Slide 1: Game-Theory-Based Active Defense for Intrusion Detection in Cyber-Physical Embedded Systems
Presented by: Jesse Hoskins
Slide 2: Overview
- Introduction
- Related Work
- Attack-Defense Game Model
- Game Tree Model for Error Detection and Missing Detection
- Performance Evaluations
- Conclusions
- Discussion
Slide 3: Introduction
- Embedded Sensor Networks (ESNs) in Cyber-Physical Embedded Systems (CPES) are becoming ubiquitous in many applications.
- How can these systems be secured with intrusion detection systems?
- Motivation: unmanned, unattended systems are becoming part of critical infrastructure and need to be secured.
Slide 4: ESNs and Intrusion Detection
- ESNs are used extensively in safety-critical applications: Supervisory Control and Data Acquisition (SCADA) and Process Control Systems (PCS).
- A low-power, low-bandwidth security mechanism is needed: deep packet inspection is too resource heavy, and ESNs have inherent bandwidth and energy constraints.
- Intrusion detection: detect abnormalities or malicious activities in the network via single or multiple collaborating sensor nodes.
Slide 5: Why Game Theory?
- Deep packet inspection is too resource heavy.
- Pattern-matching IDS is not scalable.
Slide 6: Why Game Theory for IDS?
- Heuristic-based solutions use a central data analysis engine, constantly consume resources for monitoring, and their distributed IDS processes are subject to tampering.
- A game theory solution can better handle multistage attacks, is more accurate in modelling payoffs, and can determine the optimal response.
Slide 7: Problem Statement
- 3 attack methods: purely centralized, purely distributed, distributed-centralized.
- 3 main attacks: eavesdropping, DoS, and black hole attacks.
- Problem statement: apply game theory to build an attack-defense game model that finds the optimal strategies for an IDS architecture over repeated games.
Slide 8: Contributions
- A repeated game model for IDS that uses a mixed strategy to achieve a dynamic equilibrium between attackers and defenders.
- A game model for both attack and defense that reduces energy consumption and improves the detection rate.
- A game tree model used to solve error detection and missing detection.
Slide 9: Related Work, Non-Game-Theory Based
- Unmanned, unattended systems are becoming part of critical infrastructure and need to be secured via IDS [Kreibich et al. 2014; Wang et al. 2016; Wang et al. 2015].
- Most existing IDS architectures assume that IDS nodes cooperate honestly and unselfishly (Abduvaliyev et al. [2013], Lin and Leneutre [2009], and Min and Keecheon [2012]).
- Existing trust models for IDS are insufficient; there is no study on collaboration incentives [Mitchell and Ray 2014; Fung et al. 2013].
Slide 10: Related Work, Game Theory Based
- Decentralized approaches to maximize network performance (resource allocation), used in P2P and routing networks (Moosavi and Bui [2014], Ziming et al. [2015], Weaver et al. [2014]).
- Optimize resource allocation while accounting for malicious nodes: prevents malicious nodes from overusing network resources, but can lead to unfairness (Grothoff [2003]).
- Two-player non-cooperative host-based game theory framework (HIDS) for dynamically adjusting objects based on expected attacks (Wang et al. [2015]).
- Model for IDS to achieve fairness and incentive compatibility (Wang and Wu [2012]).
- Two-person non-zero-sum incomplete information game for IDS to minimize loss based on its own belief (Mohi et al. [2009] and Liu et al. [2006]).
Slide 11: Attack-Defense Game Model
- Define the attack-defense game model and payoff function
- Nash equilibrium
- Error detection and missing detection
Slide 12: Attack-Defense Game Model
Define the game G as G = {{A, I}, {SA, SI}, UA, UI, T}, where:
- {A, I} is the finite collection of players indexed by N = {1, 2, ..., N}, wherein A = {A1, A2, ..., AN} represents the attackers' intrusion nodes and I = {I1, I2, ..., IM} represents the IDS defenders' defense nodes.
- {SA, SI} is the offensive and defensive strategy collection of the players, wherein SA = {SA,1, SA,2, ..., SA,N} represents the offensive nodes' strategies (launch one of various types of attack, or not) and SI = {SI,1, SI,2, ..., SI,M} represents the defensive nodes' strategies (start the IDS, or not).
- {UA, UI} is the collection of payoffs of the game, wherein UA represents the payoffs of the offensive nodes' action strategies and UI represents the payoffs of the defensive nodes' action strategies.
- T represents the number of repeated games, with T = ∞.
Different players have different desired game strategies.
Slide 13: Payoff Function Definition and Strategies
The cost of a player includes:
- the cost of starting the IDS (CTm),
- the average loss when node i is attacked (CTi),
- the attackers' cost of attacking (CTa),
- the attackers' cost of not attacking (CTw).
The payoffs of a player consist of the malicious nodes' payoffs (Ua) and the defensive nodes' payoffs (Ui), where the loss of an attacked node is far greater than the cost to a node that starts the IDS.
Slide 14: Strategies Continued
Slide 15: Strategies Continued
- Attackers always want to attack to maximize payoffs; payoffs are maximized when defenders don't start the IDS.
- However, the more frequently attackers attack, the higher the probability of detection, and once detected they suffer a huge loss. Therefore they must consider not attacking all the time.
- Defenders should not start the IDS for a long time due to resource consumption; payoffs are maximized when they do not start the IDS.
- However, if attacked, the loss is far greater than the resource consumption from starting the IDS. Therefore they must consider starting the IDS sooner.

The attackers always try to attack in order to maximize their own payoffs. They will gain the biggest payoffs when the defenders don't start the IDS. However, attackers must worry about a worst-case scenario, in which the attacks are detected by the IDS; the more frequently the attackers launch an attack, the higher the probability of being detected. Once detected by the IDS, attackers will be isolated from the network, which is a huge loss [Bradai and Afifi 2013]. Simultaneously, it is not wise for defenders to start the IDS for a long time due to the IDS resources' consumption. Defenders will gain the biggest payoffs when the nodes don't start the IDS, where the attacked loss is far greater than the consumption of starting the IDS. Therefore, the defenders have to consider starting the IDS to detect the possibility of being attacked.
Slide 16: Nash Equilibrium
- The game model has no pure strategy Nash equilibrium: attackers and defenders will not choose a fixed strategy.
- The game model has a mixed strategy Nash equilibrium.
Slide 17: Mixed Strategy
Slide 18: Mixed Strategy Nash Equilibrium
- The attacker's and defender's strategies are inversely proportional.
- Eventually they will reach a dynamic Nash equilibrium.

Attackers' and defenders' mixed strategies δi and σi are in a relationship of inverse proportion. When the defenders' mixed strategy starts the IDS and δi grows larger, the probability of being detected by the IDS correspondingly increases, and the attackers' payoffs will greatly reduce correspondingly. In this case, for the attackers, the best strategy is to reduce the attacking probability σi. If defenders always start the IDS when no attack occurs, they will waste a lot of energy and resources. Meanwhile, the life cycle of the network may decrease and the defenders' payoffs will greatly reduce. Therefore, defenders will gradually reduce the probability of starting the IDS, δi. With the decrease of δi, attackers become profitable, and then attackers will gradually increase the attacking probability σi.
Slide 19: Strategy Summary
- For the attacker, malicious nodes can choose not to attack in order to build trust, causing the probability of a defender node starting the IDS to decrease.
- When the cost of starting the IDS is high, the attacker needs to attack.
- A rational defender will increase the probability of starting the IDS when intruded nodes are detected.
- The strategies make full use of the limited resources and provide effective security protection.

For a rational attacker, when an attack doesn't happen, the malicious nodes can imitate the normal nodes and participate in normal network activity for the sake of more trust from other nodes. CTw will increase with the increasing degree of credibility. With the increase of CTw, δi will be reduced. For a rational defender, when the cost of starting the IDS, CTm, is large, defenders will try to reduce starting the IDS. As a result, attackers must increase the probability of attacking. With the increase of CTm, σi will increase. In this attack-defense game model, in every period T, defenders need to re-evaluate the previous stage of the payoffs to formulate a new defense strategy (δi, 1 − δi). In the initial stage, for each node with larger CTw, the probability of starting the IDS is lower. Once intruded nodes are detected, nodes close to the intrusion quickly reduce the value of CTw and increase the probability of starting the IDS to raise the defense rating. When a period of time passes without intrusion, each node will gradually increase the value of CTw to reduce the probability of starting the IDS. Nodes in ESNs change between attackers' and defenders' strategies in a dynamic balance, which makes full use of the limited resources and provides effective security protection at the same time.
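The following Python script is an added example, not code from the paper or the deck. It turns the game of slides 12 to 19 into a 2x2 bimatrix game, shows that it has no pure-strategy equilibrium, derives the mixed equilibrium (δ, σ) from the indifference conditions, and replays the slide-19 period-by-period re-evaluation in which a node's credibility value CTw falls after a nearby detection and creeps back while the network is quiet. Because the deck's own payoff matrix (slide 14) is an image that did not survive extraction, the matrix here is an assumption: it uses the slide-13 symbols CTm, CTi, CTa, CTw and adds two quantities not on the slides, G (gain of an undetected attack) and L_DET (loss when isolated). CTw is treated as what the attacker earns by blending in, the sign convention under which the slide-19 relations hold (δ decreases as CTw increases, σ increases as CTm increases). All numeric values are constructed.

```python
"""Attack-defense game of slides 12 to 19 as a 2x2 bimatrix game (added example).

The payoff matrix below is an assumption: the deck's own matrix (slide 14) did
not survive extraction.  CTm, CTi, CTa and CTw are the slide-13 cost symbols;
G and L_DET are extra quantities assumed here.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Costs:
    CTm: float    # cost of starting the IDS (slide 13)
    CTi: float    # average loss when node i is attacked (slide 13)
    CTa: float    # attacker's cost of attacking (slide 13)
    CTw: float    # attacker's payoff for not attacking and blending in (slides 13, 19; sign assumed)
    G: float      # assumed: attacker's gain from an undetected attack
    L_DET: float  # assumed: attacker's loss on detection and isolation (slide 15)


# Constructed baseline: CTi >> CTm as slide 13 states, detection loss large as slide 15 states.
BASE = Costs(CTm=1.0, CTi=8.0, CTa=2.0, CTw=1.0, G=10.0, L_DET=20.0)

ATTACKER_MOVES = ("A", "NA")   # attack / not attack
DEFENDER_MOVES = ("W", "NW")   # start IDS / do not start IDS


def payoffs(c):
    """Map (attacker move, defender move) -> (attacker payoff, defender payoff)."""
    return {
        ("A", "W"):   (-c.CTa - c.L_DET, -c.CTm),  # attack detected: attacker isolated, defender pays only CTm
        ("A", "NW"):  (c.G - c.CTa,      -c.CTi),  # unguarded attack: attacker gains, node i takes the loss
        ("NA", "W"):  (c.CTw,            -c.CTm),  # quiet network but the IDS is burning energy
        ("NA", "NW"): (c.CTw,             0.0),    # quiet network, nobody pays
    }


def pure_nash_equilibria(c):
    """Profiles where neither player gains by deviating alone (slide 16 says there are none)."""
    u = payoffs(c)
    found = []
    for a in ATTACKER_MOVES:
        for d in DEFENDER_MOVES:
            a_alt = "NA" if a == "A" else "A"
            d_alt = "NW" if d == "W" else "W"
            if u[(a_alt, d)][0] <= u[(a, d)][0] and u[(a, d_alt)][1] <= u[(a, d)][1]:
                found.append((a, d))
    return found


def mixed_nash_equilibrium(c):
    """Return (delta, sigma): delta = P(defender starts IDS), sigma = P(attacker attacks).

    Each probability is set so that the *other* player is indifferent between its
    two moves, the indifference condition of a 2x2 mixed equilibrium (slide 18).
    """
    u = payoffs(c)
    a_w, a_nw, a_na = u[("A", "W")][0], u[("A", "NW")][0], u[("NA", "W")][0]
    # attacker indifferent: delta*a_w + (1-delta)*a_nw == a_na
    delta = (a_nw - a_na) / (a_nw - a_w)
    d_aw, d_naw = u[("A", "W")][1], u[("NA", "W")][1]
    d_anw, d_nanw = u[("A", "NW")][1], u[("NA", "NW")][1]
    # defender indifferent: sigma*d_aw + (1-sigma)*d_naw == sigma*d_anw + (1-sigma)*d_nanw
    sigma = (d_nanw - d_naw) / ((d_aw - d_naw) - (d_anw - d_nanw))
    if not (0.0 < delta < 1.0 and 0.0 < sigma < 1.0):
        raise ValueError(f"no interior mixed equilibrium for {c}")
    return delta, sigma


def run_periods(c, detections, trust_gain=0.5, trust_drop=2.0, trust_cap=6.0):
    """One defender node re-evaluating its strategy (delta, 1-delta) every period T (slide 19).

    `detections` is a constructed list of per-period flags: True when an intrusion
    was detected near this node.  CTw (credibility) drops sharply after a detection
    and creeps back up while the network stays quiet; delta moves the opposite way.
    Returns a list of (CTw, delta) per period.
    """
    history = []
    for detected in detections:
        if detected:
            c = replace(c, CTw=max(0.0, c.CTw - trust_drop))
        else:
            c = replace(c, CTw=min(trust_cap, c.CTw + trust_gain))
        delta, _ = mixed_nash_equilibrium(c)
        history.append((c.CTw, delta))
    return history


if __name__ == "__main__":
    print("pure NE:", pure_nash_equilibria(BASE))
    print("mixed NE (delta, sigma):", mixed_nash_equilibrium(BASE))
    for ctw, delta in run_periods(BASE, [False, False, True, False]):
        print(f"CTw={ctw:.2f}  delta={delta:.4f}")
```

With the constructed baseline the equilibrium is δ = 7/30 and σ = 1/8; raising CTw to 3 lowers δ to 1/6, and doubling CTm doubles σ, which is the behaviour slide 19 describes. The `trust_cap` keeps CTw below G − CTa so that an unguarded attack always stays profitable and the interior equilibrium exists.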
Slide 20: Payoff Analysis
As a rational defender, excessive protection cannot bring extra payoffs to the network. Meanwhile, as a rational attacker, an excessive frequency of attacking is not a long-term strategy.
Slide 21: Game Tree Model for Error Detection and Missing Detection
- A graphical representation of a sequential game.
- Defines players, payoffs, strategies, and order of moves.
- Nodes (or vertices) are points at which players can take actions.
- Edges represent the actions that may be taken at that node.
Slide 22: Game Tree Model for Error Detection and Missing Detection
- SA = {NA, A} represents the attackers' strategies, wherein NA represents "not attack" and A represents "attack".
- SI = {NW, W} represents the defenders' strategies, wherein NW represents "not alert" and W represents "alert".
- For example, we assume the IDS's detection results mixed probability matrix: P =

A game tree is a graphical representation of a sequential game. It provides information about the players, payoffs, strategies, and order of moves. The game tree consists of nodes (or vertices), which are points at which players can take actions, connected by edges, which represent the actions that may be taken at that node.
Slide 23: Mixed Strategy Nash Equilibrium in Game Tree Model
- The mixed probability matrix changes with time.
- Nodes can take into account missing detection (the IDS missed an attack) or error detection (the IDS misidentifies an attack).
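The following Python script is an added example, not code from the paper or the deck, of the slide-21 to slide-23 game tree evaluated with an imperfect IDS. The matrix P from slide 22 is not reproduced in the transcript, so the layout assumed here is P = [[P(NW|NA), P(W|NA)], [P(NW|A), P(W|A)]], where P[0][1] is the error-detection (false alarm) rate and P[1][0] the missing-detection rate. The attacker moves first, a chance node draws the IDS verdict from P, and backward induction gives each player's expected payoff. The quantities G, L_DET and C_ERR (cost of isolating a node on a false alarm) and all numeric values are constructed assumptions; CTi, CTa and CTw are the slide-13 symbols.

```python
"""Game-tree model of slides 21 to 23 with an imperfect IDS (added example).

P = [[P(NW|NA), P(W|NA)], [P(NW|A), P(W|A)]] is the assumed layout of the
slide-22 detection results matrix.  G, L_DET, C_ERR and all numbers are
constructed assumptions.
"""

# Constructed cost parameters (CTi, CTa, CTw from slide 13; the rest assumed).
PARAMS = {
    "CTi": 8.0,     # loss of the attacked node
    "CTa": 2.0,     # attacker's cost of attacking
    "CTw": 1.0,     # attacker's payoff for blending in instead of attacking
    "G": 10.0,      # assumed gain of an undetected attack
    "L_DET": 20.0,  # assumed attacker loss when isolated after an alert
    "C_ERR": 3.0,   # assumed defender cost of isolating a node on a false alarm
}


def terminal(attacker_payoff, defender_payoff):
    return {"kind": "terminal", "payoff": (attacker_payoff, defender_payoff)}


def build_game_tree(P, c=PARAMS):
    """Attacker moves first (A or NA); a chance node then draws the IDS verdict from P."""
    for row in P:
        if abs(sum(row) - 1.0) > 1e-9 or min(row) < 0:
            raise ValueError("each row of P must be a probability distribution")
    (p_nw_na, p_w_na), (p_nw_a, p_w_a) = P
    return {"kind": "decision", "player": "attacker", "children": [
        ("NA", {"kind": "chance", "children": [
            (p_nw_na, terminal(c["CTw"], 0.0)),                # quiet node correctly left alone
            (p_w_na, terminal(-c["L_DET"], -c["C_ERR"])),      # error detection: a quiet node isolated
        ]}),
        ("A", {"kind": "chance", "children": [
            (p_nw_a, terminal(c["G"] - c["CTa"], -c["CTi"])),  # missing detection: attack succeeds
            (p_w_a, terminal(-c["CTa"] - c["L_DET"], 0.0)),    # attack caught and attacker isolated
        ]}),
    ]}


def evaluate(node):
    """Backward induction: expected (attacker, defender) payoff at `node`.

    Chance nodes average over their branches; a decision node takes the branch
    that maximises the moving player's own expected payoff.
    """
    if node["kind"] == "terminal":
        return node["payoff"]
    if node["kind"] == "chance":
        values = [(p, evaluate(child)) for p, child in node["children"]]
        return (sum(p * v[0] for p, v in values), sum(p * v[1] for p, v in values))
    idx = 0 if node["player"] == "attacker" else 1
    return max((evaluate(child) for _, child in node["children"]), key=lambda v: v[idx])


def attacker_choice(P, c=PARAMS):
    """Return (chosen move, expected attacker payoff of NA, expected attacker payoff of A)."""
    root = build_game_tree(P, c)
    by_move = {move: evaluate(child) for move, child in root["children"]}
    chosen = max(by_move, key=lambda m: by_move[m][0])
    return chosen, by_move["NA"][0], by_move["A"][0]


def miss_rate_threshold(false_alarm_rate, c=PARAMS):
    """Smallest missing-detection rate P(NW|A) at which attacking beats blending in.

    Solves E[A] = E[NA] using the tree's terminal payoffs: above this miss rate a
    rational attacker attacks, below it the attacker stays quiet.
    """
    e_na = (1 - false_alarm_rate) * c["CTw"] - false_alarm_rate * c["L_DET"]
    return (e_na + c["CTa"] + c["L_DET"]) / (c["G"] + c["L_DET"])


if __name__ == "__main__":
    for P in ([[0.95, 0.05], [0.10, 0.90]], [[0.95, 0.05], [0.80, 0.20]]):
        print(P, "->", attacker_choice(P))
    print("miss-rate threshold at 5% false alarms:", round(miss_rate_threshold(0.05), 4))
```

With a 10% miss rate the attacker's expected payoff from attacking is −19 against −0.05 for staying quiet, so the rational move is NA; with an 80% miss rate attacking is worth +2 and becomes the choice. The threshold function makes the slide-23 point quantitative: the miss rate, not the false alarm rate, is what flips the attacker's decision, while false alarms mainly cost the defender through wrongly isolated nodes.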
Slide 24: Performance Evaluations
- Simulated using an embedded network environment.
- The attack-defense game model is compared with All Monitor (AM) and Cluster Head (CH).
- Comparison parameters are energy performance and detection rate performance over 3 groups of different mixed strategies.
- 3 different attack types (eavesdropping, DoS, black hole).
Slide 25: Simulation Setup
Slide 26: Performance Results, Energy Consumption
Slide 27: Performance Results, Detection Rate
Slide 28: Performance Results, Payoffs
Slide 29: Conclusions
- The game model is more stable than the CH model and possesses better safety performance.
- The mixed strategies (δi, σi) can effectively improve the detection rate. When the mixed strategies (δi, σi) reach a dynamic balance, the Nash equilibrium, the game model achieves optimal performance at the same time.
- The proposed game model can lead to a more fairly competitive environment for the IDS, where the model can increase the IDS's payoffs, reduce energy consumption, and improve stability.
Slide 30: Discussion
- Of the three attack types considered, which do you think is most likely to occur in autonomous vehicles, and why? How does this affect the value of the repeated game model approach?
- What are some potential weaknesses of the repeated game model approach described in the paper? How could those weaknesses be mitigated?
- What do you see as barriers to the widespread adoption of this approach? Please explain.
Slide 31: References
1. Wang, Kun, et al. "Game-Theory-Based Active Defense for Intrusion Detection in Cyber-Physical Embedded Systems." ACM Transactions on Embedded Computing Systems, vol. 16, no. 1, 2016, pp. 1–21.
2. O. Kreibich, J. Neuzil, and R. Smid. Quality-based multiple-sensor fusion in an industrial wireless sensor network for MCM. IEEE Trans. Ind. Electron. 61, 9, 4903–4911.
3. K. Wang, Y. Shao, L. Shu, Y. Zhang, and C. Zhu. Mobile big data fault-tolerant processing for eHealth networks. IEEE Netw. 30, 1, 1–7.
4. K. Wang, Y. Shao, L. Shu, G. Han, and C. Zhu. LDPA: A local data processing architecture in ambient assisted living communications. IEEE Commun. Mag. 53, 1, 56–63.
5. A. Abduvaliyev, A. S. K. Pathan, Z. Jianying, R. Roman, and W. Wai Choong. On the vital areas of intrusion detection systems in wireless sensor networks. Commun. Surveys Tuts. 15, 3, 1223–1237.
6. C. Lin and J. Leneutre. A game theoretical framework on intrusion detection in heterogeneous networks. IEEE Trans. Inf. Forens. Secur. 4, 2, 165–178.
7. W. Min and K. Keecheon. Intrusion detection scheme using traffic prediction for wireless industrial networks. IEEE Trans. Commun. 14, 3, 310–318.
8. R. Mitchell and C. Ing Ray. Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications. IEEE Trans. Syst. Man Cybern. 44, 5, 593–604.
Slide 32: References (continued)
9. C. Grothoff. An excess-based economic model for resource allocation in peer-to-peer networks. IEEE Trans. Internet Comput. 45, 3, 285–
10. K. Wang and M. Wu. Nash equilibrium of node cooperation based on metamodel for MANETs. J. Informat. Sci. Eng. 28, 2, 317–
11. M. Mohi, A. Movaghar, and P. M. Zadeh. A Bayesian game approach for preventing DoS attacks in wireless sensor networks. In Proceedings of the IEEE International Conference on Communications and Mobile Computing, pp. 507–
12. Y. Liu and C. Comaniciu. A Bayesian game approach for intrusion detection in wireless ad hoc networks. In Proceedings of the IEEE International Conferences on Valuetools, pp. 1–
13. C. J. Fung, J. Zhang, I. Aib, and R. Boutaba. Dirichlet-based trust management for effective collaborative intrusion detection networks. IEEE Trans. Netw. 8, 2, 79–
14. H. Moosavi and F. M. Bui. A game-theoretic framework for robust optimal intrusion detection in wireless sensor networks. IEEE Trans. Inf. Forens. Secur. 9, 9, 1367–
15. Z. Ziming, S. Lambotharan, C. Woon Hau, and F. Zhong. A game theoretic optimization framework for home demand management incorporating local energy resources. IEEE Trans. Ind. Inf. 11, 2, 353–
16. N. C. Ekneligoda and W. W. Weaver. Game-theoretic cold-start transient optimization in DC microgrids. IEEE Trans. Ind. Electron. 61, 12, 6681–6690.