TY - GEN
T1 - Optimal Timing in Dynamic and Robust Attacker Engagement during Advanced Persistent Threats
AU - Pawlick, Jeffrey
AU - Nguyen, Thi Thu Hang
AU - Colbert, Edward
AU - Zhu, Quanyan
N1 - Publisher Copyright:
© 2019 IFIP.
PY - 2019/6
Y1 - 2019/6
N2 - Advanced persistent threats (APTs) are stealthy attacks which make use of social engineering and deception to give adversaries insider access to networked systems. Against APTs, active defense technologies aim to create and exploit information asymmetry for defenders. In this paper, we study a scenario in which a powerful defender uses honeynets for active defense in order to observe an attacker who has penetrated the network. Rather than immediately eject the attacker, the defender may elect to gather information. We introduce an undiscounted, infinite-horizon Markov decision process on a continuous state space in order to model the defender's problem. We find a threshold of information that the defender should gather about the attacker before ejecting him. Then we study the robustness of this policy using a Stackelberg game. Finally, we simulate the policy for a conceptual network. Our results provide a quantitative foundation for studying optimal timing for attacker engagement in network defense.
AB - Advanced persistent threats (APTs) are stealthy attacks which make use of social engineering and deception to give adversaries insider access to networked systems. Against APTs, active defense technologies aim to create and exploit information asymmetry for defenders. In this paper, we study a scenario in which a powerful defender uses honeynets for active defense in order to observe an attacker who has penetrated the network. Rather than immediately eject the attacker, the defender may elect to gather information. We introduce an undiscounted, infinite-horizon Markov decision process on a continuous state space in order to model the defender's problem. We find a threshold of information that the defender should gather about the attacker before ejecting him. Then we study the robustness of this policy using a Stackelberg game. Finally, we simulate the policy for a conceptual network. Our results provide a quantitative foundation for studying optimal timing for attacker engagement in network defense.
KW - Markov decision process
KW - Security
KW - Stackelberg game
KW - advanced persistent threat
KW - attacker engagement
UR - http://www.scopus.com/inward/record.url?scp=85076390520&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85076390520&partnerID=8YFLogxK
U2 - 10.23919/WiOPT47501.2019.9144123
DO - 10.23919/WiOPT47501.2019.9144123
M3 - Conference contribution
AN - SCOPUS:85076390520
T3 - Proceedings - 17th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, WiOpt 2019
BT - Proceedings - 17th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, WiOpt 2019
A2 - de Pellegrini, Francesco
A2 - Saad, Walid
A2 - Tan, Chee Wei
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 17th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, WiOpt 2019
Y2 - 3 June 2019 through 7 June 2019
ER -