Abstract
Cyber-criminals can distribute malware to control computers on a networked system and leverage these compromised computers to perform their malicious activities inside the network. Botnet-detection mechanisms, based on a detailed analysis of network traffic characteristics, provide a basis for defense against botnet attacks. We formulate the botnet defense problem as a zero-sum Stackelberg security game, allocating detection resources to deter botnet attacks taking into account the strategic response of cyber-criminals. We model two different botnet data-exfiltration scenarios, representing exfiltration on single or multiple paths. Based on the game model, we propose algorithms to compute an optimal detection resource allocation strategy with respect to these formulations. Our algorithms employ the double-oracle method to deal with the exponential action spaces for attacker and defender. Furthermore, we provide greedy heuristics to approximately compute an equilibrium of these botnet defense games. Finally, we conduct experiments based on both synthetic and real-world network topologies to demonstrate advantages of our game-theoretic solution compared to previously proposed defense policies.
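To make the double-oracle idea concrete, here is an added, deliberately small illustration that is not the paper's own code: a constructed six-edge network in which a compromised host exfiltrates along a single path while the defender randomizes k edge detectors, with a binary detected/not-detected payoff. The restricted game is solved here by fictitious play instead of a linear program, and both best-response oracles simply enumerate the full strategy spaces; these are simplifying assumptions, not the paper's method.

```python
from itertools import combinations
# Constructed toy network (an assumption, not the paper's data): compromised host "h"
# exfiltrates to the outside "x" along one path; the defender places k edge detectors.
EDGES = [("h", "a"), ("h", "b"), ("a", "c"), ("b", "c"), ("c", "x"), ("a", "x")]

def simple_paths(src, dst, seen=()):
    """All simple src->dst paths as tuples of edges: the attacker's pure strategies."""
    if src == dst:
        return [()]
    out = []
    for u, v in EDGES:
        if u == src and v not in seen:
            out += [((u, v),) + rest for rest in simple_paths(v, dst, seen + (src,))]
    return out

def payoff(placement, path):
    """Attacker utility: 1 if the path avoids every detector, 0 if detected (zero-sum)."""
    return 0.0 if any(e in placement for e in path) else 1.0

def solve_restricted(D, P, rounds=4000):
    """Fictitious play on the restricted game: (attacker value, mix over D, mix over P)."""
    cd, cp = [0] * len(D), [0] * len(P)
    cd[0] = cp[0] = 1
    for _ in range(rounds):  # each side best-responds to the other's empirical mix
        j = max(range(len(P)), key=lambda j: sum(cd[i] * payoff(D[i], P[j]) for i in range(len(D))))
        i = min(range(len(D)), key=lambda i: sum(cp[j] * payoff(D[i], P[j]) for j in range(len(P))))
        cp[j] += 1; cd[i] += 1
    x = [c / sum(cd) for c in cd]
    y = [c / sum(cp) for c in cp]
    value = sum(x[i] * y[j] * payoff(D[i], P[j]) for i in range(len(D)) for j in range(len(P)))
    return value, x, y

def double_oracle(k, eps=0.05):
    """Double oracle: add each side's best response to the other's mix until neither gains > eps."""
    all_place = [set(c) for c in combinations(EDGES, k)]
    all_paths = simple_paths("h", "x")
    D, P = [all_place[0]], [all_paths[0]]
    while True:
        value, x, y = solve_restricted(D, P)
        # attacker oracle: best path against the defender's current mix over D
        att = {p: sum(x[i] * payoff(D[i], p) for i in range(len(D))) for p in all_paths}
        best_p = max(all_paths, key=att.get)
        # defender oracle: best placement against the attacker's current mix over P
        dfd = [sum(y[j] * payoff(d, P[j]) for j in range(len(P))) for d in all_place]
        best_d = all_place[dfd.index(min(dfd))]
        new_p = best_p not in P and att[best_p] > value + eps
        new_d = best_d not in D and min(dfd) < value - eps
        if not (new_p or new_d):
            return value, D, x, P, y
        if new_p: P.append(best_p)
        if new_d: D.append(best_d)
```

With one detector the toy network has two edge-disjoint exfiltration routes, so the best the defender can do is hold the attacker's success probability to about one half; with two detectors the cut at the host is covered deterministically and the value drops to zero.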
Acknowledgment
This work was supported in part by MURI grant W911NF-13-1-0421 from the US Army Research Office.
Copyright information
© 2017 Springer International Publishing AG
Nguyen, T., Wellman, M.P., Singh, S. (2017). A Stackelberg Game Model for Botnet Data Exfiltration. In: Rass, S., An, B., Kiekintveld, C., Fang, F., Schauer, S. (eds) Decision and Game Theory for Security. GameSec 2017. Lecture Notes in Computer Science(), vol 10575. Springer, Cham. https://doi.org/10.1007/978-3-319-68711-7_9
DOI: https://doi.org/10.1007/978-3-319-68711-7_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68710-0
Online ISBN: 978-3-319-68711-7