Markov modeling of moving target defense games

We introduce a Markov-model-based framework for Moving Target Defense (MTD) analysis. The framework allows modeling of broad range of MTD strategies, provides general theorems about how the probability of a successful adversary defeating an MTD strategy is related to the amount of time/cost spent by the adversary, and shows how a multi-level composition of MTD strategies can be analyzed by a straightforward combination of the analysis for each one of these strategies. Within the proposed framework we define the concept of security capacity which measures the strength or effectiveness of an MTD strategy: the security capacity depends on MTD specific parameters and more general system parameters. We apply our framework to two concrete MTD strategies

Markov Decision Process for Modeling Social Engineering Attacks and Finding Optimal Attack Strategies

It is important to comprehend the attacker\u27s behavior and capacity in order to build a stronger fortress and thus be able to protect valuable assets more effectively. Prior to launching technical and physical attacks, an attacker may enter the reconnaissance stage and gather sensitive information. To collect such valuable data, one of the most effective approaches is through conducting social engineering attacks, borrowing techniques from deception theory. As a result, it is of utmost importance to understand when an attacker behaves truthfully and when the attacker opts to be deceitful. This paper models attacker\u27s states using the Markov Decision Process (MDP) and studies the attacker\u27s decision for launching deception attacks in terms of cooperation and deception costs. The study is performed through MDP modeling, where the states of attackers are modeled along with the permissible actions that can be taken. We found that the optimal policy regarding being deceitful or truthful depends on the cost associated with deception and how much the attacker can afford to take the risk of launching deception attacks. More specifically, we observed that when the cost of cooperation is low (e.g., 10%), by taking MDP optimal policy, the attacker cooperates with the victim as much as possible in order to gain their trust; whereas, when the cost of cooperation is high (e.g., 50%), the attacker takes deceptive action earlier in order to minimize the cost of interactions while maximizing the impact of the attack. We report four case studies and simulations through which we demonstrate the trade-off between cooperative and deceptive actions in accordance with their costs to attackers

Cybersecurity Games: Mathematical Approaches for Cyber Attack and Defense Modeling

Cyber-attacks targeting individuals and enterprises have become a predominant part of the computer/information age. Such attacks are becoming more sophisticated and prevalent on a day-to-day basis. The exponential growth of cyber plays and cyber players necessitate the inauguration of new methods and research for better understanding the cyber kill chain, particularly with the rise of advanced and novel malware and the extraordinary growth in the population of Internet residents, especially connected Internet of Things (IoT) devices. Mathematical modeling could be used to represent real-world cyber-attack situations. Such models play a beneficial role when it comes to the secure design and evaluation of systems/infrastructures by providing a better understanding of the threat itself and the attacker\u27s conduct during the lifetime of a cyber attack. Therefore, the main goal of this dissertation is to construct a proper theoretical framework to be able to model and thus evaluate the defensive strategies/technologies\u27 effectiveness from a security standpoint. To this end, we first present a Markov-based general framework to model the interactions between the two famous players of (network) security games, i.e., a system defender and an attacker taking actions to reach its attack objective(s) in the game. We mainly focus on the most significant and tangible aspects of sophisticated cyber attacks: (1) the amount of time it takes for the adversary to accomplish its mission and (2) the success probabilities of fulfilling the attack objective(s) by translating attacker-defender interactions into well-defined games and providing rigorous cryptographic security guarantees for a system given both players\u27 tactics and strategies. We study various attack-defense scenarios, including Moving Target Defense (MTD) strategies, multi-stage attacks, and Advanced Persistent Threats (APT). We provide general theorems about how the probability of a successful adversary defeating a defender’s strategy is related to the amount of time (or any measure of cost) spent by the adversary in such scenarios. We also introduce the notion of learning in cybersecurity games and describe a general game of consequences meaning that each player\u27s chances of making a progressive move in the game depend on its previous actions. Finally, we walk through a malware propagation and botnet construction game in which we investigate the importance of defense systems\u27 learning rates to fight against the self-propagating class of malware such as worms and bots. We introduce a new propagation modeling and containment strategy called the learning-based model and study the containment criterion for the propagation of the malware based on theoretical and simulation analysis