Publication


Featured research published by Sandra König.


PLOS ONE | 2017

Defending Against Advanced Persistent Threats Using Game-Theory

Stefan Rass; Sandra König; Stefan Schauer

Advanced persistent threats (APT) combine a variety of different attack forms ranging from social engineering to technical exploits. The diversity and usual stealthiness of APT turns them into a central problem of contemporary practical system security, since information on attacks, the current system status or the attacker’s incentives is often vague, uncertain and in many cases even unavailable. Game theory is a natural approach to model the conflict between the attacker and the defender, and this work investigates a generalized class of matrix games as a risk mitigation tool for an advanced persistent threat (APT) defense. Unlike standard game and decision theory, our model is tailored to capture and handle the full uncertainty that is immanent to APTs, such as disagreement among qualitative expert risk assessments, unknown adversarial incentives and uncertainty about the current system state (in terms of how deeply the attacker may have penetrated into the system’s protective shells already). Practically, game-theoretic APT models can be derived straightforwardly from topological vulnerability analysis, together with risk assessments as they are done in common risk management standards like the ISO 31000 family. Theoretically, these models come with different properties than classical game theoretic models, whose technical solution presented in this work may be of independent interest.


Decision and Game Theory for Security | 2015

Uncertainty in Games: Using Probability-Distributions as Payoffs

Stefan Rass; Sandra König; Stefan Schauer

Many decision problems ask for optimal behaviour in (often competitive) situations, where optimality is understood as maximal revenue. The axiomatic approach of von Neumann and Morgenstern establishes the existence of suitable revenue functions, assuming an ordered revenue space. A prominent materialization of this is game theory, where utility functions map actions of several players onto comparable payoffs, typically real numbers. Inspired by an application of that theory to risk management in utility networks, we observed that the usual game-theoretic models are inapplicable due to intrinsic randomness of the effects that an action has. This uncertainty comes from physical and environmental factors that affect the game-play outside of any player's influence. To tackle such scenarios, we introduce games in which the payoffs are entire probability distributions (rather than numbers). Towards a sound decision theory, we define a total ordering on a restricted subset of probability distribution functions, and demonstrate how optimal decisions and even basic game theory can be (re)established over abstract revenue spaces of probability distributions. Our results belong to the category of risk control, and are applicable to contemporary security risk management, where decisions must be made under uncertainty and the effects of management actions are almost never deterministic.


PLOS ONE | 2016

Decisions with Uncertain Consequences—A Total Ordering on Loss-Distributions

Stefan Rass; Sandra König; Stefan Schauer

Decisions are often based on imprecise, uncertain or vague information. Likewise, the consequences of an action are often equally unpredictable, thus putting the decision maker into a twofold jeopardy. Assuming that the effects of an action can be modeled by a random variable, then the decision problem boils down to comparing different effects (random variables) by comparing their distribution functions. Although the full space of probability distributions cannot be ordered, a properly restricted subset of distributions can be totally ordered in a practically meaningful way. We call these loss-distributions, since they provide a substitute for the concept of loss-functions in decision theory. This article introduces the theory behind the necessary restrictions and the hereby constructible total ordering on random loss variables, which enables decisions under uncertainty of consequences. Using data obtained from simulations, we demonstrate the practical applicability of our approach.


Decision and Game Theory for Security | 2017

On the Cost of Game Playing: How to Control the Expenses in Mixed Strategies

Stefan Rass; Sandra König; Stefan Schauer

Game theory typically assumes rational behavior of the players when looking for optimal solutions. Still, in case of a mixed equilibrium, it allows players to choose any strategy from the mix in each repetition of the game as long as the optimal frequencies are met in the long run. Which strategy is chosen in a specific round may not be purely random but also depend on what strategy has just been played.


Nordic Conference on Secure IT Systems | 2016

A Stochastic Framework for Prediction of Malware Spreading in Heterogeneous Networks

Sandra König; Stefan Schauer; Stefan Rass

The infection of ICT systems with malware has become an increasing threat in the past years. In most cases, large-scale cyber-attacks are initiated by the establishment of a botnet, by infecting a large number of computers with malware to launch the actual attacks subsequently with help of the infected victim machines (e.g., a distributed denial-of-service or similar). To prevent such an infection, several methodologies and technical solutions like firewalls, malware scanners or intrusion detection systems are usually applied. Nevertheless, malware becomes more sophisticated and is often able to surpass these preventive actions. Hence, it is more relevant for ICT risk managers to assess the spreading of a malware infection within an organization’s network. In this paper, we present a novel framework based on stochastic models from the field of disease spreading to describe the propagation of malware within a network, with an explicit account for different infection routes (phishing emails, network shares, etc.). This approach allows the user not only to estimate the number of infected nodes in the network but also provides a simple criterion to check whether an infection may grow into an epidemic. Unlike many other techniques, our framework is not limited to a particular communication technology, but can unify different types of infection channels (e.g., physical, logical and social links) within the same model. We will use three simple examples to illustrate the functionalities of the framework.


International Journal of Advanced Computer Science and Applications | 2016

Risk Propagation Analysis and Visualization using Percolation Theory

Sandra König; Stefan Rass; Stefan Schauer; Alexander Beck

This article presents a percolation-based approach for the analysis of risk propagation, using malware spreading as a showcase example. Conventional risk management is often driven by human (subjective) assessment of how one risk influences the other, respectively, how security incidents can affect subsequent problems in interconnected (sub)systems of an infrastructure. Using percolation theory, a well-established methodology in the fields of epidemiology and disease spreading, a simple simulation-based method is described to assess risk propagation systematically. This simulation is formally analyzed using percolation theory, to obtain closed form criteria that help predicting a pandemic incident propagation (or a propagation with average-case bounded implications). The method is designed as a security decision support tool, e.g., to be used in security operation centers. For that matter, a flexible visualization technique is devised, which is naturally induced by the percolation model and the simulation algorithm that derives from it. The main output of the model is a graphical visualization of the infrastructure (physical or logical topology). This representation uses color codes to indicate the likelihood of problems to arise from a security incident that initially occurs at a given point in the system. Large likelihoods for problems thus indicate “hotspots”, where additional action should be taken.


Entropy | 2018

Password Security as a Game of Entropies

Stefan Rass; Sandra König

We consider a formal model of password security, in which two actors engage in a competition of optimal password choice against potential attacks. The proposed model is a multi-objective two-person game. Player 1 seeks an optimal password choice policy, optimizing matters of memorability of the password (measured by Shannon entropy), opposed to the difficulty for player 2 of guessing it (measured by min-entropy), and the cognitive efforts of player 1 tied to changing the password (measured by relative entropy, i.e., Kullback–Leibler divergence). The model and contribution are thus twofold: (i) it applies multi-objective game theory to the password security problem; and (ii) it introduces different concepts of entropy to measure the quality of a password choice process under different angles (and not a given password itself, since this cannot be quality-assessed in terms of entropy). We illustrate our approach with an example from everyday life, namely we analyze the password choices of employees.


Archive | 2018

Protecting Water Utility Networks from Advanced Persistent Threats: A Case Study

Antonios Gouglidis; Sandra König; Benjamin Green; Karl Rossegger; David Hutchison

The sovereignty and wellbeing of nations is highly dependent on the continuous and uninterrupted operation of critical infrastructures. Thus, the protection of utilities that provision critical services (e.g., water, electricity, telecommunications) is of vital importance given the severity imposed by any failure of these services. Recent security incidents in the context of critical infrastructures indicate that threats in such environments appear to be increasing both in frequency and intensity. The complexity of typical critical infrastructures is among the factors that make these environments vulnerable to threats. One of the most problematic types of threat is an advanced persistent threat (an APT). This usually refers to a sophisticated, targeted, and costly attack that employs multiple attack vectors to gain access to the target system, then to operate in stealth mode when penetration is achieved, and to exfiltrate data or cause failures inside the system. In this chapter, we demonstrate how a set of processes developed in the context of HyRiM's risk management framework can assist in minimizing the damage caused to a utility organization that is subjected to an APT style of attack. Specifically, the framework is demonstrated using data from a real-world water utility network and an industrial control system (ICS) testbed, and in which optimal defensive strategies are investigated.


International Journal of Advanced Computer Science and Applications | 2011

On the transmission capacity of quantum networks

Sandra König; Stefan Rass

We provide various results about the transmission capacity of quantum networks. Our primary focus is on algorithmic methods to efficiently compute upper-bounds to the traffic that the network can handle at most, and to compute lower-bounds on the likelihood that a customer has to wait for service due to network congestion. This establishes analogous assertions as derived from Erlang B or Erlang C models for standard telecommunications. Our proposed methods, while specifically designed for quantum networks, do neither hinge on a particular quantum key distribution technology nor on any particular routing scheme. We demonstrate the feasibility of our approach using a worked example. Moreover, we explicitly consider two different architectures for quantum key management, one of which employs individual key-buffers for each relay connection, the other using a shared key-buffer for every transmission. We devise specific methods for analyzing the network performance depending on the chosen key-buffer architecture, and our experiments led to quite different results for the two variants.


Availability, Reliability and Security | 2018

A Simulation Tool for Cascading Effects in Interdependent Critical Infrastructures

Thomas Grafenauer; Sandra König; Stefan Rass; Stefan Schauer

Critical infrastructures are a core part in modern society, supplying essential goods and services for our everyday life. Therefore, any incident compromising the operation of a critical infrastructure can directly affect the social life. Moreover, due to the increasing interconnections between critical infrastructures, any incident can have cascading effects on other infrastructures as well. In this article, we present a novel simulation framework which allows to model the interdependencies and thus also the cascading effects among critical infrastructures. This framework builds upon stochastic processes describing, on the one hand, the relations between the critical infrastructures and, on the other hand, the random and sometimes arbitrary propagation of the consequences. This existing framework is extended and implemented in OMNeT++, which allows an easy and swift implementation of the mathematical algorithms and also provides a built-in visualization of the propagation of consequences within the critical infrastructure network. The goal is to support risk and security officers within the critical infrastructure in their decisions.

Collaboration


Dive into Sandra König's collaborations.

Top Co-Authors

Stefan Schauer

Austrian Institute of Technology
