Partially-Observable Security Games for Automating Attack-Defense Analysis

TL;DR

This paper introduces a stochastic game-theoretic method for analyzing and automating defense strategies in network security, especially under partial observation of attacker activities, using a transformed perfect game approach.

Contribution

It proposes a novel partial observation security game model and a transformation technique to analyze and synthesize defense strategies automatically.

Findings

Effective analysis of partial observability in security games.

Successful automation of defense strategy synthesis.

Validation on real-world network data.

Abstract

Network systems often contain vulnerabilities that remain unfixed in a network for various reasons, such as the lack of a patch or knowledge to fix them. With the presence of such residual vulnerabilities, the network administrator should properly react to the malicious activities or proactively prevent them, by applying suitable countermeasures that minimize the likelihood of an attack by the attacker. In this paper, we propose a stochastic game-theoretic approach for analyzing network security and synthesizing defense strategies to protect a network. To support analysis under partial observation, where some of the attacker's activities are unobservable or undetectable by the defender, we construct a one-sided partially observable security game and transform it into a perfect game for further analysis. We prove that this transformation is sound for a sub-class of security games and a subset of properties specified in the logic rPATL. We implement a prototype that fully automates our approach, and evaluate it by conducting experiments on a real-life network.