FIELD OF THE INVENTION

The present invention relates generally to the field of network security. More particularly, the present invention is related to methods for analysis of cyber network interactions among attackers, passive network sensors, and active network sensors using three-sided games, where each side can have multiple participants sharing the same goal. The method provides network security based on the analysis.

BACKGROUND

Network attacks include one-to-one attacks, one-to-many attacks, and many-to-one attacks. Existing network security methods suffer from high false positives, difficulty in detecting highly complex attacks, and the inability to adapt for detecting new types of attacks. Moreover, existing methods often perform attack identification in a passive manner by using only available alerts instead of actively seeking and prioritizing the most useful alerts to mitigate. Another aspect that is lacking with current methods is the inability to provide effective mitigation of network threats, predicting future attacks, and resolving multiple simultaneous attacks. For current methods, the recommendation of mitigation is usually provided in an ad hoc and heuristic manner, often independent of the situation awareness (SA) process, the user, or the importance of the network for operational considerations.

SUMMARY OF THE EMBODIMENTS

It is a feature of the present invention to provide network security in the form of three-sided game-theoretic analysis of the cyber network interactions among attackers, passive network sensors, and active network sensors. A honeypot (e.g., including active network sensors) can act as a supportive side, which can be camouflaged in the network to help passive sensors detect and track cyber network attacks.

In accordance with an additional feature of the present invention, a system is provided that includes a computer programmed for three-sided game-theoretic analysis of cyber network interactions among attackers, passive network sensors, and active network sensors. A honeypot acts as a supporting side, which can be camouflaged in the network to help passive network sensors detect and track cyber network attacks, which generally originate from attacking servers. Game theory is a relatively new application in cyber research, and the use of a honeynet is a unique aspect of the work that enhances game-theoretic developments over passive network sensors and active network sensors.

It is yet another feature of the present invention to utilize a geometric solution based on a three-dimensional action curve (for a cyber defender) and a three-dimensional action surface (for a cyber attacker) to numerically solve the uniquely three-side game modeled cyber security problem. The numerical game solution includes four features: first, it can quickly determine whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; second, it can efficiently check if the equilibrium is a mixed or pure Nash; third, it can timely compute the (mixed) Nash equilibriums; and fourth, it also follows a Fictitious Play Concept. These four features provide an adaptive solution and can be applied in any partially observed cyber security system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a system in accordance with features of the present invention;

FIG. 2 is a concept level block diagram of the three-sided game model for cyber network security problems;

FIG. 3 depicts the system level flowchart of the three-sided game model and the geometric method;

FIG. 4 depicts an exemplary three sided game in a matrix format;

FIG. 5 is an exemplary action curve and surface intersection which has pure active sensor strategy;

FIG. 6 depicts another exemplary action curve and surface intersection which is a typical mixed Nash equilibrium;

FIG. 7 is a flowchart showing block **33**, “determine a cell and line segment”, of FIG. 3;

FIG. 8 depicts an exemplary cell and line segment to be searched for the intersection of the action surface (of the attacker) and the action curve (of the defender);

FIG. 9 is a flowchart showing the main process of the “current set contains MNE?” route **71** in FIG. 7;

FIG. 10 is a flowchart showing the “is p inside a triangle (p1, p2, p3)?” route **93** in FIG. 9;

FIG. 11 depicts an exemplary cell and line segment containing the intersection of the action surface (of the attacker) and the action curve (of the defender).

DETAILED DESCRIPTION OF EMBODIMENTS

The purpose of this invention is to develop three-sided game theory based innovative situation awareness systems and methods for active network security and impact mitigation of adversarial attacks against cyber networks.

Referring to FIG. 1, there is shown an implementation of a cyber-network security system according to the invention in a local network having the passive and active network sensors deployed. The local network comprises N production servers **14**_{1} to **14**_{N}. The network traffic can be monitored by a Snort-based passive network sensor (PNS) **12**a, which can be controlled by the PNS engine **12**b. Some network requests can be routed to an active network sensor (ANS) **13**b, which can interact with remote users in a virtual way. The ANS can be deployed based on Honeypot and Address Resolution Protocol Daemon (ARPD). The interaction scripts and strategies can be reconfigured via the ANS engine **13**b. The attacker **10** can launch cyber-attacks against the local network via the Internet **11**. The PNS engine and ANS engine can follow the mixed Nash equilibrium of the three-sided game model shown in FIG. 2.

FIG. 2 shows the concept-level framework of the three-sided game model. Attacker 2 may launch various cyber-attack weapons **21**a, which are inputs to the game model. Attacks will get rewards **21**b, which depend on the game model parameters **23**, PNS strategies **25**a, and ANS strategies **26**a. Similarly, PNS engine **27** and ANS engine **28** obtain their rewards **25**b and **26**b, respectively. Their values are also partially determined by the attacker's choices. This reward dependence is the main modeling merit of the game theory method: decisions should be made with consideration of the opponents. To obtain the game solution of mixed Nash equilibrium (MNE), the invention presents a geometric solution **24** to determine and calculate the intersection point of the attacker's action surface and the defender's action curve. The action surface or action curve is the set of one side's best response actions for its opponents' possible choices. In the three-sided cyber game model, the ANS and PNS are coordinated to defend against attackers. Therefore, given a combined PNS and ANS choice (h_{k}, s_{k}), the attacker will compute his best response r_{k}. Since h_{k}, s_{k} and r_{k} are all scalar values, the attacker's best response set is a surface, which is called an action surface. Similarly, for ANS and PNS, their combined best response is a curve, called an action curve.

FIG. 3 shows the system level flowchart of the invention. Block **30** creates a three-sided game model based on a scenario or problem. For the general scenario in FIG. 1, the system states are defined as the probability vector of N servers:

$(p^{1}_{1|1},\, p^{1}_{1|0},\, p^{2}_{1|1},\, p^{2}_{1|0},\, \ldots,\, p^{N}_{1|1},\, p^{N}_{1|0})$ (1)

where $p^{i}_{1|1}$ is the detection rate (DR), which is the probability that server i is flagged as attacked when it is actually attacked, and $p^{i}_{1|0}$ is the false positive rate (FPR), which is the probability that server i is flagged as attacked when it is actually NOT attacked.

Given the system state vector $p=(p^{1}_{1|1}, p^{1}_{1|0}, p^{2}_{1|1}, p^{2}_{1|0}, \ldots)'$, the reward functions for the attacker and defender are defined as

$J_{d}(p)=\sum_{i=1}^{N}\left(c^{i1}p^{i}_{1|1}-c^{i2}p^{i}_{0|1}-c^{i3}p^{i}_{1|0}\right)$ (2)

$J_{a}(p)=\sum_{i=1}^{N}\left(v^{i1}p^{i}_{s}-v^{i2}p^{i}_{f}\right)$ (3)

where $c^{i1}, c^{i2}, c^{i3}$ are positive constants for server i; $p^{i}_{0|1}=1-p^{i}_{1|1}$ is the missed detection probability; $v^{i1}$ and $v^{i2}$ are the value of server i and the cost of attacking server i; and $p^{i}_{s}$ is the probability of successfully penetrating server i. The model includes $p^{i}_{s}=p^{i}_{0|1}\,p_{a}(j)$, where $p_{a}(j)$ is the success rate of the selected attack j. $p^{i}_{f}$ is the probability that an attack on server i fails, with $p^{i}_{f}=p^{i}_{1|1}+p^{i}_{0|1}(1-p_{a}(j))$. The three-sided interaction is modeled as a matrix game. FIG. 4 depicts an exemplary three-sided game in a matrix format. The game size (shown by **40**) is determined by the possible strategies of the three sides. After all sides choose their strategies, a particular three-dimensional (3D) action curve or cube can be picked. For example, if the attacker chooses r_{3}, the ANS engine chooses h_{3}, and the PNS engine chooses s_{3}, then cube **41** is picked. Square **43** is the coordinated strategy of PNS and ANS. Square **42** indicates the chosen attacker strategy. In cube **41**, there are two values, obtained from equations (2) and (3), respectively.

The game in FIG. 4 is played by three sides in such a way that the attacker chooses his strategy to maximize J_{a} (eq. 3) in the picked cube (for example cube **41** in FIG. 4), while the PNS and ANS engines choose their coordinated strategies to maximize J_{d} (eq. 2) in the same cube, which depends on both the attacker's choice and the combined PNS/ANS engine choice.

To solve the three-sided game problem, this invention presents a geometric solution to compute MNEs. The action curve (surface) based solution is depicted in blocks **31**-**34** of FIG. 3. Block **31** computes the action curve of the PNS and ANS engines. For each possible attacker strategy, eq. (2) is maximized by choosing the coordinated PNS and ANS strategies. By connecting all these best responses of coordinated strategies, along with the chosen attacker strategies, block **31** obtains the defender action curve.

Block **32** computes the action surface of the attacker. For each possible coordinated PNS and ANS strategy, eq. (3) is maximized by choosing the attacker strategy. Block **32** then connects these best responses of attacking strategies, along with the chosen coordinated defender strategies, to obtain the attacker action surface.

For the three-sided game, an intersection of the action curve and the action surface is a Nash strategy. If the intersection is located exactly on one of these best response points, then the Nash strategy is a pure Nash equilibrium (PNE). Otherwise it is a mixed Nash equilibrium (MNE). A PNE can be seen as a special case of an MNE, so in this invention MNEs are used to solve the three-sided game model. Another advantage of the MNE is that at least one MNE always exists for the three-sided game model for cyber network security.

FIG. 5 is an exemplary action curve and surface intersection which has a pure active sensor strategy. **51**_{00} is the point on the attacker action surface when the ANS and PNS engines choose the coordinated strategy (0, 0). **51**_{a2} is the point on the attacker action surface when the ANS and PNS engines choose the coordinated strategy (10, 2). **50**_{7} is the point on the defender action curve when the attacker takes strategy no. 7. **50**_{5} is the point on the defender action curve when the attacker takes strategy no. 5. **52**_{5} and **52**_{a} are the contour lines of the attacker action surface when the attacking rate is 50% and 100% of the maximum attacking speed. From the plot in FIG. 5, it is obvious that the PNS engine will play its no. 10 strategy and that the intersection occurs between **50**_{4} and **50**_{5} on the action curve.

FIG. 6 depicts another exemplary action curve and action surface intersection which is a typical mixed Nash equilibrium. **60**_{9} is the point on the defender action curve when the attacker takes strategy no. 9. **60**_{8} is the point on the defender action curve when the attacker takes strategy no. 8. **61**_{27} is the point on the attacker action surface when the ANS and PNS engines choose the coordinated strategy (2, 7). **61**_{19} is the point on the attacker action surface when the ANS and PNS engines choose the coordinated strategy (1, 9). **62**_{23} and **62**_{7} are the contour lines of the attacker action surface when the attacking rate is 30% and 70% of the maximum attacking speed. From the plot in FIG. 8, it is difficult to find the location of the intersection. Therefore, the invention presents a geometric solution (FIG. 7) to find the cells of the action surface and the related line segments of the action curve that contain the intersection points.

FIG. 7 is a flowchart showing the “determine a cell and line segment” block **33** in the process of FIG. 3. Block **70** initializes the search by setting the sizes of the attacker action set, the PNS action set, and the ANS action set. It also sets the initial position of the search. Block **71** tests whether the current action surface cell and action curve segment contain the intersection. The details of this block are described in FIG. 8. Block **72** saves the current decision set if it contains the intersection. Otherwise, the process searches the next set (surface cell and curve segment). This decision is decomposed into blocks **73**-**77**. Block **73** checks whether all surface cells have been searched. If yes, the process is ready to test the possible intersection between the next curve segment and each of the surface cells; the test starts from the first surface cell, as set in block **74**. Block **76** checks whether all curve segments have been searched. If yes, the search ends and exits (block **78**). If no, the next curve segment is set in block **77**, and the search repeats by going to block **71**. The other possible outcome of block **73** is that unsearched cells for the current curve segment still exist. In that case the next surface cell is set as the current cell in block **75**, and the test procedure repeats by going to block **71**. After all sets are searched, the process exits (block **78**) with the saved sets containing the intersection points, which are MNEs. The invention then calculates the MNEs in block **34** of FIG. 3.

FIG. 8 depicts an exemplary cell and line segment to be searched for the intersection of the action surface (of the attacker) and the action curve (of the defender). **80**_{1}-**80**_{4} determine the action surface cell projected onto the ANS and PNS engines' strategy space (like **43** in FIG. 4). **81**_{1} and **81**_{2} define the action curve segment, where r_{1} and r_{2} are consecutive attacker strategies. Since all six points lie on the action surface or the action curve, their locations in three-dimensional (3D) space can be determined. The problem of whether the set contains an intersection point can be solved in the following way:

- if r_{1}r_{2} goes through Δ123: true, exit;
- else if r_{1}r_{2} goes through Δ124: true, exit;
- else if r_{1}r_{2} goes through Δ134: true, exit;
- else if r_{1}r_{2} goes through Δ234: true; else false;

where Δ123 is the triangle determined by points **80**_{1}, **80**_{2}, and **80**_{3}, and similarly for Δ124, Δ134, and Δ234. The geometric solution to test whether a line segment goes through a triangle is presented in FIG. 9.

FIG. 9 is a flowchart of the test of whether a line segment goes through a triangle. This part is the main process of the “current set contains MNE?” route **71** in FIG. 7. Block **90** specifies the input and output structure. The inputs are the three points of the triangle and the line segment. The output is yes or no. Block **91** calculates the intersection point of the plane that contains the triangle and the line that contains the line segment. The detailed algorithm is as follows (ps and pt are the end points of the segment, p1, p2, p3 the triangle vertices):

- n = cross(p2 - p1, p3 - p1); % normal vector of the plane containing the triangle
- if (n' * (pt - ps) == 0), return false; end % line parallel to the plane: no intersection
- r = n' * (p1 - ps) / (n' * (pt - ps)); % ratio along the segment direction (pt - ps) at which the line meets the plane
- p = ps + r * (pt - ps); % intersection point computed from the ratio
Note that the intersection point may lie outside the triangle or outside the line segment even when it exists. Therefore, blocks **92**-**95** further test whether the intersection point is in the triangle AND in the line segment. Block **92** checks whether the intersection point p is between p_{s} and p_{t}. If not, the triangle (p1, p2, p3) does not intersect the line segment (ps, pt), as stated in block **95**. Otherwise, block **93** tests whether the intersection point p is inside the triangle (p1, p2, p3); the details of block **93** are explained in FIG. 10. If the result of block **93** is yes, the triangle (p1, p2, p3) does intersect the line segment (ps, pt), as stated in block **94**. Otherwise, the procedure goes to block **95**.

FIG. 10 is a flowchart showing the “is p inside a triangle (p1, p2, p3)?” route **93** in FIG. 9. Block **100** specifies the input structure, which contains the three points of the triangle and the point to be tested. Given that p and the triangle are in the same plane (since p is the intersection point, p lies in the plane containing the triangle), the geometric solution is based on the following observation. A point p is inside the triangle (p_{1}, p_{2}, p_{3}) if and only if

- p and p_{1} are on the same side of the line through p_{2} and p_{3}, AND
- p and p_{2} are on the same side of the line through p_{1} and p_{3}, AND
- p and p_{3} are on the same side of the line through p_{1} and p_{2}.

The invention uses the following geometric method to test whether two points (p1 and p) are on the same side of the line (p2, p3):

- cp1 = cross(p2 - p3, p - p3); % cross product of the line direction with the vector to p
- cp2 = cross(p2 - p3, p1 - p3); % cross product of the line direction with the vector to p1
- if cp1' * cp2 >= 0, same side; else different side; end
Blocks **101**-**106** depict the whole test of whether p is inside the triangle (p1, p2, p3). Block **101** tests whether p and p1 are on the same side of the line (p2, p3). If yes, the procedure continues in block **102**. Otherwise, p is not in the current triangle, as stated in block **105**. Block **102** tests whether p and p2 are on the same side of the line (p1, p3). If yes, the procedure continues in block **103**. Otherwise, p is not in the current triangle, as stated in block **105**. Block **103** tests whether p and p3 are on the same side of the line (p1, p2). If yes, p is in the current triangle, as stated in block **104**. Otherwise, p is not in the current triangle, as stated in block **105**. The procedure exits in block **106**.
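The cell search of FIG. 7, the four-triangle decision of FIG. 8 and the segment/triangle and point-in-triangle tests of FIGS. 9 and 10, written out as an added example in plain Python (this is not the patent's own code). Coordinates are (s, h, r) for the PNS, ANS and attacker strategies; the action surface, action curve and cell layout are constructed sample data, and the exact `== 0` / `>= 0` comparisons of the flowcharts are replaced by a small floating-point tolerance.

```python
from itertools import combinations

EPS = 1e-9  # tolerance standing in for the exact == 0 / >= 0 tests of the flowcharts

def sub(a, b):
    return tuple(x - y for x, y in zip(a, b))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])

def same_side(p, q, a, b):
    """FIG. 10 test: cp1 = cross(a-b, p-b), cp2 = cross(a-b, q-b); same side iff cp1'*cp2 >= 0."""
    return dot(cross(sub(a, b), sub(p, b)), cross(sub(a, b), sub(q, b))) >= -EPS

def point_in_triangle(p, p1, p2, p3):
    """Blocks 101-105: p is inside iff it lies on p1's side of (p2,p3), p2's side
    of (p1,p3) and p3's side of (p1,p2). p is assumed to lie in the triangle's plane."""
    return (same_side(p, p1, p2, p3) and same_side(p, p2, p1, p3)
            and same_side(p, p3, p1, p2))

def segment_hits_triangle(ps, pt, p1, p2, p3):
    """FIG. 9: intersect the line (ps,pt) with the triangle's plane (block 91), then
    require 0 <= r <= 1 (block 92) and p inside the triangle (block 93).
    Returns the intersection point, or None."""
    n = cross(sub(p2, p1), sub(p3, p1))   # normal of the plane containing the triangle
    d = sub(pt, ps)                        # segment direction
    denom = dot(n, d)
    if abs(denom) < EPS:                   # segment parallel to the plane: no hit
        return None
    r = dot(n, sub(p1, ps)) / denom        # ratio along the segment direction
    if r < -EPS or r > 1 + EPS:            # hit lies outside [ps, pt]
        return None
    p = tuple(s + r * di for s, di in zip(ps, d))
    return p if point_in_triangle(p, p1, p2, p3) else None

def segment_hits_cell(ps, pt, corners):
    """FIG. 8 decision: test the segment against Δ123, Δ124, Δ134, Δ234 in turn."""
    for tri in combinations(range(4), 3):
        hit = segment_hits_triangle(ps, pt, *(corners[i] for i in tri))
        if hit is not None:
            return hit
    return None

def find_intersecting_sets(curve, cells):
    """FIG. 7 search over every (curve segment, surface cell) pair; each saved
    set is (segment index, cell index, intersection point)."""
    found = []
    for k in range(len(curve) - 1):                            # blocks 74, 76, 77
        for c, cell in enumerate(cells):                       # blocks 73, 75
            hit = segment_hits_cell(curve[k], curve[k + 1], cell)  # block 71
            if hit is not None:
                found.append((k, c, hit))                      # block 72
    return found

# Constructed sample data (assumed, not from the patent). Attacker action surface:
# best response r = 0.2 + 0.2*s + 0.1*h sampled at s, h in {0, 1, 2}, split into
# four cells of four corner points each, like 80_1..80_4 in FIG. 8.
def _surface(s, h):
    return 0.2 + 0.2 * s + 0.1 * h

CELLS = [[(s + ds, h + dh, _surface(s + ds, h + dh))
          for ds, dh in ((0, 0), (1, 0), (0, 1), (1, 1))]
         for s in (0, 1) for h in (0, 1)]
# Defender action curve: best response (s, h) for three consecutive attacker strategies r.
CURVE = [(0.4, 0.4, 0.0), (0.4, 0.4, 1.0), (1.5, 1.5, 1.2)]

if __name__ == "__main__":
    for k, c, p in find_intersecting_sets(CURVE, CELLS):
        print(f"curve segment {k} passes through surface cell {c} at (s, h, r) = {p}")
```

With the sample data exactly one set is saved: segment 0 meets cell 0 at (0.4, 0.4, 0.32), the point that block **34** would then refine into the MNE.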

The next step (block **34** of FIG. 3) is to compute the MNE for a given action surface cell and action curve segment that contain the intersection point. FIG. 11 depicts an exemplary cell and line segment containing the intersection of the action surface (of the attacker) and the action curve (of the defender). Points **110**_{1}-**110**_{4} define the cell and point **111** is the intersection point. The exact position of **111** (in three dimensions: PNS s*, ANS h*, and attacker r*; see FIG. 4 for a visual illustration) can be formulated as

$s^{*}=\lambda_{1}s_{1}+\lambda_{2}s_{2}+\lambda_{3}s_{3}+(1-\lambda_{1}-\lambda_{2}-\lambda_{3})s_{4}$ (4)

$h^{*}=\lambda_{1}h_{1}+\lambda_{2}h_{2}+\lambda_{3}h_{3}+(1-\lambda_{1}-\lambda_{2}-\lambda_{3})h_{4}$ (5)

$r^{*}=\kappa_{1}r_{1}+(1-\kappa_{1})r_{2}$ (6)

where $0\le\lambda_{1}\le 1$, $0\le(\lambda_{1}+\lambda_{2}+\lambda_{3})\le 1$, and $0\le\kappa_{1}\le 1$. r_{1} and r_{2} are the attacking strategies at the two end points of the action curve segment. Then the rewards, J, are

$J^{*}_{d}=J_{d}(s^{*},h^{*},r^{*})=f_{d}(\lambda_{1},\lambda_{2},\lambda_{3},\kappa_{1})$ (7)

$J^{*}_{a}=J_{a}(s^{*},h^{*},r^{*})=f_{a}(\lambda_{1},\lambda_{2},\lambda_{3},\kappa_{1})$ (8)

Since (s*, h*, r*) is a mixed Nash equilibrium, the following equations apply:

$\partial f_{d}/\partial\lambda_{1}=0$ (9)

$\partial f_{d}/\partial\lambda_{2}=0$ (10)

$\partial f_{d}/\partial\lambda_{3}=0$ (11)

$\partial f_{a}/\partial\kappa_{1}=0$ (12)

where λ_{1}, λ_{2}, λ_{3}, and κ_{1} are obtained by solving equations (9)-(12). The MNE can then be computed by eqs. (4)-(6).

Block **35** of FIG. 3 implements the obtained MNE. For the defender side, the PNS engine will play strategy s_{1} with probability λ_{1}, strategy s_{2} with probability λ_{2}, strategy s_{3} with probability λ_{3}, and strategy s_{4} with probability 1-λ_{1}-λ_{2}-λ_{3}. The ANS engine will play strategy h_{1} with probability λ_{1}, strategy h_{2} with probability λ_{2}, strategy h_{3} with probability λ_{3}, and strategy h_{4} with probability 1-λ_{1}-λ_{2}-λ_{3}. Similarly, for the attacker side, the attacker will play strategy r_{1} with probability κ_{1} and strategy r_{2} with probability 1-κ_{1}. To implement the MNE, two uniformly distributed random variables over [0, 1], X_{d} for the defender and X_{a} for the attacker, are created. Each time, the random values are used to determine which pure strategy to use. If X_{d}∈[0, λ_{1}], then the PNS engine takes s_{1} and the ANS engine takes h_{1}. If X_{d}∈(λ_{1}, λ_{1}+λ_{2}], the PNS engine takes s_{2} and the ANS engine takes h_{2}. If X_{d}∈(λ_{1}+λ_{2}, λ_{1}+λ_{2}+λ_{3}], the PNS engine takes s_{3} and the ANS engine takes h_{3}. If X_{d}∈(λ_{1}+λ_{2}+λ_{3}, 1], the PNS engine takes s_{4} and the ANS engine takes h_{4}. Similarly, if X_{a}∈[0, κ_{1}], the attacker applies strategy r_{1}. If X_{a}∈[κ_{1}, 1], the attacker applies strategy r_{2}.
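The block **35** procedure as an added Python example (not the patent's own code): a single draw X_{d} selects the coordinated (s_{i}, h_{i}) pair, so the PNS and ANS engines always pick the same index, and a separate draw X_{a} selects the attacker's strategy. The cell corners, attacker strategies, λ and κ_{1} are constructed sample values, assumed to have come from eqs. (9)-(12); the second attacker interval is taken as (κ_{1}, 1] so that a draw exactly at κ_{1} maps to one strategy only.

```python
import random

def defender_index(x_d, lam):
    """Map one draw X_d in [0, 1] to index 0..3 of the coordinated pure strategy
    (s_i, h_i). lam = (λ1, λ2, λ3); index 3 carries 1 - λ1 - λ2 - λ3."""
    l1, l2, l3 = lam
    if min(lam) < 0 or l1 + l2 + l3 > 1 + 1e-12:
        raise ValueError("lambda values must be non-negative and sum to at most 1")
    for i, cut in enumerate((l1, l1 + l2, l1 + l2 + l3)):
        if x_d <= cut:          # [0, λ1], (λ1, λ1+λ2], (λ1+λ2, λ1+λ2+λ3]
            return i
    return 3                    # (λ1+λ2+λ3, 1]

def attacker_index(x_a, kappa):
    """X_a in [0, κ1] -> r1 (index 0); assumed (κ1, 1] -> r2 (index 1)."""
    return 0 if x_a <= kappa else 1

def play_rounds(n_rounds, lam, kappa, cell_s, cell_h, attacks, seed=0):
    """Repeated play with seeded draws. Returns the empirical frequency of each
    defender index and of the attacker's r1 (which approach (λ1, λ2, λ3, 1-Σλ)
    and κ1), plus the last (s, h, r) triple actually played."""
    rng = random.Random(seed)
    def_counts = [0, 0, 0, 0]
    r1_count = 0
    last = None
    for _ in range(n_rounds):
        i = defender_index(rng.random(), lam)   # one X_d coordinates PNS and ANS
        j = attacker_index(rng.random(), kappa) # independent X_a for the attacker
        def_counts[i] += 1
        r1_count += (j == 0)
        last = (cell_s[i], cell_h[i], attacks[j])
    return [c / n_rounds for c in def_counts], r1_count / n_rounds, last

# Constructed sample values (assumed, not from the patent): the four cell corners
# (s_i, h_i) of FIG. 11, the attacker strategies r1, r2 at the segment end points,
# and the mixing weights λ and κ1.
CELL_S, CELL_H = (0, 1, 0, 1), (0, 0, 1, 1)
ATTACKS = (0.3, 0.7)
LAMBDA, KAPPA = (0.2, 0.3, 0.4), 0.6

if __name__ == "__main__":
    freq, r1_freq, last = play_rounds(20000, LAMBDA, KAPPA, CELL_S, CELL_H, ATTACKS)
    print("defender frequencies", [round(f, 3) for f in freq],
          "attacker r1 frequency", round(r1_freq, 3), "last play", last)
```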

Blocks **36** and **37** of FIG. 3 are designed to let the system update the states defined in eq. (1). The game can then be updated with the new system states. Accordingly, the three-sided game solution can be recalculated using the geometric solution of the present invention, which provides a closed-loop control paradigm.

In general, geometry is a branch of mathematics concerned with questions of shape, size, relative position of figures, and the properties of space. The disclosed geometric solution solves the three-sided game model by finding a three-dimensional action curve (e.g., for a cyber defender) and a three-dimensional action surface (e.g., for a cyber attacker). The action surface or action curve is the set of one side's best response actions for all of the opponents' possible choices of actions. In the three-sided game model, the ANS and PNS engines are coordinated to defend against attackers. Therefore, given a combined PNS and ANS engine choice (a two-dimensional point), the attacker computes his best response. All of the attacker's best responses form a surface, which is called an action surface. This set is described in block **32** of FIG. 3. Similarly, for the ANS and PNS engines, their combined best response is a curve, called an action curve, which is described in block **31** of FIG. 3. To find the intersection point between the action curve and the action surface, the first step is to find a cell containing the point, as described in block **33** of FIG. 3. The second step is to locate the intersection point in the cell, as described in block **23** of FIG. 3. Since the three-sided game solution is based on the geometric relation (intersection) of two shapes (action curve and action surface), the solution is called the geometric solution in this disclosure.

For cyber applications, game theory is a relatively new concept, and the use of a honeypot is a unique aspect of the work that enhances game-theoretic developments over active and passive sensors. To numerically solve the uniquely three-sided game modeled cyber security problem, a geometric solution based on the action surface and the action curve is developed. To summarize, the present numerical game solution has four features: first, it can quickly determine whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; second, it can efficiently check whether the equilibrium is a mixed or pure Nash; third, it can compute the (mixed) Nash equilibriums in a timely manner; and fourth, it also follows a Fictitious Play concept, so that the solution is an adaptive one and can be applied to any partially observed cyber security system.