Out-learning Attackers: A Game Theoretic Approach to Cyber Defense

John Musacchio (johnm@soe.ucsc.edu) UC Santa Cruz,
Greg Frazier BAE Systems

February 2009 project start
Supported by the AFOSR Information Operations and Security Program
The conventional approach to cyber defense against attackers is to: i) make systems difficult to infiltrate, ii) detect infiltrations as soon as possible, and iii) expel the attackers when they are detected. A fundamental problem with this approach is that it encourages attackers to try again, and in subsequent attempts, they are likely to have learned more about the defender's systems than the defender has learned about the attacker. Consequently, each attack is more likely to achieve the attacker's objectives. From this perspective, a cyber defense strategy should not only keep attackers out, but should also enable a defender to learn about an attacker's methods and intentions faster than the attacker can learn about the defender.
The approach of "out-learning" an attacker is particularly appropriate for Air Force systems. Attackers of Air Force systems have a wide range of objectives, from espionage, to attacks motivated by financial gain or satisfaction of ego. Attackers of Air Force systems are also likely to be persistent in trying different forms of attack until they achieve success. This combination of attacker diversity and persistence makes it urgent that the Air Force develop both techniques for learning about attackers by classifying their objectives and methods, as well as models for deciding how to react to detected attackers in a way that balances the opportunity to learn with the risk of allowing an attacker to remain in the system.
Our project, which just began this year, addresses this urgent need by undertaking the following three interrelated tasks: 1) develop game theoretic models for optimizing defender strategy in the presence of learning effects, 2) design algorithms to learn about an attacker by classifying his objectives, 3) combine the classification and strategy optimization methods of tasks 1 and 2 to develop integrated strategies for defending secure systems.