8.3. Predicting Attacker Behavior

To compute the expected attacker behavior, in terms of attack probabilities as part of the transition rates between states in a CTMC (see Section 8.2.2), one needs to consider the underlying reasons why attacks occur in the first place. One of the most crucial factors in the analysis of attacker behavior is motivation. In Project [28], six major factors that motivate an attacker’s choices of action are identified:

  1. Financial gain is the main source of motivation for actions such as credit card theft, blackmailing, or extraction of confidential information.

  2. Entertainment can be the cause of hacking web sites or rerouting Internet browser requests.

  3. The motive of ego is the satisfaction and rise in self-esteem that comes from overcoming technical difficulties or finding innovative solutions.

  4. Cause, or ideology, can be based on culture, religion, or social issues, and in Project [28], it is pointed out that it is likely to increase as a motivation factor in the future.

  5. For some attackers, entrance to a social group of hackers can be the driving force behind writing a particular exploit, or breaking into a particularly strong computer security defense.

  6. Status is probably the most powerful motivation factor, and is currently motivating many of today’s computer or network system intrusions.

On the other hand, a number of factors may reduce the attacker’s motivation and make them refrain from certain attack actions. In our modeling framework, we include the aspect that attackers may be risk averse. For example, students with a user account at a university will put their enrollment status at risk if they use their insider privileges to abuse their local computer network. The gain from a successful break-in into the university file server may be smaller than the possible consequences if the intrusion is detected by the system administrators. As another example, the illegal aspect of actions (criminal offense) may prevent even remote attackers from using available tools to exploit vulnerabilities in corporate networks. To predict attacker behavior, in terms of attack probabilities for a stochastic model, both the underlying motivation factors and the possible deterrent aspects need to be carefully considered.

8.3.1. Reward and Cost Concept

To model the attacker’s motivation in a situation with a realistic risk awareness, we make use of a reward and cost concept. In our model, an attacker accumulates reward during the events of an attack. Whenever an attacker performs an attack action, he or she receives an immediate reward. Furthermore, if the action succeeds, an additional reward may be gained. This is modeled in terms of expected future rewards, which reflect the ability to continue the attack. An attack action can be considered successful if the action causes an undesirable transformation of the current system state. The transition probabilities between states will, therefore, be an important aspect of the expected reward when an attacker decides what action to take. To model the possible consequences experienced by risk-averse attackers, a negative reward, or cost, is used to quantify the impact on an attacker when an attack action is detected and reacted to.

Both reward and cost are generic concepts that can be used to quantify the consequences of actions both in terms of abstract values, such as social status and satisfaction versus disrespect and disappointment, and in terms of real values, such as financial gain and loss. For instance, in Lye and Wing [14], the reward of a successful attack action is the expected amount of recovery effort required from a system administrator, and in Liu and Zang [13], the reward is the degree of bandwidth occupied by a Distributed Denial of Service (DDoS) attack. In contrast to Lye and Wing [14] and Liu and Zang [13], we use the cost values in the game model to represent the fact that risk-averse attackers may sometimes refrain from certain attack actions due to the possible consequences of detection. In this chapter, the term “outcome” will be used to represent a consequence value, which can be either a reward or a cost. Note that the outcome values themselves are not important; it is their size relative to each other that will affect the expected attacker behavior. This topic will be discussed further in Section 8.5.

8.3.2. Modeling Interactions as a Game

In order to create a generic and sound framework for computing the expected attacker behavior in terms of attack probabilities, this chapter applies game theory as the mathematical tool. Each atomic attack action, which may cause a transition of the current system state, is regarded as an action in a game where an attacker’s choice of action is based on a consideration of the possible consequences. The interactions between the attackers and the systems can then be modeled as a game, as illustrated in Figure 8.5.

Figure 8.5. The interactions between an attacker and a system modeled as a game.


As can be seen, aspects that are included in the game are the detection probabilities of attack actions, operational activities that may affect the current system state, random software and hardware failures that may occur, and of course the outcome (reward and cost values) associated with the available attack actions (not depicted in Figure 8.5). In this chapter, attackers are assumed to be rational, which, in a game theoretic context, means that they seek to maximize their own reward from attacks and, consequently, to minimize the cost associated with attacks.

8.3.3. Stochastic Game Model

In the context of attack prediction for evaluating security and dependability, the game is played by an attacker versus a system. In fact, the attacker’s real counterplayer in the game is the system’s IDS mechanisms, for simplicity referred to as “the system” hereafter. In this chapter, we use a two-player, zero-sum stochastic game to compute the expected attacker behavior, in terms of a set of attack probability vectors π = {πi}. Even though in real life there may be numerous attackers attacking the system simultaneously and independently of each other, a two-player game model is sufficient to predict their individual behavior, provided that they possess similar motives and skills. In contrast to previous research in the field of network security and game theory (see Section 8.1.1), we view the game entirely from an attacker’s perspective. The purpose of our game model is to predict the behavior of attackers and not to perform any cost-benefit optimization of system defense strategies. Therefore, we assume that the set of system IDS mechanisms is fixed and does not change over time. Since the game is zero-sum, one player’s gain will be the other player’s loss. Hence, we do not need to specify separate outcome values for the system itself, as was done in Lye and Wing [14] and Alpcan and Basar [12]; it is sufficient to assign outcome values to the attacker. The main benefit of our approach is that it does not assume that the attackers know the system outcome values. It also reduces the number of parameters that have to be assessed in the system evaluation model.

Formally, the game we use is a tuple (Γ, A, D, γ, p), where Γ = {Γi} is a state set, A = {a} and D = {d} are action sets, γ: Γ × A × D → ℝ is an outcome function, and p: Γ × A × D × Γ → [0,1] is a state transition probability function. To obtain the attack probabilities, a five-step procedure can be used:

  1. Identify the game elements.

  2. Construct the action sets.

  3. Assign the outcome values.

  4. Compute the transition probabilities.

  5. Solve the game.

These steps will be explained in detail in Section 8.4.
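The following added example (not the chapter's own code) works through the reward and cost concept of Section 8.3.1 and the five-step procedure above on a constructed two-state game: the game elements, action sets, outcome values and transition probabilities are assumptions made up for illustration, and the game is solved by Shapley value iteration with an assumed discount factor, so that the expected future reward of continuing the attack enters each state's matrix game.

```python
def solve_2x2(M):
    """Value and attacker mixed strategy of a 2x2 zero-sum matrix game.
    Rows = attacker actions (maximizer), columns = system actions (minimizer)."""
    (a, b), (c, d) = M
    row_mins = [min(a, b), min(c, d)]
    col_maxs = [max(a, c), max(b, d)]
    if max(row_mins) == min(col_maxs):           # pure saddle point exists
        i = 0 if row_mins[0] >= row_mins[1] else 1
        return max(row_mins), [1.0 - i, float(i)]
    denom = a - b - c + d                        # no saddle point: equalise columns
    x = (d - c) / denom
    return (a * d - b * c) / denom, [x, 1.0 - x]

# Constructed game elements (steps 1-4): state set Gamma, action sets A and D,
# outcome function gamma and transition probabilities p. All values are assumed.
STATES = ["normal", "compromised"]                # "compromised" is absorbing
A = ["exploit", "probe"]                          # attacker actions
D = ["ignore", "respond"]                         # system (IDS) reactions
# gamma(s, a, d): attacker reward (>0) or cost (<0). Zero-sum: a wasted response
# is the system's loss and therefore counts as the attacker's gain.
OUTCOME = {("normal", "exploit", "ignore"): 10.0,   # break-in succeeds
           ("normal", "exploit", "respond"): -20.0, # detected and reacted to
           ("normal", "probe", "ignore"): 0.0,
           ("normal", "probe", "respond"): 3.0}     # false alarm, wasted effort

def gamma(s, a, d):
    return OUTCOME.get((s, a, d), 0.0)            # nothing left to gain once compromised

def p(s, a, d, t):
    """Transition probability: only an unanswered exploit changes the state."""
    if s == "normal" and a == "exploit" and d == "ignore":
        return 1.0 if t == "compromised" else 0.0
    return 1.0 if t == s else 0.0

def solve_game(states, acts_a, acts_d, gamma, p, discount=0.9, iters=300):
    """Step 5, Shapley value iteration: solve the matrix game in every state, with
    the discounted value of successor states as the expected future reward.
    (The discount factor is an assumption of this example.)
    Returns (state values, attack probability vectors pi = {pi_i})."""
    v = {s: 0.0 for s in states}
    for _ in range(iters):
        new_v, pi = {}, {}
        for s in states:
            M = [[gamma(s, a, d) + discount * sum(p(s, a, d, t) * v[t] for t in states)
                  for d in acts_d] for a in acts_a]
            new_v[s], pi[s] = solve_2x2(M)
        v = new_v
    return v, pi
```

With these outcome values the attacker in the "normal" state mixes, exploiting only about 11% of the time; raising the cost of detection or lowering the break-in reward shifts that probability, which is the relative-size effect noted in Section 8.3.1.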
