Game Theory Based Risk and Impact Analysis 

Overview

Among the diverse attack types, the multistage attack is the most destructive and the most difficult for the administrator to respond to. Multistage attacks usually strike highly protected targets, coordinate the subgoals of single-stage attacks, and conceal the true origin of the attack. After the intrusion detection system (IDS) detects an attack, the IDS responds to minimize the loss to the system. For single-stage attacks, finding the administrator's best responsive action to a detected attack and maximizing rewards is an optimization problem. However, since attackers usually launch multistage attacks in reality, and the administrator does not know the attacker's full strategy when making decisions to minimize the loss, the problem becomes one of finding the best strategy using game theory.

If we assume that the attacker considers the possible responses of the administrator, tries to maximize its reward, and that the sum of its rewards and the administrator's losses equals zero, then the alternating actions of the attacker and the IDS can be modeled as a two-player noncooperative zero-sum multistage game. In our noncooperative zero-sum attacker-defender game, it is sufficient to find only the reward of the attacker. The reward of the attacker is also called the payoff in the game tree. No matter how many feasible interactions the attacker and the administrator consider in the future, the payoff at the end of any feasible game tree is the sum of all impacts to the attacker and the administrator within this period and the potential impact of the attack outside this period. In the attacker's payoff, the total impact to the attacker and the administrator includes the actual impacts of the attack and the costs of responses within interactions. In the administrator's payoff, it includes the actual impacts of the attack, the costs of responses, and the impact of the attack during interactions.
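Added example (not from the original page or the authors' papers): a sketch of evaluating a game tree of this kind by backward induction, with the attacker maximizing its payoff, the administrator minimizing it, and chance nodes taking the expectation. It assumes both players observe the full tree; the actions, probabilities and payoffs are constructed for illustration.

```python
# Added example: expectiminimax over a constructed attacker/administrator game tree.
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str                 # "attacker", "admin", "chance" or "leaf"
    payoff: float = 0.0       # attacker's payoff; meaningful at leaves only
    # action -> Node for decision nodes; outcome -> (probability, Node) for chance nodes
    children: dict = field(default_factory=dict)

def leaf(payoff):
    return Node("leaf", payoff)

def solve(node):
    """Return (attacker payoff under optimal play, list of (player, action) chosen)."""
    if node.kind == "leaf":
        return node.payoff, []
    if node.kind == "chance":
        if abs(sum(p for p, _ in node.children.values()) - 1.0) > 1e-9:
            raise ValueError("chance probabilities must sum to 1")
        # Expected payoff; the plan stops here because the outcome is not a choice.
        return sum(p * solve(child)[0] for p, child in node.children.values()), []
    results = {action: solve(child) for action, child in node.children.items()}
    # Zero-sum: the attacker maximizes its payoff, the administrator minimizes it.
    pick = max if node.kind == "attacker" else min
    best = pick(results, key=lambda action: results[action][0])
    value, plan = results[best]
    return value, [(node.kind, best)] + plan

# Constructed payoffs (hypothetical): impact of the attack plus response costs,
# from the attacker's point of view.
TREE = Node("attacker", children={
    "scan": Node("admin", children={
        "monitor": leaf(0.5),
        "block": leaf(3.0),        # costly response to a low-impact action
    }),
    "exploit": Node("admin", children={
        "ignore": leaf(8.0),
        "block": Node("chance", children={
            "block succeeds": (0.75, leaf(-2.0)),
            "block fails": (0.25, leaf(10.0)),
        }),
    }),
})

if __name__ == "__main__":
    value, plan = solve(TREE)
    print(f"game value for attacker: {value}; administrator's loss: {value}")
    print("optimal play:", plan)
```

In this constructed tree the administrator's best reply to "exploit" is "block" even though the block can fail, because its expected cost (1.0) is far below the cost of ignoring the attack (8.0).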
The interactions of the attacker and the administrator are illustrated by the following partial game tree. The red nodes and arcs represent the decision nodes and the actions of the attacker. The blue nodes and arcs represent the decision nodes and the responsive actions of the administrator. The green nodes and arcs represent the chance nodes and the probabilities. The payoffs are shown in the leaves of the game tree.

People

Publications

1. Y. Luo, F. Szidarovszky, Y. Al-Nashif, and S. Hariri. "A Game Theory Based Risk and Impact Analysis Method for Intrusion Defense Systems". AICCSA, pp. 975-982, May 10-13, 2009, Rabat, Morocco.
2. Y. Luo, F. Szidarovszky, Y. Al-Nashif, and S. Hariri. "Game Tree Based Partially Observable Stochastic Multi-Stage Game Model". IIE Annual Conference and Expo (IERC 2009), May 30-June 3, 2009, Miami, FL, USA.



Phone Number: (520) 621-6626
Room 306, SIE Dept., 1127 E. James E. Rogers Way, Tucson, AZ 85721-0020
ACL © Copyright 2009, Yi Luo. All Rights Reserved.