Advanced persistent threats (APTs) are organized, prolonged cyberattacks carried out by sophisticated attackers. Although APT activities are stealthy, they interact with system components, and these interactions produce information flows. Dynamic Information Flow Tracking (DIFT) has been proposed as one of the effective ways to detect APTs using these information flows. However, performing security analysis over a wide range of flows with DIFT incurs a significant performance overhead, and DIFT itself generates high rates of false positives and false negatives. In this paper, we model the strategic interaction between the APT and DIFT as a non-cooperative stochastic game. The game unfolds on a state space constructed from an information flow graph (IFG) extracted from the system log. The objective of the APT in the game is to choose transitions in the IFG so as to find an optimal path from an entry point of the attack to an attack target. The objective of DIFT, on the other hand, is to dynamically select nodes in the IFG at which to perform security analysis in order to detect the APT. Our game model has imperfect information, as neither player observes the actions of its opponent. We consider two scenarios of the game: (i) the false-positive and false-negative rates are known to both players, and (ii) the false-positive and false-negative rates are unknown to both players. Case (i) translates to a game model with complete information; for it we propose a value iteration-based algorithm and prove its convergence. Case (ii) translates to a game with unknown transition probabilities; for it we propose a Hierarchical Supervised Learning (HSL) algorithm that integrates a neural network, which predicts the value vector of the game, with a policy iteration algorithm that computes an approximate equilibrium. We implemented our algorithms on real attack datasets and validated the performance of our approach.
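As an added illustration of the game structure described in this abstract (this is constructed example code, not the paper's model or implementation), the block below builds a tiny information flow graph, lets the APT choose transitions and DIFT choose which node to analyse at each step, and runs value iteration over the resulting stochastic game for case (i), where the false-positive and false-negative rates are known. Everything not stated in the abstract is an assumption: the game is simplified to zero-sum with payoffs written from the APT's point of view, the false-negative and false-positive rates `FN` and `FP`, the false-alarm cost `C_FP`, and the terminal payoffs `R_TARGET` and `R_DETECT` are made-up constants, the graph `IFG` is constructed, and each stage game is solved approximately by regret matching (which returns bounds on the stage value) rather than by the paper's algorithm.

```python
"""Toy APT-vs-DIFT stochastic game on a small information flow graph (IFG).

Constructed, simplified illustration (not the paper's model or code). The game is
treated as zero-sum; all payoffs are expressed from the APT's point of view, so
DIFT is the minimiser and the APT is the maximiser.
"""

# Constructed IFG: entry -> {a, b} -> target. Keys are nodes, values are successors.
IFG = {"entry": ["a", "b"], "a": ["target"], "b": ["target"], "target": []}
ENTRY, TARGET = "entry", "target"
FN, FP = 0.2, 0.1                 # assumed false-negative / false-positive rates (case (i): known)
C_FP = 0.5                        # assumed cost to DIFT of a false alarm (a gain for the APT)
R_TARGET, R_DETECT = 1.0, -1.0    # APT payoff on reaching the target / on being detected


def stage_payoff(next_node, dift_node, values):
    """Expected APT payoff when the APT moves to next_node while DIFT analyses dift_node.
    'values' maps nodes to the current value estimates (continuation payoffs)."""
    cont = R_TARGET if next_node == TARGET else values[next_node]
    if dift_node == next_node:
        # The tainted flow is inspected: caught unless DIFT misses it (false negative).
        return (1 - FN) * R_DETECT + FN * cont
    if dift_node is None:
        return cont
    # DIFT analysed a node the attack did not touch: only a false alarm can happen there.
    return cont + FP * C_FP


def solve_matrix_game(matrix, iters=20000):
    """Approximate minimax value of a zero-sum matrix game via regret matching.
    matrix[i][j] is the payoff to the column player (APT, maximiser) when the row
    player (DIFT, minimiser) plays i and the APT plays j. Returns (lower, upper)
    bounds on the game value, derived from the players' average strategies."""
    m, n = len(matrix), len(matrix[0])
    reg_r, reg_c = [0.0] * m, [0.0] * n      # cumulative regrets
    sum_r, sum_c = [0.0] * m, [0.0] * n      # cumulative strategies (for averaging)
    for _ in range(iters):
        pos = [max(r, 0.0) for r in reg_r]; tot = sum(pos)
        pr = [x / tot for x in pos] if tot > 0 else [1.0 / m] * m
        pos = [max(r, 0.0) for r in reg_c]; tot = sum(pos)
        pc = [x / tot for x in pos] if tot > 0 else [1.0 / n] * n
        # Expected payoff of each pure action against the opponent's current mix.
        row_pay = [sum(matrix[i][j] * pc[j] for j in range(n)) for i in range(m)]
        col_pay = [sum(matrix[i][j] * pr[i] for i in range(m)) for j in range(n)]
        u = sum(pr[i] * row_pay[i] for i in range(m))
        for i in range(m):
            reg_r[i] += u - row_pay[i]       # DIFT regrets any row that would have paid the APT less
            sum_r[i] += pr[i]
        for j in range(n):
            reg_c[j] += col_pay[j] - u       # the APT regrets any column that would have paid it more
            sum_c[j] += pc[j]
    avg_r = [x / iters for x in sum_r]
    avg_c = [x / iters for x in sum_c]
    # Best pure APT reply to DIFT's average strategy bounds the value from above;
    # best pure DIFT reply to the APT's average strategy bounds it from below.
    upper = max(sum(matrix[i][j] * avg_r[i] for i in range(m)) for j in range(n))
    lower = min(sum(matrix[i][j] * avg_c[j] for j in range(n)) for i in range(m))
    return lower, upper


def value_iteration(tol=1e-4, max_sweeps=50):
    """Value iteration over the IFG states: at each non-terminal node the APT picks
    a successor and DIFT picks a node to analyse (or none); the stage game is solved
    and the midpoint of its value bounds becomes the node's new estimate."""
    nodes = [v for v in IFG if v != TARGET]
    dift_actions = [None] + list(IFG)        # None = perform no analysis this step
    values = {v: 0.0 for v in nodes}
    values[TARGET] = R_TARGET
    for _ in range(max_sweeps):
        delta = 0.0
        for s in nodes:
            matrix = [[stage_payoff(nxt, d, values) for nxt in IFG[s]] for d in dift_actions]
            lo, hi = solve_matrix_game(matrix)
            new = (lo + hi) / 2
            delta = max(delta, abs(new - values[s]))
            values[s] = new
        if delta < tol:
            break
    return values


if __name__ == "__main__":
    for node, v in value_iteration().items():
        print(f"value of the game with the APT at {node!r}: {v:+.3f} (APT's payoff)")
```

With the constructed constants, a node whose only successor is the target has value 2·FN − 1 = −0.6 for the APT (DIFT simply analyses the target node), while the entry node has value about −0.735: the APT must randomise between the two intermediate nodes and DIFT's best reply is to randomise its analysis between them, which is why the equilibrium is mixed and why an approximate solver, rather than a pure-strategy search, is needed at each state.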