A game-theoretic approach to respond to attacker lateral movement

Mohammad A. Noureddine, Ahmed Fawaz, William H. Sanders, Tamer Başar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually to enable decisions on response actions and thwart attacks. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
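The pipeline the abstract describes (services graph, monitoring labels on suspected lateral-movement edges, a zero-sum matrix game, a saddle-point solution that picks the response) can be walked through on a toy network. The block below is an added illustration written for this page, not the authors' code: the five-host graph, the defender's action set (block one edge or do nothing), the attacker's action set (take one flagged edge), the hop-count payoff, the UNREACHABLE cap and the use of fictitious play as the matrix-game solver are all assumptions made here; the page does not say how the paper constructs or solves its game.

```python
"""Toy response engine in the spirit of the abstract: a network services graph,
monitoring labels on suspected lateral-movement edges, a zero-sum matrix game
(defender blocks one edge, attacker takes one flagged edge) and a saddle-point
solution that selects the response.  Added illustration, not the authors' code.
The graph, action sets, hop-count payoff, UNREACHABLE cap and fictitious-play
solver are assumptions; the page does not describe the paper's actual game."""
from collections import deque

UNREACHABLE = 10  # assumed payoff when a block cuts the attacker off from the target

# Constructed services graph: directed edge = a permitted service communication.
# W = attacker foothold, J = jump host, F = file server, A = app server, D = database.
SERVICES = {("W", "J"), ("W", "F"), ("J", "A"), ("F", "A"), ("A", "D"), ("J", "D")}
# Constructed monitoring labels: edges flagged as probable lateral movement from W.
FLAGGED = [("W", "J"), ("W", "F")]
FOOTHOLD, TARGET = "W", "D"


def hops_to_target(edges, src, dst):
    """BFS hop count from src to dst over a directed edge set; UNREACHABLE if none."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return dist[u]
        for a, b in edges:
            if a == u and b not in dist:
                dist[b] = dist[u] + 1
                queue.append(b)
    return UNREACHABLE


def build_game(edges, flagged, foothold, target):
    """Rows: defender responses (None = do nothing, else block that edge).
    Columns: attacker moves (one flagged edge).  Payoff to the defender is the
    number of hops the attacker still needs to reach the target once both moves
    are applied, i.e. the delay the response buys."""
    defender = [None] + sorted(edges)
    attacker = list(flagged)
    matrix = []
    for block in defender:
        residual = edges - {block}
        row = []
        for move in attacker:
            # A blocked move fails and leaves the attacker on the foothold.
            position = move[1] if move in residual else foothold
            row.append(hops_to_target(residual, position, target))
        matrix.append(row)
    return defender, attacker, matrix


def solve_matrix_game(matrix, iterations=100_000):
    """Saddle-point strategies of a zero-sum matrix game, row player maximising.
    Returns (lower, upper, row_strategy, col_strategy).  A pure saddle point is
    returned exactly; otherwise fictitious play approximates the mixed one, and
    lower <= game value <= upper holds for the returned empirical strategies."""
    m, n = len(matrix), len(matrix[0])
    row_mins = [min(row) for row in matrix]
    col_maxs = [max(matrix[i][j] for i in range(m)) for j in range(n)]
    maximin, minimax = max(row_mins), min(col_maxs)
    if maximin == minimax:  # pure saddle point: no mixing needed
        i, j = row_mins.index(maximin), col_maxs.index(minimax)
        return maximin, minimax, [float(k == i) for k in range(m)], [float(k == j) for k in range(n)]
    row_counts, col_counts = [1] * m, [1] * n  # uniform pseudo-counts to start
    for _ in range(iterations):
        # Each side best-responds to the opponent's empirical mixture so far.
        best_row = max(range(m), key=lambda i: sum(matrix[i][j] * col_counts[j] for j in range(n)))
        best_col = min(range(n), key=lambda j: sum(matrix[i][j] * row_counts[i] for i in range(m)))
        row_counts[best_row] += 1
        col_counts[best_col] += 1
    x = [c / sum(row_counts) for c in row_counts]
    y = [c / sum(col_counts) for c in col_counts]
    lower = min(sum(x[i] * matrix[i][j] for i in range(m)) for j in range(n))
    upper = max(sum(matrix[i][j] * y[j] for j in range(n)) for i in range(m))
    return lower, upper, x, y


def choose_response(edges=SERVICES, flagged=FLAGGED, foothold=FOOTHOLD, target=TARGET):
    """Run the engine once and report the response plus the strategies behind it."""
    defender, attacker, matrix = build_game(edges, flagged, foothold, target)
    lower, upper, x, y = solve_matrix_game(matrix)
    # Deterministic pick for the walkthrough; a live engine would sample from x,
    # since only the mixed strategy denies the attacker a predictable defender.
    pick = max(range(len(defender)), key=lambda i: x[i])
    return {
        "block": defender[pick],
        "value_bounds": (lower, upper),
        "defender_strategy": {d: round(p, 3) for d, p in zip(defender, x)},
        "attacker_strategy": {a: round(p, 3) for a, p in zip(attacker, y)},
    }


if __name__ == "__main__":
    print(choose_response())
```

On this constructed graph the game has no pure saddle point (maximin 2, minimax 3), so the response is a mixed strategy: block W→J about 90% of the time and block A→D the rest, for a guaranteed delay of 2.8 hops. Blocking the obvious next hop every time would be worse, because the attacker would answer by always taking W→F. The payoff here is hop count, which is the simplest proxy for the "delay" the abstract measures; a production engine would weight edges by the cost of each response action and the value of each node.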

Original language: English (US)
Title of host publication: Decision and Game Theory for Security - 7th International Conference, GameSec 2016, Proceedings
Editors: Emmanouil Panaousis, Milind Tambe, Tansu Alpcan, William Casey, Quanyan Zhu
Publisher: Springer-Verlag
Pages: 294-313
Number of pages: 20
ISBN (Print): 9783319474120
DOIs: 10.1007/978-3-319-47413-7_17
State: Published - Jan 1 2016
Event: 7th International Conference on Decision and Game Theory for Security, GameSec 2016 - New York, United States
Duration: Nov 2 2016 to Nov 4 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9996 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 7th International Conference on Decision and Game Theory for Security, GameSec 2016
Country: United States
City: New York
Period: 11/2/16 to 11/4/16

Fingerprint

Lateral
Game
Monitoring
Intrusion detection
Labels
Industry
Engines
Communication
Attack
Movement
Matrix Game
Zero sum game
Effective Action
Wake
Graph in graph theory
Saddlepoint
Response Time
Target

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Noureddine, M. A., Fawaz, A., Sanders, W. H., & Başar, T. (2016). A game-theoretic approach to respond to attacker lateral movement. In E. Panaousis, M. Tambe, T. Alpcan, W. Casey, & Q. Zhu (Eds.), Decision and Game Theory for Security - 7th International Conference, GameSec 2016, Proceedings (pp. 294-313). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9996 LNCS). Springer-Verlag. https://doi.org/10.1007/978-3-319-47413-7_17

@inproceedings{9443079d3c3c4d518a38ba6ad4481fcc,
title = "A game-theoretic approach to respond to attacker lateral movement",
abstract = "In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually to enable decisions on response actions and thwart attacks. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.",
author = "Noureddine, {Mohammad A.} and Ahmed Fawaz and Sanders, {William H.} and Tamer Başar",
year = "2016",
month = "1",
day = "1",
doi = "10.1007/978-3-319-47413-7_17",
language = "English (US)",
isbn = "9783319474120",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer-Verlag",
pages = "294--313",
editor = "Emmanouil Panaousis and Milind Tambe and Tansu Alpcan and William Casey and Quanyan Zhu",
booktitle = "Decision and Game Theory for Security - 7th International Conference, GameSec 2016, Proceedings",

}