Game-Theory-Based Active Defense for Intrusion Detection in Cyber-Physical Embedded Systems

KUN WANG and MIAO DU, Nanjing University of Posts and Telecommunications
DEJUN YANG, Colorado School of Mines
CHUNSHENG ZHU, University of British Columbia
JIAN SHEN, Nanjing University of Information Science and Technology
YAN ZHANG, Simula Research Laboratory & University of Oslo

Cyber-Physical Embedded Systems (CPESs) are distributed embedded systems integrated with various actuators and sensors. When it comes to the issue of CPES security, the most significant problem is the security of Embedded Sensor Networks (ESNs). With the continuous growth of ESNs, the security of transferring data from sensors to their destinations has become an important research area. Due to the limitations in power, storage, and processing capabilities, existing security mechanisms for wired or wireless networks cannot apply directly to ESNs. Meanwhile, ESNs are likely to be attacked by different kinds of attacks in industrial scenarios. Therefore, there is a need to develop new techniques or modify the current security mechanisms to overcome these problems. In this article, we focus on Intrusion Detection (ID) techniques and propose a new attack-defense game model to detect malicious nodes using a repeated game approach. As a direct consequence of the game model, attackers and defenders make different strategies to achieve optimal payoffs. Importantly, error detection and missing detection are taken into consideration in Intrusion Detection Systems (IDSs), where a game tree model is introduced to solve this problem. In addition, we analyze and prove the existence of pure Nash equilibrium and mixed Nash equilibrium. Simulations show that the proposed model can both reduce energy consumption by up to 50% compared with the existing All Monitor (AM) model and improve the detection rate by up to 10% to 15% compared with the existing Cluster Head (CH) monitor model.

CCS Concepts: • Networks → Embedded sensor network; Attack-defense game model; • General and reference → Design

Additional Key Words and Phrases: Cyber-physical embedded systems, embedded sensor network, game theory, intrusion detection, optimal active defense, network security

ACM Reference Format:
Kun Wang, Miao Du, Dejun Yang, Chunsheng Zhu, Jian Shen, and Yan Zhang. 2016. Game theory-based active defense for intrusion detection in cyber-physical embedded systems. ACM Trans. Embed. Comput. Syst. 16, 1, Article 18 (October 2016), 21 pages.
DOI: http://dx.doi.org/10.1145/2886100

Authors' addresses: K. Wang and M. Du, Key Lab of Broadband Wireless Communication and Sensor Network Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China; emails: [email protected], [email protected]; D. Yang, Department of Electrical Engineering and Computer Science, Colorado School of Mines, Denver 80401 USA; email: [email protected]; C. Zhu, Department of Electrical and Computer Engineering, The University of British Columbia, Vancouver, BC V6T 1Z4 Canada; email: [email protected]; J. Shen, School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044, China; email: [email protected]; Y. Zhang, University of Oslo, 1325, Norway and Simula Research Laboratory, Norway; email: [email protected].
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or [email protected].
© 2016 ACM 1539-9087/2016/10-ART18 $15.00
DOI: http://dx.doi.org/10.1145/2886100

ACM Transactions on Embedded Computing Systems, Vol. 16, No. 1, Article 18, Publication date: October 2016.


1. INTRODUCTION

Cyber-Physical Embedded Systems (CPESs) are rapidly becoming a major computing paradigm for applications in environmental monitoring, infrastructure management, energy saving and innovation, healthcare, intelligent traffic management, and homeland security [Zhao et al. 2003; Lee 2008]. This is because not only are sensing and electronic devices becoming extremely cheap and small in size but also they have the potential to provide excellent data acquisition and decision-making capabilities. In addition, CPESs are expected to provide better robustness, including responses to unexpected conditions as well as critical situations [Lee 2008; Wang and Wu 2010].

Embedded Sensor Networks (ESNs) are important in CPESs, which are becoming ubiquitous and are increasingly interconnected or networked, making them more vulnerable to security attacks. A large class of these systems, such as Supervisory Control and Data Acquisition (SCADA) [Germano et al. 2015] and the Process Control System (PCS) [Kyoung et al. 2014], have real-time and safety constraints. Therefore, in addition to satisfying these requirements, achieving system security emerges as a critical challenge to ensure that users can trust these embedded systems to perform correct operations. One objective in a secure system is to identify attacks by detecting anomalous system behaviors.

Security is an active field in many aspects of computing. Security mechanisms address computing services, such as user access authentication and intrusion detection and prevention [Kansal et al. 2007; Jonathan et al. 2010], as well as strategies against other forms of attacks (e.g., denial of service) and data protection in storage, in emails, or to provide secure transactions.

1.1. Application and Security of ESNs

As computer systems are embedded in more devices and their applications become more complex, they are becoming more vulnerable to attacks. Many of these systems are wireless devices, making them more susceptible to interference and attacks. Of particular interest is to integrate an intrusion detection capability in a PCS [Jen et al. 2013; Jian et al. 2015] and SCADA [Kirsch et al. 2014], which is the supervisory control software serving as an interface to the controlled hardware. In addition, intrusion detection is required in a sensor network's base station, which is assumed to be the source of all legal messages and hence must not be compromised if protocols for detecting denial-of-message attacks [Khanna et al. 2012] are to work properly.

One practical security defense technology of relevance to critical ESN applications is intrusion detection. Even though they are susceptible to many forms of intrusion, ESNs cannot afford to monitor and analyze network traffic for abnormalities at all concentration points. This difficulty stems mainly from the inherently limited bandwidth and energy constraints of sensor nodes. In particular, the deep packet inspection techniques typically deployed in conventional networks would take up too many resources for ESNs. Instead, a practical ID solution for ESNs should attempt to detect abnormal or malicious activities in the network by means of single or multiple collaborating sensor nodes. Generally, this type of collaborative approach should be conducive to reliable coverage and efficiency in terms of energy, communication, and memory requirements [Jun et al. 2015; Hua et al. 2016], thus highlighting the importance of optimal resource allocation to provide an extensible approach to security in CPESs.

1.2. Motivation to Use ESNs in Intrusion Detection

The current technologies that integrate computations and interactions with the physical world are typically derived from the fields of Embedded Systems and Real-Time Systems. However, security measures have typically concentrated on physical access restrictions and software measures to disable a device if attempts to tamper with it are suspected. Recent developments have changed this focus. On the one side, embedded architectures provide a wider range of processing power [Dong and Xiang 2014], which allows more complex security responses, especially for high-end embedded systems. On the other side, new application areas in embedded systems need secure communication.

ESNs are networks of embedded computers placed in the physical world that interact with the environment. These embedded computers, or sensor nodes, are often physically small and relatively inexpensive computers, each of which has some set of sensors or actuators. Sensor nodes are networked, allowing them to communicate and cooperate with each other to monitor the environment and effect changes to it. Besides, ESNs can use Dynamic Power Management (DPM) [Weissel and Bellosa 2002] to guarantee the working time of the nodes and greatly reduce the energy consumption in intrusion detection (ID). Many research works target solving the problem of extending the network lifetime. The network lifetime is defined as the time of the first node failure due to the exhaustion of energy. The number of data transmissions significantly affects the energy efficiency of ESNs, especially for broadcasting data to the entire ESN [Qing et al. 2015].

1.3. Motivation to Use Game Theory in Intrusion Detection

With the increasing development of network technology, network security issues are receiving more and more attention. The Intrusion Detection System (IDS) is the firewall for data encryption and other traditional security measures that protect the security of the new generation of technology. However, because intrusions and the scale of the network are both constantly expanding, IDSs based on traditional pattern matching are no longer adequate. A game-theory-based intrusion detection system can effectively solve this problem; it is the third-generation intrusion detection pattern matching technology that can meet the needs of the new IDSs.

Most of the existing IDSs have used central data analysis engines [Babar et al. 2013] or per-host data collection and analysis components [Ping et al. 2014]. Even systems designed using software agents [Parikh and suhan 2008; Nadeem and Howarth 2013] have in practice implemented agents as separate processes. All of these methods are subject to the following problems:

—They continuously use additional resources in the system they are monitoring, even without any intrusions occurring.

—As the components of the intrusion detection system are put into effect as separate processes, they are subject to tampering. An intruder can potentially disable or modify the programs running on a system, so that the intrusion detection system becomes useless or unreliable.

Instead of depending mainly on heuristic solutions, there have been increasing interests and efforts devoted recently to analytical methods for researching security problems, especially to unleash the theoretical performance behaviors and expected requirements to design practical systems. Game theory is used to establish a mathematical model to capture behavior in strategic situations [Ikram et al. 2014]. After the intrusion detection system detects an attack, it will respond to minimize the loss of the system. For single-stage attacks, the process of finding the defenders' best responsive action to a detected attack and maximizing payoffs is a majorization problem. However, since attackers usually launch multistage attacks in reality and the defenders do not know the attackers' full strategies when making decisions to minimize the loss, the problem becomes finding the best strategy using game theory.

The second reason for using a game model is that it is more accurate in analyzing the attacker's and the defender's payoffs, which can intuitively explain a series of problems brought by the network intrusion. Furthermore, due to the rigor and accuracy of game theory, we can get an optimal choice compared with other methods, as long as the right game model is established. We can analyze the Nash equilibrium through the process of the game and get the optimal strategy of the game, which is what other intrusion detection systems cannot achieve.

Fig. 1. ESNs' intrusion detection architecture in CPESs.

Finally, the process of the game involves both sides, not one side unilaterally. This is another big advantage of game theory. We can use the payoffs of both the offensive and the defensive side to judge whether the invasion (or defense) is successful or not.

Problem Statement: Figure 1 is ESNs' intrusion detection architecture in CPSs. In this figure, devices with computational capability in the cyber world utilize gathered data to finish computation about the physical objects and then provide results to other devices. CPS has better reliability, the core of which is the security of ESNs. There are many malicious node attacks on the defense system in ESNs, which interfere with the normal nodes' work and further affect the entire network environment. There are three types of attack methods: purely distributed, purely centralized, and distributed-centralized. We focus on the following types of intrusion attacks: eavesdropping attacks, DoS attacks, and black hole attacks. The defense system needs to make different responses to different attack methods to ensure that the system is in a normal condition. We introduce the tool of game theory to set an attack-defense game model, aiming at finding out the best strategy of the attackers and defenders through repeated games.

1.4. Contribution and Organization of the Article

The main contributions of this work can be summarized as follows:

—A repeated game model is considered to solve the IDS problem in ESNs, and a mixed strategy is analyzed to achieve a dynamic equilibrium between attackers and defenders.


—A game model is employed to stimulate both offensive and defensive strategies in order to reduce energy consumption and improve the detection rate. Meanwhile, a game tree model is introduced to solve the error detection and missing detection.

The rest of the article is organized as follows. In Section 2, we give the related literature from three aspects. The detailed operations of game theory and model analysis are presented in Section 3. In Section 4, we design the game tree model to solve the problem of error detection and missing detection. Section 5 provides simulation results to validate the performance of the proposed model. Finally, we draw the main conclusions in Section 6.

2. RELATED WORK

In this section, we present the existing literature on cyber-physical systems, embedded sensor networks, intrusion detection, and game theory. Then the novelty of our work is concluded.

2.1. Intrusion Detection in ESNs

Sensor networks have the potential to change not only the way we use, interact with, and view computers but also the way we use, interact with, and view the world around us. Recent advances in embedded system and wireless technologies have enabled the integration of sensors and communication devices and made a rich design space of networked sensors viable. Embedded system technologies have realized form-factor, low-power, and reliable sensing devices [Liqun and Bergmann 2012; Wang et al. 2014]. On the other hand, large-scale sensor networks become practical with the growing popularity of wireless technologies in ad hoc [Wang and Yu 2013] and multihop networks [Hairong et al. 2014; Huai et al. 2015]. As such networks are likely to be deployed in an unattended environment, security becomes a major concern.

Embedded computing and sensor systems are increasingly becoming an integral part of today's infrastructure. From jet engines to vending machines, our society relies on embedded computing and sensor systems to support numerous applications seamlessly and reliably. This is especially true with respect to autonomous systems such as unmanned aircraft, unmanned ground vehicles, robotics, medical operations, and industrial automation [Kreibich et al. 2014; Wang et al. 2016; Wang et al. 2015]. However, given society's increasing reliance on embedded computing and sensor systems as well as the applications they support, this introduces a new form of vulnerability into this critical infrastructure that is only now beginning to be recognized as a significant threat with potentially serious consequences.

Many IDS collaboration systems have been proposed in the literature, such as Abduvaliyev et al. [2013], Lin and Leneutre [2009], and Min and Keecheon [2012]. They all assume IDSs cooperate honestly and unselfishly. The lack of trust infrastructure leaves the systems vulnerable to malicious peers.

A few trust-based collaboration systems [Mitchell and Ray 2014] and distributed trust management models [Mitchell and Ray 2014; Fung et al. 2013] have been proposed for effective IDS collaboration. However, none of these proposed models have led to a study of incentives for IDS collaboration. Fung et al. [2011] proposed a trust management system where IDSs exchange test messages to build trust among themselves. The feedback from the collaboration peers is evaluated and a numerical trust value is assessed to predict the level of truthfulness of collaborators. A simple weighted average model [Mitchell and Ray 2014] is used to predict the trust value, and a Bayesian statistics model [Fung et al. 2013] is introduced to estimate the trust value as well as the confidence level of the trust estimation.


2.2. Game Theory in IDS

A variety of game-theoretic approaches have been applied to network resource allocation in traditional routing networks and peer-to-peer (P2P) networks. In traditional routing networks, noncooperative game models, such as Moosavi and Bui [2014] and Ziming et al. [2015], have been used in a dynamic resource allocation context; the authors of these references have considered a network with a general topology where each source has a window-based end-to-end flow control. The available information for a user is the number of packets within the network not yet acknowledged. Each user aims to maximize his or her own throughput, with bounded delay, and hence faces a constrained optimization problem. The obtained equilibrium is decentralized since each user has only local information on his or her own unacknowledged packets. Their focus has been on the maximal network performance with given resources instead of incentive mechanisms. In P2P networks, Weaver et al. [2014] used a game-theoretical approach to achieve differentiated services allocation based on the peers' contributions to the community. Yan et al. [2009] proposed an optimal resource allocation scheme for file providers. A max-min optimization problem has been constructed to find the optimal solution that achieves fairness in the resource allocation. Both works rely on an independent central reputation system. Reciprocity has not been incorporated. Also, the resilience and robustness of the system has not been their focus. Grothoff [2003] proposed a resource allocation economic model to deal with malicious nodes in P2P networks. It depends solely on the trust values of the peer nodes, and the resource allocation is prioritized based on the trust value of the request sender. Grothoff's model can effectively prevent malicious nodes from overusing the network resource since their requests will be dropped due to their low trust. It is also reciprocally altruistic. However, this model may result in unfairness since nodes with the highest trust may take the entire resource. Our model differs from the aforementioned ones in that we have made use of the pairwise nature of the network for designing scalable network algorithms, ensuring secure and resilient properties of the solution, and we provide fairness and reciprocal incentive compatibility in resource allocation.

Among different game models, stochastic (or Markov) games are of particular interest to quantify security problems. Stochastic security games are an extension of their deterministic counterparts and can capture the dynamic and unknown properties in real-world security problems more effectively through the utilization of probability theory [Babar et al. 2013]. The game environment is represented by a state space over which the stochastic game is played. Each state may indicate an operational mode of the underlying networked system (e.g., whether specific parts of the system are operational or compromised). The game evolves in the state space probabilistically according to a defined stochastic process (with the Markov property). For instance, each state transition may correspond to an atomic step of an intrusion or a recovery measure taken by the defender.

Recently, game-theoretical methods have been used for intrusion detection where, in a two-player context, the attacker (intruder) is one player and the IDS is the other player. In Wang et al. [2015], noncooperative game frameworks were used to address different aspects of intrusion detection. They put forward an approach that dynamically adjusts the objects that the host-based IDS (HIDS) monitors, according to the expected attacks based on noncooperative games. Wang and Wu [2012] provided a game-theoretical model for IDSs to allocate collaboration resources, for achieving the goal of fairness and incentive compatibility. In Mohi et al. [2009] and Liu et al. [2006], a Bayesian game approach was utilized for intrusion detection in ad hoc networks. Specifically, a two-person non-zero-sum incomplete information game was formulated to provide a framework for the IDS to minimize its loss based on its own belief. The reason for choosing a Bayesian game is that usually the interaction between an IDS and nodes is an incomplete information game, where the IDS is uncertain about the type of the other player. A Bayesian game provides the needed ability for the IDS to choose its own strategy, based on its belief about the type of its opponent.

Fig. 2. Attack-defense game model.

In the traditional security mechanism, an intrusion detection system is often forced to sacrifice and consume a lot of energy for the safety and reliability of the system. After the introduction of the method of game theory, the problem will be greatly improved.

3. ATTACK-DEFENSE GAME MODEL

In this section, we set an attack-defense game model and define the payoff function. Then, the derivation of the Nash equilibrium is described in detail. Importantly, a game tree model is designed to solve error detection and missing detection. At last, the theoretical analysis of this game model is illustrated.

3.1. Attack-Defense Game Model

The attack-defense game model is presented in Figure 2. The attackers and the defenders may choose their own strategies to gain their own payoffs. However, when an attacker launches the attacks, the defenders need to make timely responses and choose the corresponding strategies to resist the attacks. In addition, the IDS needs to correctly and accurately detect the attacks by solving the error detection and the missing detection problems. We define the game $G$ as $G = \{\{A, I\}, \{S_A, S_I\}, U_A, U_I, T\}$, where $\{A, I\}$ is the finite collection of players indexed by $N = \{1, 2, \ldots, N\}$, wherein $A = \{A_1, A_2, \ldots, A_N\}$ represents attackers' intrusion nodes and $I = \{I_1, I_2, \ldots, I_M\}$ represents IDS defenders' defense nodes. $\{S_A, S_I\}$ is the offensive and defensive strategy collection of the players, wherein $S_A = \{S_{A,1}, S_{A,2}, \ldots, S_{A,N}\}$ represents the offensive nodes' strategies, which can launch various types of attack or not, and $S_I = \{S_{I,1}, S_{I,2}, \ldots, S_{I,M}\}$ represents the defensive nodes' strategies, which can start the IDS or not. $\{U_A, U_I\}$ is the payoff collection of the game, wherein $U_A$ represents the payoffs of the offensive nodes' action strategies and $U_I$ represents the payoffs of the defensive nodes' action strategies. $T$ represents the number of repeated games, taken to be infinite ($T \doteq \infty$). We consider the interaction between the attacker and defender as a two-player game and study the existence of Nash equilibrium in these games and also show the payoffs of using the game-theoretic defense mechanisms.

Different players may have different desired game strategies S = {STA ,ST

I }. For ex-ample, malicious nodes may not attack when most of the defenders start the IDS. Eachplayer must pay the price and gain the payoffs for his or her own strategy. The costof a player includes the costs of starting the IDS (CT

m ), the average loss when node iis attacked (CT

i ), the costs of attackers’ attacking (CTa ), and the costs of attackers’ not

attacking (CTw ). The payoffs of a player consist of malicious nodes’ payoffs (Ua) and

ACM Transactions on Embedded Computing Systems, Vol. 16, No. 1, Article 18, Publication date: October 2016.

Page 8: Game-Theory-Based Active Defense for Intrusion Detection ...cse914/Sp2019/Papers/Paper8-wang... · are wireless devices, making them more susceptible to interference and attacks.

18:8 K. Wang et al.

defensive nodes’ payoffs (Ui). We denote∏T

i = {CTm , CT

i , CTa , CT

w , Pa,Ua,Ui} ε {STA ,ST

I }as the payoff function

Pa =∞∑

T =1

∑i

CTi , (1)

where the attackers' payoffs are equal to the sum of all the attacked nodes' loss. Due to the balance of the payoffs and losses, we define the principles for whether one should attack or not as follows:

$$\sum_{T=1}^{\infty} \sum_i C_w^T < P_a - \sum_{T=1}^{\infty} \sum_i C_a^T, \qquad (2)$$

where attackers who successfully attack gain greater payoffs than those who do not attack; otherwise, attackers will not attack;

$$\sum_{T=1}^{\infty} \sum_i C_i^T \gg \sum_{T=1}^{\infty} \sum_i C_m^T, \qquad (3)$$

where the attacked nodes' loss is far greater than the cost of the nodes that start the IDS. Individual nodes independently choose their defensive strategies, and attackers and defensive nodes act according to their own choice of offensive and defensive tactics; the payoff matrix for the different strategies is

$$\begin{bmatrix} \sum_{T=1}^{\infty}\sum_i \left(P_a - C_a^T,\; U_i - C_i^T\right) & \sum_{T=1}^{\infty}\sum_i \left(-U_a,\; U_i - C_m^T\right) \\ \sum_{T=1}^{\infty}\sum_i \left(C_w^T,\; U_i\right) & \sum_{T=1}^{\infty}\sum_i \left(C_w^T,\; U_i - C_m^T\right) \end{bmatrix}, \qquad (4)$$

where the columns of the matrix represent the defenders' possible action strategies (not starting the IDS, starting the IDS) and the rows represent the attackers' possible action strategies (attack, not attack). In each entry, the left component is the attackers' payoff and the right component is the defenders' payoff.

3.2. Pure Strategy Nash Equilibrium in Game Model

In the IDS attack-defense game model, according to Equation (2), the attackers always try to attack in order to maximize their own payoffs. They gain the biggest payoffs when the defenders don't start the IDS. However, attackers must worry about the worst-case scenario, in which the attacks are detected by the IDS; that is, the more frequently the attackers launch an attack, the higher the probability of being detected. Once detected by the IDS, attackers are isolated from the network, which is a huge loss for them [Bradai and Afifi 2013]. Simultaneously, it is not wise for defenders to keep the IDS running for a long time because of the resources the IDS consumes. Defenders gain the biggest payoffs when the nodes don't start the IDS, but according to Equation (3) the loss from being attacked is far greater than the consumption of starting the IDS. Therefore, the defenders have to consider starting the IDS to detect a possible attack.

THEOREM 1. The game model has no pure strategy Nash equilibrium.

PROOF. According to Equations (1) and (2), the pure strategy Nash equilibrium is analyzed as follows:

$$P_a - \sum_{T=1}^{\infty}\sum_i C_a^T > \sum_{T=1}^{\infty}\sum_i C_w^T \qquad (5)$$

$$\sum_{T=1}^{\infty}\sum_i (-U_a) < \sum_{T=1}^{\infty}\sum_i C_w^T \qquad (6)$$


$$\sum_{T=1}^{\infty}\sum_i \left(U_i - C_a^T\right) < \sum_{T=1}^{\infty}\sum_i \left(U_i - C_m^T\right) \qquad (7)$$

$$\sum_{T=1}^{\infty}\sum_i U_i > \sum_{T=1}^{\infty}\sum_i \left(U_i - C_m^T\right). \qquad (8)$$

For the attackers, according to Equations (5) and (6), attackers have no dominant strategy. For the defenders, according to Equations (7) and (8), defenders have no dominant strategy either. Therefore, neither side will choose a fixed strategy. If we assume that the two sides of the game choose fixed strategies, which means the attackers choose a fixed node $i$ to attack, then node $i$'s optimal strategy is to start the IDS. However, this gives the attackers worse payoffs, so they must give up attacking node $i$, which contradicts the assumption. So the game has no pure strategy Nash equilibrium.

3.3. Mixed Strategy Nash Equilibrium in Game Model

We use $\delta_i$ to represent the probability of node $i$ starting the IDS, $\sigma_i$ to represent the probability of attacking, $(1 - \delta_i)$ to represent the probability of not starting the IDS, and $(1 - \sigma_i)$ to represent the probability of not attacking. Therefore, the mixed strategy payoffs are the pure strategy payoffs weighted by these probabilities.

The attackers' mixed strategy payoff is

$$\begin{aligned} U_A &= \sum_{T=1}^{\infty}\sum_i \left[(P_a - C_a^T)(1 - \delta_i)\sigma_i + (-U_a)\delta_i\sigma_i + C_w^T(1 - \sigma_i)\right] \\ &= \sum_{T=1}^{\infty}\sum_i \left[(P_a - C_a^T)(1 - \delta_i)\sigma_i - U_a\delta_i\sigma_i + C_w^T(1 - \sigma_i)\right]. \end{aligned} \qquad (9)$$

The defenders' mixed strategy payoff is

$$\begin{aligned} U_I &= \sum_{T=1}^{\infty}\sum_i \left[(U_i - C_i^T)(1 - \delta_i)\sigma_i + (U_i - C_m^T)\delta_i\sigma_i + U_i(1 - \delta_i)(1 - \sigma_i) + (U_i - C_m^T)\delta_i(1 - \sigma_i)\right] \\ &= \sum_{T=1}^{\infty}\sum_i \left[C_i^T\delta_i\sigma_i + U_i - C_m^T\delta_i - C_i^T\sigma_i\right]. \end{aligned} \qquad (10)$$

THEOREM 2. A mixed strategy Nash equilibrium exists in the game model.

PROOF. We use the extreme value method to solve for the mixed strategy Nash equilibrium, differentiating Equations (9) and (10) with respect to $\sigma_i$ and $\delta_i$, respectively:

$$\frac{\partial U_A}{\partial \sigma_i} = \sum_{T=1}^{\infty}\sum_i \left[(P_a - C_a^T)(1 - \delta_i) - U_a\delta_i - C_w^T\right] = 0 \qquad (11)$$

$$\frac{\partial U_I}{\partial \delta_i} = \sum_{T=1}^{\infty}\sum_i \left[C_i^T\sigma_i - C_m^T\right] = 0 \qquad (12)$$


Table I. Attack-Defense Game Model Algorithm

Algorithm: Implementation of attack-defense game model
Inputs: $\delta_i$, $\sigma_i$, $t = 0$
Outputs: Optimal strategy
1. Repeat {
2.   If $C_w^T \ge P_a - C_a^T$ // attackers do not attack
3.   Else
4.     Find the active $A = \{A_1, A_2, \ldots, A_N\}$ of $N$ attackers and $I = \{I_1, I_2, \ldots, I_M\}$ of $M$ defenders
5.     Recommend actions $A' \in S_A = \{S_{A,1}, S_{A,2}, \ldots, S_{A,N}\}$ and $I' \in S_I = \{S_{I,1}, S_{I,2}, \ldots, S_{I,M}\}$
6.     Observe actions $A'$ and $I'$
7.     If all attackers follow the recommendations
8.       $\delta_i$ increases, $\sigma_i$ decreases
9.     Else
10.      $\delta_i$ decreases, $\sigma_i$ increases
11.    End If
12.  End If
13.  $t \leftarrow t + 1$ }

$$\sum_{T=1}^{\infty}\sum_i \left(P_a - C_i^T + U_a\right)\delta_i = \sum_{T=1}^{\infty}\sum_i \left(P_a - C_a^T - C_w^T\right) \qquad (13)$$

$$\delta_i = \sum_{T=1}^{\infty}\sum_i \frac{P_a - C_a^T - C_w^T}{P_a - C_i^T + U_a} \qquad (14)$$

$$\sigma_i = \sum_{T=1}^{\infty}\sum_i \frac{C_m^T}{C_i^T}. \qquad (15)$$

As a result, the attackers' and defenders' mixed strategy Nash equilibrium is

$$(\delta_i, 1 - \delta_i) = \sum_{T=1}^{\infty}\sum_i \left(\frac{P_a - C_a^T - C_w^T}{P_a - C_i^T + U_a},\; \frac{U_a - C_w^T}{P_a - C_i^T + U_a}\right) \qquad (16)$$

$$(\sigma_i, 1 - \sigma_i) = \sum_{T=1}^{\infty}\sum_i \left(\frac{C_m^T}{C_i^T},\; \frac{C_i^T - C_m^T}{C_i^T}\right). \qquad (17)$$

The attackers' and defenders' mixed strategies $\sigma_i$ and $\delta_i$ are inversely related. When the defenders' mixed strategy starts the IDS more often and $\delta_i$ grows, the probability of being detected by the IDS increases correspondingly, and the attackers' payoffs shrink greatly. In this case, the best strategy for the attackers is to reduce the attacking probability $\sigma_i$. If the defenders always start the IDS when no attack occurs, they waste a lot of energy and resources; the life cycle of the network may shorten and the defenders' payoffs fall greatly. Therefore, the defenders gradually reduce the probability $\delta_i$ of starting the IDS. The attack-defense algorithm is given in Table I. As $\delta_i$ decreases, attacking becomes profitable again, and the attackers gradually increase the attacking probability $\sigma_i$. Finally, the attackers and defenders reach a dynamic equilibrium, the Nash equilibrium [Mylvaganam et al. 2015].
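A one-stage instance of this game, as an added worked example (not code from the paper): the bimatrix (4) for constructed cost values, a best-response check that reproduces Theorem 1, and the mixed equilibrium obtained by solving the indifference conditions (11) and (12) directly. The sums over periods $T$ and nodes $i$ are collapsed to a single node and a single stage, and every numerical value is constructed.

```python
"""One stage of the Section 3 attack-defense game for a single node i.

Constructed example values (not from the paper); the sums over periods T
and nodes i are collapsed to one node and one period.
"""
from dataclasses import dataclass
from fractions import Fraction as Fr


@dataclass(frozen=True)
class StageCosts:
    P_a: Fr   # attacker payoff from a successful attack (attacked node's loss)
    U_a: Fr   # attacker loss when detected and isolated
    U_i: Fr   # defender's baseline payoff
    C_m: Fr   # cost of starting the IDS
    C_i: Fr   # average loss when node i is attacked
    C_a: Fr   # attacker's cost of attacking
    C_w: Fr   # attacker's payoff of not attacking


# Constructed values satisfying (2): C_w < P_a - C_a, and (3): C_i >> C_m.
EXAMPLE = StageCosts(P_a=Fr(10), U_a=Fr(6), U_i=Fr(5),
                     C_m=Fr(1), C_i=Fr(8), C_a=Fr(2), C_w=Fr(1))

ATTACK, NO_ATTACK = 0, 1   # attacker rows of (4)
NO_IDS, IDS = 0, 1         # defender columns of (4)


def model_assumptions_hold(c):
    """Conditions (2) and (3) that the paper's analysis relies on."""
    return c.C_w < c.P_a - c.C_a and c.C_i > c.C_m


def payoff_matrix(c):
    """Bimatrix (4): entry [row][col] = (attacker payoff, defender payoff)."""
    return [
        [(c.P_a - c.C_a, c.U_i - c.C_i), (-c.U_a, c.U_i - c.C_m)],   # attack
        [(c.C_w, c.U_i),                 (c.C_w, c.U_i - c.C_m)],    # no attack
    ]


def pure_nash_equilibria(M):
    """Cells where neither player gains by deviating unilaterally.
    Theorem 1 says this list is empty for this game."""
    found = []
    for r in range(2):
        for k in range(2):
            att, dfn = M[r][k]
            att_best = all(M[r2][k][0] <= att for r2 in range(2))
            dfn_best = all(M[r][k2][1] <= dfn for k2 in range(2))
            if att_best and dfn_best:
                found.append((r, k))
    return found


def expected_payoffs(c, delta, sigma):
    """Stage forms of (9) and (10): delta = P(start IDS), sigma = P(attack)."""
    U_A = ((c.P_a - c.C_a) * (1 - delta) * sigma - c.U_a * delta * sigma
           + c.C_w * (1 - sigma))
    U_I = c.C_i * delta * sigma + c.U_i - c.C_m * delta - c.C_i * sigma
    return U_A, U_I


def mixed_equilibrium(c):
    """Solve the first-order conditions (11) and (12) for one stage, as written:
    (P_a - C_a)(1 - delta) - U_a*delta - C_w = 0  and  C_i*sigma - C_m = 0."""
    delta = (c.P_a - c.C_a - c.C_w) / (c.P_a - c.C_a + c.U_a)
    sigma = c.C_m / c.C_i
    return delta, sigma


def indifference_gaps(c):
    """At the mixed equilibrium each player is indifferent between its two pure
    actions, so both gaps must be zero. Returns (attacker gap, defender gap)."""
    delta, sigma = mixed_equilibrium(c)
    attack_now, _ = expected_payoffs(c, delta, Fr(1))
    hold_back, _ = expected_payoffs(c, delta, Fr(0))
    _, start_ids = expected_payoffs(c, Fr(1), sigma)
    _, no_ids = expected_payoffs(c, Fr(0), sigma)
    return attack_now - hold_back, start_ids - no_ids


if __name__ == "__main__":
    M = payoff_matrix(EXAMPLE)
    print("pure Nash equilibria:", pure_nash_equilibria(M))
    d, s = mixed_equilibrium(EXAMPLE)
    print(f"delta* = {d}, sigma* = {s}")
    print("payoffs at equilibrium:", expected_payoffs(EXAMPLE, d, s))
    print("indifference gaps:", indifference_gaps(EXAMPLE))
```

At the equilibrium the attacker's expected payoff equals $C_w^T$ and the defender's equals $U_i - C_m^T$, which is exactly what indifference between the two pure actions requires.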


Fig. 3. Illustration of the payoffs.

As a conclusion, for a rational attacker, when no attack is happening, the malicious nodes can imitate the normal nodes and participate in normal network activity for the sake of gaining more trust from other nodes. According to Equation (14), $C_w^T$ increases as the degree of credibility increases, and as $C_w^T$ increases, $\delta_i$ decreases. For a rational defender, according to Equation (15), when the cost $C_m^T$ of starting the IDS is large, defenders try to start the IDS less often; as a result, attackers must increase the probability of attacking, so as $C_m^T$ increases, $\sigma_i$ increases. In this attack-defense game model, in every period $T$, defenders need to re-evaluate the payoffs of the previous stage to formulate a new defense strategy $(\delta_i, 1 - \delta_i)$. In the initial stage, each node with a larger $C_w^T$ has a lower probability of starting the IDS. Once intruded nodes are detected, nodes close to the intrusion quickly reduce the value of $C_w^T$ and raise the probability of starting the IDS to increase the defense rating. When a period of time passes without intrusion, each node gradually increases the value of $C_w^T$ to reduce the probability of starting the IDS. Nodes in ESNs shift between attackers' and defenders' strategies in a dynamic balance, which makes full use of the limited resources and provides effective security protection at the same time.

4. OPTIMAL STRATEGIES

In this section, the IDS's error detection and missing detection are taken into consideration in the game model. We first analyze the extra payoffs of the game model. Subsequently, we set up the error detection and missing detection mixed probability matrix and characterize the attackers' and defenders' payoffs by defining weights for different events. Finally, we analyze the payoffs between attackers and defenders via a game tree model.

4.1. Game Model Analysis: Payoffs

In the static game of traditional intrusion detection in ESNs, since the normal nodes cannot judge the malicious nodes' behavior strategies, ESNs can only choose to sacrifice consumption and start all IDSs to ensure network security. Therefore, the repeated-game intrusion detection model for ESNs can find a balance between energy consumption and safety based on game analysis of the nodes' behavior strategies, which obtains more payoffs than the All Monitor (AM) model. Figure 3 shows the payoffs of the attackers and the defenders in different models. We can see that the game model


is beneficial not only to one of the players but also to the balanced relationship (i.e., Nash equilibrium) between the attackers and the defenders.

There are $\lambda$ nodes in an ESN, and the payoff of the game model is

$$U_{game} = \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} U_I = \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left(C_i^T\delta_i\sigma_i + U_i - C_m^T\delta_i - C_i^T\sigma_i\right). \qquad (18)$$

The payoff of the AM model is

$$U_{all} = \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left(U_i - C_m^T\right). \qquad (19)$$

Therefore, the extra payoff gained is

$$\begin{aligned} U &= U_{game} - U_{all} \\ &= \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left(C_i^T\delta_i\sigma_i + U_i - C_m^T\delta_i - C_i^T\sigma_i\right) - \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left(U_i - C_m^T\right) \\ &= \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left[\left(C_i^T\delta_i\sigma_i + U_i - C_m^T\delta_i - C_i^T\sigma_i\right) - \left(U_i - C_m^T\right)\right] \\ &= \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left[C_i^T\delta_i\sigma_i + C_m^T(1 - \delta_i) - C_i^T\sigma_i\right] \\ &= \sum_{T=1}^{\infty}\sum_{i=1}^{\lambda} \left[(1 - \delta_i)\left(C_m^T - C_i^T\sigma_i\right)\right]. \end{aligned} \qquad (20)$$

We derive the payoffs of the game model and the AM model in Equations (18) and (19), respectively. To compare the performance of the game model with that of the AM model, we define the extra payoff in Equation (20) as the difference between Equations (18) and (19); simplifying Equation (20) gives the closed form of the extra payoff. From Equation (20) we conclude that when $\delta_i = 1$ for all $i = 1, \ldots, \lambda$, $U = 0$: when all the nodes adopt the strategy of starting the IDS, the whole network obtains no extra payoff. If the frequency of attacks is too high, it inevitably forces the ESN to a higher level of protection; if the nodes start the IDS too often, the ESN consumes a lot of resources for defense. In either case, neither attackers nor defenders obtain extra payoffs. Therefore, for a rational defender, excessive protection brings no extra payoff to the network, and for a rational attacker, an excessive frequency of attacking is not a long-term strategy.

4.2. Game Tree Model Analysis: Error Detection and Missing Detection

There are only two specific strategies each for attackers and defenders. $S_A = \{NA, A\}$ represents the attackers' strategies, wherein $NA$ represents not attacking and $A$ represents attacking. $S_I = \{NW, W\}$ represents the defenders' strategies, wherein $NW$ represents not alerting and $W$ represents alerting. For example, we assume the IDS's detection results have the mixed probability matrix

$$P = \begin{bmatrix} 0.8 & 0.2 \\ 0.2 & 0.8 \end{bmatrix}. \qquad (21)$$

According to Equation (21), the rate of correct detection is 0.8 and the rate of false alarm is 0.2. Figure 4 shows the game tree model [DaSilva et al. 2011] for IDS strategies.


Fig. 4. Game tree model for IDS strategies.

A game tree is a graphical representation of a sequential game. It provides information about the players, payoffs, strategies, and order of moves. The game tree consists of nodes (or vertices), which are points at which players can take actions, connected by edges, which represent the actions that may be taken at that node. An initial (or root) node represents the first decision to be made. Every path of edges from the root through the tree eventually arrives at a terminal node, representing an end to the game. Each terminal node is labeled with the payoffs earned by each player if the game ends at that node. In Figure 4, we can intuitively and clearly see the different strategies of the attackers and the payoffs they obtain by playing these strategies. In addition, it is easier to define different weights for different events in the game tree model, which is necessary to solve the error detection and missing detection problems. In this figure, attackers choose their strategies, attack or not, based on the analysis of existing ESN information. In the process of IDS implementation, the rate of correct detection is 0.8 and the rate of false alarm is 0.2. Therefore, when an attack happens, the IDS recognizes the attacker with probability 0.8 or misses the attacker with probability 0.2; when no attack happens, the IDS recognizes that the detected nodes are not attackers with probability 0.8 or wrongly flags the detected nodes as attackers with probability 0.2. Because error detections and missing detections exist, we need to take them into account in the payoff function. Missing detections may cause more cost than error detections. As a result, we normalize the payoffs into a direct numerical representation. If an attack happens and nodes in the ESN choose to send alerts, the attackers' and defenders' payoffs are $(-1, 1)$. If an attack happens and nodes in the ESN choose not to send alerts, the attackers' and defenders'


payoffs are $(3, -3)$. If no attack happens and nodes in the ESN choose to send alerts, the attackers' and defenders' payoffs are $(1, -1)$. If no attack happens and nodes in the ESN choose not to send alerts, the attackers' and defenders' payoffs are $(0, 0)$. It is obvious that missing detections may cause more cost than error detections. Therefore, nodes in ESNs must weigh the costs of missing detections against those of error detections and use the most rational strategies.

Depending on whether the IDS generates an attack report, different strategies exist between attackers and defenders. We denote $\Omega = \{R^+, \bar{R}^+, R^-, \bar{R}^-, R^*, \bar{R}^*, U^+, \bar{U}^+, V^+, \bar{V}^+\}$ as the set of events in the game tree model. $R^+$ represents the event in which attackers launch an attack, and $\bar{R}^+$ the event in which attackers don't launch an attack. $R^-$ represents the event in which the IDS generates an attack report, and $\bar{R}^-$ the event in which the IDS doesn't generate an attack report. $R^*$ represents the event in which the IDS makes an accurate judgment, and $\bar{R}^*$ the event in which the IDS makes an inaccurate judgment. $U^+$ represents the event in which nodes in the ESN send alerts when the IDS generates an attack report, and $\bar{U}^+$ the event in which they don't send alerts when the IDS generates an attack report. $V^+$ represents the event in which nodes in the ESN send alerts when the IDS doesn't generate an attack report, and $\bar{V}^+$ the event in which they don't send alerts when the IDS doesn't generate an attack report. The probability of each event is denoted by $P(\cdot) = \{P(R^+), P(R^-), P(R^*), P(U^+), P(V^+), P(\bar{R}^+), P(\bar{R}^-), P(\bar{R}^*)\}$. In Figure 4, we give an example in which the rate of correct detection is 0.8 and the rate of false alarm is 0.2. In the theoretical derivation, however, we consider that each event plays a different role in the whole game. Consequently, we assume different weights $\zeta = \{\zeta_1, \zeta_2, \zeta_3\}$ for different events, which lets us analyze the error detection and missing detection problems more accurately.

4.3. Mixed Strategy Nash Equilibrium in Game Tree Model

In the IDS attack-defense game tree model, the network environment is more sophisticated. In the repeated game between attackers and defenders, the attackers ($\sigma_i$) keep changing to different modes of attack to reduce the probability of detection by the IDS, and the defenders ($\delta_i$) keep changing their defensive strategies to improve the IDS's detection rate. With the change of the attackers' and defenders' strategies, the mixed probability matrix $P$ changes over time.

THEOREM 3. A mixed strategy Nash equilibrium exists in the game tree model.

PROOF. The event $R^-$ has two scenarios: in one the IDS makes an accurate judgment and identifies the attackers, and in the other the IDS makes an inaccurate judgment and generates an error alert. The event $\bar{R}^-$ has two scenarios as well: in one the IDS makes an accurate judgment that no attack happened, and in the other the IDS makes an inaccurate judgment and misses the attackers:

$$P(R^-) = P(R^+)P(R^*) + P(\bar{R}^+)P(\bar{R}^*) \qquad (22)$$

$$P(\bar{R}^-) = P(\bar{R}^+)P(R^*) + P(R^+)P(\bar{R}^*). \qquad (23)$$

Since the costs of error detection and missing detection in ESNs are different, nodes in ESNs must weigh the costs of these two mistakes. The events $R^-$ and $\bar{R}^-$ contain these two mistakes, error detection and missing detection, respectively. If the event $R^-$ happens, its strategies depend mostly on $P(R^+)P(R^*)$, which means the IDS can only send alerts to ensure the least cost for the ESN. Therefore, we can improve the payoffs by increasing the weight of $P(R^+)P(R^*)$ in the event $R^-$. We can grant the


weight $\zeta_1$ to $P(R^+)P(R^*)$ and the weight $\zeta_3$ to $P(\bar{R}^+)P(\bar{R}^*)$. If the event $\bar{R}^-$ happens, we grant the weight $\zeta_2$ to both $P(\bar{R}^+)P(R^*)$ and $P(R^+)P(\bar{R}^*)$.

Then, in the scenario of event $R^-$, the probability of sending alerts in the ESN is

$$P(U^+) = \frac{\zeta_1 P(R^+)P(R^*)}{\zeta_1 P(R^+)P(R^*) + \zeta_3 P(\bar{R}^+)P(\bar{R}^*)}. \qquad (24)$$

In the scenario of event $\bar{R}^-$, the probability of sending alerts in the ESN is

$$P(V^+) = \frac{\zeta_2 P(R^+)P(\bar{R}^*)}{\zeta_2 P(\bar{R}^+)P(R^*) + \zeta_2 P(R^+)P(\bar{R}^*)}. \qquad (25)$$

As a result, when error detection and missing detection exist in the IDS of an ESN, we need to use the game tree model to solve the intrusion problems. Nodes in ESNs can take the balance of the costs caused by the different mistakes into full consideration via $(P(U^+), P(\bar{U}^+))$ and $(P(V^+), P(\bar{V}^+))$. Then the nodes can use the most rational strategies to maximize their payoffs and reduce the probability of the costs caused by error detection and missing detection.
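The game tree computation of Sections 4.2 and 4.3, as an added worked example rather than the paper's code: the event probabilities (22) and (23), the weighted alert probabilities (24) and (25), and the expected payoffs over the Figure 4 terminal values $(-1, 1)$, $(3, -3)$, $(1, -1)$, $(0, 0)$. The attack probability $P(R^+) = 1/2$ and the weights $\zeta$ are constructed values; the accuracy $P(R^*) = 0.8$ is the matrix (21).

```python
"""Game tree of Sections 4.2/4.3 with error and missing detection.

Added example with constructed inputs: P_ATTACK = P(R+) is the attack
probability, P_ACC = P(R*) is the IDS accuracy (0.8 from matrix (21)), and
zeta = (zeta1, zeta2, zeta3) are the event weights of (24) and (25).
"""
from fractions import Fraction as Fr

P_ATTACK = Fr(1, 2)                  # constructed P(R+)
P_ACC = Fr(4, 5)                     # P(R*) = 0.8 from matrix (21)
EQUAL_WEIGHTS = (Fr(1), Fr(1), Fr(1))

# Terminal payoffs (attacker, defender) of the Figure 4 tree, keyed by
# (attack happened, defenders alerted).
PAYOFF = {
    (True, True):   (Fr(-1), Fr(1)),    # attack detected and alerted
    (True, False):  (Fr(3), Fr(-3)),    # missing detection: attack, no alert
    (False, True):  (Fr(1), Fr(-1)),    # error detection: no attack, alert
    (False, False): (Fr(0), Fr(0)),
}


def report_probabilities(p_attack, p_acc):
    """(22) and (23): P(R-) a report is generated, P(R-bar) it is not."""
    p_report = p_attack * p_acc + (1 - p_attack) * (1 - p_acc)
    p_no_report = (1 - p_attack) * p_acc + p_attack * (1 - p_acc)
    return p_report, p_no_report


def alert_probabilities(p_attack, p_acc, zeta):
    """(24) P(U+): alert given a report; (25) P(V+): alert given no report."""
    z1, z2, z3 = zeta
    true_positive = p_attack * p_acc              # P(R+)P(R*)
    false_alarm = (1 - p_attack) * (1 - p_acc)    # P(R+bar)P(R*bar)
    true_negative = (1 - p_attack) * p_acc        # P(R+bar)P(R*)
    missed = p_attack * (1 - p_acc)               # P(R+)P(R*bar)
    p_u = z1 * true_positive / (z1 * true_positive + z3 * false_alarm)
    p_v = z2 * missed / (z2 * true_negative + z2 * missed)
    return p_u, p_v


def expected_payoffs(p_attack, p_acc, zeta):
    """Walk every root-to-leaf path of the tree (attack? -> IDS verdict ->
    alert decision) and weight each leaf payoff by its path probability."""
    p_u, p_v = alert_probabilities(p_attack, p_acc, zeta)
    total_att = total_def = Fr(0)
    for attacked in (True, False):
        p_state = p_attack if attacked else 1 - p_attack
        for report in (True, False):
            # the verdict is accurate exactly when it matches the true state
            p_verdict = p_acc if report == attacked else 1 - p_acc
            p_alert = p_u if report else p_v
            for alerted, p_act in ((True, p_alert), (False, 1 - p_alert)):
                weight = p_state * p_verdict * p_act
                att, dfn = PAYOFF[(attacked, alerted)]
                total_att += weight * att
                total_def += weight * dfn
    return total_att, total_def


def defender_gain_from_weight(p_attack, p_acc, zeta1):
    """Defender payoff improvement when zeta1 is raised from 1 (equal weights)
    to the given value, i.e. when true-positive reports are weighted more."""
    _, base = expected_payoffs(p_attack, p_acc, EQUAL_WEIGHTS)
    _, weighted = expected_payoffs(p_attack, p_acc, (zeta1, Fr(1), Fr(1)))
    return weighted - base


if __name__ == "__main__":
    print("P(R-), P(R-bar):", report_probabilities(P_ATTACK, P_ACC))
    for zeta1 in (Fr(1), Fr(10)):
        zeta = (zeta1, Fr(1), Fr(1))
        print(f"zeta1={zeta1}: alert probs {alert_probabilities(P_ATTACK, P_ACC, zeta)},"
              f" (attacker, defender) payoffs {expected_payoffs(P_ATTACK, P_ACC, zeta)}")
```

With equal weights the defender's expected payoff is negative because the missed detections at (3, −3) dominate; raising $\zeta_1$ moves $P(U^+)$ toward 1 and recovers most of that loss, which is the effect the text describes.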

5. PERFORMANCE EVALUATIONS

In this section, the performance of the game-theoretic IDS is verified. In the first part, we simulate and set up the experimental platform according to an actual embedded network environment. Then the performance of the attack-defense game model is analyzed and compared to existing related models. Finally, performance comparisons with the All Monitor (AM) model and the Cluster Head (CH) monitor model are demonstrated.

5.1. Simulation Setup

In this section, we design the platform by simulating an actual embedded network environment. According to actual network models, we set up the experimental platform to verify the effect of the game-theoretic IDS.

The performance of the attack-defense game model is analyzed and compared with existing related models. The simulation consists of two parts: average residual energy performance and detection rate performance. In the first part, we compare the performance of our game model with the All Monitor (AM) model. Then the detection rate is compared between our game model and the Cluster Head (CH) monitor model for three groups of different mixed strategies $(\delta_i, \sigma_i)$.

The simulation scenario is a two-dimensional monitoring area whose edges are 200m long. Two hundred nodes are scattered randomly. The initial energy of each node is 2.5J. Detailed simulation settings are listed in Table II. Two game model performance metrics (i.e., average residual energy of nodes and detection rate) are used.

We set up the simulation platform to verify the effect of the game-theoretic IDS according to actual network models. As shown in Figure 5, the attackers could be inside intruders or outside intruders. Both can launch attacks on different servers or on the same servers, which further threatens network security. Besides the firewalls, the IDS engines and agents identify and respond to the malicious use of computer and network resources to ensure network security. When an external or internal intruder suddenly attacks the network (e.g., eavesdropping, DoS (denial of service), and black hole attacks), the IDS manager uses an optimal defense strategy to maintain and protect the stability and security of the embedded network through the response of multiple IDS engines.

Figures 6, 7, and 8 show that the slopes of the energy consumption curves of the game-theory-based attack-defense game model in the IDS are relatively gentle, which


Table II. Simulation Settings

Scene Parameter: Parameter Values
Network scale: 200m × 200m
Number of nodes: 200
Simulation time: 10min
Node placement strategy: Random placement
Promiscuous mode: Yes
Node movement: No
Initial energy of nodes: 2.5J
Wireless broadcast model: Standard radio
Radio signal energy: 15.0dBm
Wireless receiving packet mode: Error-free reception
Compared models: CH monitor model, AM model

Fig. 5. Simulation platform.

Fig. 6. Energy consumption in mixed strategies (δi, σi) = (0.3, 0.7).


Fig. 7. Energy consumption in mixed strategies (δi, σi) = (0.5, 0.5).

Fig. 8. Energy consumption in mixed strategies (δi, σi) = (0.7, 0.3).

Fig. 9. Detection rate in mixed strategies (δi, σi) = (0.3, 0.7).

means the energy consumption is relatively slow. However, the slopes of the AM model's energy consumption curves change substantially. That is, the AM model's energy consumption far outweighs that of the attack-defense game model. In addition, different mixed strategies $(\delta_i, \sigma_i)$, namely (0.3, 0.7), (0.5, 0.5), and (0.7, 0.3), result in different energy consumption. Therefore, the game-theory-based attack-defense game model in the IDS can resolve the conflict between intrusion detection and the consumption of cyber resources.

Figures 9, 10, and 11 show that the CH monitor model's detection rate is between 60% and 80%. Most of the time the detection rate is about 70%, and it is unstable and highly random. In contrast, when the mixed strategies are $(\delta_i, \sigma_i) = (0.3, 0.7)$, the game model's detection rate is between 70%


Fig. 10. Detection rate in mixed strategies (δi, σi) = (0.5, 0.5).

Fig. 11. Detection rate in mixed strategies (δi, σi) = (0.7, 0.3).

Fig. 12. Overall payoffs of the game for the players.

and 80%; when $(\delta_i, \sigma_i) = (0.5, 0.5)$, the game model's detection rate is between 80% and 90%; and when $(\delta_i, \sigma_i) = (0.7, 0.3)$, the game model's detection rate is between 80% and 95%.

In Figure 12, we compare the overall payoffs of the game model for the players under three different mixed strategies, $(\delta_i, \sigma_i) = (0.3, 0.7)$, $(0.5, 0.5)$, and $(0.7, 0.3)$. The defenders' payoffs are generally slightly higher than the attackers' payoffs, meaning that the game model is more favorable and stable for the defenders. Moreover, the gap between the overall payoffs of the attackers and the defenders is not large, which shows that the game model is beneficial not only to one of the players but


also to the balanced relationship (i.e., Nash equilibrium) between the attackers and the defenders. We can conclude the following:

(1) The game model is more stable than the CH model and possesses better safety performance.

(2) The mixed strategies $(\delta_i, \sigma_i)$ can effectively improve the detection rate. We can conclude that when the mixed strategies $(\delta_i, \sigma_i)$ reach a dynamic balance, the Nash equilibrium, the game model achieves optimal performance at the same time.

6. CONCLUSIONS

In this article, we proposed a game-theory-based attack-defense game model to improve the energy consumption and detection rate of the IDS for ESNs. The key feature of this attack-defense game model is the use of mixed strategies $(\delta_i, \sigma_i)$ to fairly achieve optimal performance. Furthermore, attackers and defenders can change their own strategies periodically to reach their respective maximum payoffs. Simulation results showed that the proposed game model leads to a more fairly competitive environment for the IDS, in which the model increases the IDS's payoffs, reduces energy consumption, and improves stability. Therefore, the game-theoretic IDS can be applied to an embedded scenario to protect the data and further ensure the safety of ESNs in CPESs.

ACKNOWLEDGMENTS

Qinglan project of Jiangsu Province; the project 240079/F20 funded by the Research Council of Norway; the project IoTSec – Security in IoT for Smart Grids, with number 248113/O70, part of the IKTPLUSS program funded by the Norwegian Research Council. The authors would like to thank the NSFC (61572262, 61100213, 61571233, 61373135, 61572172); SFDPH (20113223120007); NSF of Jiangsu Province (BK20141427); NUPT (NY214097); Priority Academic Program Development of Jiangsu Higher Education Institutions; Open Research Fund of Key Lab of Broadband Wireless Communication and Sensor Network Technology (Nanjing University of Posts and Telecommunications); and Ministry of Education (NYKL201507).

REFERENCES

A. Abduvaliyev, A. S. K. Pathan, Z. Jianying, R. Roman, and W. Wai Choong. 2013. On the vital areas of intrusion detection systems in wireless sensor networks. Commun. Surveys Tuts. 15, 3, 1223–1237.

A. Bradai and H. Afifi. 2013. Game theoretic framework for reputation-based distributed intrusion detection. In Proceedings of the IEEE International Conference on Social Computing, pp. 558–563.

S. D. Babar, N. R. Prasad, and R. Prasad. 2013. Game theoretic modelling of WSN jamming attack and detection mechanism. Proc. IEEE Int. Conf. WPMC. 34, 1, 1–5.

S. Chun Jen, C. Kuan Yu, L. Yu Huei, C. Wei Chung, L. Hsin Yu, and C. Ke Horng. 2013. A power cloud system (PCS) for high efficiency and enhanced transient response in SoC. IEEE Trans. Ind. Electron. 28, 3, 1320–1330.

L. A. DaSilva, H. Bogucka, and A. B. MacKenzie. 2011. Game theory in wireless networks. IEEE Commun. Mag. 49, 8, 110–111.

X. Sheng Dong and W. Yu Xiang. 2014. Construction of tree network with limited delivery latency in homogeneous wireless sensor networks. Wireless Pers. Commun. 78, 1, 231–246.

N. C. Ekneligoda and W. W. Weaver. 2014. Game-theoretic cold-start transient optimization in DC microgrids. IEEE Trans. Ind. Electron. 61, 12, 6681–6690.

C. J. Fung, J. Zhang, I. Aib, and R. Boutaba. 2011. Dirichlet-based trust management for effective collaborative intrusion detection networks. IEEE Trans. Netw. 8, 2, 79–91.

C. J. Fung, Z. Jie, and R. Boutaba. 2012. Effective acquaintance management based on Bayesian learning for distributed intrusion detection networks. IEEE Trans. Netw. Service Manag. 9, 3, 320–332.

E. Germano, L. Dias Knob, A. Araujo Wickboldt, J. Paschoal, and L. Gaspary. 2015. Capitalizing on SDN-based SCADA systems: An anti-eavesdropping case-study. In 2015 IFIP/IEEE International Symposium on Integrated Network Management, pp. 165–173.

C. Grothoff. 2003. An excess-based economic model for resource allocation in peer-to-peer networks. IEEE Trans. Internet Comput. 45, 3, 285–292.


Y. Hairong, Z. Yan, P. Zhibo, and X. Li Da. 2014. Superframe planning and access latency of slotted MAC for industrial WSN in IoT environment. IEEE Trans. Ind. Inf. 10, 2, 1242–1251.

W. Ikram, S. Petersen, P. Orten, and N. F. Thornhill. 2014. Adaptive multi-channel transmission power control for industrial wireless instrumentation. IEEE Trans. Ind. Informat. 10, 2, 978–990.

C. Isci, A. Buyuktosunoglu, C. Cher, P. Bose, and M. Martonosi. 2006. An analysis of efficient multi-core global power management policies: Maximizing performance for a given power budget. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, pp. 347–358.

L. B. Jonathan, D. D. Erik, T. H. Mohammad, and R. Daniela. 2010. Deploying sensor networks with guaranteed fault tolerance. IEEE/ACM Trans. Netw. 18, 1, 216–228.

S. Jian, T. Hao Wen, W. Jin, W. Jin Wei, and L. Sungyoung. 2015. A novel routing protocol providing good transmission reliability in underwater sensor networks. J. Internet Technol. 16, 1, 171–178.

L. Kyoung Jun, L. Jong Pil, S. Dongsul, Y. Dong Wook, and K. HeeJe. 2014. A novel grid synchronization PLL method based on adaptive low-pass notch filter for grid-connected PCS. IEEE Trans. Ind. Electron. 61, 1, 292–301.

A. Kansal, H. Jason, S. Zahedi, and M. B. Srivastava. 2007. Power management in energy harvesting sensor networks. ACM Trans. Embedd. Comput. Syst. 6, 4, 32–44.

J. Kirsch, S. Goose, Y. Amir, Dong Wei, and P. Skare. 2014. Survivable SCADA via intrusion-tolerant replication. IEEE Trans. Smart Grid 5, 1, 60–70.

S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. 2012. Adaptive selective verification: An efficient adaptive countermeasure to thwart DoS attacks. IEEE/ACM Trans. Netw. 20, 3, 715–728.

O. Kreibich, J. Neuzil, and R. Smid. 2014. Quality-based multiple-sensor fusion in an industrial wirelesssensor network for MCM. IEEE Trans. Ind. Electron. 61, 9, 4903–4911.

E. Lee. 2008. Cyber physical systems: Design challenges. Tech. Rep. No. UCB/EECS-2008-8, University ofCalifornia, Berkeley.

H. Liqun and N. W. Bergmann. 2012. Novel industrial wireless sensor networks for machine conditionmonitoring and fault diagnosis. IEEE Trans. Instrum. Meas. 61, 10, 2787–2798.

C. Lin and J. Leneutre. 2009. A game theoretical framework on intrusion detection in heterogeneous net-works,” IEEE Trans. Inf. Forens. Secur. 4, 2, 165–178.

Y. Liu and C. Comaniciu. 2006. A Bayesian game approach for intrusion detection in wireless ad hoc networks.In Proceedings of the IEEE International Conferences on Valuetools, pp. 1–5.

W. Min and K. Keecheon. 2012. Intrusion detection scheme using traffic prediction for wireless industrialnetworks. IEEE Trans. Commun. 14, 3, 310–318.

R. Mitchell and C. Ing Ray. 2014. Adaptive intrusion detection of malicious unmanned air vehicles usingbehavior rule specifications. IEEE Trans. Syst. Man Cybern. 44, 5, 593–604.

H. Moosavi and F. M. Bui. 2014. A game-theoretic framework for robust optimal intrusion detection inwireless sensor networks. IEEE Trans. Inf. Forens. Secur. 9, 9, 1367–1379.

M. Mohi, A. Movaghar, and P. M. Zadeh. 2009. A Bayesian game approach for preventing DoS attacks inwireless sensor networks. In Proceedings of the IEEE International Conference on Communications andMobile Computing, pp. 507–511.

T. Mylvaganam, M. Sassano, and A. Astolfi. 2015. Constructive ε -Nash equilibria for nonzero-sum differentialgames. IEEE Trans. Automat. Contr. 60, 4, 950–965.

A. Nadeem and M. P. Howarth. 2013. A survey of MANET intrusion detection and prevention approachesfor network layer attacks. Commun. Surveys Tuts. 15, 4, 2027–2045.

D. Parikh and C. T. Suhan. 2008. Data fusion and cost minimization for intrusion detection. IEEE Trans.Inf. Forens. Secur. 3, 3, 381–389.

G. Ping, W. Jin, L. Bing, and L. Sungyoung. 2014. A variable threshold-value authentication architecture forwireless mesh networks. J. Internet Technol., vol. 15, no. 6, pp. 929–936.

M. Ting Huai, Z. Jin Juan, T. Mei Li, T. Yuan, A. Al-Dhelaan, M. Al-Rodhaan, and L. Sungyoung. Socialnetwork and tag sources based augmenting collaborative recommender system. IEICE Trans. Inf. Syst.E98-D, 4, 902–910.

K. Wang and M. Wu. 2010. Cooperative communications based on trust model for mobile ad hoc networks,IET Inf. Secur. 4, 2, 68–79.

A. Weissel and F. Bellosa. 2002. Process cruise control: Eventdriven clock scaling for dynamic power man-agement. In Proceedings of the International Conference on Compilers, Architecture, and Synthesis forEmbedded Systems, pp. 240–246.

K. Wang, Y. Shao, L. Shu, G. Han, and C. Zhu. 2015. LDPA: A local data processing architecture in ambientassisted living communications, IEEE Commun. Mag. 53, 1, 56–63.

ACM Transactions on Embedded Computing Systems, Vol. 16, No. 1, Article 18, Publication date: October 2016.

Page 21: Game-Theory-Based Active Defense for Intrusion Detection ...cse914/Sp2019/Papers/Paper8-wang... · are wireless devices, making them more susceptible to interference and attacks.

Game-Theory-Based Active Defense for Intrusion Detection in CPESs 18:21

K. Wang, H. Lu, L. Shu, and J. J. P. C. Rodrigues. 2014. A context-aware system architecture for leak pointdetection in the large-scale petrochemical industry. IEEE Commun. Mag. 52, 6, 62–69.

K. Wang and Y. Yu. 2013. A query-matching mechanism over out-of-order event stream in IoT. Int. J. Ad HocUbiq. Comput. 13, 3/4, 197–208.

K. Wang, Z. Ouyang, R. Krishnan, L. Shu, and L. He. 2015. A game theory based energy management systemusing price elasticity for smart grids. IEEE Trans. Ind. Inf. 11, 6, 1607–1616.

K. Wang and M. Wu. 2012. Nash equilibrium of node cooperation based on metamodel for MANETs. J.Informat. Sci. Eng. 28, 2, 317–333.

K. Wang, Y. Shao, L. Shu, Y. Zhang, and C. Zhu. 2016. Mobile big data fault-tolerant processing for eHealthnetworks. IEEE Netw. 30, 1, 1–7.

R. Yong Jun, S. Jian, W. Jin, H. Jin, and L. Sungyoung. 2015. Mutual verifiable provable data auditing inpublic cloud storage. J. Internet Technol. 16, 2, 317–323.

Y. Yan, A. El-Atawy, and E. Al-Shaer. 2009. Ranking-based optimal resource allocation in peer-to-peernetworks. In Proceedings of the IEEE International Conferences on Computer Communications, pp. 1–6.

X. Zhi Hua, W. Xin Hui, S. Xing Ming, and W. Qian. 2016. A secure and dynamic multi-keyword ranked searchscheme over encrypted cloud data. IEEE Trans. Parallel Distrib. Syst. 27, 2, 340–352. DOI: 10.1109/TPDS.2015.2401003

P. Zhao Qing, Z. Yun, and S. Kwong. 2015. Efficient motion and disparity estimation optimization for low com-plexity multiview video coding. IEEE Trans. Broadcast. 61, 2, 166–176. DOI:10.1109/TBC.2015.2419824

Z. Ziming, S. Lambotharan, C. Woon Hau, and F. Zhong. 2015. A game theoretic optimization framework forhome demand management incorporating local energy resources. IEEE Trans. Ind. Inf. 11, 2, 353–362.

F. Zhao, C. Bailey-Kellog, and M. Fromherz. 2003. Physics-based encapsulation in embedded software fordistributed sensing and control applications. Proc. IEEE. 91, 1, 40–63.

Received October 2015; revised January 2016; accepted January 2016
