Secured Network Sensor-based Defense System

Secured Network Sensor-based Defense System Sixiao Wei† , Dan Shen† , Linqiang Ge‡ , Wei Yu‡ , Erik P. Blasch∗, Khanh D. Pham∗ and Genshe Chen† †

Intelligent Fusion Technology, Inc, MD 20876, USA and Information Sciences Dept., Towson University, MD, 21252, USA ∗ Air Force Research Laboratory, NM, 87117/ NY 13444, USA

‡ Computer

ABSTRACT Network sensor-based defense (NSD) systems have been widely used to defend against cyber threats. Nonetheless, if the adversary finds ways to identify the location of monitor sensors, the effectiveness of NSD systems can be reduced. In this paper, we propose both temporal and spatial perturbation based defense mechanisms to secure NSD systems and make the monitor sensor invisible to the adversary. The temporal-perturbation based defense manipulates the timing information of published data so that the probability of successfully recognizing monitor sensors can be reduced. The spatial-perturbation based defense dynamically redeploys monitor sensors in the network so that the adversary cannot obtain the complete information to recognize all of the monitor sensors. We carried out experiments using real-world traffic traces to evaluate the effectiveness of our proposed defense mechanisms. Our data shows that our proposed defense mechanisms can reduce the attack accuracy of recognizing detection sensors. Keywords: Network Sensor Based System, Temporal-based Pseudorandom Ordering, Spatial-based Pseudorandom Ordering, Attack Accuracy

1. INTRODUCTION There has been a number of dangerous and widespread security threats (e.g., botnet, malware propagation, etc.) over the Internet.1 To defend such widely-spreading attacks, it becomes critical to develop collaborative monitoring and defense systems, which can effectively characterize, track, and mitigate these threats.2 To this end, the design of Network Sensorbased Defense (NSD) systems is critically needed. Generally speaking, such a NSD system3–6 consists of a centralized detection center and a number of monitor sensors distributed over the network. Each monitor sensor will record suspicious traffic associated with the monitored region and send the recorded data to the detection center. The detection center provisions detection mechanisms to analyze the collected data and provides useful information to system administers and users. Nonetheless, the effectiveness of NSD systems relies on the location of monitor sensors. If an adversary can find ways to identify the location of monitor sensors, the effectiveness of NSD can be reduced significantly. There have been a number of attacks investigated to identify the location of monitor locations in the NSD.7, 8 For example, in our previous study, a Pseudo-Noise (PN) code based attack8 was studied. In this attack, the adversary first generates a low-rate probing traffic modulated by a secret PN code9 and sends it to a target network. The adversary then determines whether the published data from NSD contains the PN code embedded. In addition, we studied different types of attacks and formalized those attacks using communication channels.10 In this paper, we focus on developing effective countermeasures to defend against attacks that can identify the location of the monitor sensors. Particularly, we developed both temporal and spatial perturbation based defensive mechanisms, which can effectively reduce the accuracy of recognizing monitor sensors by the adversary. We first introduc a Temporalbased Pseudorandom Ordering Mechanism (TPOM), which manipulates the timing information of published data so that the probability of successfully recognizing detection sensors can be reduced. We then present the Spatial-based Pseudorandom Ordering Mechanism (SPOM), which can dynamically move the monitor sensors in the network. In this way, the adversary cannot obtain the complete information to recognize the location of the monitor sensors. To evaluate the Further author information: (Send correspondence to Wei Yu, Genshe Chen (Wei Yu: Email: [email protected], Genshe Chen: Email: [email protected])

Sensors and Systems for Space Applications VIII, edited by Khanh D. Pham, Genshe Chen, Proc. of SPIE Vol. 9469, 946909 · © 2015 SPIE CCC code: 0277-786X/15/$18 · doi: 10.1117/12.2179282 Proc. of SPIE Vol. 9469 946909-1 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms

effectiveness of our proposed TPOM and SPOM methods, we conducted experiments using real-world traffic traces. Our data shows that TPOM and SPOM can reduce the attack accuracy of recognizing the detection sensor. The remainder of the paper is organized as follows. In Section 2, we briefly review the network model and threat model. We present TPOM and SPOM in Section 3. We show our simulation and evaluation results in Section 4. We review the related work in Section 5, followed by final remarks in Section 6.

2. NETWORK AND THREAT MODELS In this section, we briefly introduce the network model and threat model. Figure 1 depicts the basic architecture of NSD system. In a NSD system, monitor sensors are geographically distributed over the network to capture anomalous traffic (e.g., port-scans, etc.) addressed to a set of monitored IP addresses. The monitor sensors can be deployed at either end-hosts or network devices (e.g., routers, firewalls, etc.)3 After collecting data based on configured rules, monitor sensors will send the recorded data to a detection center. The detection center uses the provision detection mechanisms to further analyze the received data and publishes the aggregated views of the reports through a query-based user’s interface.11 The interface provides high-level information fusion results of situation and threat assessment to a user.12

V:

Detection Center

Background Traffic

Detection Center

: Attack Probing Traffic

Adversary 2. Querying Stage

I.

Launch Attacks User Clients

Adversary 1. Probing

(ji

ppp IUOL

Stage

U

11

Monitor Sensor

t

Monitor Sensors

Monitor Sensor

Figure 1: NSD System Architecture

Figure 2: Attack Workflow

Nonetheless, the adversary can launch attacks to identify the location of monitor sensors in NSD systems. In our previous study,10 we investigated a technique to identify the location of monitor sensors as shown in Figure 2. The idea of such an attack is described as follows: in the probing stage, the adversary first selects a probing traffic that embeds a secret pattern and transmits the probing traffic to a target network. Then, in the querying stage, the adversary issues queries to the detection center and obtains a data report from the NSD. From the query report, the adversary uses the decoding mechanism (e.g., Fast Fourier Transform (FFT)) to recognize the embedded signal. If the embedded signal is recognized, the adversary knows that the targeted network is deployed with a monitor sensor.

3. OUR APPROACHES By investigating the attack proposed in8 that is also described in Section 2, it was shown that in order to mitigate such an attack, it is critical to disrupt the recognition process to detect the embedded attack signal in queried data. Therefore, we consider a perturbation based defensive strategy, denoted as Pseudorandom Ordering Mechanism (POM), which can be performed in either a temporal or spatial domain. On one hand, in the temporal domain, we develop a temporalbased pseudorandom ordering mechanism (TPOM), which manipulates the timing information of published data so that the probability of successfully recognizing monitor sensors can be reduced. On the other hand, in the spatial domain, we develop a spatial-based pseudorandom ordering mechanism (SPOM), which can dynamically move monitor sensors in the network. In the following, we introduce these two defensive mechanisms in detail.

Proc. of SPIE Vol. 9469 946909-2 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms

3.1 Temporal-based Pseudorandom Ordering Mechanism (TPOM) To defend against the attack proposed in8 and secure the NSD, we developed a temporal-based pseudorandom ordering mechanism (TPOM). The main idea of TPOM is to perturb the timing information of the data before the detection center publishes it. Recall that in the attack, the adversary will first generate a probing traffic embedded with a signal pattern, which will be mixed with the background traffic at the detection center. Therefore, the idea of TPOM is to randomize the sequence of generated mixture traffic so that the adversary cannot correctly recognize the embedded signal. The TPOM consists of the following two main processes detailed in Algorithm 1: (i) Traffic Segmentation: In this process, it first randomly generates a traffic divider, which is denoted as ξ (0 < ξ ≤ total sequence number of recorded traffic). Based on the generated traffic divider, a traffic segmentation then divides the entire mixture traffic sequence into small pieces, where the sequence length of each small piece is set as ξ. (ii) Pseudorandom Ordering: Based on the segmentation of the traffic sequence, the TPOM for each divided piece is applied. Through this process, the probing traffic will not be sequenced regularly in the time domain. Instead, the probing data in each sequence slot will be randomly assigned to different sequence slots in the mixture traffic. The distribution of sequence slots will be controlled by a random ordering code, which is only known by the defender. Figure 3 shows an example of TPOM. In this example, as the traffic divider is 4, we divide all the traffic sequences into many small pieces with length of 4. After applying TPOM, the original probing sequence will be changed to the POM sequence randomly over time. Without the knowledge of the random ordering code configured by the TPOM, it will be extremely hard for the adversary to recover the originally embedded signal pattern correctly. As such, the probability of recognizing the monitor sensors by the adversary can be largely reduced. Algorithm 1: Algorithm for TPOM : Background Data Array B = [B1 , B2 , · · · , Bm ]; Frequency of attack signal f0 ; Amplitude of attack signal A; Output : Pseudorandom ordering sequence of mixture traffic (background + attack probing signal) Attack probing signal A = [A1 , A2 , · · · , An ]; An =A*square(2*π*f0 *n); Generate traffic divider ξi : for i = 1 : n do ξi = [ξi , round(rand(1) ∗ 10)]; end Embed attack probing signal: Create an array N U M and a mixture traffic sequence before applying TPOM Mi ; for i = 1 : n do MN U Mi = BN U Mi + Ai ; end Traffic segmentation and pseudorandom ordering: Create a mixture traffic sequence after applying TPOM P OMi ; randarrayn = randperm(ni ); for j = 1 : length(MN U Mi ) do for i = 1 : ni do P OMn (i + (j − 1) ∗ ni ) = M (randarrayn (i) + (j − 1) ∗ ni ); end end Input

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Figure 4 shows the effectiveness of Algorithm 1. We have the following observations: (i) No particular pattern is shown in “Background FFT”, but there is an obvious spike in “Attack Probing Signal FFT”. This is because the launched probing attack contains a pattern and the adversary can identify the pattern from the queried data based on the pattern. (ii) The spike in “Background+Attack Signal FFT” indicates that the queried data report contains the attack signal with the designated frequency pattern as expected. Without TPOM, the adversary can easily identify the location of monitor sensors based on the recognition of the pattern. (iii) From the curves of “Background+Attack Signal FFT” and “Background+Attack Signal+Pseudorandom ordering FFT”, we can observe that the spike disappears after the TPOM is in place. Therefore,

Proc. of SPIE Vol. 9469 946909-3 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms

Background 10 5

00

50

100

150

200 250 Background FFT

300

350

400

450

0.2 0.1

00

50

100 150 Attack Probing Signal

200

250

2

Original Sequence

Al

\

A2

\

:i

\ Ar-

POM Sequence

A4

Al

A3 I A4

i

31

\\ A3

\ /

B2 I B3

0

B4

\ //

Cl

/

A2

31

B4

B3

50

0

100

150 200 250 300 Attack Probing Signal FFT

350

400

450

05 0

50

0

100 150 Background + Attack Signal FFT

200

250

05

B2

Cl

0

50 100 150 200 Background + Attack Signal + Pseudorandom Ordering FFT

0

250

05 0

50

0

Figure 3: An Example of TPOM

100

150

200

250

Figure 4: Effectiveness of TPOM

after TPOM is applied, it is hard for the adversary to recover the probing signal and accurately decide whether the targeted network is deployed with a monitor sensor.

3.2 Spatial-based Pseudorandom Ordering Mechanism (SPOM) We now introduce the second defense mechanism named Spatial-based Pseudorandom Ordering Mechanism (SPOM). Differing from TPOM, the main idea of SPOM is to change the location of monitor sensors dynamically so that the adversary cannot have sufficient information to recover the embedded signal accurately. Recall that the adversary can obtain the deployment information of monitor sensors by launching the attack proposed in.8 If the system configuration and the location of monitor sensors keep changing, the attack will fail to recognize the correct probing signal from the queried reports of the location of the monitor sensors. By applying the SPOM, we obtain the effectiveness of the defense mechanism, similar to Figure 4. Figures 5 and 6 show the detail procedures of SPOM. Here, network A as an example demonstrates the principle of the defense mechanism. When the SPOM is in place, the adversary first launches the probing traffic to network A with IP addresses of 192.168.10.X, where the IP address of detection sensor A is 192.168.10.5. Then, when the SPOM is used, the IP addresses for monitor sensor A will be changed over time. By doing so, the adversary obtains traffic logs, which consists of both the attack signal and background traffic from other monitor sensors. As the IP addresses of network A are changed to 192.168.255.X, the IP address of monitor sensor becomes 192.168.255.5. Therefore, the adversary cannot obtain the complete information to recover the attack signal after launching the probing traffic to the IP addresses of network A: 192.168.10.X. As a result, the adversary cannot make a correction decision about whether the target network is deployed with a monitor sensor or not. In this way, the attack accuracy will be dramatically reduced. There are two parameters that can have an impact on the effectiveness of SPOM. The first parameter is the query time Tq controlled by the adversary. It is defined as the time between launching the probing traffic and obtaining the detection report. The second parameter is the time interval TM of SPOM, which is controlled by the defender. It is controlled by the time when the monitor sensor will be assigned to a new location. If Tq > TM , this means that the monitor sensor will move fast. Therefore, the adversary will not be able to recognize the monitor sensor. Nonetheless, it will also incur a high overhead to the system when the monitor sensor moves rapidly. In the evaluation, we consider the case when Tq ≤ TM . Here, the adversary can only obtain a part of the attack signal and the effectiveness of the attack proposed in8 can be largely reduced.

4. PERFORMANCE EVALUATION We now show the evaluation results of our investigated defense mechanisms. We use Matlab 2013a to conduct experiments and validate the effectiveness of our proposed defensive schemes using real-world traffic traces. In our simulation, we measure the attack accuracy of recognizing the location of monitor sensors. We consider the following two metrics. The

Proc. of SPIE Vol. 9469 946909-4 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms

4r

Detection Center

IN

Backgrou

Attack

Probing Signa\

192.168.10.5

+A

raffic Logs

."--

Background Traffic Logs

Backgr..

Probing Signal

Detection Center

Retrieval

Traffic Logs

+ Attack Probing Signal

4

MI

192.168.30.5

192.168.20.5

Monito Sensor B

Monito Sensor A

192.168.255.5

192.168.235.5

192.168.245.5

Monito Sensor C

192.168.30.

Figure 5: Probing Stage Before SPOM

Figure 6: Querying Stage After SPOM

first metric is the attack success rate, PD , which is defined as the probability that the adversary can correctly determine the location of the monitor sensors. The second metric is the attack false positive rate PF , which is defined as the probability of mistakenly determining a target network deployed with monitor sensors. From the defender’s perspective, the lower PD or the higher PF , the worse the attack accuracy is. Based on the attack success rate and the attack false positive rate, we draw ROC (Receiver Operating Characteristic) curve.13 Figure 7 shows the attack accuracy of TPOM, where we set the frequency of the attack probing signal as 4. As we can see, the adversary can achieve a high attack success rate while maintaining a low attack false positive rate. For example, when the attack strength is 0.25, the attack success rate is around 80% while the attack false positive rate is only around 10%. Once TPOM is used, the attack success rate drops dramatically. We also observe that when the sequence estimator of TPOM is generated at 4, which is the same as baseline frequency, the attack accuracy reduces less in comparison with the scenarios, where the sequence estimator is set to 5, 10 or 20. This means that when the generated sequence estimator and the baseline attack signal frequency are less similar, the effectiveness of TPOM can be improved. In Figure 8, we can observe that the effectiveness of attack accuracy when SPOM technique is in place. Recall that we chose two parameters Tq and TM to evaluate the effectiveness of SPOM. Here, we set the query time for the adversary Tq is constant. From the Figure 8, we can see that deploying SPOM with a lower TM can achieve a lower attack success rate. For example, the attack success rate of SPOM with 5 times of Tq is much lower than the attack success rate of SPOM with 1.5 times of Tq . It is expected because a higher rate of moving monitor sensors in the SPOM, the attack successful probability that the adversary can achieve will be lowered.

09

09

08

08

0]

0]

ó 06

Ol06

0

0

- 03- Baseline without SPOM

- e-Baseline Frequency4 02

02

- e-TPOM4 - e-TPOM 5

- 8-SPOM (Tm =1.5 Tq)

-$- $POM(Tm= 2.0Tq) - a-SPOM(Tm= 4.0Tq) $ SPOM (Tm =10.0 TM

-ar-TPOM 10

t TPOM 20 01

02

03

04

0.5 0.8 False Positive Rate

0.7

0.8

09

Figure 7: Effectiveness of Attack Accuracy Applying TPOM

01

02

03

04

0.5 0.8 False Positive Rate

0.7

0.8

0.9

Figure 8: Effectiveness of Attack Accuracy Applying SPOM

Proc. of SPIE Vol. 9469 946909-5 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms

5. RELATED WORK A number of research efforts have been made to study related to the NSD system and cyber threats.10, 14–22 For example, Yu et al.10 investigated the localization attacks aiming to identify the location of monitor sensors and proposed a formal model of such attacks using communication channels. Ouyang et al.14 proposed a detection framework to deal with denial-of-service (DoS) attacks (e.g., jamming, flooding, etc.) in wireless sensor networks.23 Wei et al.15 developed an integrated network defense system with detection mechanisms to support cyber-security situation awareness capabilities. Devarashetty et al.16 proposed a formal model for secure sensor networks. Their proposed approach consists of a multilayered structure consisting, where a synchronous firing mechanism is used to detect malicious nodes. Arai et al.17 studied a scheduling problem for networked sensor networks, where sensors are distributed and measurements have noise. Taylor et al.18 presented a work in progress on developing a defense system to protect wireless sensor networks from denial-ofservice attacks after one or more nodes on the network have been captured and reprogrammed by an adversary. Differing from the above research approaches, in this paper we focused on developing effective countermeasures to defend against attacks proposed in,8 which efficiently identifies the location of monitor sensors and steals important information from the NSD system. Based on cyber situation awareness,24, 25 we provide both temporal and spatial based perturbation based defensive mechanisms, which can effectively disrupt the process of attack signal recognition to make the monitor sensors invisible to the adversary.

6. FINAL REMARKS In this paper, we developed both temporal and spatial perturbation based defensive mechanisms, which can reduce the probability of monitor sensors discovered by the adversary. The temporal-perturbation based defense manipulates the timing information of queried data so that the chance of successfully recognizing detection sensors can be reduced. The spatial-perturbation based defense dynamically moves monitor sensors in the network so that the adversary cannot obtain the complete information to recognize monitor sensors. We conducted experiments using real-world traffic traces to evaluate the effectiveness of our proposed defense schemes. Our data confirms that TPOM and SPOM can reduce the effectiveness of recognizing detection sensors.

7. ACKNOWLEDGEMENT This material is based on research sponsored by Air Force Research Laboratory under agreement number FA9453-15C-0016. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of Air Force Research Laboratory or the U.S. Government.

REFERENCES [1] C. Fleizach, M. Liljenstam, P. Johansson, G. M. Voelker, and A. Mehes, “Can you infect me now?: Malware propagation in mobile phone networks,” in Proc. ACM Workshop on Recurring Malcode, 2007. [2] R. M. Zinkernagel, S. Ehl, P. Aichele, S. Oehen, T. Kundig, and H. Hengartner, “Antigen localisation regulates immune responses in a dose and time-dependent fashion: A geographical view of immune reactivity,” Immunological Reviews 156, pp. 199–209, 1997. [3] D. Zhang, W. Yu, and R. Hardy, “A distributed network-sensor based intrusion detection framework in enterprise networks,” in Proc. IEEE International Conference on Military Communications Conference (MILCOM), 2011. [4] J. L. Hill, R. Szewczyk, A. Woo, S. Hollar, D. E. Culler, and K. S. J. Pister, “System architecture directions for networked sensors,” Sigplan Notices 28, pp. 93–104, 2000. [5] S. Saponara, E. Petri, L. Fanucci, and P. Terreni, “Smart transducer interface in embedded systems for networked sensors based on the emerging ieee 1451 standard: H2 detection case study,” in Proc. Intelligent solutions in Embedded Systems, pp. 49–55, June 2009. [6] W. Yu, Z. Chen, G. Xu, S. Wei, and N. Ekedebe, “A threat monitoring system for smart mobiles in enterprise networks,” Research in Adaptive and Convergent Systems , pp. 300–305, 2013.

Proc. of SPIE Vol. 9469 946909-6 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms

[7] W. Yu, N. Zhang, X. Fu, R. Bettati, and W. Zhao, “Localization attacks to internet threat monitors: Modeling and countermeasures,” IEEE Transactions on Computers 59, pp. 1655–1668, 2010. [8] W. Yu, X. Wang, X. Fu, D. Xuan, and W. Zhao, “An invisible localization attack to internet threat monitors,” IEEE Transactions on Parallel and Distributed Systems (TPDS) 20, pp. 1611–1625, 2009. [9] W. Yu, X. Fu, E. Blasch, K. Pham, D. Shen, and G. Chen, “On effectiveness of hopping-based techniques for network forensic traceback,” Int’l J. of Networked and Distributed Computing 1, 2013. [10] W. Yu, S. Wei, G. Ma, X. Fu, and N. Zhang, “On effective localization attacks against internet threat monitors,” in Proc. IEEE International Conference on Communication (ICC), 2013. [11] M. Hemmje, A 3D Based User Interface for Information Retrieval Systems, vol. 871, Database Issues for Data Visualization, 1994. [12] E. Blasch, E. Bosse, and D. A. Lambert, High-Level Information Fusion Management and Systems Design, Artech House, 2012. [13] E. Blasch, J. J. Salerno, and G. Tadda, “Measuring the worthiness of situation assessment,” in Proc. IEEE Nat. Aerospace Electronics Conf. (NAECON), 2011. [14] X. Ouyang, B. Tian, Q. Li, J. yi Zhang, Z.-M. Hu, and Y. Xin, “A novel framework of defense system against dos attacks in wireless sensor networks,” in Proc. International Conference on Wireless Communications, Networking and Mobile Computing, 2011. [15] W. Yu, S. Wei, D. Shen, M. Blowers, and E. P. Blasch, “On detection and visualization techniques for cyber security situation awareness,” in Proc. SPIE, 8739, pp. 9–17, 2013. [16] V. Devarashetty, J. Tsai, L. Ma, and D. Zhang, “Modeling a secure sensor network system using an extended elementary object system,” in Proc. 7th IEEE International Conference on Cognitive Informatics (ICCI), 2008. [17] S. Arai, Y. Iwatani, and K. Hashimoto, “Fast and optimal sensor scheduling for networked sensor systems,” in Proc. IEEE International Conference on Decision and Control, 2008. [18] V. Taylor and D. Fokum, “Securing wireless sensor networks from denial-of-service attacks using artificial intelligence and the clips expert system tool,” in Proc. IEEE Southeastcon, 2013. [19] H. Zhang, S. Wei, W. Yu, E. Blasch, G. Chen, D. Shen, and K. Pham, “Scheduling methods for unmanned aerial vehicle based delivery systems,” in Proc. 2014 IEEE/AIAA 33rd Digital Avionics Systems Conference (DASC), 2014. [20] S. Bhattarai, S. Rook, L. Ge, S. Wei, W. Yu, and X. Fu, “On simulation studies of cyber attacks against lte networks,” in Proc. IEEE International Conference Computer Communication and Networks (ICCCN), 2014. [21] S. Wei, L. Ge, W. Yu, G. Chen, and K. Pham, “Simulation study of unmanned aerial vehicle communication networks addressing bandwidth disruptions,” in Proc. SPIE, 9085, pp. 10–17, 2014. [22] K. Liu, Q. Du, H. Yang, and B. Ma, “Optical flow and principal component analysis-based motion detection in outdoor videos,” Eurasip Journal on Advances in Signal Processing 2010, pp. 1–7, 2010. [23] D. Shen, G. Chen, J. Cruz, L. Haynes, M. Kruger, and E. Blasch, “A markov game theoretic data fusion approach for cyber situational awareness,” in Proc. SPIE, 6571, 2007. [24] E. Blasch, D. Shen, K. Pham, and G. Chen, “Review of game theory applications for situation awareness,” in Proc. SPIE, 9469, 2015. [25] G. Chen, D. Shen, C. Kwan, J. Cruz, M. Kruger, and E. Blasch, “Game theoretic approach to threat prediction and situation awareness,” Journal of Advances in Information Fusion 2, pp. 1–14, June 2007.

Proc. of SPIE Vol. 9469 946909-7 Downloaded From: http://proceedings.spiedigitallibrary.org/ on 06/02/2015 Terms of Use: http://spiedl.org/terms