Advanced Persistent Threats (APTs) are stealthy, customized attacks by intelligent adversaries. This paper deals with the detection of APTs that infiltrate cyber systems and compromise specifically targeted data and/or infrastructure. Dynamic information flow tracking is an information trace-based detection mechanism against APTs: it taints suspicious information flows in the system and triggers security analysis when tainted data is used without authorization. In this paper, we develop an analytical model for resource-efficient detection of APTs using an information flow tracking game. The game is a nonzero-sum, turn-based, stochastic game with asymmetric information, since the defender cannot distinguish whether an incoming flow is malicious or benign and hence has only partial observation of the state. We analyze the equilibrium of the game and prove that a Nash equilibrium is given by a solution to the minimum capacity cut set problem on a flow network derived from the system, where the edge capacities are obtained from the cost of performing security analysis. Finally, we implement our algorithm on a real-world dataset for a data exfiltration attack, augmented with false-negative and false-positive rates, and compute an optimal defender strategy.
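As an added illustration (not code from the paper), the following Python computes a minimum capacity cut on a small constructed information-flow network: the source stands for the points where untrusted flows enter, the sink for the targeted data, and each edge capacity is the assumed cost of performing security analysis on flows across that edge. The returned cut is the set of edges on which the defender would perform analysis; the node names, costs and graph shape are assumptions, not the paper's own construction.

```python
from collections import deque

# Constructed example: entry points ("src") feed network nodes, which feed
# processes, which reach the targeted data ("db"). Edge weights are the
# assumed cost of running security analysis on flows across that edge.
FLOW_NETWORK = {
    "src":    {"net1": 10, "net2": 10},
    "net1":   {"proc_a": 4, "proc_b": 1},
    "net2":   {"proc_b": 2},
    "proc_a": {"db": 2},
    "proc_b": {"db": 5},
    "db":     {},
}

def max_flow_min_cut(graph, source, sink):
    """Edmonds-Karp max flow; returns (flow value, set of min-cut edges)."""
    residual = {u: {} for u in graph}          # residual capacities incl. reverse edges
    for u, nbrs in graph.items():
        for v, cap in nbrs.items():
            residual[u][v] = residual[u].get(v, 0) + cap
            residual[v].setdefault(u, 0)
    flow = 0
    while True:
        parent, q = {source: None}, deque([source])   # BFS for a shortest augmenting path
        while q and sink not in parent:
            u = q.popleft()
            for v, cap in residual[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if sink not in parent:
            break
        path_flow, v = float("inf"), sink              # bottleneck along the path
        while parent[v] is not None:
            path_flow = min(path_flow, residual[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:                   # push flow, update residuals
            residual[parent[v]][v] -= path_flow
            residual[v][parent[v]] += path_flow
            v = parent[v]
        flow += path_flow
    reachable = set(parent)                            # source side of the min cut
    cut = {(u, v) for u in reachable for v in graph[u] if v not in reachable}
    return flow, cut

def defender_strategy(graph, source, sink):
    """Edges to place analysis on and their total cost (equals the max flow)."""
    flow, cut = max_flow_min_cut(graph, source, sink)
    return sum(graph[u][v] for u, v in cut), sorted(cut)
```

Running `defender_strategy(FLOW_NETWORK, "src", "db")` selects the three edges whose combined analysis cost is minimal among all sets that separate every entry point from the targeted data.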