Cyber Hide-And-Seek

This electronic thesis or dissertation has been downloaded from the King’s Research Portal at https://kclpure.kcl.ac.uk/portal/

Cyber Hide-and-Seek

Chapman, Martin David

Awarding institution: King's College London

The copyright of this thesis rests with the author and no quotation from it or information derived from it may be published without proper acknowledgement.

END USER LICENCE AGREEMENT

Unless another licence is stated on the immediately following page this work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International licence. https://creativecommons.org/licenses/by-nc-nd/4.0/

You are free to copy, distribute and transmit the work

Under the following conditions:

  • Attribution: You must attribute the work in the manner specified by the author (but not in any way that suggests that they endorse you or your use of the work).
  • Non Commercial: You may not use this work for commercial purposes.
  • No Derivative Works - You may not alter, transform, or build upon this work.

Any of these conditions can be waived if you receive permission from the author. Your fair dealings and other rights are in no way affected by the above.

Take down policy

If you believe that this document breaches copyright please contact [email protected] providing details, and we will remove access to the work immediately and investigate your claim.

Download date: 27. Sep. 2021

Cyber Hide-and-Seek

by Martin Chapman

A thesis submitted in partial fulfillment for the degree of Doctor of Philosophy
in the Faculty of Natural & Mathematical Sciences
Department of Informatics

May 2016

[On the process of completing a Ph.D.] ... this experience has taught me that research in formal, mathematical subjects is like doing a jigsaw puzzle. However, it is a puzzle where you don’t know in advance the picture you are trying to create – or at best have only the vaguest idea of what the picture may be – and where you have to find or build the jigsaw pieces yourself as you go along.
Moreover, once the jigsaw is completed it may reveal that there was no picture there at all! Working diligently in the face of such uncertainty, I have found, requires a great deal of faith and not a little courage.

Professor Peter McBurney

KING’S COLLEGE LONDON

Abstract

Faculty of Natural & Mathematical Sciences
Department of Informatics

Doctor of Philosophy

by Martin Chapman

This thesis proposes to model a network attack as a game of hide-and-seek between an attacker and a defender. In the game of hide-and-seek, one player, the hider, conceals a set of objects on the nodes of a network, and a seeker must locate them by taking into account how the hider has concealed them. In a network attack, an attacker regularly leverages a subset of hosts in a legitimate network (e.g. creating bots in a peer-to-peer (P2P) network) to work on their behalf in order to attack a network. These nodes must be found, and blocked, if a defender is to protect their network. In both these cases, the task of the seeker and the task of the defender are the same: to not only search the graph, but to also understand how the opponent has actively concealed the objects sought. A seeker and a defender can therefore be considered interchangeably. Under this framing, the seeker is a benign entity, but the versatility of the hide-and-seek model also allows us to consider the case in which a seeker is an attacker (e.g. an intruder in a network). In both cases, solutions for the hide-and-seek game can provide recommendations for how a defender should act in order to protect their network. However, current hide-and-seek game models avoid incorporating parameters that may increase the complexity of the game. We argue that these same parameters – an arbitrary network topology, and multiple player interactions, among others – must be included in order to accurately capture the dynamics of a network attack.
We therefore present a new hide-and-seek game model, which is designed to include these parameters. We define this model conceptually, before using it to implement a simulation platform. This platform supports both the development of strategies, and an estimation of their payoffs. Using these estimations, we are able to solve the game of hide-and-seek, under various configurations, and thus provide the aforementioned recommendations for how to play the game and how to act during, or in preparation for, a network attack.

Acknowledgements

Part of this work was originally inspired by various discussions with Dr. Thomas Lidbetter (London School of Economics, UK). I am thankful to him for his openness in both discussing and sharing his work.

My foremost thanks go to my supervisor, Professor Peter McBurney. In the short space afforded to me here, it is impossible to describe just how much Peter has done for my academic career. It suffices to say that Peter is a fantastic mentor and, above all, a friend, and I hope we are able to collaborate for many years to come.

My second thanks go to Professor Michael Luck. I have not had a single meeting with Michael that I have not come away from with some new tool or way of working. His natural ability to understand both a person’s work, and a person’s way of working, has helped me immensely during my studies.

Some of the more formal elements of this work I could not have completed without the help and guidance of Dr. Christopher Hampson. Chris’s knowledge of mathematics is formidable, and he has acted as an honorary third supervisor in this respect.

I would like to especially thank the following people: Professor Carles Sierra, IIIA-CSIC, Spain; Dr. Jose Such, Lancaster University, UK; Dr. Gareth Tyson, Queen Mary University, UK; Dr. Elizabeth Sklar, King’s College London, UK; Professor Simon Parsons, King’s College London, UK; Dr. Steve Phelps, King’s College London, UK; and Dr. Hana Chockler, King’s College London, UK.

My remaining (non-exhaustive) list of acknowledgements are as follows: Sarvar Abdullaev, King’s College London, UK; Josef Bajada, King’s College London, UK; Dr. Elizabeth Black, King’s College London, UK; Lukas Diekmann, King’s College London, UK; Dr. Elliot Fairweather, King’s College London, UK; Chipp Jansen, King’s College London, UK; Dr. Michael Kaisers, Centrum Wiskunde & Informatica, Amsterdam; Valeri Katerinchuk, King’s College London, UK; Pascal Kesseli, The University of Oxford, UK; Dr. Lela Koulouri, King’s College London, UK; Dr. Samhar Mahmoud, King’s College London, UK; Brendan Michael, King’s College London, UK; Dr. Simon Miles, King’s College London, UK; Gareth Muirhead, King’s College London, UK; Professor Michal Pechouchek, Czech Technical University, Prague; Dr. Thomas Ridd, King’s College London, UK; Dr. Edward Robinson, Incisively Limited, UK; Dr. Matthew Shaw, Credit Suisse, Hong Kong; Dr. Pier-Giovanni Taranti, CASNAV, Brazil; Dr. Michael Tauschnig, Queen Mary University, UK; Dr. Laurie Tratt, King’s College London, UK.

Finally, thank you to my parents, Arthur and Susanne; my sister, Rebecca; Callum, Sofia and Alice.

Contents

Abstract
Acknowledgements
List of Tables
List of Figures
Symbols

1 Introduction
  1.1 Game Theory and Security
  1.2 Hide-and-seek games
  1.3 Contributions
    1.3.1 Publication

2 Literature Review
  2.1 Network Attacks
    2.1.1 Multiple Node Attacks
      2.1.1.1 DDoS and Botnets
      2.1.1.2 Attack Pivoting
    2.1.2 Summary
  2.2 Game Theory
    2.2.1 Normal-form Game
    2.2.2 Payoff Matrix
    2.2.3 Extensive-Form Games
      2.2.3.1 Information Sets
      2.2.3.2 Repeated Games
    2.2.4 Bayesian Games
    2.2.5 A Pure and a Mixed Strategy
    2.2.6 Solution Concept
      2.2.6.1 Strategy Dominance
      2.2.6.2 Nash equilibrium
      2.2.6.3 Subgame Perfect Nash Equilibrium and Backwards Induction
      2.2.6.4 Bayesian Nash Equilibrium
      2.2.6.5 Perfect Bayesian Equilibrium
    2.2.7 Zero-Sum Games
      2.2.7.1 Minimax strategy
  2.3 Network security games
    2.3.1 Simultaneous Games
      2.3.1.1 Complete Information
      2.3.1.2 Incomplete and Imperfect Information
    2.3.2 Sequential Games
      2.3.2.1 Complete Information
      2.3.2.2 Incomplete and Imperfect Information
    2.3.3 Other Games
    2.3.4 Empirical Game Theoretic Analysis
    2.3.5 Summary and Conclusions
  2.4 Two-Sided Search Problems
  2.5 Search Games
    2.5.1 A simple search game
    2.5.2 Game Variants
      2.5.2.1 Search Space
      2.5.2.2 Player Movement
      2.5.2.3 Hider Location
      2.5.2.4 Number of players
      2.5.2.5 Knowledge of the search space
    2.5.3 Prominent Strategies
      2.5.3.1 Randomised Euler and Chinese Postman Tour
      2.5.3.2 Minimal Reversible Expanding Search
      2.5.3.3 Search for k balls in n boxes
      2.5.3.4 Randomised Tarry Algorithm
    2.5.4 Summary and Conclusions
  2.6 Summary

3 Game Model
  3.1 Motivation and Research Questions
  3.2 Conceptual Model
    3.2.1 Search Space
