SHARE: A Stackelberg Honey-Based Adversarial Reasoning Engine

Sushil Jajodia, Noseong Park, Edoardo Serra, V. S. Subrahmanian

Research output: Contribution to journal › Article › peer-review

18 Scopus citations

Abstract

A “noisy-rich” (NR) cyber-attacker (Lippmann et al. 2012) is one who tries all available vulnerabilities until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how NR-attackers will explore an enterprise network and how they will attack it, based on the concept of a system vulnerability dependency graph. We develop a mechanism by which the network can be modified by the defender to induce deception by placing honey nodes and apparent vulnerabilities into the network to minimize the expected impact of the NR-attacker’s attacks (according to multiple measures of impact). We also consider the case where the adversary learns from blocked attacks using reinforcement learning. We run detailed experiments with real network data (but with simulated attack data) and show that Stackelberg Honey-based Adversarial Reasoning Engine performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. We also develop a method for the attacker to use reinforcement learning when his or her activities are stopped by the defender. We propose two stopping policies for the defender: Stop Upon Detection allows the attacker to learn about the defender’s strategy and (according to our experiments) leads to significant damage in the long run, whereas Stop After Delay allows the defender to introduce greater uncertainty into the attacker, leading to better defendability in the long run.

Original language: American English
Journal: Computer Science Faculty Publications and Presentations
State: Published - 1 May 2017

Keywords

  • Pareto optimality
  • adversarial models
  • computer security
  • enterprise systems
  • protecting enterprise security

EGS Disciplines

  • Computer Sciences
  • Information Security
