A fictitious play‐based response strategy for multistage intrusion defense systems
dc.contributor.author | Luo, Yi | en_US |
dc.contributor.author | Szidarovszky, Ferenc | en_US |
dc.contributor.author | Al‐nashif, Youssif | en_US |
dc.contributor.author | Hariri, Salim | en_US |
dc.date.accessioned | 2014-03-05T18:18:49Z | |
dc.date.available | 2015-04-16T14:24:20Z | en_US |
dc.date.issued | 2014-03 | en_US |
dc.identifier.citation | Luo, Yi; Szidarovszky, Ferenc; Al‐nashif, Youssif; Hariri, Salim (2014). "A fictitious play‐based response strategy for multistage intrusion defense systems." Security and Communication Networks 7(3): 473-491. | en_US |
dc.identifier.issn | 1939-0114 | en_US |
dc.identifier.issn | 1939-0122 | en_US |
dc.identifier.uri | https://hdl.handle.net/2027.42/106062 | |
dc.description.abstract | The recent developments of advanced intrusion detection systems in the cyber security field provide opportunities to proactively protect computer network systems and minimize the impact of attackers on network operations. This paper is intended to help the network defender find its best actions to defend against multistage attacks. The possible sequences of interactions between the attackers and the network defender are modeled as a two‐player non‐zero‐sum non‐cooperative dynamic multistage game with incomplete information. The players are assumed to be rational. They take turns in making decisions by considering previous and possible future interactions with the opponent, and they use Bayesian analysis after each interaction to update their knowledge about the opponent. We propose a Dynamic game tree‐based Fictitious Play (DFP) approach to describe the repeated interactive decisions of the players. Each player finds its best moves at its decision nodes of the game tree by using multi‐objective analysis. All possibilities are considered together with their uncertain future interactions, which are based on learning the opponent's decision process (including risk attitude and objectives). Instead of searching the entire game tree, appropriate future time horizons are dynamically determined for both players. In the DFP approach, the defender keeps tracking the opponent's actions, predicts the probabilities of future possible attacks, and then chooses its best moves. Thus, a new defense algorithm, called Response by DFP (RDFP), is developed. Numerical experiments show that this approach significantly reduces the damage caused by multistage attacks and that it is also more efficient than other related algorithms. Copyright © 2013 John Wiley & Sons, Ltd.
In the cybersecurity field, the possible sequences of interactions between the attackers and the network defender are modeled as a two‐player non‐zero‐sum non‐cooperative dynamic multi‐stage game with incomplete information. Based on the recent developments of advanced intrusion detection systems, a new defense algorithm, called Response by Dynamic game tree‐based Fictitious Play (RDFP), is developed for the defender to consider previous and possible future interactions with the attackers, update his/her knowledge about the opponents, and find the best defending strategies quickly. | en_US |
dc.publisher | Kluwer Academic Publishers | en_US |
dc.publisher | Wiley Periodicals, Inc. | en_US |
dc.subject.other | Fictitious Play | en_US |
dc.subject.other | Intrusion Defense | en_US |
dc.subject.other | Decision Making Under Uncertainty | en_US |
dc.title | A fictitious play‐based response strategy for multistage intrusion defense systems | en_US |
dc.type | Article | en_US |
dc.rights.robots | IndexNoFollow | en_US |
dc.subject.hlbsecondlevel | Computer Science | en_US |
dc.subject.hlbtoplevel | Engineering | en_US |
dc.description.peerreviewed | Peer Reviewed | en_US |
dc.description.bitstreamurl | http://deepblue.lib.umich.edu/bitstream/2027.42/106062/1/sec730.pdf | |
dc.identifier.doi | 10.1002/sec.730 | en_US |
dc.identifier.source | Security and Communication Networks | en_US |
dc.owningcollname | Interdisciplinary and Peer-Reviewed |