Elsevier

Information Sciences

Volume 453, July 2018, Pages 346-363

Game theoretical security detection strategy for networked systems

https://doi.org/10.1016/j.ins.2018.04.051

Abstract

In this paper, a game theoretical analysis method is presented to provide the optimal security detection strategies for heterogeneous networked systems. A two-stage game model is first established, in which the attacker and defender are considered as two players. In the first stage, the two players decide, for each network unit, whether to execute the attack/monitoring actions or to keep silent. In the second stage, two important strategic variables, i.e. the attack intensity and the detection threshold, are cautiously determined. The necessary and sufficient conditions to ensure the existence of the Nash equilibriums for the game with complete information are rigorously analyzed. The results reflect that with limited resources and capacities, the defender (attacker) tends to perform defense (attack) actions and further allocate more defense (less attack) resources to the units with larger assets. Besides, Bayesian and robust Nash equilibrium analysis is provided for the game with incomplete information. Finally, a sampling based Nash equilibrium verification and calculation approach is proposed for the game model with continuous kernels. Thus the convexity restrictions can be relaxed and the computational complexity is effectively reduced compared with the existing recursive calculation methods. Numerical examples are given to validate our theoretical results.

Introduction

Networked systems outperform traditional systems in many respects, including improved efficiency, cooperation and flexibility [17], [34], [35]. However, the involved network devices and communication links are often vulnerable to various cyber attacks, such as Denial of Service (DoS), computer viruses and botnets. When the damaging effects of an attack on a single unit spread to the entire network, more severe system performance deterioration or even catastrophic events may be caused.

In the confrontation between an attacker and a defender, the two can be regarded as rational players who try to maximize their own payoffs by executing certain optimal strategies. This fact motivates us to investigate the security detection problem for networked systems based on a game theoretical method in this paper. Note that available resources are always limited for both the attacker and the defender. Moreover, networked systems are normally heterogeneous with respect to their security assets. Therefore, the two players should first determine which units deserve to be allocated attack and defense resources. Once these decisions are made, the optimal attack intensity and detection threshold need to be chosen cautiously in the second stage, as these two parameters are closely related to the players' security payoffs. In general, a higher threshold results in a lower false alarm rate but a higher missing alarm rate.

Based on the above discussion, a two-stage game model is established for networked systems to describe the confrontation between an attacker and a defender, where the attack intensity and the detection threshold are selected as two strategic variables. We first consider the game with complete information. Both sufficient and necessary conditions for the existence of the Nash equilibrium are provided. The results reflect that, due to the limited resources and capacities, the defender (attacker) tends to perform defense (attack) actions and further allocate more defense (less attack) resources to the units with larger assets. Since the attacker and defender may sometimes acquire only a vague knowledge of certain parameters of their opponents, the game with incomplete information is also investigated, with Bayesian and robust Nash equilibrium analysis given. Besides, to efficiently calculate the Nash equilibrium for a game with utility functions expressed by continuous kernels, a novel sampling based method is proposed. Through uniform sampling, the feasible region is divided into a number of small grids. The existence of the Nash equilibrium can then be verified by checking whether there are two points sufficiently close to each other. On the other hand, an approximate Nash equilibrium point can be obtained when the sizes of the grids are sufficiently small. Compared with [6], [9], [12], [18], the proposed calculation method not only relaxes the convexity conditions on the utility functions, but also effectively reduces the computational complexity by avoiding solving complicated optimization problems in a recursive manner. The presented method is an effective tool for the intelligent security detection of large scale networked systems. For example, it can be adopted to solve the defense resource allocation problem or to determine the best detection threshold. Furthermore, it can be utilized to handle different types of attacks, such as Distributed DoS (DDoS), DNS poisoning attacks and false data injection attacks.

A number of results on game theory based intrusion detection have been reported for different network environments. In [3], [8], [13], [16], [20], [25], [31], [33], [37], the false and missing alarm rates are assumed to be known constants. In [3], some general intrusion detection problems are modeled as two-player non-cooperative strategic games and the Nash equilibriums are discussed explicitly. In [8], a game theoretical intrusion detection problem for heterogeneous networks is investigated. Inspired by [8], a mixed-strategy game theoretical analysis for the detection of data confidentiality attacks on smart-grid AMI is presented in [13]. Note that in [3], [8], [13], it is assumed that the defenders can always identify the malicious behaviors of the attackers. Clearly, such an assumption can hardly be satisfied in many cases. For example, malicious nodes in mobile ad hoc networks often disguise themselves as regular ones, which can easily confuse the defenders. To handle this issue, Bayesian games are utilized in intrusion detection by updating the defender's belief about her/his opponent based on past behaviors [11], [20]. In [26], a zero-sum stochastic game is formulated for a class of networks with linearly dependent nodes. In [27], a fictitious stochastic game with imperfect observations is presented, and the convergence property of the game is explored. In [45], a multi-person stochastic game is investigated for networks whose states are driven by a probability transition. For self-organizing ad hoc networks, some strategic games are presented to stimulate the cooperation among distinct regular nodes, based on which the hidden malicious nodes can be detected [4], [15], [23], [38], [39], [43]. In [46], a two-player Stackelberg stochastic game is analyzed for achieving the best response against the intrusion. In [44], a game theoretical method is proposed to solve the defense resource allocation problem among the detection nodes. In [36], a class of two-person zero-sum games, with the transmitter and jammer as the players, is established for security problems of flat-fading subchannels. In [10], a linearly constrained bimatrix zero-sum game is proposed to analyze the confrontation between the transmitter and jammer with imperfect information. In [32], [40], game theoretical analysis is presented with jamming defense issues well handled. Game theoretical methods have also been explored for intrusion detection in industrial applications, including networked control systems [2] and power networks [22]. Excellent surveys on this topic can be found in [19], [21], [24], [29].

The problem considered in this paper is different from the aforementioned results. Though attack intensity and detection threshold are two important factors affecting the payoffs of attackers and defenders in the game, they have seldom been considered in the literature. Motivated by this, the two parameters are treated as two important strategies for the players in our game model. Besides, a two-stage game model is established by synthesizing the strategies of resource allocation and parameter setting, which makes the analysis more complicated compared with existing single-stage models.

Furthermore, there are some results on the reliability of networked systems from the perspective of fault detection and diagnosis [5], [14], [30], [41]. Though that problem looks similar to the anomaly detection in this paper, the two are essentially different in the following aspects. Firstly, fault detection and diagnosis normally adopt analytical models or related data of the system dynamics to generate detection decisions, while intrusion detection generally uses the network traffic or other communication information to detect the attacks. Secondly, in contrast to the traditional anomaly detection framework as presented in [5], [14], [30], [41], our game theoretical detection method generates the decisions by considering the interactions between the attacker and defender.

The contributions of this paper can be summarized as follows.

  • (1) A more realistic two-stage game model is presented for the security confrontation that may occur on networked systems. In contrast to traditional intrusion detection methods, the false and missing alarm rates are not assumed to be constants. Moreover, the attack intensity and the detection threshold are considered as two key strategic variables.

  • (2) The existence and calculation of Nash equilibriums are discussed for the games with complete and incomplete information. Besides, optimal selections of attack intensity and detection threshold for achieving the maximum payoffs of the attackers and defenders are analyzed.

  • (3) A general sampling-based Nash equilibrium verification and calculation method is proposed for the games with continuous kernels, which relaxes the convexity restrictions and effectively reduces the computational complexity compared with the existing recursive calculation methods.

The rest of this paper is organized as follows. In Section 2, some definitions are introduced and a two-stage game model is established. In Section 3, the existence and calculation of the Nash equilibrium for the presented game model are analyzed. In Section 4, a sampling based Nash equilibrium verification and calculation method is proposed for the game with continuous kernels. Simulation results are provided in Section 5 to show the effectiveness of our game theoretical analysis methods, and the paper is concluded in Section 6.

A two-stage game model

Networked system structures are commonly encountered in a variety of systems, including networked control systems, wireless sensor arrays and intelligent transportation systems. Note that current networked systems are normally heterogeneous with respect to their security assets. For example, the distributed cache servers of the Domain Name System (DNS) are normally assigned different amounts of network traffic, with the more important servers often assigned more traffic. We consider a

Nash equilibrium analysis

This section will focus on the Nash equilibrium analysis for the concerned game model established in the above section. The games with complete and incomplete information will be considered sequentially. For the latter case, Bayesian and robust Nash equilibriums are analyzed according to different types of a priori knowledge of parametric uncertainties.

A sampling based Nash equilibrium verification and calculation method

In this section, a sampling based NE verification and calculation method is proposed for the games with general continuous kernels, as described in (7) and (8). Denote two functions $L_A(y)$ and $L_D(x)$ by
$$L_A(y) = \arg\max_{x} U_A(a^*, b^*, x, y), \qquad L_D(x) = \arg\max_{y} U_D(a^*, b^*, x, y).$$
Then the NE $x^*$ and $y^*$ are either the intersection of the two curves $(L_A(y), y)$ and $(x, L_D(x))$, or the fixed points of the two composite operators $L_A \circ L_D$ and $L_D \circ L_A$, i.e. $x^* = L_A(L_D(x^*))$ and $y^* = L_D(L_A(y^*))$. A sampling based method is explored to find the intersection of two

A numerical example

Distributed denial of service (DDoS) is one of the most important attacks that may happen to networked systems. It degrades the quality of network services by injecting massive numbers of meaningless packets. For example, the Domain Name System (DNS) adopts a distributed access query architecture, but it can be easily compromised by a DDoS attack, especially when Domain Name System Security Extensions (DNSSEC) are deployed. In order to defend against the damage from the DDoS attack, some kinds of statistical based

Conclusion

In this paper, we present a game theoretical analysis method to provide the optimal security detection strategy for heterogeneous networked systems. A more realistic game model is firstly established by considering the attack intensity and detection threshold as two strategies for the players. The necessary and sufficient conditions for the existence of the Nash equilibriums are then provided. A practical sampling-based method is finally proposed to calculate the Nash equilibriums, which can

Acknowledgment

This work was partly supported by the National Natural Science Foundation of China under Grant No. 61503088, 61673035, and the National Key Research and Development Program of China under grant no. 2017YFC0602000.

References (46)

  • A. Bradai et al.

    Game theoretic framework for reputation-based distributed intrusion detection

    Proceedings of the International Conference on Social Computing (SocialCom)

    (2013)
  • B. Balasubramanian et al.

    Fault tolerance in distributed systems using fused data structures

    IEEE Trans. Parallel Distrib. Syst.

    (2013)
  • T. Basar et al.

    Dynamic Non-Cooperative Game Theory

    (1999)
  • L. Chen et al.

    A game theoretical framework on intrusion detection in heterogeneous networks

    IEEE Trans. Inf. Forensics Secur.

    (2009)
  • D. Fudenberg et al.

    Game Theory

    (1991)
  • K. Firouzbakht et al.

    Linearly constrained bimatrix games in wireless communications

    IEEE Trans. Commun.

    (2016)
  • A. Garnaev et al.

    Anti-jamming strategy versus a low-power jamming attack when intelligence of adversary’s attack type is unknown

    IEEE Trans. Signal Inf. Process. Netw.

    (2016)
  • A. von Heusinger et al.

    Newton's method for computing a normalized equilibrium in the generalized Nash game through fixed point formulation

    Math. Progr.

    (2010)
  • Z. Ismail et al.

    A game theoretical analysis of data confidentiality attacks on smart-grid AMI

    IEEE J. Sel. Areas Commun.

    (2014)
  • C. Keliris et al.

    A distributed fault detection filtering approach for a class of interconnected continuous-time nonlinear systems

    IEEE Trans. Autom. Control

    (2013)
  • F. Li et al.

    Attack and flee: game-theory-based analysis on interactions among nodes in MANETs

    IEEE Trans. Syst. Man Cybern. Part B Cybern.

    (2010)
  • J. Lian et al.

    Passivity of switched recurrent neural networks with time-varying delays

    IEEE J. Neural Netw. Learn. Syst.

    (2015)
  • X. Liang et al.

    Game theory for network security

    IEEE Commun. Surv. Tutor.

    (2013)