Deception in Honeynets: A Game-Theoretic Analysis


Proceedings of the 2007 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2007

Nandan Garg and Daniel Grosu

ISBN 9-9999-9999-9/99/ $. © 2007 IEEE

Abstract: Recently, honeynets became one of the main tools for understanding the characteristics of malicious attacks and the behavior of the attackers. However, the attackers may identify the honeypots and avoid attacking them. Thus the honeynet administrators must be able to deceive the attackers and induce them to attack the honeypots. In this paper we propose a game theoretic framework for modeling deception in honeynets. The framework is based on extensive games of imperfect information. We study the equilibrium solutions of these games and show how they are used to determine the strategies of the attacker and the honeynet system.

Index Terms - deception, game theory, honeynets, security

I. Introduction

A honeypot as defined by the Honeynet Project [] is an information system resource whose value lies in unauthorized access or illicit use of that resource. In this paper we consider a honeypot to be a host that is left unprotected and available to the attackers. By extension we consider that a honeynet is composed of a set of interconnected honeypots. These systems are carefully monitored in order to learn new vulnerabilities, tools and techniques used to gain access. Honeynets are useful for analyzing large-scale attacks such as worms, viruses and botnets and have little value for analyzing specialized attacks targeted to a particular host. Recently, with the increase in the frequency of Internet attacks, several research groups and organizations developed and deployed honeynet systems. The idea behind honeynets is the use of deception, a classical counter-intelligence technique which was and is still used extensively by intelligence organizations. The computer security community began considering this idea only recently, [] being the first known reference mentioning it.

Manuscript received January 2007. Nandan Garg is with the Dept. of Computer Science, Wayne State University, Detroit, MI 48 USA (email: nandang@wayne.edu). Daniel Grosu is with the Dept. of Computer Science, Wayne State University, Detroit, MI 48 USA (phone: -577-57; fax: -577-6868; email: dgrosu@cs.wayne.edu).

Depending on the level of interaction between the attacker and the monitored system, honeynets can be classified into two categories: low-interaction honeynets and high-interaction honeynets. Low-interaction honeynets simulate a minimal set of system functionalities such as the network stack. The main advantage of low-interaction honeynets is their scalability, allowing the monitoring of hundreds of thousands of IP addresses. The major disadvantage is that they cannot monitor in detail the attacker's actions once the host is compromised. High-interaction honeynets simulate all the functionalities of a real system, thus allowing the gathering of much richer information on the attacker's actions. The disadvantage of using high-interaction honeynets is their high cost and difficult management. When the honeypot is a real machine with its own IP address we call it a physical honeypot. If the honeypot is a simulated host then we have a virtual honeypot. The physical honeypots are very expensive to install and maintain and are not scalable, while the virtual honeypots are scalable and inexpensive. Attackers have certain ways to probe the network attempting to identify the honeypots []. Many current honeynet deployments do not use specific strategies to prevent the mapping of honeypots by the attackers. When a host is probed, it gives some response. This response is valuable to the attacker as she gains information about the honeynet. One way a defender can avoid the mapping of honeypots is to cleverly manipulate the response to the probe and deceive the attacker. Our goal in this paper is to provide a game theoretical framework for modeling and characterizing deception in honeynets.

A. Related Work

Low-interaction honeypots usually monitor a large range of IP addresses and they have been very successful in identifying large scale worm outbreaks [4], understanding distributed denial-of-service attacks [5] and creating intrusion detection signatures [6]. Network telescopes [7], [8], [9] are examples of successful deployments that passively monitor inbound packets without completing the TCP handshake. iSink [9] is a measurement system deployed to monitor background radiation which employs active responders that emulate the real network behavior an attacker expects. Honeyd [] is a low-interaction system that simulates the networking stack of different computer systems. In order to simulate real networks it creates virtual networks consisting of arbitrary routing topologies. The simplest way to implement high-interaction honeypots is to have individual servers for each monitored IP address. Since this approach is very expensive, recently several researchers proposed the use of virtual machine environments to implement multiple honeypots on a single server [], []. These systems are easy to manage and have a reduced deployment cost while they provide all functionalities of a real system. Vrable et al. [] presented Potemkin, a prototype honeynet that uses the virtual machine approach supporting over 64,000 honeypots using only a few physical servers.

Deception techniques for defending information systems have been investigated by several researchers. Cohen [] provides a comprehensive discussion of deception issues for information protection. Among the conclusions of the above study is that deception is a valuable tool for intrusion detection and it has a positive effect on the defense and a negative effect on the attackers. The author stressed the need for rigorous mathematical analysis of deception in information protection. Cohen and Koike [4] show how deception can be used to control the path of a computer system attack. Deception Toolkit (DTK) [] is a collection of scripts that allows the emulation of different known vulnerabilities in order to deceive the attackers. Rowe et al. [5] suggested the use of fake honeypots to scare away possible attackers. They also discuss the escalation of honeypot anti-honeypot techniques. Rowe [6] presented several tools for evaluating honeypot deceptions.

B. Contributions

The contribution of this paper consists of a game theoretic framework for modeling and analyzing deception in honeynets. We propose and analyze a strategic game model for the honeynet system. We determine the equilibrium solutions for this model and analyze the corresponding strategies of the attacker and the defender. We also propose the use of extensive games of imperfect information to analyze deception strategies in honeynets. We show how the proposed game can be used to model the attacker-honeynet interactions. We analyze the mixed strategy equilibrium solutions of the proposed game and characterize the deception moves of the defender and the corresponding attacker's actions. To our knowledge, this is the first work proposing a model of the attacker-honeynet interactions based on an extensive game of imperfect information.

C. Organization

The rest of the paper is structured as follows. In Sect. II we describe a prototype strategic form game that models the attacker and the honeynet system. In Sect. III we propose the honeynet deception games in extensive form and discuss their properties. In Sect. IV we draw conclusions and present future directions.

II. A Prototype Honeynet Game in Strategic Form

We consider the attacker and the honeynet system as players in a strategic noncooperative game. We denote the attacker by A and the defender, which is the honeynet system, by D. The honeynet is assumed to be composed of k honeypot hosts out of n possible hosts within a block of IP addresses. The attacker must choose to attack one of these hosts. The goal of the attacker is to attack a host that is not a honeypot, while the goal of the defender is to have a honeypot attacked by the attacker. In this initial model we assume that the attacker and the defender make their decisions independently and without any knowledge of the opponent player's moves. We call the game that models this situation an (n, k)-honeynet game, denoted as HG(n,k).

Definition 1: An (n,k)-honeynet game consists of:
(i) the set of players N = {A, D}.
(ii) the set of actions for each player:
(a) $A_D = \{(x_1, x_2, \ldots, x_n) \mid k \text{ vector components are } 1 \text{ and } n-k \text{ components are } 0\}$. If $x_i = 1$ then D places a honeypot at position (address) i. If $x_i = 0$ then D places a regular host at position i.
(b) $A_A = \{j \mid j = 1, \ldots, n\}$. A chooses to attack host j.
(iii) the payoff functions of each player:

$$u_A((x_1, x_2, \ldots, x_n), j) = \begin{cases} -c_1 & \text{if } x_j = 1, \\ c_2 & \text{if } x_j = 0 \end{cases} \qquad u_D((x_1, x_2, \ldots, x_n), j) = \begin{cases} c_1 & \text{if } x_j = 1, \\ -c_2 & \text{if } x_j = 0 \end{cases} \qquad (1)$$

where $c_i > 0$ for $i \in \{1, 2\}$. The parameter $c_1$ represents the payoff gained by the defender and also the loss incurred by the attacker if the attacker attacks a honeypot. The parameter $c_2$ represents the payoff gained by the attacker and also the loss incurred by the defender if the attacker attacks a regular host.

As an example we consider a (2,1)-honeynet game, HG(2,1). The payoff matrix for this game is given below. In this matrix the row player is A and the column player is D. The first component of the payoff pairs given in the matrix represents the payoff to A while the second component represents the payoff to D.

                        D plays (1,0)     D plays (0,1)
    A attacks host 1    (-c_1, c_1)       (c_2, -c_2)
    A attacks host 2    (c_2, -c_2)       (-c_1, c_1)

One solution concept for strategic games is the Nash equilibrium [7], [8]. An action profile is a tuple with an entry containing the action for each player. An action profile is a Nash equilibrium when no player can do better by altering her action.

Definition 2 (Nash equilibrium [9]): An action profile $a^* = (a^*_1, a^*_2, \ldots, a^*_n)$ is a Nash equilibrium if

$$u_i(a^*) \ge u_i(a_i, a^*_{-i}) \quad \text{for every action } a_i \text{ of player } i, \qquad (2)$$

where $a^*_{-i}$ is an action profile without player i, i.e., $a^*_{-i} = (a^*_1, \ldots, a^*_{i-1}, a^*_{i+1}, \ldots, a^*_n)$. Any change of action by player i will reduce her payoff and consequently she will choose not to alter her action.

As can be seen from the payoff matrix above, HG(2,1) does not have a Nash equilibrium in pure strategies. Thus we need to consider mixed strategies, since for a finite strategic game we will always be able to find a Nash equilibrium in mixed strategies [9]. A mixed strategy of a player is a probability distribution over the player's pure strategies. In the following we formally define the concept of Nash equilibrium in mixed strategies.

Definition 3 (Mixed strategy Nash equilibrium [9]): The mixed strategy profile $\alpha^*$ is a mixed strategy Nash equilibrium if $u_i(\alpha^*) \ge u_i(\alpha_i, \alpha^*_{-i})$ for every mixed strategy $\alpha_i$ of player i, where $\alpha^*_{-i}$ is the action profile without player i, i.e., $\alpha^*_{-i} = (\alpha^*_1, \ldots, \alpha^*_{i-1}, \alpha^*_{i+1}, \ldots, \alpha^*_n)$.

A pure strategy is a mixed strategy with an action that has probability 1. In the case of HG(2,1) we denote by $a_i$, $i \in \{1, 2\}$ the pure strategy of A in which A attacks host i, and by $d_i$, $i \in \{1, 2\}$ the pure strategy of D in which D places a honeypot at host i (i.e., $d_1 = (1,0)$ and $d_2 = (0,1)$). We denote by $\alpha_A(a_i)$ the probability assigned by the mixed strategy $\alpha_A$ of the attacker to its strategy $a_i$, and by $\alpha_D(d_i)$ the probability assigned by the mixed strategy $\alpha_D$ of the defender to its strategy $d_i$. It can be shown that the Nash equilibrium in mixed strategies is given by $((\alpha_A(a_1), \alpha_A(a_2)), (\alpha_D(d_1), \alpha_D(d_2))) = ((1/2, 1/2), (1/2, 1/2))$. The Nash equilibrium in mixed strategies of HG(2,1) corresponds to the intuitive solution in which the attacker attacks host 1 and host 2 with equal probability and the defender places the honeypot at host 1 or host 2 with equal probability.

The equilibrium analysis of the general game HG(n,k) is as follows. A has n pure strategies $\{a_1, \ldots, a_n\}$, where strategy $a_i$ means A attacks host i. D has $m = \binom{n}{k}$ ways to place k honeypots at n hosts, where $(x_1, x_2, \ldots, x_n)$ is the vector denoting the placement of honeypots. We denote the pure strategies of D by $d_j$, $j = 1, \ldots, m$.
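The following is an added example, not code from the paper: it implements HG(n,k) exactly as in Definition 1 (payoffs (1) with constructed sample values c_1 = 3, c_2 = 7) and checks by brute force the two claims the analysis makes about it, namely that no pure-strategy Nash equilibrium exists (Definition 2) and that the profile in which both players mix uniformly over their pure strategies is a mixed-strategy Nash equilibrium (Definition 3). Hosts are indexed from 0 here; the function names are this example's own.

```python
# Added example (not from the paper): brute-force equilibrium checks for the
# strategic-form honeynet game HG(n, k) of Definition 1 with payoffs (1).
from fractions import Fraction as F
from itertools import combinations


def placements(n, k):
    """All C(n, k) pure strategies of D: 0/1 vectors with exactly k honeypots."""
    return [tuple(1 if i in hp else 0 for i in range(n))
            for hp in combinations(range(n), k)]


def payoff(x, j, c1, c2):
    """(u_A, u_D) when A attacks host j (0-based) under placement x: attacking a
    honeypot costs the attacker c1 (gained by D); attacking a regular host
    gains the attacker c2 (lost by D)."""
    if x[j] == 1:
        return (-c1, c1)
    return (c2, -c2)


def expected_payoffs(alpha_a, alpha_d, c1, c2):
    """Expected (E_A, E_D) for mixed strategies given as dicts host -> prob and
    placement -> prob; Fractions keep the arithmetic exact."""
    ea = ed = F(0)
    for x, pd in alpha_d.items():
        for j, pa in alpha_a.items():
            ua, ud = payoff(x, j, c1, c2)
            ea += pd * pa * ua
            ed += pd * pa * ud
    return ea, ed


def uniform_profile(n, k):
    """The profile claimed in Section II: both players mix uniformly."""
    plc = placements(n, k)
    alpha_a = {j: F(1, n) for j in range(n)}
    alpha_d = {x: F(1, len(plc)) for x in plc}
    return alpha_a, alpha_d


def has_pure_nash(n, k, c1, c2):
    """Definition 2 checked exhaustively over every pure action profile."""
    plc = placements(n, k)
    for x in plc:
        for j in range(n):
            ua, ud = payoff(x, j, c1, c2)
            a_stays = all(payoff(x, jj, c1, c2)[0] <= ua for jj in range(n))
            d_stays = all(payoff(xx, j, c1, c2)[1] <= ud for xx in plc)
            if a_stays and d_stays:
                return True
    return False


def is_mixed_nash(alpha_a, alpha_d, n, k, c1, c2):
    """Definition 3. The payoff of any mixed deviation is a convex combination
    of pure-strategy payoffs, so testing every pure deviation against the
    opponent's mix is sufficient."""
    ea, ed = expected_payoffs(alpha_a, alpha_d, c1, c2)
    for j in range(n):
        if expected_payoffs({j: F(1)}, alpha_d, c1, c2)[0] > ea:
            return False
    for x in placements(n, k):
        if expected_payoffs(alpha_a, {x: F(1)}, c1, c2)[1] > ed:
            return False
    return True


if __name__ == "__main__":
    c1, c2 = F(3), F(7)  # constructed sample costs; any c1, c2 > 0 behave the same
    for n, k in [(2, 1), (4, 2), (5, 1)]:
        a, d = uniform_profile(n, k)
        print(f"HG({n},{k}): pure NE? {has_pure_nash(n, k, c1, c2)}; "
              f"uniform mix is NE? {is_mixed_nash(a, d, n, k, c1, c2)}; "
              f"expected payoffs {expected_payoffs(a, d, c1, c2)}")
```

Under the uniform profile every host carries a honeypot with probability k/n, so all of A's pure attacks earn the same expected payoff, and every placement earns D the same payoff against a uniform attacker; that symmetry is what makes the uniform mix an equilibrium, and it also shows why the one-shot strategic game gives the defender no lever over the attacker's behaviour.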
Using the payoff function in Definition 1 we see that there is no Nash equilibrium in pure strategies. Intuitively, when A attacks node j, D would obtain a higher payoff if she chooses a strategy $d_i$ in which $x_j = 1$. However, in that case A is better off attacking some other node $l \ne j$. Thus there is no pure strategy equilibrium for HG(n,k). To calculate the mixed strategy equilibria of HG(n,k), we consider the probabilities assigned to each pure strategy by the players (as mentioned above in the HG(2,1) example). Let $c^D_{ij}$ denote the payoff of D when A selects strategy $a_j$ and D selects strategy $d_i$. The expected payoff $E^D_i$ received by D when playing $d_i$ is

$$E^D_i = \sum_{j=1}^{n} \alpha_A(a_j)\, c^D_{ij} \qquad (3)$$

The total expected payoff of D will be:

$$E^D = \sum_{i=1}^{m} \alpha_D(d_i)\, E^D_i \qquad (4)$$

It can be seen that to maximize $E^D$, D has to play all $\alpha_D(d_i)$ equally, because of the symmetrical payoffs. This means that at the equilibrium in mixed strategies the probability $\alpha_D(d_i)$ with which D selects strategy $d_i$ is equal to $1/m$, i.e., $\alpha_D(d_i) = 1/m$, $i = 1, \ldots, m$. Intuitively, we can see that if D could increase its payoff by increasing the probability of playing strategy $d_i$ and decreasing the probability of playing the strategies $d_{-i}$, then it would be able to maximize its payoff by setting $d_i = 1$ and $d_{-i} = 0$, which would be a pure strategy. However, we have already seen that there is no pure strategy equilibrium for this game. Thus the mixed strategy Nash equilibrium for this game is the one in which both players, the attacker and the defender, play all their strategies with equal probabilities. Since this is a one-shot game, the attacker and the defender choose their strategies independently and so the defender cannot influence the strategies of the attacker. The games proposed in this section do not consider deception strategies, but they are the prototype games that will be extended in the next section into games that take into account deception moves.

III. Honeynet Deception Games

We extend the games studied in the previous section to allow deception moves by the defender (honeynet).
Examples of deception moves ae: make it evident to te attacke tat te system is a oneypot but in fact it is a egula ost (we call tese fake oneypots ), o ide te oneypot suc tat te attacke believes it is a egula ost. Tese can be acieved by diffeent tecniques some of tem being descibed in [5], [6]. In tis section we popose a game teoetic model consideing two playes, te Attacke and te Defende (oneynet). As in te pevious section we assume tat te oneynet is composed of k oneypots out of n possible osts witin a block of IP addesses. As mentioned ealie, te attacke pobes te osts and analyzes tei esponses to identify oneypots. A cleve defende will espond to te pobes in a way tat te attacke does not gain infomation on wete te ost is a egula one o a oneypot. Te esponse of te ost depends on wete te ost is a oneypot (diffeent esponses by low-inteaction and ig-inteaction oneypots) o a egula ost. Te esponse of te oneypot may be geneated suc tat to conceal te identity of te oneypot. Howeve, it is safe to assume tat afte a few pobes an attacke can successfully identify tat a ost is a oneypot, i.e., te defende cannot infinitely deceive te attacke in believing a ost to be egula ost, wen in fact it is a oneypot. Te goal of te attacke is to identify and attack a ost tat is not a oneypot wile te goal of te defende is to conceal te oneypot (make it appea as a egula ost) and ISBN 9-9999-9999-9/99/ $. c 7 IEEE

ave te oneypot attacked by te attacke. Even if te attacke does not attack te oneypot, te defende gates cucial infomation if it can make te attacke pobe te oneypot as muc as possible. In te poposed model te attacke and te defende make tei decisions sequentially by consideing te opponent playe s moves. We model tis scenaio as a game wit sequential moves. Te fist move is made by te defende, in wic se decides ow to place te k oneypots among te n possible osts. Tee ae ( n k) diffeent ways in wic k oneypots can be placed into n positions. Next te attacke decides wat ost to pobe out of te n possible osts. Te next move is by te defende, wo esponds to te pobe of te attacke. In ou model te defende as two types of esponses, and wee esponse means tat te ost being pobed is a egula ost and te esponse means te ost being pobed is a oneypot. It sould be noted tat tese esponses may not epesent te actual state of te ost, i.e., te defende may lie to deceive te attacke. Depending on te esponse of te defende, se may coose to pobe te same ost again o pobe some ote ost. Te game continues wit altenative moves by te attacke and te defende in te fom of pobes and esponses, until te attacke pobes and te defende poduces esponses γ times. Afte γ stages (pobe-esponse) te attacke makes te final move in wic se cooses to eite attack a ost o not attack any ost. In te intemediate stages of te game te payoffs ae computed based on wete te attacke pobes a oneypot o a egula ost. Te payoff of te attacke and te defende in te final move (by te attacke) ae based on wete te attacke attacks a oneypot o a egula ost o cooses not to attack. Te total payoff is te sum of te payoffs of intemediate moves and te final move. In te above game te final move by te attacke is made afte γ pobes to te osts, independent of te ost being pobed. Anote scenaio wic can be consideed is te one in wic te attacke makes te final move afte se as pobed a ost at least γ times. 
In tat case te total numbe of pobes made by te attacke will be geate tan o equal to γ. In te following, we conside only te fist scenaio, in wic te attacke makes te final move afte γ pobes, iespective of te ost pobed. We call te game tat models tis situation a (n, k, γ)-oneynet deception game, denoted as HDG(n,k,γ). Since a stategic fom game model does not captue te sequential natue of te decision making pocess, we will model te inteactions between te attacke and te system as an extensive fom game. An extensive fom game is a dynamic model tat expesses te sequential stuctue of decision making. In ode to ave a clea and manageable way to explain te concepts used in ou game teoetic modeling we fist pesent a paticula vesion of te geneal game, HDG(,,), in wic afte one pobe te attacke D : A : A : D : D : D :4 D :5 : : : : :4 :4 :5 :5 Fig.. HDG(,,) game,,,,,,,,,,,, decides to attack one of te osts o not. Late on we will descibe te geneal game. Fig. depicts a HDG(,,) game in extensive fom. In tis figue te moves ae indicated above te oizontal lines. Te game as fou stages: (i) D - Te defende (D) decides te position of te oneypot to be at ost o ost (denoted by actions and, espectively). Tis infomation is not known to te attacke, tus HDG(,,) is a game of impefect infomation. (ii) A - Te attacke (A) pobes one of te osts ( o ). (iii) D - Te defende poduces a esponse to te pobe of te attacke ( =egula ost, o =oneypot). (iv) - Te attacke eite attacks one of te osts ( o ) o does not attack at all (). Te stategies of te defende ae as follows: (i) Deception stategies: Wen a ost is pobed, espond wit wen te ost is an actual oneypot (i.e., conceal te oneypot), o espond wit wen te ost is an actual egula ost (i.e., sow a fake oneypot). An example of suc stategy is wen D places a oneypot at ost i.e., cooses move (), A pobes ost and D esponds wit. ISBN 9-9999-9999-9/99/ $. c 7 IEEE 4

(ii) Disclosue stategies: Wen a ost is pobed, espond wit te actual status of te ost, i.e., wit wen te ost is an actual egula ost and wit wen te ost is an actual oneypot. An example of suc stategy is wen D places a oneypot at ost i.e., cooses move (), A pobes ost and D esponds wit. A seies of actions in an extensive game is called a sequence. Fomally B = (a...a n ) is a sequence if action a i was taken duing stage i. Te game in Fig. as 8 suc sequences: (), (), (,), (,), (,), (,), (,,), (,,),..., (,,,), (,,,). Te sequence (,,,) indicates tat D places a oneypot at ost, A pobes ost, D eplies tat ost is a egula ost and ten A does not attack any ost. A sequence as istoies. Te sequence (,,,) as five subistoies:, (), (, ), (,, ), and (,,, ). Te istoies, (), (,) and (,,) ae pope subistoies of (,,,); subistoy (,,,) is a teminal istoy. Te teminal istoies ae annotated wit pefeences. Te pefeence of teminal istoy l is a tuple of payoffs u i (l), one fo eac playe. Te pefeence tuple indicates te payoff of A and D. Te fist component of te tuple in Fig. is te payoff to A wile te second component is te payoff to D. Te payoff function u i (l), i {A,D} gives te pefeence of te playes given teminal istoy l. Playe i, i {A, D} pefes teminal istoy l to l, if u i (l ) > u i (l) and is indiffeent between istoies l and l if u i (l ) = u i (l). In te game epesented in Fig., D pefes istoy (,,,) to (,,,) as u D (,,,) > u D (,,,). HDG(n, k, γ) is a game wit impefect infomation since all te playes do not ave pecise infomation about te pevious actions of all te ote playes at all stages of te game. Specifically, te attacke does not know ow te defende as placed te oneypots in te fist stage of te game. To epesent tis lack of infomation in te model, te notion of infomation set is used. Let us denote by H i te set of istoies afte wic playe i moves. An infomation set is a patition of H i. Te collection of infomation sets is called te infomation patition of playe i. 
Wen making a move, playe i is infomed about te infomation set tat as occued but not about te exact istoy witin tat set. In Fig. te infomation set is given below te stage label in te fomat x : y wee x efes to te playe numbe (x = is te attacke and x = is te defende) and y denotes te numbe of te infomation set. In HDG(,, ) game, te attacke knows te infomation set : = {(),()} afte stage D, but not wic one of te two istoies, () and (), as occued. Fomally an extensive-fom game can be defined as follows: Definition 4: (Extensive-Fom Game wit impefect Infomation) [] An extensive-fom game wit impefect infomation consists of te following: Action A s payoff D s payoff A pobes a oneypot -5 5 A pobes a egula ost A attacks a oneypot - A attacks a egula ost - A cooses not to attack TABLE I Payoffs fo HDG(n, k, γ) game (i) Te set of playes; (ii) Te set of teminal istoies; (iii) A function P(l) tat assigns a playe to te move afte subistoy l; (iv) Fo eac playe, te infomation patition (a patition of te set of istoies assigned to tat playe) (v) Pefeences ove te set of lotteies (i.e., pobability distibutions) ove teminal istoies, fo eac playe. We fomally define te HDG(,,) game in extensive fom (Fig. 
) as follows: (i) {A,D} is te set of playes; (ii) {(,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,), (,,,)} is te set of teminal istoies; (iii) Te function P() suc tat P(D) = D,P(A) = A, P(D) = D, and P() = A, wee D, A, D and ae te stages of te game as descibed ealie; (iv) Infomation patitions: All istoies afte wic te defende moves ae contained in individual infomation sets, wic means tat te defende obseves all actions of te attacke; te attacke s infomation patition afte stage D consists of te istoies {(),()} and afte stage D consists of {{(,,),(,,)}, {(,,),(,,)}, {(,,),(,,)} and {(,,),(,,)}}, wic means tat at any point in te game, te attacke cannot distinguis wic ost is a oneypot and wic one is a egula ost. (v) Te pefeences ove te teminal istoies ae calculated accoding to Table I. Wen te attacke pobes a oneypot, it povides some infomation to te defende so te payoff of te attacke in tis case is -5 and tat of te defende is 5. If te attacke pobes a egula ost se does not povide any infomation to te defende and te defende does not get any benefit, tus bot eceive a payoff of. Te payoffs fo all te actions of te attacke ae summaized in te table. Te final pefeences ae te sums of te intemediate payoffs afte stages A and. Fo ISBN 9-9999-9999-9/99/ $. c 7 IEEE 5

example, conside teminal istoy (,,,). Te defende places te oneypot at ost and te attacke pobes ost, tus te attacke obtains an intemediate payoff of 5 and te defende obtains an intemediate payoff of 5. Howeve, in te final move te attacke attacks ost and tus obtains a payoff of in tat stage, making e total payoff of 5 + = 5. Te defende obtains afte stage and e total payoff is 5 = 5. As we mentioned ealie, te objective of a playe is to maximize e payoff. Playes ae not isolated; te actions of te defende influence and ae influenced by te actions of te attacke. Let A(I i ) denote te actions available to playe i at infomation set I i. A function wic assigns an action a i A(I i ) to eac of i s infomation sets I i is called a pue stategy of playe i in an extensive game. A mixed stategy of a playe in an extensive game is a pobability distibution ove te playe s pue stategies. We denote te mixed stategy (α i ) of playe i = {A,D} at infomation set I i as a vecto of pobabilities, wee eac pobability coesponds to te available actions in te ode in wic te actions ae given in te game definition. Tus wen te defende as a mixed stategy of playing bot te moves ( and ) at infomation set : will be denoted by α D ( : ). Te solution concept fo extensive fom games tat we conside in tis study is te mixed stategy Nas equilibium. Tis equilibium is a steady state in wic no playe can unilateally incease e payoff. It is fomally defined as follows: Definition 5: (Nas equilibium of extensive game) [] Te mixed stategy pofile α in an extensive game is called a Nas equilibium in mixed stategies if, fo eac playe i and evey ote mixed stategy α i of playe i, playe i s expected payoff to α is at least as muc as is expected payoff to (α i,α i ) wee α i denotes te stategy pofile of all playes except playe i. Te Nas equilibia of an extensive game ae often computed by constucting te stategic fom of te game and analyzing it as a stategic game []. 
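The strategic-form check just mentioned, carried out by brute force for HDG(2,1,1): this is an added example, not the paper's own Gambit computation. It builds the 24 terminal histories with the Table I payoffs, enumerates every pure strategy of both players (one action per information set), and verifies the profile the paper reports from Gambit (uniform placement, uniform responses, the attacker probing uniformly and attacking uniformly except after probing host 2 and receiving response 1, where she does not attack). The host labels 1 and 2 and the response codes 0/1 follow the HDG(2,1,1) description above; the "disclosing defender" who never lies is a constructed contrast case, and all function names are this example's own.

```python
# Added example (not from the paper, which used Gambit): brute-force check of
# the HDG(2,1,1) mixed-strategy equilibrium, using the Table I payoffs.
from fractions import Fraction as F
from itertools import product

HOSTS = (1, 2)             # D1 picks the honeypot host; A2 picks the host to probe
RESPONSES = (0, 1)         # D3: 0 = "regular host", 1 = "honeypot" (may be a lie)
FINAL_ACTIONS = (1, 2, 0)  # A's last move: attack host 1, attack host 2, or 0 = no attack

# Table I as (attacker payoff, defender payoff)
PROBE_HONEYPOT = (F(-5), F(5))
PROBE_REGULAR = (F(0), F(0))
ATTACK_HONEYPOT = (F(-10), F(10))
ATTACK_REGULAR = (F(10), F(-10))
NO_ATTACK = (F(0), F(0))


def terminal_payoff(h, p, r, a):
    """Payoffs of terminal history (h, p, r, a): probe payoff plus final-move
    payoff. The response r is never paid for; it only shapes what A sees."""
    probe = PROBE_HONEYPOT if p == h else PROBE_REGULAR
    if a == 0:
        final = NO_ATTACK
    elif a == h:
        final = ATTACK_HONEYPOT
    else:
        final = ATTACK_REGULAR
    return (probe[0] + final[0], probe[1] + final[1])


def expected_payoffs(att, dfn):
    """Behavior strategies: att = (probe dist, {(p, r): final dist}) and
    dfn = (placement dist, {(h, p): response dist}). A's final information
    set is keyed by (p, r) only, because A never observes h."""
    probe_dist, final_dists = att
    place_dist, resp_dists = dfn
    ea = ed = F(0)
    for h, p, r, a in product(HOSTS, HOSTS, RESPONSES, FINAL_ACTIONS):
        pr = place_dist[h] * probe_dist[p] * resp_dists[(h, p)][r] * final_dists[(p, r)][a]
        if pr:
            ua, ud = terminal_payoff(h, p, r, a)
            ea += pr * ua
            ed += pr * ud
    return ea, ed


def point(options, choice):
    """Degenerate distribution putting all mass on one action."""
    return {o: F(int(o == choice)) for o in options}


def attacker_pure_strategies():
    """A probe choice plus a final action at each of the four (probe, response)
    information sets: 2 * 3**4 = 162 pure strategies."""
    sets = [(p, r) for p in HOSTS for r in RESPONSES]
    for probe in HOSTS:
        for finals in product(FINAL_ACTIONS, repeat=len(sets)):
            yield (point(HOSTS, probe), {s: point(FINAL_ACTIONS, a) for s, a in zip(sets, finals)})


def defender_pure_strategies():
    """A placement plus a response at each (honeypot, probe) set: 2 * 2**4 = 32."""
    sets = [(h, p) for h in HOSTS for p in HOSTS]
    for place in HOSTS:
        for resps in product(RESPONSES, repeat=len(sets)):
            yield (point(HOSTS, place), {s: point(RESPONSES, r) for s, r in zip(sets, resps)})


def is_nash_equilibrium(att, dfn):
    """Definition 5 through the strategic form: no pure deviation by either
    player raises that player's expected payoff (a mixed deviation is a convex
    combination of pure ones, so pure deviations suffice)."""
    ea, ed = expected_payoffs(att, dfn)
    if any(expected_payoffs(alt, dfn)[0] > ea for alt in attacker_pure_strategies()):
        return False
    if any(expected_payoffs(att, alt)[1] > ed for alt in defender_pure_strategies()):
        return False
    return True


# The reported profile: D mixes 1/2-1/2 at every information set (placement and,
# at D3, deception vs. disclosure); A probes 1/2-1/2, attacks 1/2-1/2 after
# probing host 1 or after (host 2, response 0), and stays out after (host 2, response 1).
half = {1: F(1, 2), 2: F(1, 2)}
mixed_attack = {1: F(1, 2), 2: F(1, 2), 0: F(0)}
no_attack = {1: F(0), 2: F(0), 0: F(1)}
EQ_ATTACKER = (half, {(1, 0): mixed_attack, (1, 1): mixed_attack,
                      (2, 0): mixed_attack, (2, 1): no_attack})
EQ_DEFENDER = (half, {(h, p): {0: F(1, 2), 1: F(1, 2)} for h in HOSTS for p in HOSTS})

# Constructed contrast: a defender who always discloses the true host status.
DISCLOSING_DEFENDER = (half, {(h, p): point(RESPONSES, int(h == p)) for h in HOSTS for p in HOSTS})

if __name__ == "__main__":
    print("reported profile payoffs:", expected_payoffs(EQ_ATTACKER, EQ_DEFENDER))
    print("reported profile is NE:", is_nash_equilibrium(EQ_ATTACKER, EQ_DEFENDER))
    print("same attacker vs disclosing defender is NE:",
          is_nash_equilibrium(EQ_ATTACKER, DISCLOSING_DEFENDER))
```

The reported profile passes: its expected payoffs are -5/2 for A and 5/2 for D, and no pure deviation improves on them, because a half-and-half response carries no information about the placement. Against the disclosing defender the same attacker strategy is no longer a best response, since the attacker can then probe once and attack the host the response marks as regular, which is exactly the mapping the deception move is meant to prevent.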
We used Gambit [], a software tool for solving games, to compute the equilibria of HDG(,, ). Gambit computed several Nash equilibria in mixed strategies. We will present and discuss only one of these equilibria of the HDG(,,) game, which is shown in Fig. . In the figure the probability of an action being played in this particular mixed strategy equilibrium is shown below the horizontal lines representing the actions of the players. The mixed strategy equilibrium shown in the figure can be represented as α_D( : ) = α_D( : ) = α_D( : ) = α_D( : 4) = α_D( : 5) = (,), α_D( : ) = (,), α_D( : ) = α_D( : ) = α_D( : 4) = (,,), α_D( : 5) = (,,). This strategy implies that at stage D, the defender chooses one of the configurations with equal probability (both ), because she has the same expected payoff for both actions. The attacker probes one of the two hosts with equal probability, since she does not have any information about the placement of the honeypots. At stage D, the defender plays the deception strategy with probability . This means that when a regular host is probed, the defender responds with half of the time to deceive the attacker. Similarly, when a honeypot is probed, it responds with half of the time. This way the attacker can be deceived into attacking a honeypot. When the attacker probes host , whatever response she gets, she attacks host and host with equal probability. This is safe for the attacker because she does not know which node is a honeypot. When the attacker probes host and receives the response , the attacker chooses not to attack, to avoid the risk of attacking the honeypot. However, when she receives the response , she attacks host and host with equal probability. This particular strategy is suitable for an attacker who wants to avoid the risk to a certain degree.

The general HDG(n,k,γ) game can be formally defined as follows: (i) {A,D} is the set of players; (ii) The set of terminal histories is denoted by the set of vectors {(x,x,...,x_m) | m = γ+ , where x_i is the action taken by the player at stage i of the game}.
The actions available to the players are as follows: (a) x = {(y y ... y_n) | k vector components are and n − k components are }. If y_i = then D places a honeypot at position (address) i, and if y_i = then D places a regular host at position i. There are q = (n choose k) such combinations possible. We call this vector a configuration and denote configurations by c_t, t = {,...,q}. (b) x_i = j, j ∈ {,...,n}, are the actions available to A in intermediate stages (i is even, i < m), where A chooses to probe host j out of n hosts. (c) x_i = {,}, are the actions available to D in different stages (i is odd, i ) ( denotes D's response to the probe that x_i is a regular host, denotes a honeypot (might be a deception move)). (d) x_m = j, j ∈ {,...,n + }, in which A chooses to attack host j (j = n + means no attack). (iii) The function P(l) such that P( ) = D, P(l) = A if the last action in subhistory l was taken by D, else P(l) = D. In other words, D and A play alternately, starting with D, and the last action is taken by A. (iv) The information sets in the information partition of D consist of individual histories {{(x,x)}, {(x,x,x,x_4)}, ..., {(x,x,...,x_m)}}. The information partition of A has all histories with different values of x but the same values of (x,...,x_m) grouped in the same information set. Formally, the information partition of A is {{(c_t)}, {(c_t,,)}, {(c_t,,)}, {(c_t,,)}, ..., {(c_t,n,,...,)} | t = {,...,q}}. (v) The preferences over the terminal histories are calculated by summing the intermediate payoffs (given in Table I) corresponding to the actions in the terminal history. Since the information sets in which D moves contain individual histories, the defender observes all actions of the attacker. However, each information set of the attacker contains q histories, each history corresponding to a different configuration. For example, if n = , k = , γ = , there are different configurations, c = , c = and c = . The information partition of the defender is as follows: { {(φ)}, {(,)}, {(,)}, {(,)}, {(,)}, {(,)}, {(,)}, {(,)}, {(,)}, {(,)}}. Each information set of the attacker will contain histories with different values of c_t but the same values for the other actions, i.e. { {(),(),()}, {(,,), (,,), (,,)}, {(,,), (,,), (,,)}, {(,,), (,,), (,,)}, {(,,), (,,), (,,)}}. This means that at any point in time, the attacker cannot identify the placement of honeypots and regular hosts in the system. This general game model allows us to analyze the interactions of the attacker and the defender. Since the equilibrium solutions represent accurate predictions of how the attacker and the defender behave in the honeynet system, they are used to determine the best strategies of the attacker and the defender.

IV. Conclusions

We proposed a game theoretic framework for modeling deception in honeynets. The framework is based on extensive games of imperfect information. We studied the equilibrium solutions of these games and showed how they are used to determine the strategies of the honeynet system. There are several ideas for future work that stem from this initial study of game theoretic models for honeynets. We plan to investigate and characterize in more detail the general deception game proposed in this paper. We also plan to investigate other types of games in which the attacker has partial information on the honeypots' placement.

References

[] Honeynet Project, Know Your Enemy: Learning about Security Threats. Boston, MA: Pearson Education Inc., second ed., 4.
[] B. Cheswick, An evening with berferd, in which a cracker is lured, endured, and studied, in Proc. of the Winter Usenix Conference, January 99.
[] J. Bethencourt, J. Franklin, and M. Vernon, Mapping internet sensors with probe response attacks, in Proceedings of the USENIX Security Symposium, pp. 9 8, August 5.
[4] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, Inside the slammer worm, IEEE Security and Privacy, vol. , pp. 9, July .
[5] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage, Inferring internet denial-of-service activity, ACM Trans. Comput. Syst., vol. 4, no. , pp. 5 9, 6.
[6] C. Kreibich and J. Crowcroft, Honeycomb - creating intrusion detection signatures using honeypots, ACM SIGCOMM Computer Communications Review, vol. 4, no. , pp. 5 56, 4.
[7] D. Moore, C. Shannon, G. M. Voelker, and S. Savage, Network telescopes: Technical report, Technical Report CS4-795, UCSD, July 4.
[8] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, Characteristics of internet background radiation, in Proc. of the Internet Measurement Conference, pp. 7 4, October 4.
[9] V. Yegneswaran, P. Barford, and D. Plonka, On the design and use of internet sinks for network abuse monitoring, in Proc. of the Symposium on Recent Advances in Intrusion Detection, September 4.
[] N. Provos, A virtual honeypot framework, in Proc. of the th USENIX Security Symposium, pp. 8 84, August 4.
[] M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. C. Snoeren, G. M. Voelker, and S. Savage, Scalability, fidelity, and containment in the potemkin virtual honeyfarm, in Proc. of the th ACM Symposium on Operating Systems Principles, pp. 48 6, October 5.
[] L. K. Yan, Virtual honeynets revisited, in Proc. of the IEEE Workshop on Information Assurance, pp. 9, June 5.
[] F. Cohen, A note on the role of deception in information protection, Computers and Security, vol. 7, no. 6, pp. 48 56, 998.
[4] F. Cohen, Leading attackers through attack graphs with deceptions, Computers and Security, vol. , no. 5, pp. 4 4, .
[5] N. C. Rowe, B. T. Duong, and E. J. Custy, Fake honeypots: A defensive tactic for cyberspace, in Proc. of the IEEE Workshop on Information Assurance, pp. , June 6.
[6] N. C. Rowe, Measuring the effectiveness of honeypot counter-counterdeception, in Proc. of the 9th Hawaii International Conference on System Sciences, January 6.
[7] J. F. Nash, Equilibrium point in n-person games, Proc. Nat'l Academy of Sciences of the United States of Am., vol. 6, pp. 48 49, Jan. 95.
[8] J. F. Nash, Non-cooperative games, Annals of Math., vol. 54, no. , pp. 86 95, 95.
[9] M. Osborne and A. Rubinstein, A Course in Game Theory. Cambridge, Mass.: MIT Press, 994.
[] M. Osborne, An Introduction to Game Theory. New York, NY: Oxford University Press, 4.
[] R. D. McKelvey, A. McLennan, and T. Turocy, Gambit: Software Tools for Game Theory. Version .7..: http://econweb.tamu.edu/gambit, 7.
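The following Python program is an added worked example and is not code from the paper or from Gambit. It builds the HDG(n,k,γ) game exactly as defined above: it enumerates the configurations c_t, the terminal histories (x_1,...,x_m) with m = 2γ+2, and the attacker's information partition, which groups histories that differ only in the configuration. For γ = 1 it then evaluates a behavioural strategy profile and the attacker's posterior belief about the placement after a probe, so one can see why the 50/50 deceptive response described in the text makes the probe worthless to the attacker. The payoff table is constructed: the paper gives -5 and 5 for probing a honeypot, while the remaining entries (standing in for its Table I) and all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import combinations, product

# Constructed intermediate payoffs (attacker, defender). The paper states -5/+5 for probing a
# honeypot; the remaining entries stand in for its Table I and are assumptions of this example.
PAYOFF = {
    "probe_honeypot": (Fraction(-5), Fraction(5)),
    "probe_regular": (Fraction(0), Fraction(0)),
    "attack_honeypot": (Fraction(-10), Fraction(10)),
    "attack_regular": (Fraction(10), Fraction(-10)),
    "no_attack": (Fraction(0), Fraction(0)),
}

def configurations(n, k):
    """All q = C(n,k) placements of k honeypots among n hosts as 0/1 tuples (1 = honeypot)."""
    return [tuple(1 if i in chosen else 0 for i in range(n))
            for chosen in combinations(range(n), k)]

def terminal_histories(n, k, gamma):
    """Vectors (x1,...,xm), m = 2*gamma + 2: configuration, gamma (probe, response) pairs, attack."""
    rounds = [range(1, n + 1), (0, 1)] * gamma  # A probes host j, then D answers 0 or 1
    return [(c,) + mid + (a,) for c in configurations(n, k)
            for mid in product(*rounds) for a in range(1, n + 2)]  # a = n + 1: no attack

def attacker_information_partition(n, k, gamma):
    """A's decision nodes grouped by everything except the configuration x1."""
    groups = {}
    for h in terminal_histories(n, k, gamma):
        for cut in range(1, len(h), 2):  # A moves after histories of odd length 1, 3, ...
            groups.setdefault(h[1:cut], set()).add(h[:cut])
    return [frozenset(s) for s in groups.values()]

def history_payoff(c, j, r, a, payoff=PAYOFF):
    """Sum of the intermediate payoffs along terminal history (c, j, r, a) of HDG(n,k,1)."""
    probe = payoff["probe_honeypot"] if c[j - 1] else payoff["probe_regular"]
    if a == len(c) + 1:
        final = payoff["no_attack"]
    else:
        final = payoff["attack_honeypot"] if c[a - 1] else payoff["attack_regular"]
    return probe[0] + final[0], probe[1] + final[1]

# Behavioural strategies for gamma = 1: placement[c], probe[j], respond[(c, j)][r] and
# attack[(j, r)][a] give each player's action probabilities at the respective decision node.
def expected_payoffs(n, k, placement, probe, respond, attack, payoff=PAYOFF):
    """Expected (attacker, defender) payoff of a behavioural strategy profile of HDG(n,k,1)."""
    ea = ed = Fraction(0)
    for c in configurations(n, k):
        for j in range(1, n + 1):
            for r in (0, 1):
                for a in range(1, n + 2):
                    p = placement[c] * probe[j] * respond[(c, j)][r] * attack[(j, r)][a]
                    if p:
                        pa, pd = history_payoff(c, j, r, a, payoff)
                        ea, ed = ea + p * pa, ed + p * pd
    return ea, ed

def attacker_posterior(n, k, placement, respond, j, r):
    """P(configuration | probed host j, saw response r): what the probe really told A."""
    joint = {c: placement[c] * respond[(c, j)][r] for c in configurations(n, k)}
    total = sum(joint.values())  # zero only if (j, r) can never occur under this profile
    return {c: p / total for c, p in joint.items()}

def best_attack_value(posterior, payoff=PAYOFF):
    """A's best expected final-stage payoff given her belief about the placement."""
    n = len(next(iter(posterior)))
    values = [payoff["no_attack"][0]]
    for a in range(1, n + 1):
        values.append(sum(p * (payoff["attack_honeypot"][0] if c[a - 1] else payoff["attack_regular"][0])
                          for c, p in posterior.items()))
    return max(values)

def uniform(items):
    """Mixed strategy that plays each of the given actions with equal probability."""
    items = list(items)
    return {x: Fraction(1, len(items)) for x in items}

def uniform_attack(n):
    """Attack one of the n hosts with equal probability at every information set."""
    return {(j, r): {a: Fraction(1, n) if a <= n else Fraction(0) for a in range(1, n + 2)}
            for j in range(1, n + 1) for r in (0, 1)}

def honest_response(n, k):
    """D always answers truthfully: 1 if the probed host is a honeypot, else 0."""
    return {(c, j): {1: Fraction(c[j - 1]), 0: Fraction(1 - c[j - 1])}
            for c in configurations(n, k) for j in range(1, n + 1)}

def coin_flip_response(n, k):
    """D answers 0 or 1 with probability 1/2 whatever the truth (the deception play in the text)."""
    return {(c, j): {0: Fraction(1, 2), 1: Fraction(1, 2)}
            for c in configurations(n, k) for j in range(1, n + 1)}

if __name__ == "__main__":
    n, k = 2, 1
    print(len(terminal_histories(n, k, 1)), "terminal histories of HDG(2,1,1)")
    prior = uniform(configurations(n, k))
    print(expected_payoffs(n, k, prior, uniform(range(1, n + 1)), coin_flip_response(n, k), uniform_attack(n)))
    for name, resp in (("honest", honest_response(n, k)), ("coin flip", coin_flip_response(n, k))):
        post = attacker_posterior(n, k, prior, resp, 1, 1)
        print(name, "response: best attack value after probing host 1 =", best_attack_value(post))
```

Running it for HDG(2,1,1) reproduces the structure stated in the text: 24 terminal histories and an attacker partition of five information sets of two histories each, one per configuration. Under an honest response the attacker who probes host 1 and is told it is a honeypot knows the placement and attacks the other host; under the coin-flip response her posterior equals her prior, so no attack does better than not attacking at all, which is the defender's gain from deception.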