Showing papers by "Charles A. Kamhoua published in 2020"

Exploring the Attack Surface of Blockchain: A Comprehensive Survey

Abstract: In this paper, we systematically explore the attack surface of the Blockchain technology, with an emphasis on public Blockchains. Towards this goal, we attribute attack viability in the attack surface to 1) the Blockchain cryptographic constructs, 2) the distributed architecture of the systems using Blockchain, and 3) the Blockchain application context. To each of those contributing factors, we outline several attacks, including selfish mining, the 51% attack, DNS attacks, distributed denial-of-service (DDoS) attacks, consensus delay (due to selfish behavior or distributed denial-of-service attacks), Blockchain forks, orphaned and stale blocks, block ingestion, wallet thefts, smart contract attacks, and privacy attacks. We also explore the causal relationships between these attacks to demonstrate how various attack vectors are connected to one another. A secondary contribution of this work is outlining effective defense measures taken by the Blockchain technology or proposed by researchers to mitigate the effects of these attacks and patch associated vulnerabilities.

Blockchain Enabled Named Data Networking for Secure Vehicle-to-Everything Communications

Abstract: A huge amount of information is expected to be exchanged in vehicular networks through vehicle-to-everything (V2X) communications for enhancing overall traffic efficiency and road safety. However, there are several critical challenges to be addressed before completely realizing the full potential of V2X networking. Privacy-aware security is one of the central components to be addressed for V2X communications. This paper presents a novel framework by leveraging the best features of two emerging technologies: blockchain technology and named data networking (NDN) for privacy-aware secure V2X communications. The proposed framework does not use the private information of users (owners, drivers, pedestrians, passengers, cyclists, etc.) in vehicular networks while providing verifiable secure V2X communications by using non-private information such as number plate of the vehicle (like in ParkMobile App or E-ZPass systems use) for integrity and accountability of the communications. Specifically, integrity and accountability in the proposed framework for its users are achieved by amalgamating the best features of blockchain technology and NDN. Furthermore, the proposed approach aims to increase the trust and transparency and reduce the business friction in smart transplantation systems.

Generative adversarial attacks against intrusion detection systems using active learning

Abstract: Intrusion Detection Systems (IDS) are increasingly adopting machine learning (ML)-based approaches to detect threats in computer networks due to their ability to learn underlying threat patterns/features. However, ML-based models are susceptible to adversarial attacks, attacks wherein slight perturbations of the input features, cause misclassifications. We propose a method that uses active learning and generative adversarial networks to evaluate the threat of adversarial attacks on ML-based IDS. Existing adversarial attack methods require a large amount of training data or assume knowledge of the IDS model itself (e.g., loss function), which may not be possible in real-world settings. Our method overcomes these limitations by demonstrating the ability to compromise an IDS using limited training data and assuming no prior knowledge of the IDS model other than its binary classification (i.e., benign or malicious). Experimental results demonstrate the ability of our proposed model to achieve a 98.86% success rate in bypassing the IDS model using only 25 labeled data points during model training. The knowledge gained by compromising the ML-based IDS, can be integrated into the IDS in order to enhance its robustness against similar ML-based adversarial attacks.

Honeypot Allocation over Attack Graphs in Cyber Deception Games

Abstract: In this paper, we propose a scalable algorithm to allocate honeypots over an attack graph. We formulate a two-person zero-sum strategic game between the network defender and an attacker. This formulation captures the importance of different nodes inside the network. The game mode accounts for the cost associated with different defense strategies as well as the cost paid by the attacker. Moreover, this game model considers a practical threat model with respect to the available information about the attacker to the network defender. Nash equilibrium defense strategies are analytically characterized and studied for a special game. The complexity of a general game is discussed and a scalable algorithm is proposed to obtain honeypots allocation strategy in large scale networks. Finally, samples of our numerical results are shown to verify our findings.

Learning quasi-identifiers for privacy-preserving exchanges: a rough set theory approach

Abstract: The challenging and pervasive issue associated with information exchange is inferential disclosure. It occurs in the following three situations: (1) the exchanged data correlate with publicly available information, (2) the exchanged data comprise patterns similar to those in a sharing partner’s datum, and (3) the shared data’s attributes are interdependent. In this work, we provide and implement new algorithms that impede the third type of inferential attack. They rely on rough set theory to undermine the deductive route from nonsensitive to sensitive features. Our approach comprises three steps which include learning quasi-identifiers, computing a granulation of the underlying information system that maximizes the distribution of sensitive attributes in each granule, and masking the deductive route from nonsensitive to sensitive features. Our routine for learning quasi-identifiers achieves both the largest distinction and separation without an exhaustive search among tuples of features. The learned quasi-identifiers are employed to find a granulation of the information system that strikes a balance between the anonymity of quasi-identifiers and the diversity of sensitive attributes, without solving a difficult optimization problem. We employ this granulation in a strategy similar to that used in k-anonymity to de-identify private information systems.

Applying Chaos Theory for Runtime Hardware Trojan Monitoring and Detection

Abstract: Hardware Trojans (HTs) pose a serious threat to the security of Integrated Circuits (ICs). Detecting HTs in an IC is an important but difficult problem due to the wide spectrum of HTs and their stealthy nature. While researchers have been working on enhancing traditional IC tests and developing new methods to try to detect Trojans, there is still a possibility a Trojan will avoid detection during test time and be activated once the chip is in use. A runtime Trojan detection system could monitor an IC during its operational life time and provide a last-line of defense. However, most runtime approaches are infeasible due to the overhead introduced by additional hardware, or computational complexity, or both. In this paper, we propose a hardware-based runtime detection model that overcomes the aforementioned constraints. It applies chaos theory, which has been shown to be effective in several other domains, to characterize dynamic data in a reconstructed phase space, which helps us describe, analyze, and interpret power consumption data (whether chaotic or not). The proposed chaos based approach does not make any assumption on the statistical distribution of power consumption, this makes our model applicable for runtime use given the fact that power consumption is very dynamic as well as heavily application and data dependent. Hardware overhead, which is the main challenge for runtime approaches, is reduced by taking advantage of available thermal sensors present in most modern ICs. For real world implementation, thermal sensor noise cancelation is considered in our proposed model. Our simulation results for detecting Trojans on publicly available Trojan benchmarks demonstrate that the proposed model outperforms the current runtime Trojan detection approaches in terms of detection rate, computational complexity, and implementation feasibility. Approved for Public Release; Distribution Unlimited: 88ABW-2016-4308; Dated 31 AUG 2016.

Cooperative Spectrum Sharing and Trust Management in IoT Networks

Abstract: In this chapter, we study the problem of cooperative spectrum leasing to the unlicensed Internet of Things (IoT) devices. We accounted for potential selfish behavior of unlicensed users. A distributed game‐theoretic framework is proposed for the purpose of spectrum leasing. In this framework, unlicensed users can borrow the spectrum access from licensed users, and, in return, they provide cooperative service for two main goals: first, to enhance information secrecy of licensed users via adding intentional jamming to protect them from potential eavesdroppers, and second, to enhance the quality of communication through cooperative relaying. A reputation‐based mechanism monitors the cooperative behavior of the IoT devices to give the chance to the primary user to only interact with the reliable IoT devices. Simulation results show that this model can offer a practical solution for spectrum sharing by improving the secrecy rate of the primary users and reducing the possible attacks from selfish IoT devices.

Game Theory on Attack Graph for Cyber Deception

Abstract: Game Theory provides a set of tools and a framework suitable to study security problems. In this paper, a class of games is developed to study cyber deception and the interactions between the network defender who is deceiving an adversary to mitigate the damage of the attack. In order to capture network topology, each game is played over an attack graph that can be generated according to the vulnerabilities associated with each node. The defender’s goal is to take deceptive actions to prevent the attacker from taking control over the network resources exploiting the incomplete information of the attacker regarding the deceptive network gained through the attack reconnaissance stage. To this end, we present several games such as normal form static, dynamic, hypergame, and a partially observable stochastic game (POSG) to study the game dynamics at different information structures. For the most general class of games, (i.e., POSG), we provide multiple solution approaches to overcome the intractability of the game model and finally present numerical result samples to show the effectiveness of each solution approach.

Harnessing the Power of Deception in Attack Graph-Based Security Games

Abstract: We study the use of deception in attack graph-based Stackelberg security games. In our setting, in addition to allocating defensive resources to protect important targets from attackers, the defender can strategically manipulate the attack graph through three main types of deceptive actions. We show that finding the optimal deception and defense strategy is at least NP-hard. We provide two techniques for efficiently solving this problem: a mixed-integer linear program for layered directed acyclic graphs (DAGs) and neural architecture search for general DAGs. We empirically demonstrate that using deception on attack graphs gives the defender a significant advantage, and the algorithms we develop scale gracefully to medium-sized problems.

Cybersecurity Deception Experimentation System

Abstract: Cybersecurity deception research has had many successes in recent years. While early cyber deception systems (e.g., honeypots) were largely static, recent approaches leverage computational game theory and machine learning techniques to allow for dynamic deception strategies that can potentially observe, react, and adapt to an adversary in both the short and long term. However, applying these theoretical models and algorithms in real-world settings poses additional considerations that are not always apparent in theory. Currently, testbeds and experimentation platforms for dynamic deception are lacking, limiting the ability of researchers and analysts to test and evaluate these approaches using realistic scenarios and data.Honeypots are a technology where these dynamic deception methods can have a great impact on effectiveness. The basic technology to mimic nodes and network services has been used for several decades and is effective against less experienced adversaries, but is less useful against sophisticated intruders. Using adaptation, behavior-based model development and reasoning and other artificial intelligence techniques have the potential to make honeypots much more effective against experienced adversaries by making them less predictable and more targeted. Before these novel technologies can be used in the real world, it is critical that they are tested and validated on realistic systems and in realistic settings.We present the Cybersecurity Deception Experimentation System (CDES) that extends the Common Open Research Emulator (CORE) to provide a platform that is capable of evaluating dynamic deception algorithms. We also provide three case studies that demonstrate how CDES can be used to practically implement dynamic honeypots in increasingly complex scenarios and discuss some nuances of each implementation.

Blocking Adversarial Influence in Social Networks

Abstract: While social networks are widely used as a media for information diffusion, attackers can also strategically employ analytical tools, such as influence maximization, to maximize the spread of adversarial content through the networks. We investigate the problem of limiting the diffusion of negative information by blocking nodes and edges in the network. We formulate the interaction between the defender and the attacker as a Stackelberg game where the defender first chooses a set of nodes to block and then the attacker selects a set of seeds to spread negative information from. This yields an extremely complex bi-level optimization problem, particularly since even the standard influence measures are difficult to compute. Our approach is to approximate the attacker’s problem as the maximum node domination problem. To solve this problem, we first develop a method based on integer programming combined with constraint generation. Next, to improve scalability, we develop an approximate solution method that represents the attacker’s problem as an integer program, and then combines relaxation with duality to yield an upper bound on the defender’s objective that can be computed using mixed integer linear programming. Finally, we propose an even more scalable heuristic method that prunes nodes from the consideration set based on their degree. Extensive experiments demonstrate the efficacy of our approaches.

A Bayesian Game Theoretic Approach for Inspecting Web-Based Malvertising

Abstract: Web-based advertising systems have been exploited by cybercriminals to disseminate malware to an enormous number of end-users and their vulnerable machines. To protect their malicious ads and malware from detection by the ad network, malvertisers apply various redirection and evasion techniques. Meanwhile, the ad network can also apply inspection techniques to spoil the malvertiser's tricks and expose the malware. However, both the malvertiser and the ad network are under resource and time constraints. Moreover, the ad network is disadvantaged because it has incomplete information about whether it is facing a benign or malicious advertiser. In this paper, we aim to apply the Bayesian game model by designing two games to formulate the problem of inspecting the Web-based maladvertising. The first game has two types of Advertisers, namely Malicious and Benign, and one type of Defender; the second game has two types of Attackers, Advanced and Simple, in terms of their capability of redirection and evasion, and one type of Defender. We define their strategies and payoff functions, and compute their Bayesian Nash equilibria. We use numeric simulation to evaluate our game theoretic models, and we derive several insights from the results that can serve as guidelines for the ad network to decide its best inspection strategy.

Partially Observable Stochastic Games for Cyber Deception Against Network Epidemic

Abstract: A Decentralized Denial of Service is an attack done by an agent capable to control the spread of a malware. This is a combination of epidemiological and conflictual aspects between several decision makers. There exists in the literature papers that study (non oriented) epidemics and papers that study network attacks regardless the epidemiological aspect. We put together the two aspects and provide a new game theoretical model which is part of the family of partially observable stochastic games (POSG) but with particular features. We prove the consistency of heuristic search value iteration (HSVI) based algorithms. Our framework is applied to optimally design a cyber deception technique based on honeypots in order to control an epidemic cyber-attack of a network by a strategic attacker. Some basic simulations are proposed to illustrate the framework described in this work-in-progress paper.

Mitigation of Jamming Attacks via Deception

Abstract: This paper considers the problem of mitigating jamming attacks by aiming to deceive the jammer. Specifically, in the presence of a jammer, to defend a transmitter-receiver pair sending (real) information, the paper proposes the novel technique of sending fake information over a second transmitter-receiver pair in order to deceive the jammer into investing some of its jamming power budget for jamming the channel carrying fake information. The paper develops a leader-follower model where the jammer (acting as the follower) adopts it’s jamming strategy after sensing the communication activities on the channels carrying the real and fake information, while the system (acting as the leader) adopts its power allocation strategy prior to the jammer. The paper characterizes the optimal power allocation strategy of the system considering the jammer to be non-strategic in nature, as well as characterizes the Subgame Perfect Nash Equilibrium (SPNE) strategy of the leader-follower game considering both the system and the jammer to be strategic entities. Extensive simulation results are provided to gain insights into the deception strategies developed in the paper.

A Hypergame‐Based Defense Strategy Toward Cyber Deception in Internet of Battlefield Things (IoBT)

Abstract: In this chapter, we develop a defense strategy to secure Internet of Battlefield Things (IoBT) based on a hypergame employing deceptive techniques. The hypergame is played multiple rounds. At each round, the adversary updates its perception of the attack graph and chooses the next node to compromise. The defender updates its perceived list of compromised nodes and actively feeds false signals to the adversary to create deception. The hypergame developed in this chapter provides an important theoretical framework for us to model how a cyberattack spreads on a network and the interaction between the adversary and the defender. It also provides quantitative metrics such as the time it takes the adversary to explore the network and compromise the target nodes. Based on these metrics, the defender can reboot the network devices and reset the network topology in time to clean up all potentially compromised devices and to protect the critical nodes. The hypergame provides useful guidance on how to create cyber deceptions so that the adversary cannot obtain information about the correct network topology and can be deterred from reaching the target critical nodes on a military network while it is in service.

Learning and Planning in the Feature Deception Problem

Abstract: Today’s high-stakes adversarial interactions feature attackers who constantly breach the ever-improving security measures Deception mitigates the defender’s loss by misleading the attacker to make suboptimal decisions In order to formally reason about deception, we introduce the feature deception problem (FDP), a domain-independent model and present a learning and planning framework for finding the optimal deception strategy, taking into account the adversary’s preferences which are initially unknown to the defender We make the following contributions (1) We show that we can uniformly learn the adversary’s preferences using data from a modest number of deception strategies (2) We propose an approximation algorithm for finding the optimal deception strategy given the learned preferences and show that the problem is NP-hard (3) We perform extensive experiments to validate our methods and results In addition, we provide a case study of the credit bureau network to illustrate how FDP implements deception on a real-world problem

Deceptive Labeling: Hypergames on Graphs for Stealthy Deception

Abstract: With the increasing sophistication of attacks on cyber-physical systems, deception has emerged as an effective tool to improve system security and safety by obfuscating the attacker's perception. In this paper, we present a solution to the deceptive game in which a control agent is to satisfy a Boolean objective specified by a co-safe temporal logic formula in the presence of an adversary. The agent intentionally introduces asymmetric information to create payoff misperception, which manifests as the misperception of the labeling function in the game model. Thus, the adversary is unable to accurately determine which logical formula is satisfied by a given outcome of the game. We introduce a model called hypergame on graph to capture the asymmetrical information with one-sided payoff misperception. Based on this model, we present the solution of such a hypergame and use the solution to synthesize stealthy deceptive strategies. Specifically, deceptive sure winning and deceptive almost-sure winning strategies are developed by reducing the hypergame to a two-player game and one-player stochastic game with reachability objectives. A running example is introduced to demonstrate the game model and the solution concept used for strategy synthesis.

A Game Theoretic Framework for Software Diversity for Network Security

Abstract: Diversity plays a significant role in network security, and we propose a formal model to investigate and optimize the advantages of software diversity in network security. However, diversity is also costly, and network administrators encounter a tradeoff between network secu- rity and the cost to deploy and maintain a well-diversified network. We study this tradeoff in a two-player nonzero-sum game-theoretic model of software diversity. We find the Nash equilibrium of the game to give an optimal security strategy for the defender, and implement an algorithm for optimizing software diversity via embedding a graph-coloring approach based on the Nash equilibrium. We show that the opponent (i.e., adversary) spends more effort to compromise an optimally diversified network. We also analyze the complexity of the proposed algorithm and propose a complexity reduction approach to avoid exponential growth in runtime. We present numerical results that validate the effectiveness of the proposed software diversity approach.

A Quantitative Framework to Model Reconnaissance by Stealthy Attackers and Support Deception-Based Defenses

Abstract: In recent years, persistent cyber adversaries have developed increasingly sophisticated techniques to evade detection. Once adversaries have established a foothold within the target network, using seemingly-limited passive reconnaissance techniques, they can develop significant network reconnaissance capabilities. Cyber deception has been recognized as a critical capability to defend against such adversaries, but, without an accurate model of the adversary’s reconnaissance behavior, current approaches are ineffective against advanced adversaries. To address this gap, we propose a novel model to capture how advanced, stealthy adversaries acquire knowledge about the target network and establish and expand their foothold within the system. This model quantifies the cost and reward, from the adversary’s perspective, of compromising and maintaining control over target nodes. We evaluate our model through simulations in the CyberVAN testbed, and indicate how it can guide the development and deployment of future defensive capabilities, including high-interaction honeypots, so as to influence the behavior of adversaries and steer them away from critical resources.

Moving target defense for in-vehicle software-defined networking: IP shuffling in network slicing with multiagent deep reinforcement learning

Abstract: Moving target defense (MTD) is an emerging defense principle that aims to dynamically change attack surface to confuse attackers. By dynamic reconfiguration, MTD intends to invalidate the attacker's intelligence or information collection during reconnaissance, resulting in wasted resources and high attack cost/complexity for the attacker. One of the key merits of MTD is its capability to offer 'affordable defense,' by working with legacy defense mechanisms, such as intrusion detection systems (IDS) or other cryptographic mechanisms. On the other hand, a well-known drawback of MTD is the additional overhead, such as reconfiguration cost and/or potential interruptions of service availability to normal users. In this work, we aim to develop a highly secure, resilient, and affordable MTD-based proactive defense mechanism, which achieves multiple objectives of minimizing system security vulnerabilities and defense cost while maximizing service availability. To this end, we propose a multi-agent Deep Reinforcement Learning (mDRL)-based network slicing technique that can help determine two key resource management decisions: (1) link bandwidth allocation to meet Quality-of-Service requirements and (2) the frequency of triggering IP shuffling as an MTD operation not to hinder service availability by maintaining normal system operations. Specifically, we apply this strategy in an in-vehicle network that uses software-defined networking (SDN) technology to deploy the IP shuffling-based MTD, which dynamically changes IP addresses assigned to electronic control unit (ECU) nodes to introduce uncertainty or confusion for attackers.

Integrating Mission-Centric Impact Assessment to Operational Resiliency in Cyber-Physical Systems

Abstract: Developing mission-centric impact assessment techniques to address cyber resiliency in the cyber-physical systems (CPSs) requires integrating system inter-dependencies to the risk and resilience analysis process. Generally, network administrators utilize attack graphs to estimate possible consequences in a networked environment. Attack graphs lack to incorporate the operations-specific dependencies. Localizing the dependencies among operational missions, tasks, and the hosting devices in a large-scale CPS is also challenging. In this work, we offer a graphical modeling technique to integrate the mission-centric impact assessment of cyberattacks by relating the effect to the operational resiliency by utilizing a combination of the logical attack graph and mission impact propagation graph. We propose formal techniques to compute cyberattacks’ impact on the operational mission and offer an optimization process to minimize the same, having budgetary restrictions. We also relate the effect to the system functional operability. We illustrate our modeling techniques using a SCADA (supervisory control and data acquisition) case study for the cyber-physical power systems. We believe our proposed method would help evaluate and minimize the impact of cyber attacks on CPS’s operational missions and, thus, enhance cyber resiliency.

Decoy Allocation Games on Graphs with Temporal Logic Objectives

Abstract: We study a class of games, in which the adversary (attacker) is to satisfy a complex mission specified in linear temporal logic, and the defender is to prevent the adversary from achieving its goal A deceptive defender can allocate decoys, in addition to defense actions, to create disinformation for the attacker Thus, we focus on the problem of jointly synthesizing a decoy placement strategy and a deceptive defense strategy that maximally exploits the incomplete information the attacker about the decoy locations We introduce a model of hypergames on graphs with temporal logic objectives to capture such adversarial interactions with asymmetric information Using the hypergame model, we analyze the effectiveness of a given decoy placement, quantified by the set of deceptive winning states where the defender can prevent the attacker from satisfying the attack objective given its incomplete information about decoy locations Then, we investigate how to place decoys to maximize the defender’s deceptive winning region Considering the large search space for all possible decoy allocation strategies, we incorporate the idea of compositional synthesis from formal methods and show that the objective function in the class of decoy allocation problem is monotone and non-decreasing We derive the sufficient conditions under which the objective function for the decoy allocation problem is submodular, or supermodular, respectively We show a sub-optimal allocation can be efficiently computed by iteratively composing the solutions of hypergames with a subset of decoys and the solution of a hypergame given a single decoy We use a running example to illustrate the proposed method

Modeling Mission Impact of Cyber Attacks on Energy Delivery Systems

Abstract: Today energy delivery systems (EDS) face challenges in dealing with cyberattacks that originate by exploiting the communication network assets. Traditional power systems are highly complex and heterogeneous. These systems focus on reliability, availability, and continuous performance and, thus, not designed to handle security issues. Network administrators often utilize attack graphs to analyze security in EDS. Although attack graphs are useful tools to generate attack paths and estimate possible consequences in a networked system, they lack incorporating the operational or functional dependencies. Localizing the dependencies among operational missions, tasks, and the hosting devices in a large-scale cyber-physical network is also challenging. Current research works handle the system dependency and the attack scenario modeling separately using dependency graphs and attack graphs, respectively. To address the gap of incorporating the mission operational dependencies with possible attack scenarios, in this work, we offer an approach to assess the cyberattack impact on the operational mission of the EDS by combining the logical attack graph and mission functional dependency graph. We provide the graphical modeling details and illustrate the approach using a case study of SCADA (supervisory control and data acquisition) operations within an EDS environment.

Decoy Allocation Games on Graphs with Temporal Logic Objectives

Abstract: We study a class of games, in which the adversary (attacker) is to satisfy a complex mission specified in linear temporal logic, and the defender is to prevent the adversary from achieving its goal. A deceptive defender can allocate decoys, in addition to defense actions, to create disinformation for the attacker. Thus, we focus on the problem of jointly synthesizing a decoy placement strategy and a deceptive defense strategy that maximally exploits the incomplete information the attacker about the decoy locations. We introduce a model of hypergames on graphs with temporal logic objectives to capture such adversarial interactions with asymmetric information. Using the hypergame model, we analyze the effectiveness of a given decoy placement, quantified by the set of deceptive winning states where the defender can prevent the attacker from satisfying the attack objective given its incomplete information about decoy locations. Then, we investigate how to place decoys to maximize the defender's deceptive winning region. Considering the large search space for all possible decoy allocation strategies, we incorporate the idea of compositional synthesis from formal methods and show that the objective function in the class of decoy allocation problem is monotone and non-decreasing. We derive the sufficient conditions under which the objective function for the decoy allocation problem is submodular, or supermodular, respectively. We show a sub-optimal allocation can be efficiently computed by iteratively composing the solutions of hypergames with a subset of decoys and the solution of a hypergame given a single decoy. We use a running example to illustrate the proposed method.

Software Diversity for Cyber Deception

Abstract: In this paper, we propose a cyber deception approach using software diversity in a honeynet. Honeypot allocation is used as an active cyber deception technique to increase the uncertainty of adversaries and hide the true state of the network. Moreover, software diversity limits the ability of attackers to discover honeypots. Specifically, this paper introduces a diversity-based honeypot allocation approach for network security formulated in a game-theoretic framework. We consider a two-player zero-sum game between the network defender and the adversary. To validate our findings, we measured the potential benefits of diversity on network security and calculated the optimum diversifying strategy in Nash equilibrium using different honeypot types.

Estimating Attack Risk of Network Activities in Temporal Domain: A Wavelet Transform Approach

Abstract: Analyzing network traffic data to detect suspicious network activities requires tremendous efforts because of continuously changing network traffic patterns and intrusion scenarios. Numerous research has been devoted to the task of identifying network anomalies while maintaining excellent performances. However, most studies focus on identifying network attacks without considering their temporal domain. Time information is useful for discovering patterns in network activities and understanding the changes in network traffic over time. This paper introduces an approach to discover network traffic patterns with time series analysis to estimate the level of attack risks. Classification is performed with machine learning techniques to assess the estimated attack risks. Findings from this study can increase the capability to detect network intrusions by analyzing the behaviors of temporal data and estimating their attack risks.

On Development of a Game‐Theoretic Model for Deception‐Based Security

Abstract: This chapter presents a game‐theoretic model to analyze attack–defense scenarios that use fake nodes (computing devices) for deception under consideration of the system deploying defense resources to protect individual nodes in a cost‐effective manner. The developed model has important applications in the Internet of Battlefield Things (IoBT). Our game‐theoretic model illustrates how the concept of the Nash equilibrium can be used by the defender to intelligently choose which nodes should be used for performing a computation task while deceiving the attacker into expending resources for attacking fake nodes. Our model considers the fact that defense resources may become compromised under an attack and suggests that the defender, in a probabilistic manner, may utilize unprotected nodes for performing a computation while the attacker is deceived into attacking a node with defense resources installed. The chapter also presents a deception‐based strategy to protect a target node that can be accessed via a tree network. Numerical results provide insights into the strategic deception techniques presented in this chapter.