 17.
    Korzhyk, D., Yin, Z., Kiekintveld, C., Conitzer, V., & Tambe, M. (2011). Stackelberg vs. nash in security games: An extended investigation of interchangeability, equivalence, and uniqueness. Journal of Artificial Intelligence Research, 41, 297–327.MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Laszka, A., Johnson, B., & Grossklags, J. (2013). Mitigating covert compromises: A game-theoretic model of targeted and non-targeted covert attacks. In: Proceedings of the 9th Conference on Web and Internet Economics (WINE), pp 319–332Google Scholar
  19. 19.
    Luo, Y., Li, Z., & Wang, Z. (2009). Adaptive cusum control chart with variable sampling intervals. Computational Statistics & Data Analysis, 53, 2693–2701.MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Mac Nally, R., & Hart, B. (1997). Use of cusum methods for water-quality monitoring in storages. Environmental Science & Technology, 31(7), 2114–2119.CrossRefGoogle Scholar
  21. 21.
    Mayer, P.W., et al. (1999). Residential end uses of waterGoogle Scholar
  22. 22.
    McKenna, S. A., Wilson, M., & Klise, K. A. (2008). Detecting changes in water quality data. Journal—American Water Works Association, 100(1), 74.CrossRefGoogle Scholar
  23. 23.
    Page, E. (1954). Continuous inspection schemes. Biometrika, 41(1/2), 100–115.MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Paruchuri, P., Pearce, J.P., Marecki, J., Tambe, M., Ordonez, F., & Kraus, S. (2008). Playing games for security: An efficient exact algorithm for solving bayesian stackelberg games. In: International Conference on Autonomous Agents and Multiagent Systems, International Foundation for Autonomous Agents and Multiagent Systems, pp. 895–902Google Scholar
  25. 25.
    Patcha, A., & Park, J.M. (2004). A game theoretic approach to modeling intrusion detection in mobile ad hoc networks. In: Proceedings of the 5th Annual IEEE SMC Information Assurance Workshop, IEEE, pp. 280–284Google Scholar
  26. 26.
    Pawlick, J., Farhang, S., & Zhu, Q. (2015). Flip the cloud: Cyber-physical signaling games in the presence of advanced persistent threats. In: Proceedings of the 6th International Conference on Decision and Game Theory for Security (GameSec), Springer, pp. 289–308Google Scholar
  27. 27.
    Pedregosa, F., et al. (2011). Scikit-learn: Machine learning in Python. Journal of Machine Learning Research, 12, 2825–2830.MathSciNetzbMATHGoogle Scholar
  28. 28.
    Perelman, L., et al. (2012). Event detection in water distribution systems from multivariate water quality time series. Environmental Science & Technology, 46, 8212–8219.CrossRefGoogle Scholar
  29. 29.
    Shen, S., Li, Y., Xu, H., & Cao, Q. (2011). Signaling game based strategy of intrusion detection in wireless sensor networks. Computers & Mathematics with Applications, 62(6), 2404–2416.MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    Tambe, M. (Ed.). (2011). Security and game theory: Algorithms, deployed systems, lessons learned. Cambridge: Cambridge University Press.zbMATHGoogle Scholar
  31. 31.
    Urbina, D.I., et al. (2016). Limiting the impact of stealthy attacks on industrial control systems. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, pp. 1092–1105Google Scholar
  32. 32.
    Van Dijk, M., et al. (2013). Flipit: The game of “stealthy takeover”. Journal of Cryptology, 26(4), 655–713.MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Verdier, G., et al. (2008). Adaptive threshold computation for cusum-type procedures in change detection and isolation problems. Computational Statistics & Data Analysis, 52(9), 4161–4174.MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Institute for Software Integrated SystemsVanderbilt UniversityNashvilleUSA
  2. 2.Department of Computer ScienceUniversity of HoustonHoustonUSA
  3. 3.Department of Electrical EngineeringInformation Technology UniversityLahorePakistan

Personalised recommendations