
1 Introduction

With the rapid development of the Internet, designing an effective network attack-defense strategy has become an urgent problem. A Nash Equilibrium Strategy (NES) is a relatively optimal attack-defense strategy: neither the attacker nor the defender is willing to deviate from the current situation. A Social Optimal Strategy (SOS) is a globally optimal one: it minimizes the damage caused by the attacker. How to find NES and SOS effectively is far from completely solved.

Since the 1990s, game-theoretic approaches have provided quantitative solutions for NES and SOS [7, 10, 12, 15] in various network security scenarios. Static games model scenarios in which neither the attacker nor the defender knows the action chosen by the adversary [5]. Stochastic games model scenarios that involve probabilistic transitions between network states caused by offensive-defensive actions [6, 8, 14]. Markov games [16] model scenarios in which future offensive-defensive behaviour affects the present choice of action [4, 17]. Bayesian games model scenarios with incomplete information, where the attacker and the defender use Bayesian analysis to predict the outcome [3, 9, 11].

We are the first, to our knowledge, to present a probabilistic value-passing CCS (PVCCS) approach to model and analyze a typical network security scenario with one attacker and one defender. PVCCS is a well-known formal language for modelling concurrent systems with precise semantics. A network system is assumed to be composed of three participants: one attacker, one defender, and the network environment, in which the hardware and software services are under consideration. Our model represents the network as a state transition system. We use processes in PVCCS to represent all possible behaviours of the participants at each state, and assign to each state a process depicting all offensive-defensive interactions currently possible. A model is built on the process transitions and is minimized by probabilistic bisimulation. To increase reusability, we abstract the minimized model to a finite hierarchical graph, in which each strongly connected component can be processed in parallel. Two algorithms based on backward induction are designed to compute NES and SOS respectively. We illustrate the efficiency of our approach with an example introduced in [8].

The major contributions of our work are:

  (1) establish a reactive model for PVCCS to model network security;

  (2) minimize and abstract the model to reduce the search space and optimize the complexity of the concerned algorithms;

  (3) propose two algorithms to find NES and SOS respectively. The novelty lies in nontrivially combining graph-theoretic methods with backward induction, which yields high reusability and makes backward induction possible in the presence of infinite paths.

Compared with game-theoretic approaches, our approach features in:

  (1) scalability, with fundamental support from probabilistic bisimulation;

  (2) filtering the invalid NESs from the results obtained by the game-theoretic approach;

  (3) high efficiency, benefiting from reusability, parallelization and the minimized model;

  (4) extensibility to a uniform model for analyzing various security scenarios.

In the remaining sections, we establish a reactive model for PVCCS and model network security with it (Sect. 2); present the formal definitions of NES and SOS, as well as the corresponding algorithms (Sect. 3); illustrate our method by a case study (Sect. 4); and conclude (Sect. 5). Due to lack of space, we omit all proofs of the correctness of the algorithms. Interested readers can refer to the online paper: http://arxiv.org/abs/1507.06769.

2 Modelling Network Security Based on PVCCS

2.1 Reactive Model for PVCCS (PVCCSR)

Syntax: Let \(\mathbf {\mathcal {A}}\) be a set of channel names ranged over by a, and \(\mathbf {\mathcal {\overline{A}}}\) be the set of co-names, i.e., \(\mathbf {\mathcal {\overline{A}}}=\{\overline{a}\mid a\in \mathbf {\mathcal {A}}\}\). \(\mathbf {Label}=\mathcal {A} \cup \mathcal {\overline{A}}\). \(\mathbf {Var}\) is a set of value variables ranged over by x and \(\mathbf {Val}\) is a value set ranged over by v. \(\mathbf {e}\) and \(\mathbf {b}\) denote the value expression and the boolean expression respectively. The set of actions, ranged over by \(\alpha \), \(\mathbf {Act}=\{a(x)\mid a\in \mathcal {A}\}\cup \{\overline{a}(\mathbf {e})\mid \overline{a}\in \mathcal {\overline{A}}\}\cup \{\tau \}\), where \(\tau \) is the silent action. \(\mathbf {\mathcal {K}}\) and \(\mathbf {\mathcal {X}}\) are a set of process identifiers and a set of process variables respectively. \(R\subseteq \mathcal {A}\), I, J are index sets, and \(\alpha _{\textit{i}}\ne \alpha _{\textit{j}}\) if \(i\ne j\). \(\sum \) and \(\sum \limits ^{\dot{}}\) are summation notations for processes and real numbers respectively. \(\mathbf {Pr}\) is the set of processes in PVCCSR and is defined inductively as follows:

$$\begin{aligned} \begin{aligned} \mathbf {Pr}\,{:}{:}=&Nil\mid \underset{i\in I}{\sum }\underset{j\in J}{\sum }[p_{\textit{ij}}]\alpha _{\textit{i}}.P_{\textit{ij}}\mid P_1|P_2\mid P\backslash R \mid \textit{if}~\mathbf {b}~\textit{then}~P_1~\textit{else}~P_2 \mid A(x)\\ \alpha \,{:}{:}=&a(x)\mid \overline{a}(\mathbf {e}) \end{aligned} \end{aligned}$$

where \(\forall i\in I\), \(p_{\textit{ij}}\in (0,1]\), \(\sum \limits ^{\dot{}}_{{j\in J}}{p_{\textit{ij}}=1}\). The process constant is defined as \(A(x)\mathop {=}\limits ^{\textit{def}}P\), where P contains no process variables and no free value variables except x.

The meaning of each process construct is as in [2]; we only explain \({\sum \limits _{i\in I}{\sum \limits _{j\in J}}}[p_{\textit{ij}}]\alpha _{\textit{i}}.P_{\textit{ij}}\). It means that \(P_{\textit{ij}}\) is chosen with probability \(p_{\textit{ij}}\) after performing the prefix action \(\alpha _{\textit{i}}\). There are two kinds of prefixes: the input prefix a(x) and the output prefix \(\overline{a}(\mathbf {e})\).

Semantics: Table 1 shows the operational semantics of PVCCSR, where \(P\mathop {\rightarrow }\limits ^{\alpha [p]}Q\) describes a transition from P to Q with probability p by performing action \(\alpha \). \(P\{\mathbf {e}/x\}\) means substituting \(\mathbf {e}\) for every free occurrence of x in P. \(chan:\mathbf {Act}\rightarrow \mathcal {A}\), i.e. \(chan(a(x))=chan(\overline{a}(\mathbf {e}))=a\). \(\wp \) is the powerset operator and \(\mathbf {Pr}/\mathcal {R}\) is the set of equivalence classes induced by the equivalence relation \(\mathcal {R}\) over \(\mathbf {Pr}\). \(\mu :(\mathbf {Pr}\times Act\times \wp (\mathbf {Pr}))\rightarrow [0,1]\) is given by \(\forall \alpha \in Act\), \(\forall P\in \mathbf {Pr}\), \(\forall C\subseteq \mathbf {Pr}\), \(\mu (P,\alpha ,C)=\dot{\sum }\{p|P\mathop {\longrightarrow }\limits ^{\alpha [p]}Q,~Q\in C\}\).

Table 1. Operational semantics of PVCCSR

Definition 1

An equivalence relation \(\mathcal {R}\subseteq \mathbf {Pr} \times \mathbf {Pr}\) is a probabilistic bisimulation if \((P, Q)\in \mathcal {R}\) implies: \(\forall C\in \mathbf {Pr}/\mathcal {R}\), \(\forall \alpha \in Act\), \(\mu (P, \alpha , C)=\mu (Q, \alpha , C)\). P and Q are probabilistic bisimilar, written as \(P\sim Q\), if there exists a probabilistic bisimulation \(\mathcal {R}\) s.t. \(P\mathcal {R}Q\).

2.2 Network Security Model Based on PVCCSR

S is the set of network states, ranged over by \(s_{\textit{i}}\); \(A^{a}\) and \(A^{d}\) denote the sets of action values of the attacker and the defender; the state transition probability is a function \(\dot{p}:S\times A^{a}\times A^{d}\times S\rightarrow [0,1]\); each transition is weighted by the benefit of the attacker (the damage caused by the attack) and that of the defender (the time needed for recovery), formalized as a function \(\dot{r}: S\times A^{a}\times A^{d}\rightarrow \mathbb {R}_1\times \mathbb {R}_2\), where \(\mathbb {R}\) is the set of real numbers.

In our model, \(\mathcal {A}=\{Attc,\textit{Defd},Tell_a, Tell_d\}\), \(\mathbf {Label}=\mathcal {A}\cup \overline{\mathcal {A}}\cup \{\overline{Log}\}\cup \{\overline{Rec}\}\). \(\mathbf {Val}=A^a\cup A^d\cup T\), \(T \subseteq \mathbb {R}\times \mathbb {R}\). \(\mathbf {Act}=Act^a\cup Act^d\cup Act^n\), where \(Act^a\), \(Act^d\) and \(Act^n\) denote the action sets of the attacker, the defender and the network environment respectively.

$$\begin{aligned} \begin{aligned} Act^a=&\{\overline{Attc}(u)\mid u\in A^a \}\cup \{Tell_a(x)\mid x\in \mathbf {Var}\}\\ Act^d=&\{\overline{\textit{Defd}}(v)\mid v\in A^d \}\cup \{Tell_d(x)\mid x\in \mathbf {Var}\}\\ Act^n=&\{Attc(x)\mid x\in \mathbf {Var} \}\cup \{\textit{Defd}(x)\mid x\in \mathbf {Var} \}\cup \{\overline{Tell_a}(x)\mid x\in \mathbf {Var}\cup A^d \}\\&\cup \{\overline{Tell_d}(x)\mid x\in \mathbf {Var}\cup A^a \}\cup \{\overline{Log}(x,y)\mid x\in A^a\cup \mathbf {Var}, y\in A^d\cup \mathbf {Var}\}\\&\cup \{\overline{Rec}(\dot{r}(s,u,v))\mid s\in S, u\in A^a, v\in A^d\}. \end{aligned} \end{aligned}$$

\(\overline{Attc}(u)\) (or \(\overline{\textit{Defd}}(v)\)) means launching attack u (or defense v); Attc(x) (or \(\textit{Defd}(x)\)) means the attack (or defense) takes effect; \(\overline{Tell_d}(x)\) (or \(\overline{Tell_a}(x)\)) means the network environment responds to the attack (or defense); \(Tell_{ a}(x)\) (or \(Tell_{ d}(x)\)) means the attacker (or defender) monitors the network; \(\overline{Log}(x,y)\) means a log file is generated to record the attack-defense behaviours; \(\overline{Rec}(\dot{r}(s,u,v))\) means recording the benefit of the attacker and the defender resulting from this transition.

\(\textit{pA}_{i}\), \(\textit{pD}_{i}\) and \(\textit{pN}_{i}\), describing all possible behaviors of the attacker, the defender and the network environment at \(s_{\textit{i}}\) respectively, are defined as follows:

$$\begin{aligned} \textit{pA}_{i}\mathop {=}\limits ^{\textit{def}}&\underset{u\in A^a(s_{\textit{i}})}{\sum }\overline{Attc}(u).Tell_a(y).Nil,~~~~~~ \textit{pD}_{i}\mathop {=}\limits ^{\textit{def}}~Tell_d(x).\underset{v\in A^d(s_{\textit{i}})}{\sum }\overline{\textit{Defd}}(v).Nil\\ \textit{pN}_{i}\mathop {=}\limits ^{\textit{def}}&~Attc(x).\overline{Tell_d}(x).\textit{Defd}(y).\overline{Tell_a}(y). Tr_{\textit{i}}(x,y)\\ Tr_{\textit{i}}(x,y)\mathop {=}\limits ^{\textit{def}}&\underset{\begin{array}{c} u\in A^a(s_{\textit{i}})\\ v\in A^d(s_{\textit{i}}) \end{array}}{\sum }\overline{Log}(u,v).(if~(x=u,y=v)~ then\\ {}&\underset{j\in I}{\sum }[\dot{p}(s_{\textit{i}},u,v,s_{\textit{j}})] \overline{Rec}(\dot{r}(s_{\textit{i}},u,v)). (\textit{pA}_j|\textit{pD}_j|\textit{pN}_j)~else~Nil) \end{aligned}$$

The process assigned to each state \(s_{\textit{i}}\) is defined as

$$G_{\textit{i}}\mathop {=}\limits ^{\textit{def}}(\textit{pA}_i|\textit{pD}_i|\textit{pN}_i) \backslash R,~ R=\{Attc,\textit{Defd},Tell_a,Tell_d\}$$

The network state transition system is generated from the process transitions. After minimizing it via probabilistic bisimulation and shrinking it via path contraction [1], we obtain a new labeled directed graph called ConTS. The vertex set of ConTS, denoted by V, is ranged over by the processes \(G_{ i}\). The edge set, denoted by E, is ranged over by \(e_{ ij}\), present if there is a multi-transition from \(G_{ i}\) to \(G_{ j}\). Each edge is labeled by the action values transferred, the transition probability and the weight pair of this transition, denoted by \(L(e_{\textit{ij}})=(L_{\textit{Act}}(e_{\textit{ij}}), L_{\textit{TranP}}(e_{\textit{ij}}),L_{\textit{WeiP}}(e_{ ij}))\).

3 Analyzing Properties as Graph Theory Approach

3.1 NES and SOS

Definition 2

\(\forall G_{\textit{i}}\in V\), an execution of \(G_{\textit{i}}\), denoted by \(\pi _{\textit{i}}\), is a walk starting from \(G_{\textit{i}}\) and ending with a cycle, on which every vertex’s out-degree is 1. \(\pi _{\textit{i}}[j]\) denotes the subsequence of \(\pi _{\textit{i}}\) starting from \(G_{\textit{j}}\), where \(G_{\textit{j}}\) is a vertex on \(\pi _{\textit{i}}\).

Definition 3

The payoff to the attacker (or the defender) on execution \(\pi _{\textit{i}}\), denoted by \(PF^a(\pi _{\textit{i}})\) (or \(PF^d(\pi _{\textit{i}})\)), is the discounted sum of \(L^a_{\textit{WeiP}}(e)\) (or \(L^d_{\textit{WeiP}}(e)\)) over all edges e on \(\pi _{ i}\), where \(\beta \in (0,1)\) is the discount factor. The net payoff on \(\pi _{\textit{i}}\) is denoted by \(PF^{\textit{S}}(\pi _{\textit{i}})\), and \(PF^{\textit{S}}(\pi _{\textit{i}})=PF^a(\pi _{\textit{i}})+ PF^d(\pi _{\textit{i}})\).

Definition 4

\(\pi _{\textit{i}}\) is a Nash Equilibrium Execution (NEE) of \(G_{\textit{i}}\) if it satisfies:

$$\begin{aligned} PF^a(\pi _{\textit{i}})&=\underset{e_{\textit{ij}}\in E(G_{\textit{i}})}{\max }\{L_{\textit{WeiP}}^a({e_{\textit{ij}}})+ \beta \cdot L_{\textit{TranP}}(e_{\textit{ij}})\cdot PF^a(\pi _{\textit{j}})\} \\ PF^d(\pi _{\textit{i}})&=\underset{e_{\textit{ij}}\in E(G_{\textit{i}})}{\max }\{L_{\textit{WeiP}}^d({e_{\textit{ij}}})+ \beta \cdot L_{\textit{TranP}}(e_{\textit{ij}})\cdot PF^d(\pi _{\textit{j}}) \} \end{aligned}$$

where \(\pi _{\textit{j}}\) is the NEE of \(G_{\textit{j}}\). It is defined coinductively [13].

Definition 5

\(\pi _{\textit{i}}\) is a Social Optimal Execution (SOE) of \(G_{\textit{i}}\), if it satisfies:

$$PF^{\textit{S}}(\pi _{\textit{i}})=\underset{e_{\textit{ij}}\in E(G_{\textit{i}})}{\min }\{L_{\textit{WeiP}}^S({e_{\textit{ij}}})+\beta \cdot L_{\textit{TranP}}(e_{\textit{ij}})\cdot PF^S(\pi _{\textit{j}})\}$$

where \(\pi _{\textit{j}}\) is the SOE of \(G_{\textit{j}}\). It is defined coinductively.

Definition 6

Strategy is a subgraph of ConTS in which the out-degree of each vertex is 1.

Definition 7

Nash Equilibrium Strategy (NES) is a strategy in which every \(G_{\textit{i}}\)’s execution is its NEE.

Definition 8

Social Optimal Strategy (SOS) is a strategy in which every \(G_{\textit{i}}\)’s execution is its SOE.

3.2 Algorithms

Under the same framework, we propose two algorithms to compute NES and SOS respectively. In this section, we just give the outline as follows:

  (1) Abstract the ConTS into a directed acyclic graph by graph-theoretic methods, viewing each strongly connected component as one cluster. \(\textit{Leave}\) denotes a cluster with zero out-degree, and \(\textit{NonLeave}\) denotes the others;

  (2) Find the NES (or SOS) for all Leaves first. The key point of finding the NES (or SOS) for a \(\textit{Leave}\) is to find a cycle in this \(\textit{Leave}\) which is a NEE (or SOE) of every vertex on it;

  (3) Compute the NES (or SOS) for NonLeaves by backward induction. This is the same as the method in game theory used to compute the NES (or SOS) of finite dynamic games [10].
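To make Definitions 5 to 8 and the role of the discount factor concrete, the following added example (ours, not the paper's Java implementation) solves the SOE equation on a small constructed ConTS. It uses plain fixed-point iteration of the coinductive equation, which converges because \(\beta \cdot L_{\textit{TranP}} < 1\); the paper's cluster-wise cycle search and backward induction are not reproduced. Vertex names, edge labels, probabilities and weight pairs are constructed.

```python
# Added example: solve PF^S(pi_i) = min_e {L^S_WeiP(e) + beta*L_TranP(e)*PF^S(pi_j)}
# (Definition 5) by fixed-point iteration and read off the SOS (Definitions 6, 8).
# Everything below is constructed for illustration; it is not the paper's algorithm.

BETA = 0.9  # discount factor beta in (0,1)

# Constructed ConTS: vertex -> edges (target, L_Act, L_TranP, L_WeiP=(w_a, w_d)).
# G2 is a Leave cluster: its only execution is the self-loop cycle.
CONTS = {
    "G0": [("G1", ("scan", "monitor"), 0.8, (3.0, 1.0)),
           ("G2", ("scan", "patch"),   0.6, (1.0, 2.0))],
    "G1": [("G0", ("exploit", "restore"), 1.0, (5.0, 4.0)),
           ("G2", ("exploit", "block"),   0.7, (2.0, 2.0))],
    "G2": [("G2", ("idle", "idle"),       1.0, (0.0, 0.5))],
}

def net_weight(edge):
    """L^S_WeiP(e) = L^a_WeiP(e) + L^d_WeiP(e) (net damage; lower is socially better)."""
    w_a, w_d = edge[3]
    return w_a + w_d

def edge_value(edge, pf, beta=BETA):
    """Right-hand side of Definition 5 for one edge, given current PF^S of targets."""
    target, _, tran_p, _ = edge
    return net_weight(edge) + beta * tran_p * pf[target]

def sos_payoffs(conts, beta=BETA, tol=1e-9, max_iter=10000):
    """Iterate the SOE equation from PF^S = 0 until it stops changing."""
    pf = {g: 0.0 for g in conts}
    for _ in range(max_iter):
        new = {g: min(edge_value(e, pf, beta) for e in edges)
               for g, edges in conts.items()}
        if max(abs(new[g] - pf[g]) for g in pf) < tol:
            return new
        pf = new
    raise RuntimeError("SOE equation did not reach a fixed point")

def sos_strategy(conts, pf, beta=BETA):
    """SOS: the out-degree-1 subgraph keeping the minimizing edge at every vertex."""
    return {g: min(edges, key=lambda e: edge_value(e, pf, beta))
            for g, edges in conts.items()}

def satisfies_def5(conts, pf, strategy, beta=BETA, tol=1e-6):
    """Check that every vertex's kept edge reproduces its PF^S exactly (Definition 5)."""
    return all(abs(pf[g] - edge_value(e, pf, beta)) < tol for g, e in strategy.items())

if __name__ == "__main__":
    pf = sos_payoffs(CONTS)
    sos = sos_strategy(CONTS, pf)
    for g, e in sos.items():
        print(f"{g}: PF^S={pf[g]:.4f}, keep edge to {e[0]} via {e[1]}")
```

On this graph the Leave G2 has PF^S = 0.5/(1 - 0.9) = 5.0, and both NonLeave vertices keep their edge into G2; the check confirms the solution is a fixed point of the equation rather than merely the last iterate.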

4 Case Study

The details of the example can be found in [8]. It is a local network connected to the Internet (see Fig. 1). We assume the firewall is unreliable, so the attacker may steal or damage data stored in private file systems. We instantiate \(\textit{pA}_{ i}\), \(\textit{pD}_{ i}\), \(\textit{pN}_{ i}\) and \(G_{ i}\) for each \(s_{ i}\) and find three pairs of probabilistic bisimilar states. Fig. 2 shows the ConTS. We implemented the algorithms in Java on a machine with a 3.4GHz Intel(R) Core(TM) i7 and 2.99G RAM. Two NESs and one SOS are obtained, shown in Figs. 3, 4 and 5 respectively. Compared with the results obtained in [8] by the game-theoretic approach: (1) we filter out the third NES obtained in [8], which is invalid because there are no practical transitions at \(s_3\) and \(s_6\) in that NES; (2) our model is smaller than the game model in [8]. The time consumed to compute NES and SOS by our approach is shown in Table 2.

Fig. 1. Example

Fig. 2. ConTS of Example

Fig. 3. Nash Equilibrium strategy 1

Fig. 4. Nash Equilibrium strategy 2

Fig. 5. Social Optimal strategy

Table 2. Time consumed by our approach

5 Conclusion

We proposed a PVCCS-based approach for modeling and analyzing a typical network security scenario with one attacker and one defender. Extensions of this method might provide a uniform framework for various network security scenarios. We designed two algorithms for computing the Nash Equilibrium strategy and the Social Optimal strategy based on backward induction and graph-theoretic methods. The advantages of these algorithms were also discussed.