Int. J. Inf. Secur. DOI 10.1007/s10207-011-0148-z

REGULAR CONTRIBUTION

Stochastic game net and applications in security analysis for enterprise network

Yuanzhuo Wang · Min Yu · Jingyuan Li · Kun Meng · Chuang Lin · Xueqi Cheng

© Springer-Verlag 2011

Abstract The stochastic game theoretic framework has been used in many fields of networks with interactive behaviors. However, its further use is limited for the following reasons. First, it is difficult to build comprehensive and rigorous models of complex network structures with a state-based game model. Second, solving and extending models of the dynamic behaviors of the network's participants is nearly impossible because of the complexity of the state transitions. Last, a general game model cannot describe and analyze the specific events and behaviors found in some kinds of networks, such as enterprise networks. In this paper, we propose a new modeling paradigm, the stochastic game net (SGN), which represents stochastic games with Petri nets. With this graphical tool, stochastic game problems can be described clearly, and the resulting model can be solved and extended easily. The main contribution of this work is a series of methods for modeling and analyzing competitive games with SGNs. We apply these results to the security analysis of enterprise networks. The analysis shows that the approach handles complicated and dynamic game problems, and that it can be used to establish the existence, and compute the value, of an equilibrium point.

Y. Wang (corresponding author) · J. Li · X. Cheng: Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China. M. Yu: Information Engineering School, University of Science and Technology, Beijing 100083, China. K. Meng · C. Lin: Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China.

Keywords Stochastic game net · Enterprise network · Security analysis · Integrity · Confidentiality · Availability

1 Introduction

Recently, game theory has been introduced into the modeling and analysis of networks. Network systems are becoming larger and more complex, which creates uncertainty for resource management and security. In Lye and Wing's work [1], a game-theoretic method for analyzing the security of computer networks was presented: the interactions between an attacker and the administrator were modeled as a two-player stochastic game for which best-response strategies (Nash equilibria) were computed. Mahimkar and Shmatikov [2] proposed a new protocol for preventing malicious bandwidth consumption and demonstrated how game-based formal methods can be used to verify availability-related security properties of network protocols. Liu et al. [3] presented a general incentive-based method to model attacker intent, objectives, and strategies (AIOS) and a game-theoretic approach to infer AIOS; their formalization captures the interdependency between AIOS and the defender's objectives and strategies in such a way that AIOS can be inferred automatically. Wang and Reiter [4] and Bencsáth et al. [5] proposed puzzle auction mechanisms based on game theory to defend against DoS and DDoS attacks. The puzzle auction protocol of Wang and Reiter [4] allows clients to bid for service by computing puzzles with difficulty levels of their own choosing; the clients bidding the most difficult puzzles are served with the highest priority. Bencsáth et al. [5] used static game theory to analyze the optimal strategies of the server and of the DoS attacker when client puzzles are used. Xu and Lee [6] used a game-theoretic framework to analyze the performance of their proposed DDoS defense system, to guide its design and to improve its performance. Browne [7] showed how static games can be used to analyze attacks on complicated and heterogeneous military networks; in his example, a defense team had to defend a network of three hosts against an attacking team's worms.

Game models of networks face many significant challenges. Most early work on network security game models emphasized the prevention of attacks. Later work focused on designing system-level security mechanisms so that the system can perform its intended function by detecting and preventing malicious attacks. More recently, the notion of intrusion tolerance has been advocated, allowing the system to continue performing its intended function despite partially successful attacks; the work of Nicol et al. [8] is a good example of this idea. Most attempts to validate management mechanisms and strategies are qualitative, stating the procedures adopted to construct a safe network. In practice, however, it is infeasible to construct perfect management mechanisms and strategies in the face of varied game behaviors. Network managers want to know whether the behavior of an intruder or of a self-organizing network node affects the security or performance of their networks, and how they should react to resolve such problems efficiently.

Stochastic games [9] extend the single-player Markov decision process to multiple players whose actions jointly determine the rewards and the next state. Stochastic games can also be viewed as an extension of matrix games, a view that highlights the difficulty of finding optimal behavior in stochastic games, because optimal behavior depends on the behavior of the other players. The model therefore serves as a bridge between notions from game theory and reinforcement learning. In most previous work, the interactions between the attacker and the administrator are described as game relations. A purely competitive (zero-sum) stochastic game has a unique Nash equilibrium value, while a general-sum stochastic game may have multiple Nash equilibria. The defender can derive the attacker's strategy from the Nash equilibrium, categorize the attacks into different states, and prepare countermeasures for each attack state; such a categorization is possible because the attacker's best attack strategies can be computed from the Nash equilibrium. Moreover, a stochastic game model captures the probabilistic nature of the state transitions, which is more useful in practice. However, some essential properties of stochastic game theory prevent its further use in network structure analysis. First, stochastic game theory lacks modeling tools for describing the interaction relations of complex network structures, so comprehensive and rigorous models are difficult to build. Second, the complexity of the state transitions makes it nearly impossible to model the dynamic behaviors of the participants in computer networks with existing modeling methods, and the model is difficult to update when conditions change. Third, in a general game model the full state space can be extremely large, while only a small subset of states relevant to the attack and defense scenarios is of interest. In addition, it may be difficult to quantify the costs of actions and the associated transition probabilities in practice.

Stochastic Petri nets, e.g., Molloy [10], are a modeling formalism that can conveniently be used for modeling and analyzing complex systems, for example in performance analysis and reliability evaluation. The probabilistic models underlying the dynamic behavior of the system can be constructed automatically using Petri net theory, and stochastic Petri net models extend well: new components can be appended easily. Stochastic reward nets, e.g., Ciardo et al. [11], which extend stochastic Petri nets with reward functions, are well suited to describing the rewards of the players in a network game. We therefore suggest that stochastic Petri nets, with their efficient and concise features, be used to solve game-theoretic problems. Given all this, we propose a novel modeling method, stochastic game nets, for modeling and analyzing game problems by taking advantage of stochastic Petri nets. Stochastic game nets are suitable for investigating complex and dynamic game-related problems and for computing Nash equilibria and best-response strategies in networks. We believe that stochastic game nets open a new avenue for handling game-related issues in network game models. Lye and Wing's work [1] to some extent inspired us to research further into the role of SGN in game theory problems, presenting a group of interesting results and a series of quantitative evaluations. The major contributions of our work are:

• A novel modeling framework, the stochastic game net (SGN), is proposed, and its detailed definitions, properties and theorems are given. We also show through an application that SGN can be used to solve competitive game problems.
• In SGN, we propose a graphical modeling description method for game problems and the corresponding representations of utility and strategy. According to the structural characteristics of the graphical model, we study effective solution methods for the equilibrium.
• We further use the SGN model to analyze application issues in enterprise network security, including the probability of a successful attack, the mean time to a successful attack, the mean time to recover if attacks are detected, and statistical properties of attack and defense behaviors. Confidentiality, integrity and availability are also evaluated quantitatively on our SGN models. We explain why our strategies are realistic and how network administrators can use our results to enhance the security of their network.

We hope that our approach will become a foundation for further investigations of modeling and analysis theories for game problems beyond the security of enterprise networks. The rest of the paper is organized as follows. Section 2 introduces the definitions and useful properties of stochastic game nets, and Sect. 3 the modeling method. In Sect. 4, an enterprise network and its security problems are analyzed. In Sect. 5, the stochastic game net is used to model attack and defense behaviors in the enterprise network. Section 6 analyzes security issues based on the model, and the final section concludes the paper.

2 Stochastic game nets

We first give the definition of stochastic game nets. This definition extends the definition of stochastic Petri nets (SPN) with the stochastic game mechanism; see [12,13,18] for background.

Definition 1 A stochastic game net is a nine-tuple $SGN = (N, P, T, F, \pi, \lambda, R, U, M_0)$, where
(1) $N = \{1, 2, \ldots, n\}$ is the set of players;
(2) $P$ is a finite set of places;
(3) $T = T^1 \cup T^2 \cup \cdots \cup T^n$ is a finite set of transitions, where $T^k$ is the set of transitions of player $k$, $k \in N$;
(4) $\pi : T \to [0,1]$ is a routing policy giving the probability of choosing a particular transition;
(5) $F \subseteq I \cup O$ is the set of arcs, where $I \subseteq (P \times T)$ and $O \subseteq (T \times P)$, with $P \cap T = \emptyset$ and $P \cup T \neq \emptyset$. For convenience we write ${}^\bullet x = \{y \mid (y, x) \in F\}$ for the pre-set of $x$ and $x^\bullet = \{y \mid (x, y) \in F\}$ for its post-set;
(6) $R : T \to \mathbb{R}^n$ is the reward function, $R(t) = (R^1(t), \ldots, R^n(t))$ with $R^i(t) \in (-\infty, +\infty)$ for $i \in N$, giving each player's reward when transition $t$ fires;
(7) $\lambda = \{\lambda_1, \lambda_2, \ldots, \lambda_w\}$ is the set of firing rates of the transitions, where $w = |T|$;
(8) $U$ is the utility function of the players;
(9) $M_0$ is the initial marking, which denotes the initial state of the players.

In this definition, $P$ is the state set of the game: a token in a place $p \in P$ denotes that the players are in that state, and a marking $M$ is a distribution of tokens over the places of the stochastic game net. Each token $s$ in a place $p \in P$ carries a reward vector $h_p(s) = (h^1_p(s), h^2_p(s), \ldots, h^k_p(s))$ as its property, where $h^k_p(s)$ is the reward player $k$ has obtained for token $s$ in place $p$. Each element of $T$ represents a class of possible changes of marking. Such a change, the firing of $t \in T$, removes tokens from a subset of places and adds them to another according to the expressions labeling the arcs. The firing rule of an SGN is as follows: a transition $t$ is enabled under marking $M$ whenever $M(p) \neq \emptyset$ for every $p \in P$ with $(p, t) \in F$. When $t$ fires, the players receive $R(t) = (R^1(t), R^2(t), \ldots, R^k(t))$, where $R^i(t)$ is the reward of player $i$, and the reward is recorded in the token's vector $h_p(s)$ when the token is transported into place $p$.

Definition 2 In a game, let $P$ be the whole state space and $T^k$ the action set of player $k$. We call $P^k$ the state set of player $k$, where $P^k = \bigcup_{t \in T^k} p^k_t$ and $p^k_t = \{p \mid t \in T^k,\ p \in {}^\bullet t,\ p \in P\}$. In other words, at a state $p \in p^k_t$ player $k$ can take action $t$. Conversely, we call $t^k_p = \{t \mid t \in T^k,\ p \in P^k,\ t \in p^\bullet\}$ the action set of player $k$ in state $p \in P^k$.

Definition 3 (Strategy) In an SGN model, a strategy of player $k$ is a vector $\pi^k = (\pi(t^k_1), \pi(t^k_2), \ldots, \pi(t^k_w))$, where $\pi(t^k_j)$ is the probability that player $k$ takes action $t_j$ and $w = |T^k|$. If the transitions are grouped by place, letting $t^k_{p i}$ denote that player $k$ can take action $t_i$ at place $p$, the strategy can also be written
$$\pi^k = \big(\pi(t^k_{p_1 i_1}), \ldots, \pi(t^k_{p_1 i_{|p_1^\bullet|}}), \ldots, \pi(t^k_{p_{|P|} j_1}), \ldots, \pi(t^k_{p_{|P|} j_{|p_{|P|}^\bullet|}})\big),$$
where $|p_i^\bullet|$ is the number of elements of the set $p_i^\bullet$. For an $n$-player game, the strategy profile is $\pi = (\pi^1, \pi^2, \ldots, \pi^n)$.

Remark Let $\phi^k_p$ be the empty action of player $k$ in state $p$; we assume that player $k$ has an empty action $\phi^k_p$ in every state $p$. Any feasible strategy therefore satisfies $\sum_{t_i \in t^k_p} \pi(t^k_{p i}) = 1$. The utility of player $k$ is $U^k(\pi, M_0)$, usually abbreviated to $U^k(\pi)$, where $M_0$ is the initial state of the game.

Definition 4 A game is unilaterally competitive if for each $i \in N$, $U^i(\pi) \geq U^i(\pi')$ if and only if $U^j(\pi) \leq U^j(\pi')$ for all $j \in N$, $j \neq i$.

For analyzing complicated game problems, an effective method is to first set up the model of each player separately and then combine them into a whole model. The next property gives a sufficient condition under which the models of the individual players can be combined.


Definition 5 (Competitive SGN) Given an SGN, we call it a competitive SGN if the following conditions hold: (1) $|N| = 2$; (2) for any strategies $\pi, \pi'$ with $\pi \neq \pi'$, $U^1(\pi) \geq U^1(\pi')$ if and only if $U^2(\pi) \leq U^2(\pi')$, or $U^2(\pi) \geq U^2(\pi')$ if and only if $U^1(\pi) \leq U^1(\pi')$; (3) there exist transitions $t_i$ such that $t_i^\bullet = \emptyset$.

Proposition 1 Given a unilaterally competitive game with players $i, j$ whose state sets are $P^i$ and $P^j$ respectively, $P^i \cap P^j \neq \emptyset$.

Proof Let $\pi_{-i} = (\pi^1, \pi^2, \ldots, \pi^{i-1}, \pi^{i+1}, \ldots, \pi^n)$ and write $\pi = (\pi^i, \pi_{-i})$. Suppose $P^i \cap P^j = \emptyset$. Because the utility of player $i$ is determined by the initial state and the strategy profile, and by the assumption together with $T^i \cap T^j = \emptyset$, the utility of player $i$ depends only on $\pi^i$. For $i \neq j$ there exist $\pi = (\pi^i, \pi_{-i}) = (\pi^j, \pi_{-j})$ and $\pi' = (\pi'^i, \pi'_{-i}) = (\pi'^j, \pi'_{-j})$ such that $U^i(\pi) \geq U^i(\pi')$ and $U^j(\pi) \leq U^j(\pi')$. Let $\pi'' = (\pi^i, \pi'^j, *)$ and $\pi^{IV} = (\pi'^i, \pi^j, *)$. Then $U^i(\pi'') \geq U^i(\pi^{IV})$ and $U^j(\pi'') \geq U^j(\pi^{IV})$, which contradicts the condition that the game is unilaterally competitive. Hence the assumption is false, i.e., $P^i \cap P^j \neq \emptyset$. □

Proposition 2 A competitive SGN corresponds to a unilaterally competitive game, and there exists at least one place $p_i \in P$ such that $p_i^\bullet \cap T^1 \neq \emptyset$ and $p_i^\bullet \cap T^2 \neq \emptyset$.

Definition 6 (Nash equilibrium) Given an $n$-player SGN, a mixed-strategy Nash equilibrium (NE) is a vector $\pi^* = (\pi^{1*}, \pi^{2*}, \ldots, \pi^{n*})$ such that
$$U^k(\pi^{1*}, \ldots, \pi^{(k-1)*}, \pi^{k*}, \pi^{(k+1)*}, \ldots, \pi^{n*}) \geq U^k(\pi^{1*}, \ldots, \pi^{(k-1)*}, \pi^{k}, \pi^{(k+1)*}, \ldots, \pi^{n*})$$
for $k = 1, 2, \ldots, n$, where $\pi^k$ is any alternative mixed strategy of player $k$ other than $\pi^{k*}$. At an NE $\pi^*$, no player has an incentive to deviate from its mixed strategy given that the others do not deviate, and there is no mutual incentive for any of the players to deviate from their equilibrium strategies $\pi^{1*}, \pi^{2*}, \ldots, \pi^{n*}$: a deviation would lower the expected utility of some of them. The NE strategies are therefore also called best responses.

Theorem 1 For a stochastic game net $SGN = (N, P, T, F, \pi, \lambda, R, U, M_0)$ with $n < \infty$ and finite sets $P$ and $T$, there exists a Nash equilibrium in mixed strategies.

Proof A game with finitely many states has at least one mixed-strategy Nash equilibrium (see [14]). It remains to show that a stochastic game net is associated with a game.


In fact, for the case $P^i \cap P^j = \emptyset$ the corresponding game is a programming problem. For the case $P^i \cap P^j \neq \emptyset$, $P^i \cap P^j$ is the state space of the corresponding game, the firing rule of the SGN is the rule of the game, and $U$ is the utility function of the game. Therefore a mixed-strategy Nash equilibrium exists. □

In the rest of this section we present an algorithm for constructing an SGN and an algorithm for solving it, i.e., for finding the optimal strategy of each player, the NE. The objective of each player is to maximize its expected return. Let $p_w$ be the state at time $w$ and
$$r^k(p_w) = \sum_{s_i \in S} h^k_{p_w}(s_i) + \sum_{t_j \in T_w} R^k(t_j)$$
be the reward received by player $k$ at time $w$, where $S$ is the set of tokens in place $p_w$ and $T_w$ is the set of transitions the tokens have passed through up to time $w$. To ensure that the game finishes within finite time we introduce a discount factor $\delta \in [0, 1]$. Given a strategy $\pi$ and $m$ remaining rounds from time $w$, the expected return $U^k_w(\pi, p_w)$ of player $k$ from time $w$ is
$$U^k_w(\pi, p_w) = E\big[r^k(p_w) + \delta\, r^k(p_{w+1}) + \delta^2 r^k(p_{w+2}) + \cdots + \delta^m r^k(p_{w+m})\big] = E\Big[\sum_{l=0}^{m} \delta^l\, r^k(p_{w+l})\Big].$$
The expectation $E$ means that player $k$ plays $\pi^k$, i.e., chooses its action with the probability distribution $\pi^k(p_{w+l})$ and receives the reward $r^k(p_{w+l})$, where
$$r^k(p) = \sum_{t^1 \in T^1} \cdots \sum_{t^n \in T^n} \pi^1(p, t^1)\, \pi^2(p, t^2) \cdots \pi^n(p, t^n)\, R^k(p; t^1, \ldots, t^n)$$
and $R^k(p; t^1, \ldots, t^n)$ is the reward gained by player $k$ at $p$ when player $i$ chooses action $t^i$, $i = 1, 2, \ldots, n$.

Definition 7 For a two-player game, an NE $(\pi^{1*}, \pi^{2*})$ satisfies $U^1(\pi^{1*}, \pi^{2*}) \geq U^1(\pi^1, \pi^{2*})$ and $U^2(\pi^{1*}, \pi^{2*}) \geq U^2(\pi^{1*}, \pi^2)$, where the utility of player $k$ is $U^k(\pi^1, \pi^2) = U^k(\pi, M_0)$.

For a two-player SGN model, a nonlinear program can be used to find the stationary equilibrium strategies of the finite-horizon game. By Theorem 1, at least one mixed-strategy Nash equilibrium exists, and by the work of Filar and Vrieze [11] an NE of a discounted stochastic game can be found by solving the following nonlinear programming problem (NLP):
$$\min_{u^1, u^2, \pi^1, \pi^2} \ \sum_{k=1,2} \mathbf{1}^T\big[u^k - R^k(\pi^1, \pi^2) - \delta\, P(\pi^1, \pi^2)\, u^k\big]$$
subject to
$$R^1(p_i)\, \pi^2(p_i) + \delta\, T(p_i, u^1)\, \pi^2(p_i) \leq u^1(p_i)\, \mathbf{1}, \quad i = 1, \ldots, |P|, \qquad (1)$$
$$\pi^1(p_i)^T R^2(p_i) + \delta\, \pi^1(p_i)^T T(p_i, u^2) \leq u^2(p_i)\, \mathbf{1}^T, \quad i = 1, \ldots, |P|,$$
where $T(p, u^k) = \big[[P(p_1 \mid p, t^1, t^2), \ldots, P(p_{|P|} \mid p, t^1, t^2)]^T u^k\big]_{t^1 \in T^1,\ t^2 \in T^2}$, $p_i \in P$, $u^k \in \mathbb{R}^{|P|}$ are the value-vector variables, $\pi^k$ is a mixed strategy over $T^k$ with $\sum_{t_i \in t^k_p} \pi(t^k_{p i}) = 1$, $\mathbf{1}$ is the all-ones vector of appropriate dimension, $R^k(\pi^1, \pi^2)$ is the vector
$$\big[\pi^1(p_1)^T R^k(p_1)\, \pi^2(p_1), \ldots, \pi^1(p_{|P|})^T R^k(p_{|P|})\, \pi^2(p_{|P|})\big]^T,$$
and $P(\pi^1, \pi^2)$ is the state transition probability matrix induced by the strategy pair $(\pi^1, \pi^2)$,
$$P(\pi^1, \pi^2) = \Big[\sum_{t^1 \in T^1,\ t^2 \in T^2} \pi^1(p, t^1)\, P(p' \mid p, t^1, t^2)\, \pi^2(p, t^2)\Big]_{p,\, p' \in P}.$$
The global minimum of this nonlinear program represents the required optimality conditions; its solution $(u^{1*}, u^{2*}, \pi^{1*}, \pi^{2*})$ corresponds to a Nash equilibrium of the game.

By Propositions 1, 2 and 3, we can construct the SGN model and compute the equilibrium strategy with Algorithm 1.

Algorithm 1 Modeling and strategy computing method in SGN
01: Distinguish the players in the game and analyze the type of game
02: According to the goals and action sets of the players, construct the set of transitions $T$
03: Analyze the reward values and assign $R : T \to \mathbb{R}^n$
04: According to the results of the actions, construct the set of places $P$, and set up an SGN model for each player
05: Based on the player SGN models, compute a Nash equilibrium $(u^{1*}, u^{2*}, \pi^{1*}, \pi^{2*})$
06: Combine the places $P$ that denote the same meaning in the SGN models of different players, and assign $\pi^{i*}$ to the corresponding transitions $T$
07: Assign the rates $\lambda$ to each transition $t \in T$ of the SGN
08: Simplify the structure of the SGN model using transition enabling predicates and rate functions, transform the whole SGN model into the corresponding Markov process, and solve for the steady-state probabilities

3 Modeling method in SGN

For convenience in analyzing complicated game problems, an effective method is to set up the model of each player separately and then combine them into a whole model. For a unilaterally competitive game, the following proposition characterizes the SGN player models.

Proposition 3 For an SGN, the SGN Nash equilibrium strategy can be obtained from the Nash equilibria of the players' sub-SGNs.

Proof Given an SGN, by formulation (1) we can obtain its Nash equilibrium. According to (1), the solution of the NLP depends only on the utility functions of the players. By $r^k(p_w) = \sum_{s_i \in S} h^k_{p_w}(s_i) + \sum_{t_j \in T_w} R^k(t_j)$, the utility of player $k$ is determined by its state space and the corresponding action set. Therefore we can construct the sub-SGN of a player by restricting the places and transitions to those of that player. By formulation (1) we obtain the sub-SGN Nash equilibrium and the player's optimal utility, and by (1) the optimal utility of the players in the sub-SGNs is the optimal one for the SGN. So the Nash equilibrium restricted to a sub-SGN is the same as the sub-SGN Nash equilibrium; in other words, the SGN Nash equilibrium can be obtained by combining the sub-SGNs of the players. □

Following Algorithm 1, to separate the actions of the players we construct an SGN model for each player. First we identify the game elements and determine the actions of the different players, and then we assign the reward values.

(1) Construct the set of transitions $T$. It consists of all possible actions. For all transitions out of the game element states, identify the corresponding game actions. Note that there is always an inaction $\phi$, which represents that a player takes no action at all. The action set is the complete set of these actions, $\phi$ included. Not all actions are available in all states; we use $T_i$ to refer to the set of actions available in a given state.
(2) Assign the reward values $R$. In the SGN model we assign $R : T \to \mathbb{R}^n$, $R^i(t) \in (-\infty, +\infty)$, to each transition to represent the reward gained by the player when the action is completed. A negative reward expresses a loss suffered by the player. Rewards can represent social status and satisfaction versus disrespect and disappointment, as well as real values such as financial gain and loss.
(3) Construct the set of places $P$. The places describe the states of the system or player according to the results or effects of the actions, and the arcs $F$ denote the consequence relation between $P$ and $T$.

To compute the model parameters and obtain the equilibrium strategies, we then construct the combined model from the player models above as follows.

(1) Combine the places $P$ that denote the same meaning in the SGN models of different players. According to Proposition 1, there must be some places in which different players can take their actions.
(2) Use the computed mixed strategy $\pi$ as the choice probabilities of the transitions $T$ in the whole model.
(3) Assign the rates $\lambda$ to each transition $t \in T$ of the SGN; they express the different action abilities of the players.

With the above algorithm, the SGN model can be computed and analyzed easily.
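As an added example that is not code from the paper, the following Python block carries out the equilibrium step of Algorithm 1 (line 05) for the zero-sum special case of a competitive SGN (Definition 5). Instead of the nonlinear program (1) it uses Shapley's value iteration, which for a discounted zero-sum stochastic game solves one matrix game per state and iterates the value vector to a fixed point; it then checks the no-profitable-deviation condition of Definitions 6 and 7. The two-state attacker/administrator game, its action names, rewards, transition probabilities and the discount factor $\delta = 0.9$ are constructed for this example and are not taken from Fig. 4 or Table 1.

```python
"""Added example (editor's illustration, not code from the paper): mixed-strategy
Nash equilibrium of a small two-player zero-sum stochastic game by Shapley's
value iteration, plus a check of the Definition 6/7 deviation condition.
The game below is constructed for the example; all numbers are assumptions."""

DELTA = 0.9  # discount factor delta of the expected-return utility

# Constructed game.  States: 0 = Normal_operation, 1 = Server_compromised.
# Attacker = row player (maximiser), administrator = column player (minimiser);
# the game is zero-sum, so the administrator's reward is -R.
ACTIONS = {
    0: (["Attack_httpd", "Attack_ftpd"], ["Harden_httpd", "Harden_ftpd"]),
    1: (["Capture_data", "Install_sniffer"], ["Remove_compromised_account", "Monitor_only"]),
}
# R[s][a][d]: attacker's immediate reward for joint action (a, d) in state s.
R = {
    0: [[-5.0, 10.0],
        [10.0, -5.0]],
    1: [[20.0, 50.0],
        [0.0, 30.0]],
}
# P[s][a][d]: probability distribution over the next state (index 0, index 1).
P = {
    0: [[(1.0, 0.0), (0.3, 0.7)],
        [(0.3, 0.7), (1.0, 0.0)]],
    1: [[(1.0, 0.0), (0.2, 0.8)],
        [(1.0, 0.0), (0.0, 1.0)]],
}


def solve_2x2(M):
    """Value and optimal mixed strategies of a 2x2 zero-sum matrix game.
    Row player maximises.  Returns (value, (p0, p1), (q0, q1))."""
    (a, b), (c, d) = M
    row_mins = [min(a, b), min(c, d)]
    col_maxs = [max(a, c), max(b, d)]
    maximin, minimax = max(row_mins), min(col_maxs)
    if maximin == minimax:  # pure saddle point
        i, j = row_mins.index(maximin), col_maxs.index(minimax)
        return maximin, (1.0 - i, float(i)), (1.0 - j, float(j))
    denom = a - b - c + d  # non-zero whenever there is no saddle point
    p, q = (d - c) / denom, (d - b) / denom  # equalising strategies
    return (a * d - b * c) / denom, (p, 1.0 - p), (q, 1.0 - q)


def stage_matrix(s, V, delta=DELTA):
    """Shapley operator: immediate reward plus discounted continuation value."""
    return [[R[s][a][d] + delta * sum(pr * V[s2] for s2, pr in enumerate(P[s][a][d]))
             for d in range(2)] for a in range(2)]


def shapley(delta=DELTA, tol=1e-10, max_iter=100_000):
    """Iterate V <- val(stage matrices) until convergence; return the game
    values V and the stationary equilibrium strategies per state."""
    V = {s: 0.0 for s in R}
    for _ in range(max_iter):
        sol = {s: solve_2x2(stage_matrix(s, V, delta)) for s in R}
        newV = {s: sol[s][0] for s in R}
        converged = max(abs(newV[s] - V[s]) for s in R) < tol
        V = newV
        if converged:
            break
    return V, {s: (sol[s][1], sol[s][2]) for s in R}


def is_equilibrium(V, strat, delta=DELTA, tol=1e-6):
    """Definition 6/7 check: in no state can the attacker raise, or the
    administrator lower, the stage value by deviating unilaterally."""
    for s in R:
        M, (p, q) = stage_matrix(s, V, delta), strat[s]
        best_att = max(sum(q[d] * M[a][d] for d in range(2)) for a in range(2))
        best_adm = min(sum(p[a] * M[a][d] for a in range(2)) for d in range(2))
        if best_att > V[s] + tol or best_adm < V[s] - tol:
            return False
    return True


if __name__ == "__main__":
    V, strat = shapley()
    for s in R:
        print(f"state {s}: value {V[s]:.3f}, attacker pi={strat[s][0]}, admin pi={strat[s][1]}")
    print("Nash equilibrium:", is_equilibrium(V, strat))
```

In the constructed game the Normal_operation state is a matching-pennies situation, so the equilibrium is mixed (both players choose each action with probability 0.5, much like the fractional $\pi$ values of Table 1), while in Server_compromised both players have a dominant pure action. The same iteration applies to any finite zero-sum SGN once each place's enabled transitions are written as a stage matrix; for general-sum games the per-state matrix game has to be replaced by the nonlinear program (1).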

4 Security in enterprise network

4.1 Enterprise network

Enterprise networks interconnect islands of departmental, local and remote computing and communication resources. They bring many benefits to the organizations using them, such as greater efficiency and more flexibility in employees' work habits. The role of enterprise networks keeps expanding in support of both internal and external connectivity, in the form of emerging Internet, intranet and extranet applications. Unfortunately, for all kinds of reasons, such networks are always exposed to the hazard of illegal intrusion, which gives rise to the dilemma faced by those taking part in the information economy. Security has become an ever more critical element of enterprise network design and implementation.

Consider the enterprise network shown in Fig. 1 (left). It consists of the Internet and an intranet. The intranet includes at least an administration server, an information center and some workstations. The perimeter router connects to the ISP router over a serial line. For the security analysis we simplify the network to Fig. 1 (right). In the reduced graph, a node is a physical entity such as a server or workstation. We model the security threat by the node Attacker, and the defense, the administrator's part, by the nodes InforCenter, AdminServer and Workstation. An edge in the graph represents a direct communication path.

Fig. 1 Enterprise network and its security role model

4.2 Action

An action pair (one action of the attacker and one of the administrator) causes the system to move from one state to another in a probabilistic manner. A single action of the attacker can be any part of his attack strategy, such as flooding a server with SYN packets or downloading the password file. When a player does nothing, we denote this inaction by $\phi$. The attacker's action set consists of all the actions he can take in all states: {Attack_httpd, Attack_ftpd, Continue_attacking, Deface_webportal_leave, Install_sniffer, Run_DOS_virus, Crack_Inforcenter_root_password, Crack_workstation_root_password, Capture_data, Shutdown_network}. His candidate actions in each state are all or a subset of these; for example, in the state Normal_operation the attacker has the actions Attack_httpd, Attack_ftpd and $\phi$. The administrator's actions are mainly preventive or restorative measures: {Remove_compromised_account_restart_httpd, Restore_webportal_remove_compromised_account, Remove_virus_compromised_account, Install_sniffer_detector, Remove_sniffer_detector, Remove_compromised_account_restart_ftpd, Remove_compromised_account_sniffer}. The meaning of these actions is similar to that in Lye's work [1]. We assume that the administrator does not know whether there is an attacker or not. The attacker may also have several objectives and strategies that the administrator does not know, and not all of the attacker's actions can be observed.

5 SGN model of enterprise network

In this section we describe the main security problems of the enterprise network with an SGN model. The transitions of the model are derived from the actions of the attacker and the administrator given in Sect. 4, and the places represent the effects of these actions on the enterprise network. Figure 2 shows the attacker's model and Fig. 3 the administrator's viewpoint. In these figures, places represent network states and carry a symbolic name; each transition is labeled with an action and a pair $(p, r)$, where $p$ is the probability of the transition and $r$ its reward. We defined the numerical reward values of the transitions according to the importance network administrators attach to the attack steps in daily operation and to the Risk Management Guide for Information Technology Systems [15]. For reasons of space, the parameter values of each action are shown in Figs. 2 and 3. We assume that whenever the administrator detects a launched attack, he adopts the corresponding defense steps. As Fig. 3 shows, the administrator's view is a group of models. By the combination method above, the SGN combination model of Fig. 4 is obtained; the meanings of its transitions are listed in Table 1. In Fig. 4, the gray transitions denote the attacker's actions and the white transitions the administrator's actions. Table 1 also gives $\lambda$ and $\pi$ for each transition, where $\lambda$ denotes the action ability and $\pi$ the choice probability. The values of the choice probabilities $\pi$ are the Nash equilibrium strategies computed with Algorithm 1 of Sect. 3, and the values of the action abilities $\lambda$ are assumed based on the difficulty of the real attack steps.

Fig. 2 Attacker's view model

Fig. 3 Administrator's view model

Fig. 4 SGN combination model

6 Security analysis

In this section we analyze the security of the enterprise network from three aspects. First, typical security evaluation factors are considered; second, the relations between the motivation of a network attack and the attack and defense behaviors are examined; and finally, to give an overall awareness of network security, the overall security condition is discussed and quantified from three points of view.

6.1 Typical security factors

6.1.1 The probability of a successful attack

The probability of a successful attack is the probability that the attacker completes an attack successfully. In our model the initial position contains a token, and each attack target has two possible states, as shown in Fig. 4. If a target place contains a token, we consider the attack successful. Hence the probability of a successful attack is
$$P_s = 1 - P\{M(g) = 0\},$$
where $M(g)$ denotes the number of tokens in the target place $g$. Since a target place holds at most one token, this equals $P_s = P\{M(g) = 1\}$, which we compute with the software package SPNP (Stochastic Petri Net Package) [16]. Figure 5 shows how the probability of a successful attack varies over time and with the arrival rate of attacks $\lambda$.
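The following Python block is an added example, not the paper's SPNP model, that works through two passages of this paper at once: the firing rule of Definition 1 in Sect. 2 (places, transitions with pre- and post-sets, rates $\lambda$, choice probabilities $\pi$ and reward vectors $R(t)$) and the computation of $P_s = P\{M(g) = 1\}$ in this subsection. It generates the reachability graph of a small constructed net, turns it into a continuous-time Markov chain and solves for the steady-state probability that a target place is marked, which is what step 08 of Algorithm 1 delegates to SPNP. The four-place net, its action names and all numbers are constructed for the example, and the combination of $\lambda$ and $\pi$ into an effective rate $\lambda \cdot \pi$ is an assumption about how the two Table 1 parameters enter the Markov process.

```python
"""Added example (editor's illustration, not the paper's SPNP model): a small
stochastic game net in the sense of Definition 1 whose transitions carry a
rate lambda, a choice probability pi and a reward vector, solved for the
steady-state probability P_s = P{M(g) = 1} of Sect. 6.1.1.
Assumption: the CTMC rate of a transition is lambda * pi.  The net and all
its numbers are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    name: str
    player: int     # 1 = attacker, 2 = administrator  (T = T^1 U T^2)
    pre: tuple      # pre-set: places that must hold a token for t to be enabled
    post: tuple     # post-set: places that receive a token when t fires
    rate: float     # lambda, the action ability
    prob: float     # pi, the choice probability from the equilibrium strategy
    reward: tuple   # R(t) = (R^1(t), R^2(t))


PLACES = ("Normal_operation", "Httpd_hacked", "Data_stolen", "Sniffer_installed")
M0 = (1, 0, 0, 0)  # initial marking M0: one token in Normal_operation
TRANSITIONS = (
    Transition("Attack_httpd", 1, ("Normal_operation",), ("Httpd_hacked",), 1.0, 1.0, (10, 0)),
    Transition("Capture_data", 1, ("Httpd_hacked",), ("Data_stolen",), 2.0, 0.6, (1000, 0)),
    Transition("Install_sniffer", 1, ("Httpd_hacked",), ("Sniffer_installed",), 2.0, 0.4, (10, 0)),
    Transition("Remove_account_restart_httpd", 2, ("Httpd_hacked",), ("Normal_operation",), 2.0, 1.0, (0, -10)),
    Transition("Remove_sniffer", 2, ("Sniffer_installed",), ("Normal_operation",), 1.5, 1.0, (0, -10)),
    Transition("Restore_webportal", 2, ("Data_stolen",), ("Normal_operation",), 0.5, 1.0, (0, -100)),
)


def enabled(marking, t):
    """Firing rule: t is enabled iff every place of its pre-set holds a token."""
    return all(marking[PLACES.index(p)] > 0 for p in t.pre)


def fire(marking, t):
    """Remove one token from each pre-set place and add one to each post-set place."""
    m = list(marking)
    for p in t.pre:
        m[PLACES.index(p)] -= 1
    for p in t.post:
        m[PLACES.index(p)] += 1
    return tuple(m)


def reachability(m0):
    """Exhaustively generate all reachable markings and the firings between them."""
    states, edges, todo = [m0], [], [m0]
    while todo:
        m = todo.pop()
        for t in TRANSITIONS:
            if enabled(m, t):
                m2 = fire(m, t)
                edges.append((m, m2, t))
                if m2 not in states:
                    states.append(m2)
                    todo.append(m2)
    return states, edges


def steady_state(states, edges):
    """Solve pi Q = 0, sum(pi) = 1 for the CTMC by Gauss-Jordan elimination."""
    n, idx = len(states), {m: i for i, m in enumerate(states)}
    Q = [[0.0] * n for _ in range(n)]
    for m, m2, t in edges:
        if m != m2:  # self-loops do not change the marking
            r = t.rate * t.prob
            Q[idx[m]][idx[m2]] += r
            Q[idx[m]][idx[m]] -= r
    # n-1 balance equations (columns of Q) plus the normalisation row.
    A = [[Q[i][j] for i in range(n)] + [0.0] for j in range(n - 1)]
    A.append([1.0] * n + [1.0])
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col and A[r][col] != 0.0:
                f = A[r][col] / A[col][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return {states[i]: A[i][n] / A[i][i] for i in range(n)}


def attack_success_probability(target, m0=M0):
    """P_s = 1 - P{M(g) = 0}: steady-state probability that place g is marked."""
    states, edges = reachability(m0)
    prob, g = steady_state(states, edges), PLACES.index(target)
    return 1.0 - sum(p for m, p in prob.items() if m[g] == 0)


def reward_rates(m0=M0):
    """Long-run reward per unit time of (attacker, administrator): for each
    marking, its probability times lambda*pi*R^k(t) of every enabled t."""
    states, edges = reachability(m0)
    prob, rates = steady_state(states, edges), [0.0, 0.0]
    for m, _, t in edges:
        for k in range(2):
            rates[k] += prob[m] * t.rate * t.prob * t.reward[k]
    return tuple(rates)


if __name__ == "__main__":
    for place in PLACES:
        print(f"P{{M({place}) = 1}} = {attack_success_probability(place):.4f}")
    print("reward rate (attacker, administrator):", reward_rates())
```

The steady-state vector is exact for this net (60/119, 15/119, 36/119 and 8/119 for the four places in the order listed), so P_s for Data_stolen is 36/119, about 0.30. Raising the administrator's rates or lowering the attacker's choice probability for Capture_data moves tokens back towards Normal_operation, which is the effect of the attack arrival rate $\lambda$ that Fig. 5 plots for the paper's model.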


Table 1 Parameters of the combination model

Attack actions

T      Meaning                             r      λ     π
tat1   Attack_httpd                        10     1     1
tat2   Attack_ftpd                         10     1     0
tat3   Continue_attacking                  0      0.5   1
tat4   Continue_attacking                  0      0.5   1
tat5   Continue_attacking                  0      0.5   1
tat6   Continue_attacking                  0      0.5   1
tat7   Deface_webportal_leave              90     2     0.33
tat8   Install_sniffer                     10     2     0.1
tat9   Install_sniffer                     10     2     0.1
tat10  Install_sniffer                     10     2     1
tat11  Install_sniffer                     10     2     1
tat12  RunDOS_virus                        30     1.5   0
tat13  Crack_Infor_center_root_password    50     1.5   0.5
tat14  Crack_workstation_root_password     50     1.5   0.5
tat15  Capture_data                        1,000  2     1
tat16  Capture_data                        1,000  2     1
tat17  Shutdown_network                    50     2     1
tat18  Shutdown_network                    50     2     1

Defense actions

T      Meaning                                        r      λ     π
tad1   Remove_sniffer_detector                        −10    1.5   1
tad2   Remove_sniffer_detector                        −90    1.5   1
tad3   Remove_sniffer_detector                        −30    1.5   0.6
tad4   Remove_compromised_account_restart_httpd       −100   2     0.7
tad5   Remove_compromised_account_restart_ftpd        −10    2     0.7
tad6   Remove_sniffer_detector                        −10    1.5   0.6
tad7   Remove_compromised_account_sniffer             −10    2     1
tad8   Restore_webportal_remove_compromised_account   −10    0.5   0.23
tad9   Remove_virus_and_compromised_account           −10    0.5   0.9
tad10  Remove_virus_and_compromised_account           −20    0.5   0.33
tad11  Remove_compromised_account_sniffer             −20    0.75  0.9
tad12  Remove_compromised_account_sniffer             −20    0.75  0.9

6.1.2 Mean time for a successful attack

The mean time of a successful attack is the average time needed to carry out an attack. We evaluated a number of successful attack paths, which include three successful attack targets: Webportal_defaced, Adminserver_DoS and Inforcenter_data_stolen_1 (or Workstation_data_stolen_1). Therefore, the mean time of a successful attack (t) is given by

$$t = \frac{\sum_{i=1}^{n} \sum_{j=1}^{m_k} T}{n} \quad (2)$$

$$T = \frac{1}{TH} \quad (3)$$

where n and m denote the number of attack paths and the number of transitions in an attack path, respectively, TH and T are the throughput and the response time of a transition, respectively, and k stands for the number of transitions. The variation of the mean time of a successful attack over time and over the arrival rate of attack (λ) is depicted in Fig. 6.

Fig. 5 The probability of successful attack changes in the enterprise network, with λ = 0.25, 1, 10, respectively

Fig. 6 Mean time for a successful attack changes in the enterprise network, with λ = 1, 10, respectively

6.1.3 Mean time to repair

We define the mean time to repair (MTTR) as the time from failure to recovery. In this case, it is the time to recover the system or site after its destruction by some kind of attack. Therefore, the mean time to repair is given by

$$MTTR = \frac{\sum_{i=1}^{n} TH_i}{m \times \lambda \times \pi} \quad (4)$$

where λ denotes the transition firing rate and π is the probability of choosing a particular transition. The variation of the mean time to repair over time and over the arrival rate of attack (λ) is shown in Fig. 7.

Fig. 7 Mean time to repair (MTTR), with λ = 1, 10, respectively

According to Figs. 5, 6 and 7, the probability of a successful attack, the mean time of a successful attack and the mean time to repair have no direct relation. The attacker will prevail because we only consider successful attacks, although the mean time of a successful attack increases and the action Shutdown_network takes longer as λ grows. The contrast between Figs. 5 and 6 shows that, with increasing λ, the probability of a successful attack is higher, but after a period of time the required time for a successful attack becomes longer. This is because the higher the value of λ, the more easily the defender can detect the attacker. According to formula (2), in order to increase the mean time of a successful attack, the defender should increase the number of transitions k by complicating the topology of the network, and decrease the number of attack paths (n) by regularly fixing system vulnerabilities and upgrading antivirus software in a timely manner. Figure 7 shows the trend of the mean time to repair, which increases at first, then decreases, and finally recovers. Comparing Figs. 6 and 7, we confirm that low λ is more destructive to network security, because after the beginning phase of the attack it takes a shorter time for a successful attack and a longer time to repair. Therefore, we must strengthen the detection and prevention of low-λ attacks at the beginning. According to formula (4), reducing i is a good way to decrease the mean time to repair (MTTR). However, this conclusion conflicts with the mean time for a successful attack. Accordingly, we should choose specific strategies for specific requirements.

6.2 Statistical results of attack and defense behaviors

According to the US-CERT [17] (United States-Computer Emergency Response Team) annual report 2009, the motivation of network attacks has shifted gradually from showing off technology to commercial or personal interests. For example, attackers tend to steal commercial competitors' user accounts, passwords and other important data. Based on these observations, we categorize the attack and defense behaviors into three types according to the motivation of the network attack: network destroying, data stealing and random attacking. Here, network destroying is the destruction of a website or network system; data stealing does not destroy the network system but breaks in and steals important and crucial data; random attacking covers any other attack that has no specific purpose.

6.2.1 The proportion of the number and time-consuming of attack actions

In our model, we define an attack action as stealing critical data or destroying a system or website. The proportion of the number (PN) and the proportion of the time consumed (PT) by attack actions are given by

$$PN = \frac{\sum_{i=1}^{n} TH_i}{\sum_{i=1}^{n} \sum_{j=1}^{m} TH_i^{j}} \quad (5)$$

$$PT = \frac{\sum_{i=1}^{n} T_i}{\sum_{i=1}^{n} \sum_{j=1}^{m} T_i^{j}} \quad (6)$$

where T = 1/TH and all other parameters have the same meaning as in formula (4). PN denotes the proportion of the number, and PT similarly denotes the proportion of the time consumed. The variation of PN and PT of attack actions over time and over the arrival rate of attack (λ) is depicted in Figs. 8 and 9.

Fig. 8 PN of attack actions (%)

Fig. 9 PT of attack actions (%)

6.2.2 The proportion of the number and time-consuming of defense actions

With the same principles as for attacks, we define defense actions as the tactics used to prevent the invasion of attacks by various defensive methods and to restore the system. So the proportion of the number and of the time consumed by defense actions can also be expressed by formulas (5) and (6).

Fig. 10 PN of defense actions (%)

Fig. 11 PT of defense actions (%)

Figures 10 and 11 illustrate PN and PT of defense actions varying over time and over the arrival rate of attack (λ). For convenience in drawing, we abbreviate the legend names of the actions of Sect. 4.2 as follows: Attack_httpd (Httpd), Attack_ftpd (Ftpd), Install_sniffer (Inst-snif), Deface_webportal_leave (Def-web), RunDOS_virus (DoS) and Shutdown_network (Net-shut); Remove_sniffer_detector (Rem-sni), Remove_compromised_account_sniffer (Rem-com), Remove_virus_and_compromised_account (Rem-acc), Remove_compromised_account_restart_httpd & ftpd (Res-d) and Restore_webportal_remove_compromised_account (Res-web). In Fig. 8, the PN of Httpd approximately equals the proportion of all other attack actions for every motivation of network attack, which indicates that most attacks are launched through the web channel. Furthermore, there is a sharp contrast between Figs. 8 and 9: Httpd has the smallest PT although it occupies half of the total PN, while Inst-snif takes the largest PT. These experimental results show that Inst-snif is very critical among all attack actions although its PN is small, which is why we consider it the most important factor in evaluating the severity of an attack.
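The following Python example, added here and not part of the paper, evaluates formulas (2) to (6) on constructed throughput values for the three successful attack paths named in Sect. 6.1.2. The transition names follow Table 1, the TH values are made up, and the reading of (5) and (6) as one action's share of the total throughput and of the total response time over all transitions of all paths is an assumption.

```python
"""
Path-based metrics of Sect. 6.1.2, 6.1.3 and 6.2 on constructed throughput data.

Added example, not from the paper. Throughput (TH) values per transition are
constructed, not SPNP output; the interpretation of formulas (5) and (6) as
"one action's throughput / response time divided by the total over all
transitions of all successful attack paths" is an assumption.
"""

# Constructed successful attack paths: target -> list of (transition, TH).
# Transition names follow Table 1; throughput values are made up.
ATTACK_PATHS = {
    "Webportal_defaced": [
        ("Attack_httpd", 1.0), ("Continue_attacking", 0.5), ("Deface_webportal_leave", 0.5)],
    "Adminserver_DoS": [
        ("Attack_httpd", 1.0), ("Continue_attacking", 0.5), ("RunDOS_virus", 0.3)],
    "Inforcenter_data_stolen_1": [
        ("Attack_httpd", 1.0), ("Install_sniffer", 0.2), ("Capture_data", 0.25)],
}


def response_time(throughput):
    """Formula (3): T = 1 / TH."""
    return 1.0 / throughput


def mean_time_to_success(paths):
    """Formula (2): average over the n paths of the summed response times of their transitions."""
    total = sum(response_time(th) for path in paths.values() for _, th in path)
    return total / len(paths)


def mean_time_to_repair(defense_throughputs, m, lam, pi):
    """Formula (4): MTTR = sum_i TH_i / (m * lambda * pi).

    `defense_throughputs` are the n observed throughputs TH_i of a defensive
    transition with firing rate lam, chosen with probability pi.
    """
    return sum(defense_throughputs) / (m * lam * pi)


def action_proportions(paths):
    """Formulas (5) and (6): PN and PT per action name; each map sums to 1."""
    th_by_action, t_by_action = {}, {}
    for path in paths.values():
        for name, th in path:
            th_by_action[name] = th_by_action.get(name, 0.0) + th
            t_by_action[name] = t_by_action.get(name, 0.0) + response_time(th)
    total_th = sum(th_by_action.values())
    total_t = sum(t_by_action.values())
    pn = {name: th / total_th for name, th in th_by_action.items()}
    pt = {name: t / total_t for name, t in t_by_action.items()}
    return pn, pt


def dominant_actions(paths):
    """The action with the largest PN and the one with the largest PT (the Figs. 8/9 comparison)."""
    pn, pt = action_proportions(paths)
    return max(pn, key=pn.get), max(pt, key=pt.get)


if __name__ == "__main__":
    print(f"mean time for a successful attack t = {mean_time_to_success(ATTACK_PATHS):.3f}")
    print(f"MTTR for Remove_sniffer_detector = {mean_time_to_repair([1.5, 1.5], 2, 1.5, 1.0):.3f}")
    pn, pt = action_proportions(ATTACK_PATHS)
    for name in pn:
        print(f"{name:<24} PN={pn[name]:.3f}  PT={pt[name]:.3f}")
    print("largest PN / largest PT:", dominant_actions(ATTACK_PATHS))
```

With these constructed inputs the frequent, fast Attack_httpd step dominates PN while the slow Install_sniffer step dominates PT, which is the same kind of contrast the paper draws between Figs. 8 and 9; the absolute numbers carry no meaning beyond the example.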


Meanwhile, Rem-sni and Rem-com constitute the main defense behaviors, as shown in Fig. 10, which indicates that most of the defensive behaviors are performed after the attack and lack pre-judgement of unknown attacks. A comparison between Figs. 10 and 11 reveals that defensive behaviors are influenced by the types and motives of the attack. According to Figs. 8, 9 and 11, Rem-sni takes less PT than Inst-snif, which shows that current attackers have enough patience to attack until they succeed, because of the interests at stake. After a successful attack, the defensive action Rem-com takes most of PT and PN, which guides us to adopt appropriate defense strategies according to different network environments.

6.3 Overall evaluation on security issues

6.3.1 Confidentiality

Confidentiality is the absence of unauthorized disclosure of information and is denoted as the probability that important data and information are not stolen or tampered with. So the confidentiality is given by

$$C = P_{Inforcenter\_data\_stolen\_1} \times P_{Workstation\_data\_stolen\_1}$$

where $P_{Inforcenter\_data\_stolen\_1}$ and $P_{Workstation\_data\_stolen\_1}$ denote the probability that the number of tokens is zero in the places Inforcenter_data_stolen_1 and Workstation_data_stolen_1, respectively. The variation of confidentiality over time is shown in Fig. 12.

Fig. 12 Confidentiality changes in the enterprise network

6.3.2 Integrity

Integrity is the absence of improper system alterations, preventing improper or unauthorized change. Here, it is described as the probability that the normal network services are affected or destroyed. So the integrity is given by

$$I = P_{Webportal\_defaced} \times P_{Adminserver\_DoS} \times P_{Network\_shut\_down}$$

where $P_{Webportal\_defaced}$, $P_{Adminserver\_DoS}$ and $P_{Network\_shut\_down}$ denote the probability that the number of tokens is zero in the places Webportal_defaced, Adminserver_DoS and Network_shut_down, respectively. The variation of integrity over time is depicted in Fig. 13.

Fig. 13 Integrity changes in the enterprise network

6.3.3 Availability

Availability means that systems are available when needed and that computing resources can be accessed by authorized users at any time. Here, it is described as whether authorized users can access the information when necessary, if we consider the probability that the normal network services are affected or destroyed. So the availability can be expressed by the following approximate and simple formula

$$A = \theta \times t_{RunDOS\_virus}$$

where $t_{RunDOS\_virus} = \frac{1}{\lambda} \times \sum_{i=1}^{n} TH_i$. A stands for availability, $t_{RunDOS\_virus}$ is the time required for a successful RunDOS_virus, and θ denotes the proportion of A and equals 1 in this model. Other parameters have the same meaning as in Sect. 6.1. The variation of availability over time and over the arrival rate of attack (λ) is depicted in Fig. 14. Comparing Figs. 12, 13 and 14, we find that confidentiality, integrity and availability decrease at the beginning and then increase as time passes. Therefore, it is crucial to the safety of the system that the administrator discovers the attack as early as possible, or nips the attack in the bud. In Fig. 14, when λ equals 10, the availability of the system is better than for other λ after a certain point in network system time, which means the administrator should focus on low λ in the long term.


Fig. 14 Availability changes in the enterprise network, with λ = 0.25, 1, 10, respectively

7 Conclusion

In this paper, we propose a security model for enterprise networks based on a novel modeling method, SGN, which is well suited to modeling and handling complicated and dynamic game issues. The model inherits the efficient and flexible modeling approach of stochastic Petri nets and also makes good use of the game-theoretic framework of stochastic game theory. Based on it, we computed the strategy π as the choice probabilities under Nash equilibrium and analyzed the security of the enterprise network. Moreover, based on a series of experiments, we pointed out that with high λ the mean time for a successful attack is longer while the mean time to repair is shorter after a certain time point. We also analyzed three overall evaluation factors on security issues and observed that the availability is better with high λ in practice. Future work includes determining and calculating the specific time point.

Acknowledgments This work was supported by the National Natural Science Foundation of China (no. 61173008, no. 60803123, no. 60933005 and no. 60873193), the Projects of Development Plan of the State High Technology Research (no. 2010AA012502), and the National Information Security Foundation of China (no. 2010F032).

References

1. Lye, K., Wing, J.M.: Game strategies in network security. In: Proceedings of the 15th IEEE Computer Security Foundations Workshop (2002)
2. Mahimkar, A., Shmatikov, V.: On the advantage of network coding for improving network throughput. In: Proceedings of the 18th IEEE Computer Security Foundations Workshop (2005)
3. Liu, P., Zang, W., Yu, M.: Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Trans. Inf. Syst. Secur. 8(1), 78–118 (2005)
4. Wang, X., Reiter, M.: Defending against denial-of-service attacks with puzzle auctions. In: Proceedings of IEEE Security and Privacy (2003)
5. Bencsáth, B., Buttyán, L., Vajda, I.: A game based analysis of the client puzzle approach to defend against DoS attacks. In: Proceedings of the IEEE Conference on Software, Telecommunications and Computer Networks (2003)
6. Xu, J., Lee, W.: Sustaining availability of web services under distributed denial of service attacks. IEEE Trans. Comput. 52(2), 195–208 (2003)
7. Browne, R.: Defensive infrastructure for survivability against multi-mode attacks. In: Proceedings of 21st Century Military Communication-Architectures and Technologies for Information Superiority (2000)
8. Nicol, D.M., Sanders, W.H., Trivedi, K.S.: Model-based evaluation: from dependability to security. IEEE Trans. Dependability Secur. Comput. 1(1), 48–65 (2004)
9. Shapley, L.S.: Stochastic games. In: Proceedings of the National Academy of Sciences, pp. 1095–1100 (1953)
10. Molloy, M.K.: Performance analysis using stochastic Petri nets. IEEE Trans. Comput. 31(9), 913–917 (1982)
11. Ciardo, G., Blakemore, A., Chimento, P.F., Trivedi, K.S.: Automated generation and analysis of Markov reward models using stochastic reward nets. In: Meyer, C., Plemmons, R. (eds.) Linear Algebra, Markov Chains and Queuing Models, IMA Volumes in Mathematics and its Applications, vol. 48, pp. 145–191. Springer, Heidelberg (1993)
12. Wang, Y.Z., Lin, C., Wang, Y., Meng, K.: Security analysis of enterprise network based on stochastic game nets model. In: ICC '09 Communication and Information Systems Security Symposium (2009)
13. Lin, C., Wang, Y., Wang, Y.: A stochastic game nets based approach for network security analysis. In: Proceedings of the 29th International Conference on Application and Theory of Petri Nets and other Models of Concurrency, Concurrency Methods: Issues and Applications, pp. 21–23 (2008)
14. Nash, J.: Equilibrium points in n-person games. In: Proceedings of the National Academy of Sciences, vol. 36, pp. 48–49 (1950)
15. Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. National Institute of Standards and Technology, Gaithersburg, Special Publication 800-30. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (2001). Accessed 1 Jun 2007
16. Ciardo, G., Muppala, J., Trivedi, K.S.: SPNP: Stochastic Petri net package. In: Proceedings of Petri Nets and Performance Models, pp. 142–151 (1989)
17. United States-Computer Emergency Response Team. http://www.us-cert.gov/
18. Wang, Y., Lin, C., Meng, K.: Security analysis for online banking system using hierarchical stochastic game nets model. In: Proceedings of the IEEE Global Communications Conference (2009)
