Advanced Persistent Threats (APTs) are stealthy attacks that threaten the security and privacy of sensitive information. Interactions of APTs with the victim system introduce information flows that are recorded in the system logs. Dynamic Information Flow Tracking (DIFT) is a promising mechanism for detecting APTs. DIFT taints information flows originating at system entities that are susceptible to an attack, tracks the propagation of the tainted flows, and authenticates the tainted flows at certain system components according to a pre-defined security policy. Deployment of DIFT to defend against APTs in cyber systems is limited by the heavy resource and performance overhead associated with DIFT. In this paper, we propose a resource-efficient model for DIFT by incorporating the security costs, false positives, and false negatives associated with DIFT. Specifically, we develop a game-theoretic framework and provide an analytical model of DIFT that enables the study of the trade-off between resource efficiency and the effectiveness of detection. Our game model is a nonzero-sum, infinite-horizon, average reward stochastic game. Our model incorporates the information asymmetry between players that arises from DIFT's inability to distinguish malicious flows from benign flows and the APT's inability to know the locations where DIFT performs a security analysis. Additionally, the game has incomplete information, as the transition probabilities (false-positive and false-negative rates) are unknown. We propose a multiple-time-scale stochastic approximation algorithm to learn an equilibrium solution of the game. We prove that our algorithm converges to an average reward Nash equilibrium. We evaluate our proposed model and algorithm on a real-world ransomware dataset and validate the effectiveness of the proposed approach.
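The DIFT mechanism the abstract describes (taint at susceptible entities, propagate along logged flows, authenticate only where DIFT chooses to run a security analysis, paying a resource cost per analysis) as a small added illustration; this is example code written for this page, not the paper's model or dataset, and the entity names and log events are constructed.

```python
"""Minimal DIFT pass over constructed system-log flows (added example).
Taint starts at entities the defender marks as susceptible, propagates along
recorded flows in time order, and the security policy is evaluated only at
the checkpoints where DIFT performs its analysis, which is where the
resource cost is paid. Every tainted flow reaching a checkpoint is analysed,
benign or not: DIFT cannot tell them apart, which is the false-positive cost
the abstract refers to."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int     # event order taken from the log
    src: str   # entity information flows from
    dst: str   # entity information flows to
    op: str    # recorded operation


# Constructed log: a download is written to disk, opened by an office
# process, and its contents reach a file under the user's documents tree.
# The last event is an unrelated, untainted write.
LOG = [
    Flow(1, "socket:203.0.113.5", "proc:browser", "recv"),
    Flow(2, "proc:browser", "file:/tmp/invoice.doc", "write"),
    Flow(3, "file:/tmp/invoice.doc", "proc:word", "read"),
    Flow(4, "proc:word", "file:/home/u/docs/report.doc", "write"),
    Flow(5, "proc:editor", "file:/home/u/notes.txt", "write"),
]


def dift_run(log, susceptible, checkpoints, per_check_cost=1.0):
    """Propagate taint through the log and report analyses at checkpoints.

    Returns (tainted entities, flows that triggered an analysis, total cost).
    More checkpoints catch the flow earlier but cost more, which is the
    trade-off the game model in the abstract studies."""
    tainted = set(susceptible)
    analysed = []
    for f in sorted(log, key=lambda f: f.t):
        if f.src in tainted:
            tainted.add(f.dst)          # tag travels with the information
            if f.dst in checkpoints:
                analysed.append(f)      # security policy evaluated here only
    return tainted, analysed, per_check_cost * len(analysed)
```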