Game Strategies in Network Security


Kong-wei Lye^1, Jeannette Wing^2
May 2002
CMU-CS-02-136

School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213

An extended abstract based on this report was submitted to the Foundations of Computer Security 2002, Copenhagen, Denmark.

Abstract

This paper presents a game-theoretic method for analyzing the security of computer networks. We view the interactions between an attacker and the administrator as a two-player stochastic game and construct a model for the game. Using a non-linear program, we compute the Nash equilibrium or best-response strategies for the players (attacker and administrator). We then explain why the strategies are realistic and how administrators can use these results to enhance the security of their network.

^1 Department of Electrical and Computer Engineering.
^2 Computer Science Department.

This research is sponsored in part by the Defense Advanced Research Projects Agency and the Army Research Office (ARO) under contract no. DAAD19-01-1-0485. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the DOD, ARO, or the U.S. Government.

Keywords: stochastic games, non-linear programming, network security

1 Introduction

Government agencies, schools, retailers, banks and a growing number of goods and service providers today all use the Internet as their integral way of conducting daily business. Individuals, good or bad, can also easily connect to the Internet. Due to the ubiquity of the Internet, computer security has now become more important than ever to organizations such as governments, banks, and businesses. Security specialists have long been interested in knowing what an intruder can do to a computer network, and what can be done to prevent or counteract attacks.
In this paper, we describe how game theory can be used to find strategies for both an attacker and the administrator. We illustrate our approach with an example (Figure 1) of a local network connected to the Internet and consider the interactions between them as a general-sum stochastic game. In Section 2, we introduce the formal model for stochastic games and relate the elements of this model to those in our network example. In Section 3, we explain the concept of a Nash equilibrium for stochastic games and explain what it means to the attacker and administrator. Then, in Section 4, we describe three possible attack scenarios for our network example. In these scenarios, an attacker on the Internet attempts to deface the homepage on the public web server on the network, launch an internal denial-of-service attack, and capture some important data from a workstation on the network. We compute the Nash equilibrium strategies (best responses) for the attacker and administrator using a non-linear program; we explain this solution for our example in Section 5. We discuss the implications of our approach in Section 6 and compare our work with previous work in the literature in Section 7. Finally, we summarize our results and point to directions for future work in Section 8.

[Figure 1: A Network Example. Labels: Attacker, Internet, Border router, Firewall, Public web server, Private file server, Private workstation.]

2 Networks as Stochastic Games

In this section, we first introduce the formal model of a stochastic game. We then use this model for our network attack example and explain how the state set, action sets, cost/reward functions and transition probabilities can be defined or derived.

Formally, a two-player stochastic game is a tuple $(S, A^1, A^2, Q, R^1, R^2,\ )$ where $S = \{\,{}_1, \ldots, {}_N\,\}$ is the state set and $A^k = \{\,{}_1, \ldots, {}_{M^k}\,\}$, $k = 1, 2$, $M^k = |A^k|$, is the action set of player $k$.
The action set for player $k$ at state $s$ is a subset of $A^k$, i.e., $A^k_s \subseteq A^k$ and $\bigcup_{i=1}^{N} A^k_{{}_i} = A^k$. $Q : S \times A^1 \times A^2 \times S \to [0, 1]$ is the state transition function. $R^k : S \times A^1 \times A^2 \to \Re$, $k = 1, 2$, is the reward function of player $k$. 0 < 1 is a discount factor for discounting future rewards, i.e., at the current state, a state transition has a reward worth its full value, but the reward for the transition from the next state is worth times its value at the current state.

The game is played as follows: at a discrete time instant $t$, the game is in state $s_t \in S$. Player 1 chooses an action $a^1_t$ from $A^1$ and player 2 chooses an action $a^2_t$ from $A^2$. Player 1 then receives a reward $r^1_t = R^1(s_t, a^1_t, a^2_t)$ and player 2 receives a reward $r^2_t = R^2(s_t, a^1_t, a^2_t)$. The game then moves to a new state $s_{t+1}$ with conditional probability $\mathrm{Prob}(s_{t+1} \mid s_t, a^1_t, a^2_t)$ equal to $Q(s_t, a^1_t, a^2_t, s_{t+1})$. In our example, we provide two views of the game: the attacker's view (Figure 3) and the administrator's view (Figure 4). These figures will be described in detail later in Section 4.

2.1 Network state

In general, the state of the network can contain various kinds of information or features such as type of hardware, software, connectivity, user privileges, etc. Using more features in the state allows us to represent the network better, but often makes the analysis more complex and difficult. We can view the network example as a graph (Figure 2). A node in the graph is a physical entity such as a workstation or router. We model the external world as a single computer (node E) and represent the web server, file server and workstation by nodes W, F and N, respectively. An edge in the graph represents a direct communication path (physical or virtual). For example, the external computer (node E) has direct access to only the public web server (node W).

Instantiating our game model, we let a superstate $\langle n_W, n_F, n_N, t \rangle \in S$ be the state of the network.
$n_W$, $n_F$ and $n_N$ are the node states for the web server, file server and workstation respectively, and $t$ is a traffic state for the whole network. Each node $X$ (where $X \in \{E, W, F, N\}$) has a node state $n_X = \langle P, a, d \rangle$ to represent information about hardware and software configurations. $P \subseteq \{f, h, n, p, s, v\}$ is a list of software applications running on the node. We let $f$, $h$, $n$, and $p$ denote ftpd, httpd, nfsd and some user process respectively; for malicious codes, $s$ and $v$ represent sniffer programs and viruses respectively. $a \in \{u, c\}$ is a variable used to represent the state of the user accounts. $u$ represents normal user accounts and $c$ means some user account has been compromised. We use the variable $d \in \{c, i\}$ to represent the state of the data on the node. $c$ and $i$ mean the data has and has not been corrupted or stolen respectively. For example, if $n_W = \langle (f, h, s), c, i \rangle$, it means the web server is running an ftpd and an httpd; a sniffer program has been implanted; and a user account has been compromised but no data has been corrupted or stolen yet.

The traffic information for the whole network is captured in a traffic state $t = \langle \{l_{XY}\} \rangle$ where $X$ and $Y$ are nodes and $l_{XY} \in \{0, \tfrac{1}{3}, \tfrac{2}{3}, 1\}$ indicates the load carried on this link. A value of 1 indicates maximum capacity. For example, in a 10Base-T connection, the values $0$, $\tfrac{1}{3}$, $\tfrac{2}{3}$ and $1$ represent 0Mbps, 3.3Mbps, 6.7Mbps and 10Mbps respectively. In our example, the traffic state is $t = \langle l_{EW}, l_{WF}, l_{FN}, l_{NW} \rangle$. We let $t = \langle \tfrac{1}{3}, \tfrac{1}{3}, \tfrac{1}{3}, \tfrac{1}{3} \rangle$ for normal traffic conditions.

The potential state space for our network example is very large but we shall discuss how to handle this problem in Section 6. The full state space in our example has a size of $|n_W| \times |n_F| \times |n_N| \times |t| = (63 \times 2 \times 2)^3 \times 4^4 \approx 4$ billion states but there are only 18 states (fifteen in Figure 3 and three additional ones in Figure 4) relevant to our illustration here.
In these figures, each state is represented using a box with a symbolic state name and the values of the state variables. For convenience, we shall mostly refer to the states using their symbolic state names.

Footnote 1: We use the term "reward" in general here; in later sections, positive values are rewards and negative values are costs.

[Figure 2: Network State. Nodes E, W, F and N; links l_EW, l_WF, l_FN and l_NW.]

2.2 Actions

An action pair (one from the attacker and one from the administrator) causes the system to move from one state to another in a probabilistic manner.
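
Added example (not part of the report): the Python sketch below checks the state-space size from Section 2.1 and then evaluates the expected discounted reward of both players under fixed stationary strategies, following the play rule of Section 2. The three states, the action names, the transition probabilities in Q, the rewards in R and the discount of 0.9 are all constructed for illustration and are not the report's values.

```python
from itertools import product

APPS = "fhnpsv"  # f=ftpd, h=httpd, n=nfsd, p=user process, s=sniffer, v=virus

def state_space_size():
    """|n_W| x |n_F| x |n_N| x |t| for the report's node and traffic encoding."""
    node = (2 ** len(APPS) - 1) * 2 * 2   # 63 app sets (read here as non-empty), a, d
    return node ** 3 * 4 ** 4             # three nodes; four links with four load levels

# Everything below is constructed for illustration: states, actions, Q, R, discount.
STATES = ("normal", "attacked", "defaced")
A1 = ("attack", "wait")     # player 1, the attacker
A2 = ("restore", "wait")    # player 2, the administrator

def Q(s, a1, a2):
    """State transition function: {next_state: probability} for one action pair."""
    if a2 == "restore" and s != "normal":
        return {"normal": 0.8, s: 0.2}
    if a1 == "attack" and s == "normal":
        return {"attacked": 0.5, "normal": 0.5}
    if a1 == "attack" and s == "attacked":
        return {"defaced": 0.5, "attacked": 0.5}
    return {s: 1.0}

def R(s, a1, a2):
    """Rewards (r1, r2): positive values are rewards, negative values are costs."""
    r1 = 10.0 if s == "defaced" and a2 == "wait" else 0.0
    return r1, -r1 - (1.0 if a2 == "restore" else 0.0)

def pure(actions, choose):
    """Stationary strategy that plays choose(s) with probability 1 in state s."""
    return {s: {a: float(a == choose(s)) for a in actions} for s in STATES}

def discounted_values(pi1, pi2, discount=0.9, sweeps=500):
    """Expected discounted reward (v1, v2) per start state for strategies pi1, pi2."""
    v = {s: (0.0, 0.0) for s in STATES}
    for _ in range(sweeps):                      # fixed-point iteration; needs discount < 1
        nxt = {}
        for s in STATES:
            tot = [0.0, 0.0]
            for a1, a2 in product(A1, A2):
                w = pi1[s][a1] * pi2[s][a2]      # probability of this action pair
                r, q = R(s, a1, a2), Q(s, a1, a2)
                for k in (0, 1):
                    future = sum(p * v[n][k] for n, p in q.items())
                    tot[k] += w * (r[k] + discount * future)
            nxt[s] = tuple(tot)
        v = nxt
    return v

ATTACK = pure(A1, lambda s: "attack")
NEVER = pure(A2, lambda s: "wait")
TARGETED = pure(A2, lambda s: "restore" if s == "defaced" else "wait")
```

Comparing discounted_values(ATTACK, NEVER) with discounted_values(ATTACK, TARGETED) shows how an administrator strategy changes the administrator's expected cost from the "normal" state in this constructed game.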
