{"title":"通过脉冲微分博弈方法对先进持续性威胁的防御外包进行建模和研究","authors":"","doi":"10.1016/j.cose.2024.104003","DOIUrl":null,"url":null,"abstract":"<div><p>Advanced persistent threat (APT) poses serious threat to organizations with rich digital assets. APT detection programs designed for quickly finding possibly hijacked hosts are now commercially available. This greatly reduces the workload of APT defense. In practice, the identification and repair of APT-hijacked hosts are out of a system administrator’s capability and have to be outsourced to an established cybersecurity firm. Owing to the limited security budget, the APT defense can be outsourced only in a small number of maintenance periods. We refer to the sequence of outsourcing costs paid in these maintenance periods as an impulsive defense (ID) strategy. On the other hand, APT is time-continuous. We refer to the growth rate function of the attack cost over time as a continuous attack (CA) strategy. In the context that the APT actor is strategic and pursues a cost-effective CA strategy, the organization faces the problem of finding a cost-effective ID strategy (the single-impulsive defense (SID) problem). This paper addresses the SID problem through game-theoretic modeling. Based on an impulsive state evolutionary model, the SID problem is boiled down to a single-impulsive differential game model (the SID model). By applying single-impulsive differential game theory, an iterative algorithm of solving the SID problem is presented. The ID strategy obtained by running the algorithm is corroborated to be cost-effective under the Nash equilibrium solution concept. Therefore, we recommend the ID strategy. This work takes the first step toward the theoretic study of APT defense outsourcing in the presence of strategic attacker.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8000,"publicationDate":"2024-07-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Modeling and study of defense outsourcing against advanced persistent threat through impulsive differential game approach\",\"authors\":\"\",\"doi\":\"10.1016/j.cose.2024.104003\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Advanced persistent threat (APT) poses serious threat to organizations with rich digital assets. APT detection programs designed for quickly finding possibly hijacked hosts are now commercially available. This greatly reduces the workload of APT defense. In practice, the identification and repair of APT-hijacked hosts are out of a system administrator’s capability and have to be outsourced to an established cybersecurity firm. Owing to the limited security budget, the APT defense can be outsourced only in a small number of maintenance periods. We refer to the sequence of outsourcing costs paid in these maintenance periods as an impulsive defense (ID) strategy. On the other hand, APT is time-continuous. We refer to the growth rate function of the attack cost over time as a continuous attack (CA) strategy. In the context that the APT actor is strategic and pursues a cost-effective CA strategy, the organization faces the problem of finding a cost-effective ID strategy (the single-impulsive defense (SID) problem). This paper addresses the SID problem through game-theoretic modeling. Based on an impulsive state evolutionary model, the SID problem is boiled down to a single-impulsive differential game model (the SID model). By applying single-impulsive differential game theory, an iterative algorithm of solving the SID problem is presented. The ID strategy obtained by running the algorithm is corroborated to be cost-effective under the Nash equilibrium solution concept. Therefore, we recommend the ID strategy. This work takes the first step toward the theoretic study of APT defense outsourcing in the presence of strategic attacker.</p></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":4.8000,\"publicationDate\":\"2024-07-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404824003080\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824003080","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
摘要
高级持续威胁(APT)对拥有丰富数字资产的组织构成严重威胁。旨在快速发现可能被劫持的主机的 APT 检测程序现在已经可以在市场上买到。这大大减少了 APT 防御的工作量。实际上,识别和修复被 APT 劫持的主机超出了系统管理员的能力范围,必须外包给成熟的网络安全公司。由于安全预算有限,APT 防御只能在少量维护期内外包。我们将这些维护期内支付的外包费用序列称为冲动防御(ID)策略。另一方面,APT 是时间连续的。我们将攻击成本随时间变化的增长率函数称为持续攻击(CA)策略。在 APT 行为者具有战略眼光并追求具有成本效益的 CA 战略的情况下,组织面临着寻找具有成本效益的 ID 战略的问题(单次冲动防御 (SID) 问题)。本文通过博弈论建模来解决 SID 问题。基于冲动状态演化模型,SID 问题被归结为单冲动微分博弈模型(SID 模型)。通过应用单冲微分博弈论,提出了一种解决 SID 问题的迭代算法。在纳什均衡解概念下,运行该算法得到的 ID 策略被证实是经济有效的。因此,我们推荐使用 ID 策略。这项工作迈出了在战略攻击者存在的情况下进行 APT 防御外包理论研究的第一步。
Modeling and study of defense outsourcing against advanced persistent threat through impulsive differential game approach
Advanced persistent threat (APT) poses serious threat to organizations with rich digital assets. APT detection programs designed for quickly finding possibly hijacked hosts are now commercially available. This greatly reduces the workload of APT defense. In practice, the identification and repair of APT-hijacked hosts are out of a system administrator’s capability and have to be outsourced to an established cybersecurity firm. Owing to the limited security budget, the APT defense can be outsourced only in a small number of maintenance periods. We refer to the sequence of outsourcing costs paid in these maintenance periods as an impulsive defense (ID) strategy. On the other hand, APT is time-continuous. We refer to the growth rate function of the attack cost over time as a continuous attack (CA) strategy. In the context that the APT actor is strategic and pursues a cost-effective CA strategy, the organization faces the problem of finding a cost-effective ID strategy (the single-impulsive defense (SID) problem). This paper addresses the SID problem through game-theoretic modeling. Based on an impulsive state evolutionary model, the SID problem is boiled down to a single-impulsive differential game model (the SID model). By applying single-impulsive differential game theory, an iterative algorithm of solving the SID problem is presented. The ID strategy obtained by running the algorithm is corroborated to be cost-effective under the Nash equilibrium solution concept. Therefore, we recommend the ID strategy. This work takes the first step toward the theoretic study of APT defense outsourcing in the presence of strategic attacker.
期刊介绍:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.