DIFT Games: Dynamic Information Flow Tracking Games for Advanced Persistent Threats

Title: DIFT Games: Dynamic Information Flow Tracking Games for Advanced Persistent Threats
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Sahabandu, D., Xiao, B., Clark, A., Lee, S., Lee, W., Poovendran, R.
Conference Name: 2018 IEEE Conference on Decision and Control (CDC)
Keywords: adversarial information flows, Analytical models, Computational modeling, Cyber Attacks, defense strategies, DIFT games, dynamic information flow tracking games, firewalls, game theory, Games, information flow passes, memory overhead, Monitoring, multistage game, nonadversarial information tracking, optimal adversary, pubcrawl, RAIN framework, real-world attack dataset, refinable attack investigation framework, resilience, Resiliency, Scalability, security, security of data, signature based defense, signature-based antivirus systems, Stochastic processes, suspicious information, tagging
Abstract: Dynamic Information Flow Tracking (DIFT) has been proposed to detect stealthy and persistent cyber attacks that evade existing defenses such as firewalls and signature-based antivirus systems. A DIFT defense taints and tracks suspicious information flows across the network in order to identify possible attacks, at the cost of additional memory overhead for tracking non-adversarial information flows. In this paper, we present the first analytical model that describes the interaction between DIFT and adversarial information flows, including the probability that the adversary evades detection and the performance overhead of the defense. Our analytical model consists of a multi-stage game, in which each stage represents a system process through which the information flow passes. We characterize the optimal strategies for both the defense and the adversary, and derive efficient algorithms for computing the strategies. Our results are evaluated on a real-world attack dataset obtained using the Refinable Attack Investigation (RAIN) framework, enabling us to draw conclusions on the optimal adversary and defense strategies, as well as the effect of valid information flows on the interaction between adversary and defense.
Citation Key: sahabandu_dift_2018