A review by Matthew H. Henry October 12, 2005

1. Alpcan, T., and T. Basar (2004) “A game theoretic analysis of intrusion detection in access control systems” Proceedings of 43rd IEEE Conference on Decision and Control. A review by Matthew H. Henry October 12, 2005

2. Description of Game • Network intrusion scenario • Three players: • Intruder • Virtual Sensor Network (VSN) • Intrusion Detection System (IDS) • Finite and dynamic games

3. Virtual Sensor Network • Network of software sensors: S = {s1, s2, …, smax} • Each sensor is an autonomous agent that either • Seeks to match known network intrusion activity signatures; or • Looks for anomalies in network usage that might indicate nefarious activity • Each sensor reports findings to IDS core directly or via sensor hierarchy • Sensors are “mobile” and can be instantiated and deployed at will by the IDS to monitor different subsystems • In general, each sensor is capable of identifying one or more intrusion mechanisms • The “strategy” of the VSN consists of a fixed probability distribution for each mode of attack and corresponds to the VSN output during that attack

4. The IDS and the Attacker • The target system is decomposed into tmax subsystems: {t1, t2, …, tmax} • There exist Imax possible modes of attack: {I1, I2, …, Imax} • Each attack is an ordered pair: ak = (ti, Ij) • The game, aside from the imperfect information afforded by the VSN, is a non-cooperative non-zero sum game played by the Attacker and the IDS • Attacker benefits from a successful intrusion and suffers a cost at being detected • The IDS benefits from a successful detection and suffers a penalty (in the form of network performance reduction) from a false positive – the IDS must manage a security tradeoff

5. S S Process 1 PCS 1 Attack SCADA MTU 1 S Process 2 PCS 2 S S LAN S S S S S S PCS m-1 SCADA MTU 2 S Process p SCADA Control Center PCS m S S S S S S Process P-1 PCS M-1 SCADA MTU N S Intrusion Detection System (IDS) S Process P PCS M S S Sensor Network Overlay on Protected System

6. Simple Example: single-move finite game • Target system comprises a single subsystem and there exists a single possible mode of attack  a0 = (1, 1) • IDS strategy set includes two possible moves: {Take action against attacker, Do nothing} • Attacker strategy set includes two possible moves: {Attack, Not attack} • VSN “strategy” set includes two probability distributions: {[p10, p11], [p00, p01]}, where • p10 = P(No attack detected | Attack occurred) • p11 = P(Attack detected | Attack occurred) • p00 = P(No attack detected | No attack occurred) • p01 = P(Attack detected | No attack occurred) • Action taken when Attack Detected: Set Alarm

7. Simple Example: single-move finite game Unique Nash equilibrium in mixed strategies with probability distributions and payoffs shown above. (Solution found using GAMBIT)

8. Continuous Game • Problems with finite game: • Exhibits poor scalability for large systems and high-dimensional action spaces • Payoff values must be separately defined for each possible outcome • Propose continuous-kernel game with continuous strategy spaces and cost functions to improve scalability and generalization

9. Attacker Strategy Space • Let Amax denote the cardinality of the attack set of ordered pairs ak = (ti, Ij) • The strategy space of the attacker is now a subset of Amax • Attacker strategy uA  UA  Amax, with elements uAi  0, i = 1, 2, …, Amax

10. IDS Strategy Space • Let Rmax denote the cardinality of the response set available to the IDS • The strategy space of the IDS is now a subset of Rmax • IDS strategy uI  UI  Rmax, with elements uIi  0, i = 1, 2, …, Rmax

11. Virtual Sensor Network • Sensor output as functions of attacker actions represented as a linear transformation P in the space US  Amax × Amax • The matrix P = [pij], i,j = 1…Amax, maps attacker actions to sensor output • Sensor output = (uA)TP  e.g. ideal P would be the Identity matrix: sensors perfectly detect and report attacker strategy • Detection metric for attack ai: dq(i)= pij/rowsum(pij) • Define P = [pij] = [-pij] for i=j, [pij] otherwise  this provides positive cost for erroneous detection and negative cost (positive benefit) for correct detection

12. IDS Cost Function • JI(uA, uI, P)= γ(uA)TPQuI(cost of false detection/benefit of correct detection) + (uI)Tdiag()uI(cost of resource allocation) + (cI)T(QuA – QuI) (cost of successful attack) • γ – scalar gain for cost/benefit of false/correct detection • Q – Amax× Rmax matrix of binary values (0/1) that maps IDS response actions to attacks • Q - Amax× Amax diagonal matrix with elements  1, signifying the degree of vulnerability of specific subsystems to attacks • diag() = diag([1 2 … Rmax])– cost of response actions • cI = [cI1 cI2 … cIAmax] – cost of each attack to IDS

13. IDS Cost Function (Example) • 2-Dimensional attack space: uA = [uA1 uA2] corresponding to one attack mode on two subsystems • 1-dimensional IDS response space uI • γ =1 • Q = [1 1]T – IDS response is same for both attacks • Q = 2-Dim Identity Matrix – both subsystems equally vulnerable to this attack • diag() =  = 1 • cI = [1 2] – attack on subsystem 2 twice as costly as an attack on subsystem 1 • P = [.8 .2; .3 .7]

14. Attacker Cost Function • JA(uA, uI, P) = -γ(uA)TPQuI(cost of capture/benefit of successful intrusion) + (uA)Tdiag()uA(cost of resource allocation) + (cA)T(QuI – QuA) (benefit of successful attack) • diag() = diag([1  2 … Amax])– cost of attack resources • cA = [cI1 cI2 … cIAmax] – benefit of each attack to attacker

15. “Optimal” Trajectories • Minimizing the cost functions yield the following reaction functions • uI(uA, P) = [I – γ[diag(2)]-1QTPTuA]+ • uA(uI, P) = [A + γ[diag(2)]-1PQuI]+ • Where • I = [(cIQ)1/(21)…(cIQ)Rmax/(2Rmax)] • A = [(cAQ)1/(21)…(cAQ)Amax/(2Amax)] • [•]+ indicates that negative elements are mapped to zero • note: this is not best response in the sense of fictitious play since uA is unknown to the IDS, and uI is unknown to the Attacker

16. Nash Equilibrium • Strategy pair (uI*, uA*) is in Nash equilibrium if they jointly minimize cost: • uI*= argminuI{JI(uA*, uI, P)} • uA*= argminuA{JI(uA, uI*, P)} • The authors prove that a unique interior Nash equilibrium exists for constrained values of γ which force uI* to be positive in the equilibrium solution • Their proof uses the convexity of the cost functions and derives a Hessian for the coupled cost vector [JI JA] to show uniqueness of the interior solution

17. Repeated Games • Incorporates dynamics associated with improving sensing capability (learning) and sensor reconfiguration (reallocation of IDS/VSN resources) • Reflected in dynamic P matrix • e.g. P(n+1)=[P(n)+2(+)(diag(diag(uA)QuI) - col(diag(uA)QuI))+W(n)]N • Where • , ,  are small positive constants •  ~ U([-1,1]) • W(n) = [wij]  Amax×Rmax, wij are I.I.D. and ~ U([-1,1]), models transients and imperfections in the sensor grid • [•]N maps the elements to the interval (0,1)

18. Repeated Games • Given sensor network performance P(n), players optimizes next moves – similar to best response to expected cost • Assumes some (limited?) mutual knowledge of P(n) and some estimation of opponent play history (?) • Note: it is not clear from this paper how the estimates of opponent strategy or P(n) are made (in fact, the authors do not explicitly suggest that they are estimates – this is my inference) • Any ideas?

19. Convergence to Nash Equilibrium • Authors demonstrate that since N.E. exists for fixed P, it is sufficient for convergence to equilibrium with dynamic P to show convergence of P • P converges for small positive  and  • Both players have an incentive to vary strategies over time since, otherwise, the opponent of a player with an unchanging strategy will adapt to exploit weaknesses left open by the static strategy