Once a critical mass of action and deception design patterns has been implemented, the implementations may be used in an active cyber deception system. We developed a game theory model for actively deceiving targeted users. The formal “cyber deception game” is based on long-standing concepts from economics in which two or more players in a game execute strategies to their respective benefit. The game model consists of two players: the defender and the attacker. The software protection system is the defender and the intruding adversary is the attacker. The game model will be asymmetric in that the two players will not have access to the same information about the end node. The defender will have much more information about the end node state, but both players will have incomplete knowledge.3The asymmetry arises from the defender being aware of the attacker and the attacker’s moves. The attacker will have little or no awareness of the defender moves since most of the defender moves may be executed in ways hidden from the attacker.
3For the defender to have complete knowledge requires an impractical number and placement of sensors and actuators spread throughout the end node.
The deception game design is modeled as a dynamic, or extensive, game in which there are many stages of the game. Moves are not strictly by turn, but may be simultaneous and sequential by each player. Moves by both players will be repeated as long as the defender chooses to continue the deception. To conclude the game, the defender may choose at any time to remove the attacker from the end node through deletion of all attacker network sessions, processes, user accounts, and files installed on the end node. The “solution” to the deception game, therefore, is a mixed strategy that is always under the control of the defender.
The goals of each player are included in the game design. For the defender, the anticipated goals are to continue the deception game as long as necessary and to collect information about the attacker and attack methods. For the attacker, the goal may be to establish an APT. Examples of intermediate attacker goals to establish an APT include the aforementioned reconnaissance, escalation of privilege, and malware installation. These goals will be associated with the attack vectors specified in the ontology.
For each player goal, we quantitatively modeled the expected payoff as a utility function. The utility functions add to or deduct from a cumulative score according to the objectives and overall payoff of achieving the goal. Thus, an important part of the game design was to determine the utility functions used by the defender and the attacker. For this, we developed attack graphs, which may or may not include loops.
Without loops, the attack graphs may be viewed as attack trees for achieving the overall goals of the attacker. The root of the tree is the overall goal of the attacker, which is a successful breach of the end node security. In this way, attacker moves can be anticipated and deception used to prevent achievement of the overall goal.
Ideally, the defender remains at least one step ahead of the attacker for all potential attacker moves.
Decisions by the defender use the game model, the defender and attacker utility functions, and a Competitive Markov Decision Process (CMDP). CMDP is a classic framework for making decisions in an asymmetric game as designed. Via CMDP, we analyzed the attacker’s potential strategies and moves. The most likely attacker moves were prioritized and decisions with predecessor moves were made using the catalog of moves for the defender and the attack vectors for the attacker.
We implemented a deception game to secure and defend end nodes. The end nodes considered were Linux based and four candidate attacks were developed for analysis:
1. Data exfiltration,
2. Creating a persistent presence, 3. Remote control exploit, and 4. Denial of service.
The remote control exploit, where an end node is placed under the control of a user from across the network, was selected for further consideration because it can be a superset of the other three candidate attacks. Developing and solving a model for the remote control exploit game provided enough information to model the other attacks.
Execute initial instruction
Escalate privilege
Create exploitation environment
Establish remote connection Wait for
instruction
Exfiltrate results
Execute instruction Receive
instruction
Fig. 1 Remote control attack graph
An attack graph, modeling each step of a remote control exploit and shown in Fig.1, was created from root-kit reference literature. The purpose of the attack is to allow a remote user to take control of an end node by enabling the user to remotely execute instructions on that node. Once a connection is established on a victim node, an attacker can continually execute the process of sending and executing instructions.
A number of exploit techniques can be used at each step in the graph. The Mitre Common Vulnerabilities Enumeration (CVE) database was used to accumulate a list of vulnerabilities for each technique. These vulnerabilities and exploits for the vulnerabilities are listed in Table1. Exploits were found using Metasploit and root-kit references. These resources provided tested and verified techniques for exploits which accelerated prototype implementation.
Table1Linuxvulnerabilities,exploits,andscoring RemotecontrolexecutionVulnerabilitiesExploitCVSSrating Executeinitialinstructions TCP/IPportaccepting connectionsCVE-2007-5244CVE-2016-0273Openmarkerfile9.37.5 USBdeviceCVE-2011-0640CVE-2006-68816.97.5 Wirelessconnectors/driversCVE-2006-6332CVE-2008-4395CVE-2008-5134Madwifi.overflow7.58.310.0 BuffetoverflowCVE-2009-0065CVE-2006-3705CVE-2002-1522SCTPexploit10.07.55.0 StackCVE-2011-0404CVE-200S-1099CVE-2007-5243CVE-2011-0495NetsupportGLD bufferoverflow ***INET_connect
7.510.09.36.0 HeapCVE-2011-4913CVE-2011-2497CVE-2011-14937.88.37.5 FunctionpointerCVE-2008-00092.1 Returnoriented programmingCVE-2005-1768CVE-2004-10703.77.2 PrintfCVE-2009-0689CVE-2008-1391CVE-2003-09696.87.57.5 InjectionattacksCVE-2011-0923CVE-2009-2946CVE-2007-1974HPdataprotector EXEC_CMD10.09.37.5 Networksessionhijacking Man-inthe-middleCVE-2011-3188CVE-2002-19767.82.1 NetworkspoofingCVE-2007-3843CVE-2010-46484.33.3 (continued)
Table1(continued) RemotecontrolexecutionVulnerabilitiesExploitCVSSrating Virus,malwareCVE-2000-0917CVE-2006-4326CVE-2006-6408Formatstring10.070.55.0 Phishing,socialengineeringCVE-2012-3976CVE-2010-2654CVE-2007-1970CVE-2007-17965.85.85.05.0 EscalateprivilegesCVE-2010-3081CVE-2008-42587.26.2 Modifyingofexploiting uninitializedCVE-2009-2692CVE-2008-0600Socketsendpage7.27.2 KernelstackCVE-2011-2319CVE-2011-4062CVE-2011-25174.37.27.2 KernelheapCVE-2011-1759CVE-2011-1477CVE-2011-10176.24.67.2 Interprocess communicationspathwaysCVE-2009-1185CVE-2011-2517CVE-2009-2698Udevnetlink7.27.27.2 DrivevulnerabilitiesCVE-2008-2812CVE-2011-2211CVE-2009-30437.27.24.9 TrojanCVE-2008-2040CVE-2010-31827.26.9 Establishconnectionto remote Forkprocessonport,create pipetoshellInteractconnection portinline OpennetworkconnectionCVE-2003-0019ReverseTCPblind TCP7.2 NowuseraccountCVE-2008-4210AdduserUIDO4.6