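@inproceedings{edf5c4052734482ca12052823f0f66e7,
  author        = {Sayin, Muhammed O. and Hosseini, Hossein and Poovendran, Radha and Ba{\c s}ar, Tamer},
  title         = {A game theoretical framework for inter-process adversarial intervention detection},
  booktitle     = {Decision and Game Theory for Security - 9th International Conference, GameSec 2018, Proceedings},
  editor        = {Bushnell, Linda and Poovendran, Radha and Ba{\c s}ar, Tamer},
  series        = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
  publisher     = {Springer},
  address       = {Germany},
  year          = {2018},
  pages         = {486--507},
  doi           = {10.1007/978-3-030-01554-1_28},
  isbn          = {9783030015534},
  language      = {English (US)},
  keywords      = {Advanced persistent threats, Anomaly detection, Games-in-games, Host-based intrusion detection, Mimicry attacks, Process monitoring, Stackelberg games},
  abstract      = {In this paper, we propose and analyze a two-level game theoretical framework to detect advanced and persistent threats across processes. The two-level framework adapted facilitates abstraction of the complexity of process level interactions between defense mechanisms and adversaries from easier to interpret and more flexible system-level interaction. At the process-level, program anomaly detection algorithms have already been proposed to detect anomalous program behavior by comparing monitored activities with the predetermined expected behavior. This had led to significant detection performance initially until advanced adversaries modified the attacks to remain undetected. Therefore, we propose defense mechanisms that anticipate the reaction of advanced evaders and seek to maximize the complexity of undetectable attacks at the expense of additional false alarm rate. Furthermore, in the system-level, we propose defense mechanisms to detect adversarial intervention across processes through the assessment of all process activities together in a cohesive way so that the advanced adversaries need to craft their attacks further to remain undetected also at the system-level. This further increases the cost of complexity for the attacker, and correspondingly degrades the motivation to attack. We provide a game theoretical incentive analysis for both defenders and adversaries, and characterize pure and mixed strategy equilibria. We also analyze the coupling between the two levels of the game.},
  note          = {Publisher Copyright: {\textcopyright} 2018, Springer Nature Switzerland AG.; 9th International Conference on Decision and Game Theory for Security, GameSec 2018; Conference date: 29-10-2018 Through 31-10-2018},
  internal-note = {Auto-exported record. The hashed citation key is kept so existing citations keep resolving. All author and editor names are now in the unambiguous Last, First form and the fourth editor is spelled the same way as the fourth author (Ba{\c s}ar). Open points to confirm against the publisher record: address {Germany} does not match the Springer Nature Switzerland copyright line, and the LNCS volume number is not given in the export, so no volume field has been added.},
}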