1.2. Related Works
Bistarelli et al. [2] attempted to alleviate this problem by proposing an evaluation approach that uses both a qualitative and a quantitative return on investment (ROI) rather than cost alone. The ROI approach allows a security administrator to determine whether a defense strategy is worth its cost. Using empirical evidence, Gordon et al. [3] studied the budgeting and economic activities of computer security companies. The results show that security factors, such as cost–benefit analysis, began to be considered by security management personnel in expenditure budgeting and security decision-making [4]. Feng [5] proposed a cost estimation model based on vulnerability. Using an active and comprehensive vulnerability analysis, he calculated the reliability of the system and the cost of an attack. The defending administrator can use this as a reference to compare the cost of defense to that of repairing the system.
The elements and characteristics of the network attack and defense model are consistent with the definition, elements and characteristics of game theory [6]. The interaction between the attacker and the defender conforms to player interaction in game theory. Game theory provides a mathematical framework for network security analysis, and modeling helps us understand attacker behavior and select an optimal defense strategy for security protection. Carin [7] proposed a method for quantifying network security risk to evaluate security policy effectiveness and analyzed key infrastructure protection strategies using attack and defense models. Lye and Wing [8] used a stochastic game model to determine a Nash Equilibrium for the defender and attacker and their respective optimal strategies [9]. A Nash Equilibrium is a solution of a game in which no player is sufficiently incentivized to change strategy unilaterally. Simply put, it is a state in which each player keeps doing what it was doing at that point [10].
Since the inception of computer networks, researchers have focused on network security. The emergence of Internet-based services has opened new doors for hackers to exploit network security. Several types of malicious software have been widely studied by researchers, such as viruses, worms and botnets. Among the types of malware attacks, computer worms are well known for their capability to bring down a network, or even the Internet. The most notable features of worms are their small size and fast infection spread, since worms do not require human action to propagate through the network. The Slammer worm, the fastest known worm [11], took only 10 min to reach its targets. The severity of a worm attack depends on the scanning rate, the infection topology and the intended attack on the target.
Unlike worms, a virus propagates by replicating itself and requires an executable host file. It often resides in USB flash disks and in files transmitted via email. A Trojan is another category of malware that tries to pass as legitimate software. Since our model considers a static form of attack and defense, it can only be used to model worm-like attacks, considering possible attack and defense scenarios.
Since the first well-known DDoS attack, against Minnesota University in 1999 [12], the methods and tools used in these attacks have changed significantly. The two general types of DDoS attacks are: (1) bandwidth depletion attacks, involving flooding or amplification of network traffic (e.g., flooding, ping of death); and (2) resource depletion attacks, involving sending malformed packets or misusing a protocol to bring down a resource [13] (e.g., TCP SYN flooding, IP address attacks).
Due to the explosive growth of the Internet of Things, the botnet army attack, which uses IoT-based botnets, has emerged as a new form of DDoS attack [14]. Since most of the devices connected to IoT networks are controlled by C&C units with little or no authentication, they are often conscripted into botnet armies. The DDoS attacks on KrebsOnSecurity and Dyn by the Mirai malware are the largest by data volume, and are responsible for conscripting at least 500,000 IoT devices in 164 countries [15]. Another interesting form of DDoS attack that has emerged recently is booters (sometimes referred to as stressers), in which the attack is provided as a service [16]. Using misconfigured DNS servers for amplification is a popular technique used by booters [17].
DDoS attacks over the Tor network became popular in 2013 after Dennis Brown’s presentation at DEF CON 18 on using the Tor network to provide anonymity for the C&C server. However, this method is not as stealthy as claimed, since bots using Tor are detectable due to characteristics of their network traffic [18].
The malicious attack described in our model closely resembles botnets. Botnets are used to perform automated tasks and were first used in IRC channels to implement centralized command and control (C&C) [19]. Since bots can be remotely controlled, they are often used in DDoS attacks [20]. Dainotti et al. analyzed the horizontal scanning of the IPv4 address space employed by the Sality botnet. They emphasized the difficulty of detecting the new generation of botnets and proposed a visualization technique to explore botnet scan propagation. The simulator we developed lacks this capability, since the primary focus of the visualization aspect of our application was visualizing the defense and attack strategies of the network.
Dainotti et al. proposed a mechanism for DDoS detection based on the Continuous Wavelet Transform [21]. Unlike their system, our system focuses on the strategy calculated from the resources available to the administrator and his/her priorities.
Recently, Abshof et al. [22] analyzed dynamics in multi-level networks. Although their static representation of the network and cost calculation are similar to those in our model, their model focuses on measuring the quality of Nash Equilibria. In a review article, Liang [23] explored the overall research process in cyber security and provided a variety of game theory applications, each adapted to a different security scenario.
At present, there are three main problems in using traditional game models to determine an optimal defense strategy: (1) the final optimal defense strategy is generally a combination of game-theoretic results and optimization by the security manager; (2) network availability is often weakened by cost–benefit tradeoffs, despite a general need for information networks to prioritize availability; and (3) powerful analysis methods such as Bayesian equilibrium, Markov decision processes and de-fuzzification, which are used in many related studies, are difficult to compute and low in efficiency [24].
Whilst this paper does not solve all the problems associated with network defense game models, it does present a specific approach to aid security managers in choosing an optimal solution. In previous research [25,26], we studied the dynamic game process between attackers and defenders. This paper focuses on analyzing the static interaction process in each game, aiming to show that using Pareto Optimization allows security managers to make this choice without actually knowing the attacker’s exact move.
In very simple terms, Pareto Optimization can be described as the removal of objectively inferior (dominated) solutions from a solution set. The removal of these objectively inferior solutions means that the security manager is confronted with a smaller set of available options, simplifying the subjective phase of defense strategy selection. The model also gives us a starting point for dynamic goal distribution. Pareto Optimization allows us to define a targeted goal distribution (“network availability/cost” ratio) and choose an optimal decision for that distribution.
The approach allows us to choose an optimal solution for a single attacker–defender interaction. This can be done subjectively by the defender or by means of a ranking algorithm. Eventually, this approach will be incorporated into an interactive game with multiple interactions.
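As an added example (not the paper's own code), the following Python implements the Pareto filtering just described over a constructed set of candidate defense strategies scored on the two objectives the paper names, network availability and defense cost. It gives both a pairwise dominance check, which is the general method for any number of objectives, and a sort-based sweep that works for the two-objective case, and then a ranking step that selects one point on the front for a chosen availability/cost weighting. The candidate names and values and the weighted-sum ranking are assumptions made for illustration.

```python
"""Pareto filtering of candidate defense strategies.

Added example, not the paper's own code. Each strategy is scored on two
zero-sum objectives named in the paper: network availability (higher is
better) and defense cost (lower is better). The candidate list is
constructed sample data, and the weighted-sum ranking is an assumption
used to illustrate choosing a point on the front for a targeted
availability/cost trade-off.
"""
from typing import List, NamedTuple


class Strategy(NamedTuple):
    name: str
    availability: float  # fraction of the network kept reachable, higher is better
    cost: float          # defense expenditure in arbitrary units, lower is better


# Constructed sample candidates (not from the paper).
CANDIDATES: List[Strategy] = [
    Strategy("no_defense", 0.40, 0.0),
    Strategy("patch_servers", 0.70, 20.0),
    Strategy("rate_limit", 0.65, 20.0),       # dominated by patch_servers
    Strategy("ids_only", 0.60, 30.0),         # dominated by patch_servers
    Strategy("patch_all", 0.85, 45.0),
    Strategy("ids_plus_patch", 0.90, 60.0),
    Strategy("full_isolation", 0.90, 80.0),   # dominated by ids_plus_patch
]


def dominates(a: Strategy, b: Strategy) -> bool:
    """a dominates b when it is no worse in every objective and strictly better in one."""
    no_worse = a.availability >= b.availability and a.cost <= b.cost
    strictly_better = a.availability > b.availability or a.cost < b.cost
    return no_worse and strictly_better


def pareto_front_naive(strategies: List[Strategy]) -> List[Strategy]:
    """Pairwise dominance check, O(m * n^2) for n strategies and m objectives.

    Works for any number of objectives and keeps the input order."""
    return [s for s in strategies
            if not any(dominates(other, s) for other in strategies if other is not s)]


def pareto_front_sorted(strategies: List[Strategy]) -> List[Strategy]:
    """Two-objective sweep, O(n log n) from the sort plus one linear pass.

    Sorting by cost ascending (availability descending on cost ties) means a
    strategy is non-dominated exactly when it beats the best availability seen
    among all cheaper-or-equal strategies. Exact duplicates collapse to one
    entry here, whereas the pairwise check keeps both copies."""
    ordered = sorted(strategies, key=lambda s: (s.cost, -s.availability))
    front: List[Strategy] = []
    best_availability = float("-inf")
    for s in ordered:
        if s.availability > best_availability:
            front.append(s)
            best_availability = s.availability
    return front


def choose_for_weight(front: List[Strategy], w_availability: float) -> Strategy:
    """Pick one strategy from the front for a targeted availability/cost trade-off.

    Assumption for this example: objectives are normalized to the front's maxima
    and combined as a weighted sum. w_availability = 1.0 cares only about
    availability, 0.0 only about low cost."""
    if not 0.0 <= w_availability <= 1.0:
        raise ValueError("w_availability must lie in [0, 1]")
    max_avail = max(s.availability for s in front)
    max_cost = max(s.cost for s in front) or 1.0  # guard against all-zero costs

    def score(s: Strategy) -> float:
        return (w_availability * s.availability / max_avail
                - (1.0 - w_availability) * s.cost / max_cost)

    return max(front, key=score)


if __name__ == "__main__":
    front = pareto_front_sorted(CANDIDATES)
    assert [s.name for s in front] == [s.name for s in pareto_front_naive(CANDIDATES)]
    print("Pareto front:", [s.name for s in front])
    for w in (0.0, 0.6, 0.9):
        print(f"availability weight {w:.1f} -> {choose_for_weight(front, w).name}")
```

Of the seven constructed candidates, three are dominated and the front keeps four; the ranking step then returns a different point on that front as the availability weight moves from cost-focused to availability-focused. The two filters match the bounds discussed later in this section: the pairwise check is quadratic in the number of strategies and is the general fallback, while the sort-based sweep is O(n log n) but only applies when there are exactly two objectives.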
It is useful to contrast our approach with similar research. Wu et al. [27] conducted an experiment based on game theory to tackle Denial of Service (DoS) and Distributed Denial of Service (DDoS). They covered both static and dynamic game scenarios for DDoS. Although their model is very similar in many aspects, the major differences are the topology and the objectives of the players. In the game model proposed in our work, the players (both attacker and defender) have multiple objectives. In contrast to the model of Wu et al., we modeled our network as a peer-to-peer network. In addition, in our model the attacker does not have a specific target service provider, since one of its goals is to bring down overall network availability. Studer and Perrig [28] studied an attack pattern similar to DDoS, called the Coremelt attack. The botnets participating in a Coremelt attack flood the network by sending traffic to all the other peers in the network. The authors of Coremelt focused only on proving the success of the attack, not on preventive mechanisms.
One disadvantage of the Pareto Optimization approach is that it is less efficient than alternative solutions to zero-sum games. The best-case complexity is O(n × log(n)) and the worst-case complexity is O(m × n²), for n strategies and m objectives. By contrast, a basic minimax approach would be more efficient, with a worst case of O(m × n).
This paper focuses on determining optimal defense and attack strategies for a multi-objective zero-sum game representation of an attack on a computer network. The study limits itself to computer networks that consist of a fixed number of devices (servers, clients, routers, etc.) connected as a complete graph. The players of the game have several zero-sum objectives, allowing the use of Pareto Optimization to determine the best strategies for the players [29].