

Source: faculty.washington.edu › sm15 › pub › MURI_1.pdf

Stochastic Information Flow Tracking Games with Partial Knowledge

Shruti Misra (1), Shana Moothedath (1), Hossein Hosseini (1), Joey Allen (2), Linda Bushnell (1), Wenke Lee (2), Radha Poovendran (1)

(1) Department of Electrical and Computer Engineering, University of Washington, Seattle
(2) School of Computer Science, Georgia Institute of Technology, Atlanta

ADAPT: Actionable Defense against Advanced Persistent Threats

Motivation

- Advanced Persistent Threats (APTs) have emerged as a security threat to vital organizations such as national defense.
- Some examples of APTs are Stuxnet Worm (2010), Deep Panda (2015) and GhostNet (2009).
- Dynamic Information Flow Tracking (DIFT) is a flow tracking-based mechanism that is widely used to detect APTs.

AIM: Model a DIFT-based defense mechanism against APTs that:
- Captures the trade-off between detection accuracy and resource efficiency.
- Accounts for the rate of false negatives.

Problem Formulation

The dynamic interaction between the adversary and the defender can be modeled as a stochastic dynamic game.
- The attacker chooses a transition (a_t) to reach the destination.
- The defender decides whether to trap the flow or not (d_t).
- The probability of state transition captures the rate of false negatives.

The game formulated has the following properties:
- Stochastic
- Nonzero sum
- Incomplete and imperfect information

Payoff Functions

There exists a Nash Equilibrium (NE) for the proposed game.

The payoff functions are non-concave with respect to the player strategies.

Approach

Our approach consists of the following steps:
- Alternating Optimization
- Partial Input Convex Neural Network Architecture

Numerical Study

We test our approach on a random information flow graph and an IFG of a ScreenGrab attack obtained by the Refinable Attack Investigation System (RAIN).

[Figures: Random Graph; ScreenGrab Attack; Convergence Results; Sensitivity Analysis]

Future Work

- Characterize the convex approximation factor for the payoff functions of both players.
- Analyze the trade-off between obtaining a good convex approximation vs. the accuracy of the partial input convex neural networks.
- Investigate other learning-based approaches to solve the game.
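The attacker/defender game of the Problem Formulation section, as an added toy example that is not the poster's or the ADAPT project's code: a constructed five-node information flow graph, attacker transitions a_t given as a path, per-node trap probabilities d_t, and a false-negative rate for traps. The best-response functions, the trap cost and the detection reward are assumptions chosen for illustration, not the poster's payoff functions.

```python
"""Constructed toy of the DIFT game on a small information flow graph (IFG)."""
from itertools import product

# Constructed IFG: node -> successors. Node 0 is the entry, node 4 the target.
IFG = {0: [1, 2], 1: [3], 2: [3, 4], 3: [4], 4: []}
ENTRY, TARGET = 0, 4
FN_RATE = 0.2         # a trap misses a tainted flow with this probability
TRAP_COST = 1.0       # assumed defender resource cost per unit of trap probability
DETECT_REWARD = 10.0  # assumed defender gain when the flow is trapped before the target

def outcome(attack, defend, node=ENTRY, fn_rate=FN_RATE):
    """(P(detected), P(target reached)) from `node` under fixed strategies.
    attack[n] = {successor: prob} is the transition choice a_t; defend[n] is the
    trap probability d_t at node n. The IFG is acyclic, so the recursion ends;
    a dead end (no chosen successor) stalls the flow and yields (0, 0)."""
    if node == TARGET:
        return 0.0, 1.0
    p_det = p_reach = 0.0
    for nxt, p_move in attack.get(node, {}).items():
        catch = defend.get(nxt, 0.0) * (1.0 - fn_rate)  # trap set AND no false negative
        det_next, reach_next = outcome(attack, defend, nxt, fn_rate)
        p_det += p_move * (catch + (1.0 - catch) * det_next)
        p_reach += p_move * (1.0 - catch) * reach_next
    return p_det, p_reach

def all_paths(node=ENTRY):
    """Every entry-to-target path; each one is a pure attacker strategy."""
    if node == TARGET:
        return [[TARGET]]
    return [[node] + rest for nxt in IFG[node] for rest in all_paths(nxt)]

def path_strategy(path):
    return {a: {b: 1.0} for a, b in zip(path, path[1:])}

def best_response_attacker(defend):
    """Pure path maximising P(target reached) against the given traps."""
    return max(all_paths(), key=lambda p: outcome(path_strategy(p), defend)[1])

def best_response_defender(attack, grid=(0.0, 0.5, 1.0)):
    """Grid search over trap probabilities at non-entry nodes; returns
    (defend, payoff) with payoff = detection reward - trapping cost, i.e. the
    detection-accuracy vs resource-efficiency trade-off the defender faces."""
    nodes = [n for n in IFG if n != ENTRY]
    best = None
    for combo in product(grid, repeat=len(nodes)):
        defend = dict(zip(nodes, combo))
        payoff = DETECT_REWARD * outcome(attack, defend)[0] - TRAP_COST * sum(combo)
        if best is None or payoff > best[1]:
            best = (defend, payoff)
    return best
```

Lowering fn_rate in outcome() shows the false-negative effect directly: with a certain trap at the target and fn_rate=0 the flow is always caught, while at fn_rate=0.2 one flow in five still reaches it.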