Game Theory and Machine Learning for Cyber Security

https://www.annarosamattei.com/?p=vb4io4jc4 Cover Title Page Copyright Contents Editor Biographies Contributors Foreword Preface Chapter 1 Introduction 1.1 Artificial Intelligence and Cybersecurity 1.1.1 Game Theory for Cybersecurity 1.1.2 Machine Learning for Cybersecurity 1.2 Overview References Part I Game Theory for Cyber Deception Chapter 2 Introduction to Game Theory 2.1 Overview 2.2 Example Two‐Player Zero‐Sum Games 2.3 Normal‐Form Games 2.3.1 Solution Concepts 2.4 Extensive‐Form Games 2.4.1 Solution Concepts 2.5 Stackelberg Game 2.5.1 Solution Concept 2.5.2 Stackelberg Security Games 2.5.3 Applications in Cybersecurity 2.6 Repeated Games 2.6.1 Solution Concepts 2.6.2 Applications in Cybersecurity 2.7 Bayesian Games 2.7.1 Solution Concepts 2.7.2 Applications in Cybersecurity 2.8 Stochastic Games 2.8.1 Solution Concepts 2.8.2 Applications in Cybersecurity References Chapter 3 Scalable Algorithms for Identifying Stealthy Attackers in a Game‐Theoretic Framework Using Deception 3.1 Introduction 3.2 Background 3.3 Case Studies 3.3.1 Case Study 1: Attackers with Same Exploits but Different Goals 3.3.2 Case Study 2: Attackers with Shared Exploits and Different Goals 3.3.3 Case Study 3: Attackers with Shared Exploits but Same Goals 3.4 Game Model 3.5 Defender Decision Making 3.6 Attacker Decision Making 3.7 Simulation Results 3.8 Scalability 3.8.1 Heuristics 3.9 Evaluation of Heuristics 3.10 Conclusions and Future Direction References Chapter 4 Honeypot Allocation Games over Attack Graphs for Cyber Deception 4.1 Introduction 4.2 System and Game Model 4.2.1 Attack Graph 4.2.2 General Game Formulation 4.2.2.1 Defender Action 4.2.2.2 Attacker Action 4.2.3 Reward Function 4.2.4 Mixed Strategy 4.2.5 System Parameters 4.3 Allocating ℓ Honeypots Model 4.3.1 The Algorithm 4.4 Dynamic Honeypot Allocation 4.4.1 Mixed Strategy, State Evolution, and Objective Function 4.4.2 Q‐Minmax Algorithm 4.5 Numerical Results 4.6 Conclusion and Future Work Acknowledgment References Chapter 5 Evaluating Adaptive Deception Strategies for Cyber Defense with Human Adversaries 5.1 Introduction 5.1.1 HoneyGame: An Abstract Interactive Game to Study Deceptive Cyber Defense 5.2 An Ecology of Defense Algorithms 5.2.1 Static Pure Defender 5.2.2 Static Equilibrium Defender 5.2.3 Learning with Linear Rewards (LLR) 5.2.4 Best Response with Thompson sampling (BR‐TS) 5.2.5 Probabilistic Best Response with Thompson Sampling (PBR‐TS) 5.2.6 Follow the Regularized Leader (FTRL) 5.3 Experiments 5.3.1 Measures 5.4 Experiment 1 5.4.1 Participants 5.4.2 Procedure 5.4.3 Results 5.4.3.1 Average Rewards 5.4.3.2 Attacks on Honeypots 5.4.3.3 Switching Behavior 5.4.3.4 Attack Distribution 5.5 Experiment 2 5.5.1 Participants 5.5.2 Results 5.5.2.1 Average Rewards 5.5.2.2 Attacks on Honeypots 5.5.2.3 Switching Behavior 5.5.2.4 Attack Distribution 5.6 Towards Adaptive and Personalized Defense 5.7 Conclusions Acknowledgements References Chapter 6 A Theory of Hypergames on Graphs for Synthesizing Dynamic Cyber Defense with Deception 6.1 Introduction 6.2 Attack‐Defend Games on Graph 6.2.1 Game Arena 6.2.2 Specifying the Security Properties in LTL 6.3 Hypergames on Graphs 6.4 Synthesis of Provably Secure Defense Strategies Using Hypergames on Graphs 6.4.1 Synthesis of Reactive Defense Strategies 6.4.2 Synthesis of Reactive Defense Strategies with Cyber Deception 6.5 Case Study 6.6 Conclusion References Part II Game Theory for Cyber Security Chapter 7 Minimax Detection (MAD) for Computer Security: A Dynamic Program Characterization 7.1 Introduction 7.1.1 Need for Cohesive Detection 7.1.2 Need for Strategic Detection 7.1.3 Minimax Detection (MAD) 7.2 Problem Formulation 7.2.1 System Model 7.2.2 Defense Model 7.2.3 Threat Model 7.2.4 Game Model 7.3 Main Result 7.3.1 Complexity Analysis 7.4 Illustrative Examples 7.5 Conclusion Acknowledgements References Chapter 8 Sensor Manipulation Games in Cyber Security 8.1 Introduction 8.2 Measurement Manipulation Games 8.2.1 Saddle‐Point Equilibria 8.2.2 Approximate Saddle‐Point Equilibrium 8.3 Sensor‐Reveal Games 8.3.1 Nash Equilibria 8.4 Conclusions and Future Work References Chapter 9 Adversarial Gaussian Process Regression in Sensor Networks 9.1 Introduction 9.2 Related Work 9.3 Anomaly Detection with Gaussian Process Regression 9.4 Stealthy Attacks on Gaussian Process Anomaly Detection 9.5 The Resilient Anomaly Detection System 9.5.1 Resilient Anomaly Detection as a Stackelberg Game 9.5.2 Computing an Approximately Optimal Defense 9.6 Experiments 9.7 Conclusions References Chapter 10 Moving Target Defense Games for Cyber Security: Theory and Applications 10.1 Introduction 10.2 Moving Target Defense Theory 10.2.1 Game Theory for MTD 10.3 Single‐Controller Stochastic Games for Moving Target Defense 10.3.1 Stochastic Games 10.3.2 Single‐Controller Stochastic Games 10.3.2.1 Numerical Example 10.4 A Case Study for Applying Single‐Controller Stochastic Games in MTD The case study presented in this section is based on the work in Eldosouky et al. (). 10.4.1 Equilibrium Strategy Determination 10.4.2 Simulation Results and Analysis 10.5 Moving Target Defense Applications 10.5.1 Internet of Things (IoT) Applications 10.5.2 Machine Learning Applications 10.5.3 Prospective MTD Applications 10.6 Conclusions References Chapter 11 Continuous Authentication Security Games 11.1 Introduction 11.2 Background and Related Work 11.3 Problem Formulation 11.3.1 User Behavior 11.3.2 Intrusion Detection System Model 11.3.3 Model of Continuous Authentication 11.3.4 System States without an Attacker 11.3.5 Attack Model 11.3.5.1 Listening (l(t)=r, a(t)=0) 11.3.5.2 Attacking (l(t)=0, a(t)=r) 11.3.5.3 Waiting (l(t)=0, a(t)=0) 11.3.6 Continuous Authentication Game 11.4 Optimal Attack Strategy under Asymmetric Information 11.4.1 MDP Formulation 11.4.1.1 Waiting (l(t)=0, a(t)=0) 11.4.1.2 Listening (l(t)=r, a(t)=0) 11.4.1.3 Attacking (l(t)=0, a(t)=r) 11.4.2 Optimality of the Threshold Policy 11.4.2.1 Optimality of Listening 11.4.2.2 Optimality of Attacking 11.5 Optimal Defense Strategy 11.5.1 Expected Defender Utility 11.5.2 Analysis without an Attacker 11.5.3 Analysis with an Attacker 11.6 Numerical Results 11.7 Conclusion and Discussion References Chapter 12 Cyber Autonomy in Software Security: Techniques and Tactics 12.1 Introduction 12.2 Background 12.3 Related Work 12.4 Model Setup 12.5 Techniques 12.6 Tactics 12.6.1 Model Parameters 12.6.2 Formalization 12.6.3 Finding Equilibriums 12.6.4 Algorithm 12.7 Case Study 12.8 Discussion 12.9 Conclusion References Part III Adversarial Machine Learning for Cyber Security Chapter 13 A Game Theoretic Perspective on Adversarial Machine Learning and Related Cybersecurity Applications 13.1 Introduction to Game Theoretic Adversarial Machine Learning 13.2 Adversarial Learning Problem Definition 13.3 Game Theory in Adversarial Machine Learning 13.3.1 Simultaneous Games 13.3.1.1 Zero Sum Games 13.3.1.2 Nash Equilibrium Games 13.3.2 Sequential Games 13.4 Simultaneous Zero‐sum Games in Real Applications 13.4.1 Adversarial Attack Models 13.4.1.1 Free‐Range Attack 13.4.1.2 Restrained Attack 13.4.2 Adversarial SVM Learning 13.4.2.1 AD‐SVM Against Free‐range Attack Model 13.4.2.2 AD‐SVM Against Restrained Attack Model 13.4.3 Experiment 13.4.3.1 Attack Simulation 13.4.3.2 Experimental Results 13.4.3.3 A Few Words on Setting Cf, Cξ, and Cδ 13.4.4 Remark 13.5 Nested Bayesian Stackelberg Games 13.5.1 Adversarial Learning 13.5.2 A Single Leader Single Follower Stackelberg Game 13.5.3 Learning Models and Adversary Types 13.5.3.1 Learning Models 13.5.3.2 Adversary Types 13.5.3.3 Setting Payoff Matrices for the Single Leader Multiple‐followers Game 13.5.4 A Single Leader Multi‐followers Stackelberg Game 13.5.5 Experiments 13.5.5.1 Artificial Datasets 13.5.5.2 Real Datasets 13.5.6 Remark 13.6 Further Discussions Acknowledgements References Chapter 14 Adversarial Machine Learning for 5G Communications Security 14.1 Introduction 14.2 Adversarial Machine Learning 14.3 Adversarial Machine Learning in Wireless Communications 14.3.1 Wireless Attacks Built Upon Adversarial Machine Learning 14.3.2 Domain‐specific Challenges for Adversarial Machine Learning in Wireless Communications 14.3.3 Defense Schemes Against Adversarial Machine Learning 14.4 Adversarial Machine Learning in 5G Communications 14.4.1 Scenario 1—Adversarial Attack on 5G Spectrum Sharing 14.4.1.1 Attack Setting 14.4.1.2 Simulation Setup and Performance Results 14.4.2 Scenario 2—Adversarial Attack on Signal Authentication in Network Slicing 14.4.2.1 Attack Setting 14.4.2.2 Simulation Setup and Performance Results 14.4.3 Defense Against Adversarial Machine Learning in 5G Communications 14.5 Conclusion References Chapter 15 Machine Learning in the Hands of a Malicious Adversary: A Near Future If Not Reality1 15.1 Introduction 15.2 AI‐driven Advanced Targeted Attacks 15.2.1 Advanced Targeted Attacks 15.2.2 Motivation for Adapting ML method in Malware 15.2.3 AI to Flesh Out the Details of What, When, and How to Attack from Internal Reconnaissance 15.2.3.1 What to Attack: Confirming a Target System 15.2.3.2 When to Attack: Determining the Time to Trigger an Attack Payload 15.2.3.3 How to Attack: Devising the Attack Payload 15.2.4 Assumptions 15.3 Inference of When to Attack: The Case of Attacking a Surgical Robot 15.3.1 Target System 15.3.2 Attack Model 15.3.2.1 Attack Preparation 15.3.2.2 Attack Strategy: ROS‐specific MITM 15.3.2.3 Trigger: Inference of Critical Time to Initiate the Malicious Payload 15.3.2.4 Attack Payload: Fault Injection 15.3.3 Results 15.3.4 Attack timeline 15.3.5 Summary 15.4 Inference of How to Attack: The Case of Attacking a Building Control System 15.4.1 Target system 15.4.1.1 Computing Infrastructure: Blue Waters 15.4.1.2 Cyber‐physical System: NPCF Building Automation System 15.4.1.3 Data 15.4.2 Attack Model 15.4.3 Results 15.4.4 Attack Timeline 15.4.5 Summary 15.5 Protection from Rising Threats 15.6 Related Work 15.7 The Future References Chapter 16 Trinity: Trust, Resilience and Interpretability of Machine Learning Models 16.1 Introduction 16.2 Trust and Interpretability 16.2.1 Formal Methods and Verification 16.2.2 Top‐down Analysis by Synthesis 16.3 Resilience and Interpretability 16.3.1 Manifold‐based Defense 16.3.2 Attribution‐based Confidence Using Shapley Values 16.4 Conclusion References Part IV Generative Models for Cyber Security Chapter 17 Evading Machine Learning Based Network Intrusion Detection Systems with GANs 17.1 Introduction 17.2 Background 17.2.1 Network Intrusion Detection Systems 17.2.2 Adversarial Examples 17.2.3 Generative Adversarial Networks 17.2.4 Crafting Adversarial Examples Using GANs 17.3 Methodology 17.3.1 Target NIDS for Detecting Attack Traffic 17.3.1.1 Discriminator and Generator Architectures 17.3.2 Constraints 17.3.3 Preprocessing 17.3.4 The Attack Algorithm 17.4 Evaluation 17.4.1 Results 17.4.2 Transfer‐based Attack 17.5 Conclusion References Chapter 18 Concealment Charm (ConcealGAN): Automatic Generation of Steganographic Text Using Generative Models to Bypass Censorship 18.1 Censorship 18.2 Steganography 18.3 Methodology 18.3.1 Previous Works Using Machine Learning Techniques 18.3.2 High Level of Working Mechanism of ConcealGAN 18.3.3 Double Layer of Encoding 18.3.4 Compression of Data 18.3.5 Embedding Algorithms 18.3.5.1 RNN 18.3.5.2 LeakGAN 18.4 Results 18.5 Conclusion and Future Work References Part V Reinforcement Learning for Cyber Security Chapter 19 Manipulating Reinforcement Learning: Stealthy Attacks on Cost Signals 19.1 Introduction of Reinforcement Learning 19.1.1 Setting of RL 19.1.2 TD Learning 19.1.3 Q‐Learning 19.2 Security Problems of Reinforcement Learning 19.3 Reinforcement Learning with Manipulated Cost Signals 19.3.1 TD Learning with Manipulated Cost Signals 19.3.2 Q‐Learning with Manipulated Cost Signals 19.4 Case Study 19.5 Conclusion References Chapter 20 Resource‐Aware Intrusion Response Based on Deep Reinforcement Learning for Software‐Defined Internet‐of‐Battle‐Things 20.1 Introduction 20.1.1 Motivation and Challenges 20.1.2 Research Goal 20.1.3 Research Questions 20.1.4 Key Contributions 20.1.5 Structure of This Chapter 20.2 Related Work 20.2.1 Software‐Defined Internet‐of‐Battle‐Things 20.2.2 Deep Reinforcement Learning 20.2.3 Resource‐Aware Defense Systems 20.3 System Model 20.3.1 Node Model 20.3.2 Network Model 20.3.3 Attack Model 20.3.4 System Failure Condition 20.3.5 Assumptions 20.4 The Proposed DRL‐Based Resource‐Aware Active Defense Framework 20.4.1 MultiLayered Defense Network Structure 20.4.2 DRL‐Based Intrusion Response Strategies 20.4.2.1 Intrusion Response Strategies 20.4.2.2 Selection of an Intrusion Response Policy 20.5 Experimental Setting 20.5.1 Comparing Schemes 20.5.2 Metrics 20.6 Simulation Results & Analysis 20.6.1 Effect of DRL‐Based Intrusion Response Strategies on Accumulated Rewards 20.6.2 Effect of DRL‐Based Intrusion Response Strategies Under Varying Attack Severity (Pa) 20.7 Conclusion & Future Work References Part VI Other Machine Learning Approach to Cyber Security Chapter 21 Smart Internet Probing: Scanning Using Adaptive Machine Learning 21.1 Introduction 21.2 Data Sets 21.2.1 Global Internet Scans 21.2.2 Data Curation 21.2.3 Data Processing 21.3 Model and Metrics 21.3.1 Classification Algorithm 21.3.2 Features for Model Training 21.3.3 Metrics 21.4 Methodology 21.4.1 Parallel Scanning 21.4.2 Sequential Scanning 21.4.2.1 Finding an Optimal Scan Order 21.4.2.2 Training the Sequence of Classifiers 21.5 Evaluation 21.5.1 Setup 21.5.2 Parallel Scanning 21.5.3 Sequential Scanning 21.6 Discussion 21.6.1 Comparison with Other Approaches 21.6.2 Coverage on Vulnerable IP Addresses 21.6.3 Keeping Models Up‐to‐Date 21.6.4 Practical Utility 21.7 Related Work 21.8 Conclusions and Future Work Acknowledgments References Chapter 22 Semi‐automated Parameterization of a Probabilistic Model Using Logistic Regression—A Tutorial 22.1 Introduction 22.1.1 Context, Scope, and Notation 22.1.2 Assumptions on Data Availability 22.2 Method Derivation 22.2.1 Exact Transition Models 22.2.2 Meaning of Dependencies 22.2.3 Dependency Descriptions and Information Exchange 22.2.4 Local and Global Models 22.3 Parameterization by Example 22.3.1 Structure of Examples 22.3.2 Modeling Recovery Events 22.3.3 Constructing the Model Parameter Estimation Function 22.4 Data Gathering and Preparation 22.4.1 Public Sources of Data 22.4.2 Getting Training Data 22.4.3 Explorative Data Analysis 22.5 Logistic Regression (LR)—Basics 22.5.1 Handling Categorical and Missing Data 22.5.1.1 Treatment of Missing Values 22.5.1.2 Recommended Treatment of Missing Data 22.6 Application of LR for Model Parameterization 22.6.1 Step 1: Fitting the Regression Model 22.6.1.1 Model Diagnostics and Plausibility Checks 22.6.1.2 Choosing/Constructing Alternative Models 22.6.2 Step 2: Apply the Regression for Batch Parameterization 22.6.2.1 Parameterizing the Automaton with Incomplete Data 22.6.2.2 Compiling the Results 22.7 Summary Acknowledgment 22.A.1 On Fuzzy Logic Methods and Copulas 22.A.2 Using Fuzzy Logic to Estimate Parameters 22.A.3 Using Neural Networks to Estimate Parameters References Chapter 23 Resilient Distributed Adaptive Cyber‐Defense Using Blockchain 23.1 Introduction 23.2 Temporal Online Reinforcement Learning 23.3 Spatial Online Reinforcement Learning 23.4 Experimental Results 23.5 Survivable Adaptive Distributed Systems 23.6 Summary and Future Work Acknowledgements References Chapter 24 Summary and Future Work 24.1 Summary 24.1.1 Game Theory for Cyber Deception 24.1.2 Game Theory for Cyber Security 24.1.3 Part 3: Adversarial Machine Learning for Cyber Security 24.1.4 Part 4: Generative Models for Cyber Security 24.1.5 Part 5: Reinforcement Learning for Cyber Security 24.1.6 Other Machine Learning approach to Cyber Security 24.2 The Future 24.2.1 Game Theory and Cyber Security 24.2.2 Machine Learning and Cyber Security References Index EULA