TY - GEN
T1 - A game-theoretic approach to respond to attacker lateral movement
AU - Noureddine, Mohammad A.
AU - Fawaz, Ahmed
AU - Sanders, William H.
AU - Başar, Tamer
N1 - Publisher Copyright:
© Springer International Publishing AG 2016.
Copyright:
Copyright 2017 Elsevier B.V., All rights reserved.
PY - 2016
Y1 - 2016
N2 - In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually to enable decisions on response actions and thwart attacks. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
AB - In the wake of an increasing number of targeted and complex attacks on enterprise networks, there is a growing need for timely, efficient and strategic network response. Intrusion detection systems provide network administrators with a plethora of monitoring information, but that information must often be processed manually to enable decisions on response actions and thwart attacks. This gap between detection time and response time, which may be months long, may allow attackers to move freely in the network and achieve their goals. In this paper, we present a game-theoretic approach for automatic network response to an attacker that is moving laterally in an enterprise network. To do so, we first model the system as a network services graph and use monitoring information to label the graph with possible attacker lateral movement communications. We then build a defense-based zero-sum game in which we aim to prevent the attacker from reaching a sensitive node in the network. Solving the matrix game for saddle-point strategies provides us with an effective way to select appropriate response actions. We use simulations to show that our engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
UR - http://www.scopus.com/inward/record.url?scp=84994823927&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84994823927&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-47413-7_17
DO - 10.1007/978-3-319-47413-7_17
M3 - Conference contribution
AN - SCOPUS:84994823927
SN - 9783319474120
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 294
EP - 313
BT - Decision and Game Theory for Security - 7th International Conference, GameSec 2016, Proceedings
A2 - Panaousis, Emmanouil
A2 - Tambe, Milind
A2 - Alpcan, Tansu
A2 - Casey, William
A2 - Zhu, Quanyan
PB - Springer
T2 - 7th International Conference on Decision and Game Theory for Security, GameSec 2016
Y2 - 2 November 2016 through 4 November 2016
ER -
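The abstract above describes a pipeline: model hosts and their service connections as a graph, label the edges that monitoring flags as possible lateral movement, build a zero-sum matrix game between a defender who blocks one suspicious edge and an attacker who moves along one, and solve that game for a saddle point to pick the response. The following is an added toy implementation of that pipeline, written for this record and not taken from the paper or its authors' code. The network (hosts ws1, ws2, file, jump, db), the IDS alerts, the payoff definition (remaining hop distance from the attacker to the sensitive node, with a fixed large value when the attacker is cut off) and the use of fictitious play to approximate the mixed saddle point are all assumptions of the example; the paper's actual graph, payoffs and solver may differ.

```python
"""Toy lateral-movement response game: graph + IDS labels -> matrix game -> saddle point."""
from collections import deque

# Constructed example network (made-up host names). Keys are hosts, values are the
# hosts reachable over some service (SSH, SMB, RDP...). Edges are undirected here.
SERVICES_GRAPH = {
    "ws1": {"ws2", "file"},
    "ws2": {"ws1", "jump"},
    "file": {"ws1", "jump", "db"},
    "jump": {"ws2", "file", "db"},
    "db": {"file", "jump"},
}
SENSITIVE = "db"        # the node the defender must keep the attacker away from
UNREACHABLE = 10        # assumed payoff when a block disconnects the attacker entirely

# Constructed IDS alerts: (src, dst) pairs the monitoring layer flagged as suspicious.
# ("ws1", "bogus") is deliberately not an edge of the graph and must be dropped.
ALERTS = [("ws1", "ws2"), ("ws1", "file"), ("file", "db"), ("ws2", "jump"), ("ws1", "bogus")]


def shortest_hops(graph, src, dst):
    """BFS hop count from src to dst, or None when dst is unreachable."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in graph[node]:
            if nxt == dst:
                return d + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return None


def label_lateral_moves(graph, alerts):
    """Keep only alerts that correspond to a real edge of the services graph."""
    return {(s, d) for s, d in alerts if d in graph.get(s, ())}


def remove_edge(graph, edge):
    """Return a copy of the graph with the (undirected) edge blocked."""
    s, d = edge
    g = {n: set(nb) for n, nb in graph.items()}
    g[s].discard(d)
    g[d].discard(s)
    return g


def build_game(graph, attacker_pos, suspicious, target):
    """Defender rows: block one suspicious edge, or 'none'. Attacker columns: move along
    one suspicious edge leaving attacker_pos. Payoff to the defender is the attacker's
    remaining hop distance to target after both moves (a blocked move leaves the attacker
    where it was). The defender maximises, the attacker minimises."""
    defender = ["none"] + sorted(suspicious)
    attacker = sorted(e for e in suspicious if e[0] == attacker_pos)
    matrix = []
    for d in defender:
        g = graph if d == "none" else remove_edge(graph, d)
        row = []
        for a in attacker:
            pos = attacker_pos if a == d else a[1]
            dist = shortest_hops(g, pos, target)
            row.append(UNREACHABLE if dist is None else dist)
        matrix.append(row)
    return defender, attacker, matrix


def pure_saddle_point(matrix):
    """Return (row, col, value) when maximin == minimax in pure strategies, else None."""
    row_mins = [min(r) for r in matrix]
    col_maxs = [max(c) for c in zip(*matrix)]
    maximin, minimax = max(row_mins), min(col_maxs)
    if maximin != minimax:
        return None
    return row_mins.index(maximin), col_maxs.index(minimax), maximin


def fictitious_play(matrix, rounds=20000):
    """Approximate the mixed saddle point: each side best-responds to the other's
    empirical mix. Returns (low, high, defender_mix, attacker_mix); the true game
    value lies in [low, high], which shrinks as rounds grows."""
    n, m = len(matrix), len(matrix[0])
    row_counts, col_counts = [1] + [0] * (n - 1), [1] + [0] * (m - 1)
    for _ in range(rounds):
        exp_rows = [sum(matrix[i][j] * col_counts[j] for j in range(m)) for i in range(n)]
        row_counts[exp_rows.index(max(exp_rows))] += 1      # defender maximises
        exp_cols = [sum(matrix[i][j] * row_counts[i] for i in range(n)) for j in range(m)]
        col_counts[exp_cols.index(min(exp_cols))] += 1      # attacker minimises
    def_mix = [c / sum(row_counts) for c in row_counts]
    att_mix = [c / sum(col_counts) for c in col_counts]
    low = min(sum(matrix[i][j] * def_mix[i] for i in range(n)) for j in range(m))
    high = max(sum(matrix[i][j] * att_mix[j] for j in range(m)) for i in range(n))
    return low, high, def_mix, att_mix


def choose_response(graph, attacker_pos, alerts, target):
    """Full pipeline: label -> matrix game -> saddle point -> recommended block.
    Returns (action, estimated game value, defender mix over actions)."""
    suspicious = label_lateral_moves(graph, alerts)
    defender, _, matrix = build_game(graph, attacker_pos, suspicious, target)
    sp = pure_saddle_point(matrix)
    if sp is not None:
        r, _, value = sp
        return defender[r], value, {defender[r]: 1.0}
    low, high, def_mix, _ = fictitious_play(matrix)
    mix = {d: p for d, p in zip(defender, def_mix) if p > 0.01}
    return max(mix, key=mix.get), (low + high) / 2, mix


if __name__ == "__main__":
    action, value, mix = choose_response(SERVICES_GRAPH, "ws1", ALERTS, SENSITIVE)
    print("block:", action, "guaranteed hops ~", round(value, 2), "mix:", mix)
```

On the constructed input the five-by-two payoff matrix has no pure saddle point (maximin 2, minimax 3), so the engine falls back to a mixed strategy: block ws1-file with probability about 2/3 and ws2-jump with about 1/3, guaranteeing the attacker stays roughly 7/3 hops from db in expectation rather than the 2 hops a single fixed block can guarantee. Replacing fictitious play with an exact linear-programming solve is the natural upgrade once a solver is available.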