
A Game-Theoretic Approach to Respond to Attacker Lateral Movement

Conference paper, in: Decision and Game Theory for Security (GameSec 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9996)

Abstract

In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually to enable decisions on response actions and thwart attacks. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
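As an added illustration of the pipeline the abstract describes (this is example code, not the paper's own engine): a constructed network services graph, the edges monitoring has labelled as possible lateral movement serving as the defender's candidate blocking responses, a zero-sum matrix game whose payoff is the attacker's remaining hop distance to the sensitive node, and saddle-point mixed strategies approximated by fictitious play instead of an exact matrix-game solve. The hosts, edges and the hop-distance delay payoff are assumptions made for the example.

```python
from collections import deque
# Constructed network services graph (undirected host-host edges): the attacker holds "A", the sensitive node is "T".
SERVICES = [("A", "B"), ("A", "C"), ("B", "T"), ("C", "D"), ("D", "T")]
# Edges monitoring flagged as possible lateral movement; each is a candidate defender response (block that service).
SUSPICIOUS = [("A", "B"), ("A", "C"), ("B", "T"), ("D", "T")]
UNREACHABLE = 10  # hop distance credited when a block cuts the target off entirely

def neighbors(edges, node):
    return sorted({v for u, v in edges if u == node} | {u for u, v in edges if v == node})

def hops(edges, src, dst):
    """BFS hop count from src to dst over the services still allowed."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        if node == dst:
            return d
        for nxt in neighbors(edges, node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return UNREACHABLE

def payoff_matrix(edges, suspicious, attacker_at, target):
    """Rows: defender blocks one suspicious edge. Columns: attacker moves to a neighbour.
    Entry: attacker's hop distance to the target afterwards (defender maximises this delay, attacker minimises it)."""
    moves, matrix = neighbors(edges, attacker_at), []
    for blocked in suspicious:
        remaining = [e for e in edges if e != blocked]
        # A move over the blocked service fails, so the attacker stays where it is.
        matrix.append([hops(remaining, attacker_at if {attacker_at, n} == set(blocked) else n, target)
                       for n in moves])
    return moves, matrix

def fictitious_play(matrix, rounds=60000):
    """Approximate saddle-point mixed strategies by fictitious play (an iterative stand-in for an exact LP solve).
    Returns (defender mix, attacker mix, lower bound, upper bound); the two bounds sandwich the game value."""
    m, n = len(matrix), len(matrix[0])
    d_count, a_count = [1] + [0] * (m - 1), [0] * n
    for _ in range(rounds):
        # Each side plays a best response to the other side's empirical mixed strategy so far.
        col = min(range(n), key=lambda j: sum(d_count[i] * matrix[i][j] for i in range(m)))
        a_count[col] += 1
        row = max(range(m), key=lambda i: sum(a_count[j] * matrix[i][j] for j in range(n)))
        d_count[row] += 1
    x, y = [c / sum(d_count) for c in d_count], [c / sum(a_count) for c in a_count]
    lower = min(sum(x[i] * matrix[i][j] for i in range(m)) for j in range(n))  # guaranteed by x
    upper = max(sum(matrix[i][j] * y[j] for j in range(n)) for i in range(m))  # conceded by y
    return x, y, lower, upper
```

In the constructed graph the saddle point has the defender split its blocking evenly between the B-T and D-T services, guaranteeing the attacker at least 2.5 expected hops from the target whatever its next move.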



Acknowledgment

This work was supported in part by the Office of Naval Research (ONR) MURI grant N00014-16-1-2710. The authors would like to thank Jenny Applequist for her editorial comments.

Author information

Corresponding author: Mohammad A. Noureddine.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Noureddine, M.A., Fawaz, A., Sanders, W.H., Başar, T. (2016). A Game-Theoretic Approach to Respond to Attacker Lateral Movement. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science, vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_17

  • DOI: https://doi.org/10.1007/978-3-319-47413-7_17
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-47412-0
  • Online ISBN: 978-3-319-47413-7
  • eBook Packages: Computer Science (R0)