Synthesis of Proactive Sensor Placement In Probabilistic Attack Graphs
Lening Li, Haoxiang Ma, Shuo Han, Jie Fu

TL;DR
This paper presents an optimization approach for deploying sensors in systems with moving target defenses to maximize attack detection, considering both observable and stealthy sensors against multi-stage cyberattacks.
Contribution
It introduces a two-step optimization method for sensor allocation in probabilistic attack graphs under moving target defense scenarios, accounting for attacker responses.
Findings
Optimized sensor placement improves attack detection rates.
Stealthy sensors significantly reduce attacker success probability.
Method validated with a cyber defense example.
Abstract
This paper studies the deployment of joint moving target defense (MTD) and deception against multi-stage cyberattacks. Given the system equipped with MTD that randomizes between different configurations, we investigate how to allocate a bounded number of sensors in each configuration to optimize the attack detection rate before the attacker achieves its objective. Specifically, two types of sensors are considered: intrusion detectors that are observable by the attacker and stealthy sensors that are not observable to the attacker. We propose a two-step optimization-based approach for allocating intrusion detectors and stealthy sensors: Firstly, the defender allocates intrusion detectors assuming the attacker will best respond to evade detection by intrusion detectors. Secondly, the defender will allocate stealthy sensors, given the best response attack strategy computed in the first…
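A toy version of the two-step allocation the abstract describes, added here as an illustration and not taken from the paper: it brute-forces placements on a small constructed attack graph rather than using the authors' optimization formulation. Assumptions: the MTD configuration is drawn once per attack, a sensor on a host detects the attacker on entry, the graph is acyclic, and every name and probability below (CONFIGS, s0, h1 to h3, goal) is made up.

```python
from itertools import combinations

# Constructed data. graph[state][action] = [(next_state, prob), ...]; any
# probability mass not listed means the attack step fails and the attack ends.
CONFIGS = {  # MTD configuration -> (probability it is active, attack graph)
    "c1": (0.6, {"s0": {"a": [("h1", 0.5), ("h2", 0.5)], "b": [("h3", 1.0)]},
                 "h1": {"a": [("goal", 0.9)]}, "h2": {"a": [("goal", 0.8)]},
                 "h3": {"a": [("goal", 1.0)]}}),
    "c2": (0.4, {"s0": {"a": [("h1", 1.0)], "b": [("h3", 1.0)]},
                 "h1": {"a": [("goal", 0.7)]}, "h3": {"a": [("goal", 0.5)]}}),
}

def best_response(graph, detectors):
    """Attacker sees the detectors and maximizes P(reach goal undetected)."""
    value, policy = {"goal": 1.0}, {}
    def v(s):
        if s in detectors:
            return 0.0          # entering a monitored state ends the attack
        if s not in value:
            scores = {a: sum(p * v(n) for n, p in outs)
                      for a, outs in graph[s].items()}
            policy[s], value[s] = max(scores.items(), key=lambda kv: kv[1])
        return value[s]
    return v("s0"), policy

def success_prob(graph, policy, sensors, s="s0"):
    """P(reach goal) when the attacker follows a fixed policy."""
    if s == "goal" or s in sensors:
        return 1.0 if s == "goal" else 0.0
    return sum(p * success_prob(graph, policy, sensors, n)
               for n, p in graph[s][policy[s]])

def allocate(graph, k_det, k_stealth):
    hosts = sorted(set(graph) - {"s0"})
    # Step 1: observable detectors, attacker best-responds to each placement.
    dets = min(combinations(hosts, k_det),
               key=lambda d: best_response(graph, set(d))[0])
    val, policy = best_response(graph, set(dets))
    # Step 2: stealthy sensors against the now-fixed step-1 attack policy.
    free = [h for h in hosts if h not in dets]
    stealth = min(combinations(free, k_stealth),
                  key=lambda s: success_prob(graph, policy, set(dets) | set(s)))
    return dets, stealth, val, success_prob(graph, policy, set(dets) | set(stealth))

def evaluate(k_det=1, k_stealth=1):
    """Expected attacker success over MTD configurations, before/after step 2."""
    res = {c: allocate(g, k_det, k_stealth) for c, (_, g) in CONFIGS.items()}
    total = lambda i: sum(CONFIGS[c][0] * r[i] for c, r in res.items())
    return res, total(2), total(3)
```

On this constructed data, evaluate() returns the per-configuration placements plus the expected attacker success with detectors only and with stealthy sensors added, so the effect of the second step can be read off directly.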
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Smart Grid Security and Resilience
