Abstract
Advanced persistent threats (APTs) consist of multiple attack stages between entry and exit points of the attack. In each stage of the attack, the adversary gathers more privileges, resources, and information about the system and uses this information to gain access to the targeted data of the next stage to reach the final goal. APTs are not only persistent but also stealthy and hence difficult to detect. The persistent nature of APTs, however, creates information flows in the system that can be monitored. One monitoring mechanism is Dynamic Information Flow Tracking (DIFT), which taints and tracks malicious information flows through a system and inspects the flows at designated traps. Since tainting all flows in the system will incur prohibitive resource costs, efficient tagging policies are needed to decide which flows to tag in order to maximize the probability of APT detection while minimizing resource overhead. At present such an analytical model for DIFT for multi-stage APT detection does not exist. In this paper, we propose a game theoretic framework modeling real-time detection of multi-stage APTs via DIFT. We formulate a two-player (APT vs DIFT) nonzero-sum stochastic game with incomplete information to obtain an optimal tagging policy. Our game model consists of a sequence of stages, where each stage of the game corresponds to a stage in the attack. At each stage, the goal of the APT is to reach a particular destination, corresponding to a targeted resource or privilege, while the goal of the defender is to detect the APT. We first derive an efficient algorithm to find locally optimal strategies for both players. We then characterize the best responses of both players and present algorithms to find the best responses. Finally, we validate our results on a real-world attack data set obtained using the Refinable Attack INvestigation (RAIN) framework for a ScreenGrab attack.
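To make the detection-versus-overhead trade-off in the abstract concrete, the following is an added toy illustration (not the paper's model, code, or data): a small constructed information-flow graph, a multi-stage attack that must reach stage destinations in order, a defender that tags flows leaving chosen nodes and inspects tags at trap nodes, and an exhaustive search for the tag set that maximises worst-case detection under a tagging budget. Node names, costs, the trap set, the true-positive rate and the budget are all assumptions made for the example; the paper's game is a probabilistic stochastic game, whereas this sketch uses pure tag sets and path choices so the arithmetic can be followed by hand.

```python
"""Toy multi-stage DIFT-vs-APT game on a constructed information-flow graph.

Added illustration of the abstract's ideas (stages, tagging policy, traps,
detection-vs-cost trade-off). It is NOT the paper's model or code; every
graph, node name, cost, trap and probability here is a constructed assumption.
"""
from itertools import combinations

# Constructed information-flow graph: nodes are processes/files a provenance or
# DIFT system would observe; directed edges are observed information flows.
FLOW_GRAPH = {
    "browser": ["downloader", "tmpfile"],
    "downloader": ["tmpfile", "shell"],
    "tmpfile": ["shell"],
    "shell": ["cred_store", "screen_capture"],
    "cred_store": ["exfil_proc"],
    "screen_capture": ["exfil_proc"],
    "exfil_proc": [],
}
# Assumed per-node tagging cost (overhead of tainting flows that leave the node).
TAG_COST = {"browser": 5, "downloader": 2, "tmpfile": 1, "shell": 4,
            "cred_store": 1, "screen_capture": 1, "exfil_proc": 3}
# Stage destinations the APT must reach in order: entry, privilege, target.
STAGES = ["browser", "shell", "exfil_proc"]
# Assumed trap nodes where DIFT inspects tags; an inspection of a tagged flow
# detects it with probability TRAP_TP (i.e. 1 - false-negative rate).
TRAPS = {"shell", "exfil_proc"}
TRAP_TP = 0.8


def simple_paths(graph, src, dst, seen=()):
    """All simple paths src -> dst (tiny graph, exhaustive search is fine)."""
    if src == dst:
        return [[dst]]
    paths = []
    for nxt in graph[src]:
        if nxt not in seen:
            for tail in simple_paths(graph, nxt, dst, seen + (src,)):
                paths.append([src] + tail)
    return paths


def stage_paths(graph, stages):
    """All end-to-end attack paths visiting the stage destinations in order."""
    paths = [[stages[0]]]
    for a, b in zip(stages, stages[1:]):
        paths = [p[:-1] + q for p in paths for q in simple_paths(graph, a, b)]
    return paths


def detection_probability(path, tagged, traps=TRAPS, tp=TRAP_TP):
    """P(APT detected) along `path` when the defender tags nodes in `tagged`.

    A flow leaving a tagged node carries the tag from then on (taint
    propagation). Each trap reached *after* tagging inspects the flow and
    misses it independently with probability 1 - tp. A node that is both a
    trap and tagged inspects first, then tags the outgoing flow.
    """
    is_tagged = False
    p_missed = 1.0
    for node in path:
        if is_tagged and node in traps:
            p_missed *= (1 - tp)
        if node in tagged:
            is_tagged = True
    return 1 - p_missed


def apt_best_response(tagged, graph=FLOW_GRAPH, stages=STAGES):
    """The APT picks the stage-respecting path with the lowest detection chance."""
    return min(stage_paths(graph, stages),
               key=lambda p: detection_probability(p, tagged))


def defender_best_policy(budget, graph=FLOW_GRAPH, costs=TAG_COST, stages=STAGES):
    """Tag set within `budget` maximising detection against the APT's best response.

    Exhaustive over subsets (fine for a 7-node toy); ties go to the cheaper set.
    Returns (tag set, worst-case detection probability, tagging cost).
    """
    nodes = list(graph)
    best = (frozenset(), 0.0, 0)
    for r in range(len(nodes) + 1):
        for subset in combinations(nodes, r):
            cost = sum(costs[n] for n in subset)
            if cost > budget:
                continue
            tagged = set(subset)
            worst = detection_probability(apt_best_response(tagged, graph, stages),
                                          tagged)
            if (worst, -cost) > (best[1], -best[2]):
                best = (frozenset(subset), worst, cost)
    return best


if __name__ == "__main__":
    for budget in (0, 2, 3, 5):
        tags, p_det, cost = defender_best_policy(budget)
        print(f"budget={budget}: tag {sorted(tags)} cost={cost} "
              f"worst-case P(detect)={p_det:.2f}")
```

Running the sweep shows the shape of the trade-off the abstract describes: with budget 2 the defender can only tag after the privilege stage (cred_store and screen_capture) and relies on a single trap, giving 0.8; with budget 3 it tags the two entry-side nodes the APT cannot both avoid (downloader and tmpfile), so every path is tagged before both traps and worst-case detection rises to 0.96, the same as tagging the browser alone at cost 5.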
This work was supported by ONR grant N00014-16-1-2710 P00002
References
Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet 4(4), 971–1003 (2012)
Bhatt, P., Yano, E.T., Gustavsson, P.: Towards a framework to detect multi-stage advanced persistent threats attacks. In: Proceedings of the IEEE International Symposium on Service Oriented System Engineering, Oxford, United Kingdom, pp. 390–395 (2014)
Buchbinder, N., Feldman, M., Seffi, J., Schwartz, R.: A tight linear time (1/2)-approximation for unconstrained submodular maximization. SIAM J. Comput. 44(5), 1384–1402 (2015)
Cesa-Bianchi, N., Lugosi, G.: Prediction, Learning, and Games. Cambridge University Press, Cambridge (2006)
Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: Proceedings of the USENIX Security Symposium, San Diego, USA, pp. 321–336 (2004)
Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5 (2014)
Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet dossier. White paper, Symantec Corporation Security Response 5(6), 29 (2011)
Hassan, W.U., Lemay, M., Aguse, N., Bates, A., Moyer, T.: Towards scalable cluster auditing through grammatical inference over provenance graphs. In: Proceedings of Network and Distributed Systems Security Symposium, San Diego, USA (2018)
Hu, P., Li, H., Fu, H., Cansever, D., Mohapatra, P.: Dynamic defense strategy against advanced persistent threat with insiders. In: Proceedings of the IEEE Conference on Computer Communications, Hong Kong, pp. 747–755 (2015)
Ji, Y., et al.: RAIN: refinable attack investigation with on-demand inter-process information flow tracking. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Dallas, USA, pp. 377–390 (2017)
Lee, P., Clark, A., Alomair, B., Bushnell, L., Poovendran, R.: A host takeover game model for competing malware. In: Proceedings of the IEEE Conference on Decision and Control, Osaka, Japan, pp. 4523–4530 (2015)
Nash, J.F.: Equilibrium points in n-person games. Proc. Nat. Acad. Sci. 36(1), 48–49 (1950)
Sahabandu, D., Xiao, B., Clark, A., Lee, S., Lee, W., Poovendran, R.: DIFT games: dynamic information flow tracking games for advanced persistent threats (2018, submitted)
Sood, A.K., Enbody, R.J.: Targeted cyberattacks: a superset of advanced persistent threats. IEEE Secur. Priv. 11(1), 54–61 (2013)
Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: ACM SIGPLAN Notices, vol. 39, pp. 85–96 (2004)
Tivadar, M., Balázs, B., Istrate, C.: A closer look at MiniDuke (2011). http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf. Accessed 20 May 2013
Van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: FlipIt: the game of “stealthy takeover”. J. Cryptol. 26(4), 655–713 (2013)
Virvilis, N., Gritzalis, D., Apostolopoulos, T.: Trusted computing vs. advanced persistent threats: can a defender win this game? In: Proceedings of the IEEE International Conference on Ubiquitous Intelligence and Computing and International Conference on Autonomic and Trusted Computing, Fukuoka, Japan, pp. 396–403 (2013)
de Vries, J., Hoogstraaten, H., van den Berg, J., Daskapan, S.: Systems for detecting advanced persistent threats: a development roadmap using intelligent data analysis. In: Proceedings of the IEEE International Conference on Cyber Security, Washington, DC, USA, pp. 54–61 (2012)
Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the ACM Conference on Computer and Communications Security, Whistler, Canada, pp. 116–127 (2007)
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Moothedath, S., Sahabandu, D., Clark, A., Lee, S., Lee, W., Poovendran, R. (2018). Multi-stage Dynamic Information Flow Tracking Game. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science(), vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_5
DOI: https://doi.org/10.1007/978-3-030-01554-1_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01553-4
Online ISBN: 978-3-030-01554-1
eBook Packages: Computer Science (R0)