Skip to main content
SpringerLink
Log in
Book cover

International Conference on Decision and Game Theory for Security

GameSec 2018: Decision and Game Theory for Security pp 80–101Cite as

Multi-stage Dynamic Information Flow Tracking Game

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11199))

Abstract

Advanced persistent threats (APTs) consist of multiple attack stages between entry and exit points of the attack. In each stage of the attack, the adversary gathers more privileges, resources, and information about the system and uses this information to gain access to the targeted data of the next stage to reach the final goal. APTs are not only persistent but also stealthy and hence difficult to detect. The persistent nature of APTs, however, creates information flows in the system that can be monitored. One monitoring mechanism is Dynamic Information Flow Tracking (DIFT), which taints and tracks malicious information flows through a system and inspects the flows at designated traps. Since tainting all flows in the system will incur prohibitive resource costs, efficient tagging policies are needed to decide which flows to tag in order to maximize the probability of APT detection while minimizing resource overhead. At present such an analytical model for DIFT for multi-stage APT detection does not exist. In this paper, we propose a game theoretic framework modeling real-time detection of multi-stage APTs via DIFT. We formulate a two-player (APT vs DIFT) nonzero-sum stochastic game with incomplete information to obtain an optimal tagging policy. Our game model consists of a sequence of stages, where each stage of the game corresponds to a stage in the attack. At each stage, the goal of the APT is to reach a particular destination, corresponding to a targeted resource or privilege, while the goal of the defender is to detect the APT. We first derive an efficient algorithm to find locally optimal strategies for both players. We then characterize the best responses of both players and present algorithms to find the best responses. Finally, we validate our results on a real-world attack data set obtained using the Refinable Attack INvestigation (RAIN) framework for a ScreenGrab attack.

This work was supported by ONR grant N00014-16-1-2710 P00002

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet 4(4), 971–1003 (2012)

    Article  Google Scholar 

  2. Bhatt, P., Yano, E.T., Gustavsson, P.: Towards a framework to detect multi-stage advanced persistent threats attacks. In: Proceedings of the IEEE International Symposium on Service Oriented System Engineering, Oxford, United Kingdom, pp. 390–395 (2014)

    Google Scholar 

  3. Buchbinder, N., Feldman, M., Seffi, J., Schwartz, R.: A tight linear time (1/2)-approximation for unconstrained submodular maximization. SIAM J. Comput. 44(5), 1384–1402 (2015)

    Article  MathSciNet  Google Scholar 

  4. Cesa-Bianchi, N., Lugosi, G.: Prediction, Learning, and Games. Cambridge University Press, Cambridge (2006)

    Book  Google Scholar 

  5. Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: Proceedings of the USENIX Security Symposium, San Diego, USA, pp. 321–336 (2004)

    Google Scholar 

  6. Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5 (2014)

    Article  Google Scholar 

  7. Falliere, N., Murchu, L.O., Chien, E.: W32. stuxnet dossier. White paper, Symantec Corporation Security Response 5(6), 29 (2011)

    Google Scholar 

  8. Hassan, W.U., Lemay, M., Aguse, N., Bates, A., Moyer, T.: Towards scalable cluster auditing through grammatical inference over provenance graphs. In: Proceedings of Network and Distributed Systems Security Symposium, San Diego, USA (2018)

    Google Scholar 

  9. Hu, P., Li, H., Fu, H., Cansever, D., Mohapatra, P.: Dynamic defense strategy against advanced persistent threat with insiders. In: Proceedings of the IEEE Conference on Computer Communications, Hong Kong, pp. 747–755 (2015)

    Google Scholar 

  10. Ji, Y., et al.: RAIN: refinable attack investigation with on-demand inter-process information flow tracking. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Dallas, USA, pp. 377–390 (2017)

    Google Scholar 

  11. Lee, P., Clark, A., Alomair, B., Bushnell, L., Poovendran, R.: A host takeover game model for competing malware. In: Proceedings of the IEEE Conference on Decision and Control, Osaka, Japan, pp. 4523–4530 (2015)

    Google Scholar 

  12. Nash, J.F.: Equilibrium points in n-person games. Proc. Nat. Acad. Sci. 36(1), 48–49 (1950)

    Article  MathSciNet  Google Scholar 

  13. Sahabandu, D., Xiao, B., Clark, A., Lee, S., Lee, W., Poovendran, R.: DIFT games: dynamic information flow tracking games for advanced persistent threats (2018, Submitted )

    Google Scholar 

  14. Sood, A.K., Enbody, R.J.: Targeted cyberattacks: a superset of advanced persistent threats. IEEE secur. priv. 11(1), 54–61 (2013)

    Google Scholar 

  15. Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: ACM Sigplan Notices., vol. 39, pp. 85–96 (2004)

    Article  Google Scholar 

  16. Tivadar, M., Balázs, B., Istrate, C.: A closer look at MiniDuke (2011). http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf. Accessed 20 May 2013

  17. Van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: FlipIt: the game of “stealthy takeover”. J. Cryptol. 26(4), 655–713 (2013)

    Article  MathSciNet  Google Scholar 

  18. Virvilis, N., Gritzalis, D., Apostolopoulos, T.: Trusted computing vs. advanced persistent threats: can a defender win this game? In: Proceedings of the IEEE International Conference on Ubiquitous Intelligence and Computing and International Conference on Autonomic and Trusted Computing, Fukuoka, Japan, pp. 396–403 (2013)

    Google Scholar 

  19. de Vries, J., Hoogstraaten, H., van den Berg, J., Daskapan, S.: Systems for detecting advanced persistent threats: a development roadmap using intelligent data analysis. In: Proceedings of the IEEE International Conference on Cyber Security, Washington, DC, USA, pp. 54–61 (2012)

    Google Scholar 

  20. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the ACM conference on Computer and communications security, Whistler, Canada, pp. 116–127 (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Electrical Engineering, University of Washington, Seattle, WA, 98195, USA

    Shana Moothedath, Dinuka Sahabandu & Radha Poovendran

  2. Department of Electrical and Computer Engineering, Worcester Polytechnic Institute, Worcester, MA, 01609, USA

    Andrew Clark

  3. College of Computing, Georgia Institute of Technology, Atlanta, GA, 30332, USA

    Sangho Lee & Wenke Lee

Authors
  1. Shana Moothedath
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dinuka Sahabandu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrew Clark
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Sangho Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Wenke Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Radha Poovendran
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shana Moothedath .

Editor information

Editors and Affiliations

  1. University of Washington, Seattle, WA, USA

    Linda Bushnell

  2. University of Washington, Seattle, WA, USA

    Radha Poovendran

  3. University of Illinois at Urbana–Champaign, Urbana, IL, USA

    Tamer Başar

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Moothedath, S., Sahabandu, D., Clark, A., Lee, S., Lee, W., Poovendran, R. (2018). Multi-stage Dynamic Information Flow Tracking Game. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science(), vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-01554-1_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01553-4

  • Online ISBN: 978-3-030-01554-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation