Combating Informational Denial-of-Service (IDoS) Attacks: Modeling and Mitigation of Attentional Human Vulnerability

TL;DR

This paper introduces a formal model for IDoS attacks exploiting human attentional vulnerabilities, and develops mitigation strategies using attention management to reduce attack severity and risk.

Contribution

It models IDoS attacks with semi-Markov processes and proposes an adaptive alert highlighting system to mitigate human vulnerability.

Findings

Attention management strategies can significantly reduce IDoS attack severity.

Optimal inattention levels improve human performance and security outcomes.

The proposed framework enables real-time learning and adaptation.

Abstract

This work proposes a new class of proactive attacks called the Informational Denial-of-Service (IDoS) attacks that exploit the attentional human vulnerability. By generating a large volume of feints, IDoS attacks deplete the cognitive resources of human operators to prevent humans from identifying the real attacks hidden among feints. This work aims to formally define IDoS attacks, quantify their consequences, and develop human-assistive security technologies to mitigate the severity level and risks of IDoS attacks. To this end, we use the semi-Markov process to model the sequential arrivals of feints and real attacks with category labels attached in the associated alerts. The assistive technology strategically manages human attention by highlighting selective alerts periodically to prevent the distraction of other alerts. A data-driven approach is applied to evaluate human performance under different Attention Management (AM) strategies. Under a representative special case, we establish the computational equivalency between two dynamic programming representations to reduce the computation complexity and enable online learning with samples of reduced size and zero delays. A case study corroborates the effectiveness of the learning framework. The numerical results illustrate how AM strategies can alleviate the severity level and the risk of IDoS attacks. Furthermore, the results show that the minimum risk is achieved with a proper level of intentional inattention to alerts, which we refer to as the law of rational risk-reduction inattention.