Stochastic Information Flow Tracking Games with Partial Knowledge
Shruti Misra (1), Shana Moothedath (1), Hossein Hosseini (1), Joey Allen (2), Linda Bushnell (1), Wenke Lee (2), Radha Poovendran (1)
(1) Department of Electrical and Computer Engineering, University of Washington, Seattle
(2) School of Computer Science, Georgia Institute of Technology, Atlanta
ADAPT: Actionable Defense against Advanced Persistent Threats
Source: faculty.washington.edu › sm15 › pub › ...

Motivation
- Advanced Persistent Threats (APTs) have emerged as a security threat to vital organizations such as national defense.
- Some examples of APTs are the Stuxnet worm (2010), Deep Panda (2015) and GhostNet (2009).
- Dynamic Information Flow Tracking (DIFT) is a flow tracking-based mechanism that is widely used to detect APTs.

AIM: Model a DIFT-based defense mechanism against APTs that:
- Captures the trade-off between detection accuracy and resource efficiency.
- Accounts for the rate of false negatives.

Problem Formulation
The dynamic interaction between the adversary and the defender can be modeled as a stochastic dynamic game.
- The attacker chooses a transition (a_t) to reach the destination.
- The defender decides whether to trap the flow or not (d_t).
- The probability of state transition captures the rate of false negatives.

The game formulated has the following properties:
- Stochastic
- Nonzero sum
- Incomplete and imperfect information

Payoff Functions

There exists a Nash Equilibrium (NE) for the proposed game.

Approach
The payoff functions are non-concave with respect to the player strategies.
Our approach consists of the following steps:
- Alternating Optimization
- Partial Input Convex Neural Network Architecture

Numerical Study
We test our approach on a random information flow graph and an IFG of a ScreenGrab attack obtained by the Refinable Attack Investigation System (RAIN).
Figures: Convergence Results; Sensitivity Analysis (Random Graph, ScreenGrab Attack)

Future Work
- Characterize the convex approximation factor for the payoff functions of both players.
- Analyze the trade-off between obtaining a good convex approximation and the accuracy of the partial input convex neural networks.
- Investigate other learning-based approaches to solve the game.
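The game sketched under Problem Formulation (attacker transition a_t, defender trap decision d_t, state transitions carrying the false-negative rate), as an added example that is not the poster's code: the graph, strategies and false-negative rates are constructed, and the one-step trap/detect model is an assumption, since the poster's payoff functions are not reproduced on this page.

```python
"""Added example (not the poster's code): the DIFT game from Problem
Formulation as an absorbing Markov chain on a small information flow graph.
Assumed model: at node v the defender traps with probability d[v]; a trap
detects the tagged flow with probability 1 - fn[v] (fn = false-negative
rate); if undetected, the attacker moves to u with probability a[v][u]."""
from typing import Dict, List

Graph = Dict[str, List[str]]


def reach_probability(graph: Graph, attacker: Dict[str, Dict[str, float]],
                      defender: Dict[str, float], fn: Dict[str, float],
                      dest: str, max_iters: int = 1000, tol: float = 1e-12) -> Dict[str, float]:
    """Per-node probability that the attacker reaches dest before detection.
    Value iteration on r[v] = (1 - d[v]*(1 - fn[v])) * sum_u a[v][u]*r[u],
    with r[dest] = 1 and r[v] = 0 at dead ends; also works on cyclic IFGs."""
    r = {v: 0.0 for v in graph}
    r[dest] = 1.0
    for _ in range(max_iters):
        delta = 0.0
        for v, succ in graph.items():
            if v == dest or not succ:
                continue
            undetected = 1.0 - defender.get(v, 0.0) * (1.0 - fn.get(v, 0.0))
            new = undetected * sum(attacker[v][u] * r[u] for u in succ)
            delta = max(delta, abs(new - r[v]))
            r[v] = new
        if delta < tol:
            break
    return r


GRAPH: Graph = {  # constructed IFG: nodes are processes/files, edges are flows
    "entry": ["proc_a", "proc_b"],
    "proc_a": ["file_x"],
    "proc_b": ["file_x", "exfil"],
    "file_x": ["exfil"],
    "exfil": [],  # attacker's destination
}
ATTACKER = {  # a_t: per-node distribution over outgoing flows
    "entry": {"proc_a": 0.5, "proc_b": 0.5},
    "proc_a": {"file_x": 1.0},
    "proc_b": {"file_x": 0.5, "exfil": 0.5},
    "file_x": {"exfil": 1.0},
}
DEFENDER = {"proc_b": 1.0, "file_x": 1.0}  # d_t: trap only at these two nodes

if __name__ == "__main__":
    for rate in (0.0, 0.2):  # same false-negative rate at every node
        r = reach_probability(GRAPH, ATTACKER, DEFENDER, {v: rate for v in GRAPH}, "exfil")
        print(f"fn={rate}: P(reach exfil from entry) = {r['entry']:.3f}")
```

With a perfect DIFT (fn = 0) the two traps stop every path, while a 20% false-negative rate lets the attacker through 16% of the time, which is the effect the game's transition probabilities are meant to capture.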