Mathematical Problems in Engineering

Volume 2015, Article ID 356146, 7 pages

http://dx.doi.org/10.1155/2015/356146

## A Novel Dynamic Method in Distributed Network Attack-Defense Game

^{1}College of Computer Science and Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

^{2}College of Software Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China

Received 5 January 2015; Revised 4 March 2015; Accepted 4 March 2015

Academic Editor: Hui Zhang

Copyright © 2015 Liu Xiaojian and Yuan Yuyu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

We analyze distributed network attack-defense game scenarios and find that attackers and defenders have different information acquisition abilities owing to the ownership of the target system. Correspondingly, they have different initiative and reaction in the game. Based on that, we propose a novel dynamic game method for the distributed network attack-defense game. The method takes advantage of defenders’ information superiority and attackers’ imitation behaviors and induces attackers’ reaction evolutionary process in the game to gain more defense payoffs. Experiments show that our method can achieve relatively more average defense payoffs than previous work.

#### 1. Introduction

Modern organizations embed information and communication technologies (ICT) into their core processes as a means to facilitate the collection, storage, processing, and exchange of data to increase operational efficiency, improve decision quality, and reduce costs [1]. As a result, distributed systems are becoming widely used. Despite their significant benefits, distributed systems also put processing tasks at risk because of “distributed vulnerability.” Traditional approaches to improving security generally consider only system vulnerabilities and attempt to defend against all attacks through system upgrades. Defensive resources have to be committed whether or not the assumed attacks ever arrive. In a distributed system, this continual upgrading results in a huge waste of defensive resources. For this reason, game theory has been applied to network security.

In traditional game theory, equilibrium is achieved through players’ analysis and reasoning based on a common view of the game rules, the players’ rationality, and the payoff matrix. Generally, the game players are interacting individuals. Even in a group-player, the members are assumed to be consubstantial, with the same rational characteristics, strategies, and payoffs. However, this strong rationality assumption of traditional game theory is receiving more and more criticism from game theory experts and economists [2].

In reality, there exist a large number of game problems between an individual-player and a group-player. For example, in distributed network attack-defense game scenarios, system officers, as defenders of the system, are consubstantial and can be regarded as an individual-player (we use the singular form to indicate an individual-player and the plural form to indicate a group-player). The defender has more information about the system, game structure, and payoff matrix. Even if the defender temporarily lacks knowledge, it has more resources to fill in the blank. So it is easier for the defender to make rational decisions. On the other hand, attackers are regarded as a group-player because of their different information acquisition abilities and rational characteristics. In the game process, attackers perform in an incompletely rational way and tend to imitate high-payoff strategy behaviors. The process of imitation can be regarded as an evolutionary process. As the theory of learning states, equilibrium is the result of a long-term process in which players with incomplete rationality seek optimization [3]. In distributed network attack-defense game scenarios, game players, especially attackers as a group-player, dynamically adjust their strategies based on the game situation and press on towards dynamic equilibrium.

In this paper, we propose a dynamic method in distributed network attack-defense game scenarios. The method takes advantage of defenders’ information superiority and attackers’ imitation behaviors and induces attackers’ evolutionary process to gain more defense payoffs.

The contribution of this paper is as follows. First, we describe the distributed network attack-defense game as a one-many game, regarding the defender as an individual-player and attackers as a group-player, which is more realistic. Moreover, we formulate the group-player’s behaviors as an evolutionary process. Based on the above, we propose a dynamic game method to achieve optimization of defense benefit.

The remainder of this paper is structured as follows. In Section 2, we discuss related work. In Section 3, we describe the problem and distributed network attack-defense game scenarios. In Section 4, we discuss group-players’ behaviors in the game and model the behaviors as an imitation evolutionary process. In Section 5, we propose the dynamic game method with a strategy sequence generation algorithm and a parameter analysis method. In Section 6, experiments are performed to verify the proposed method. Finally, in Section 7, we present our conclusions and make recommendations for future work.

#### 2. Related Work

Game theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers [4]. In 1928, von Neumann proved the basic principle of game theory, which formally marked the birth of game theory. Because of its strength in understanding and modeling conflict, game theory has recently been used in the field of computer network security. Reference [5] proposes a model to reason about friendly and hostile nodes in secure distributed computation using a game-theoretic framework. Reference [6] presents an incentive-based method to model the interactions between a DDoS attacker and the network administrator and a game-theoretic approach to infer intent, objectives, and strategies (AIOS). References [7, 8] also focus on DDoS attack and defense mechanisms using game theory. Reference [9] models the interactions between an attacker and the administrator as a two-player stochastic game and computes the Nash equilibrium using a nonlinear program. However, these studies all assume that both players in the game are consubstantial, or even individuals. Obviously this assumption cannot cover all realistic situations. This paper extends the assumption to a one-many game to be more realistic.

In the field of dynamic games, [10, 11] focus on the same scenarios as this paper. Reference [10] models the interaction of an attacker and the network administrator as a repeated game and finds the Nash equilibrium via simulation. Reference [11] models the interaction between the hacker and the defender as a two-player, zero-sum game and explains how the min-max theorem for this game is formulated, concluding that linear algorithms would be appropriate for solving this problem. Reference [12] models the mission deployment problem as a repeated game and computes the Nash equilibrium using an improved PSO. None of them considers the attackers’ group behaviors. This paper takes advantage of precisely those group behaviors, and in this way the defender can gain more payoffs. Further related work on applying game theory to network security can be found in [13].

#### 3. Distributed Network Attack-Defense Game

Given the flexibility that software-based operation provides, it is unreasonable to expect that attackers will demonstrate a fixed behavior over time [14]. Instead, on the one hand, attackers dynamically change their strategy in response to the dynamics of the configuration of the target system or defense strategy. On the other hand, relative to the defenders, attackers vary in degree of information acquisition abilities and rational characteristics.

We simplify attackers into two categories: senior attacker and junior attacker. Senior attacker has greater ability to acquire game information than junior attacker. As a result, senior attacker can react as soon as game situation changes and junior attacker generally follows senior attacker’s behavior because of his weaker information acquisition ability.

Unlike attackers, defenders, as system officers, are consubstantial and have more information about the system, game structure, and payoff matrix. Even if they temporarily lack knowledge, they have more resources to fill in the blank. So it is easier for the defenders to gain the whole view of the game situation.

Similar to Stackelberg model [15], there are senior and junior players in the distributed network attack-defense game. Moreover, distributed network attack-defense game is one-many game, as is stated above. Attackers are group-players, containing a minority of senior players and a majority of junior players. Defender is individual and senior player.

In distributed network attack-defense game, there are three game stages classified based on players’ behaviors.

*Stage 1*. Attackers, as group-players, select different pure strategies randomly and form the proportion distribution of the various kinds of pure strategies. Generally, the first game stage does not last long and is terminated by the defender’s behavior.

*Stage 2*. Defender, as individual-player, behaves based on the proportion distribution of attack strategies. In our opinion, defender can gain more payoffs through misleading and guiding attacker group distribution structure, as in Section 5.

*Stage 3*. Senior attackers react to the game situation, and junior attackers follow senior attacker’s behaviors to gain more payoffs. Junior attackers’ behavioral pattern can be modeled as imitation dynamics model, as in Section 4.

Then, the game situation repeats between the second stage and the third stage indefinitely, except in some special situations which we discuss in Section 5.1.

#### 4. Imitation Dynamics Model

As discussed above, attacker group presents imitation dynamics pattern in distributed network attack-defense game. Different from general imitation dynamics model, minority of senior attackers can lead the imitation actions. In this section, we model attacker imitation dynamics in distributed network attack-defense game considering the effect of senior attackers.

*Stage 1*. As attackers select pure strategies randomly, proportion distribution of various kinds of pure strategies obeys uniform distribution. Let attacker’s pure strategy space be and let the number of the attackers be . The Proportion Vector (PV) of attacker group choosing strategy at time is denoted by . In this stage, is equal to . is the number of attack strategies. In the attacker group, the proportion of senior attackers is denoted by . So there are senior attackers choosing . Similarly, defender’s pure strategy space is denoted by and the game situation when attacker chooses and defender chooses is denoted by , corresponding to attacker’s payoff and defender’s payoff .

*Stage 2*. Defender behaves based on the proportion distribution of attack strategies. There are two cases to be considered: first defense behavior and follow-up defense behavior. Before the first time defender behaves, senior attackers randomly choose attack strategies and the distribution of senior attackers obeys uniform distribution like junior attackers. After the first time defender behaves, senior attackers always concentrate on the best response strategy no matter how defense strategy changes because of their quick reaction capability and the distribution of senior attackers obeys concentrated distribution.

*Stage 3*. Senior attackers react to the game situation immediately. Let senior attackers react in vector at time be . In the first defense behavior case, uniform distribution of the senior attackers concentrates on the best response attack strategy, suppose :

In the follow-up defense behavior case, suppose that best response attack strategy changes from to . Then concentrated distribution of senior attackers accordingly changes from to :

Let be the PV after senior attackers’ reaction at time :

For junior attackers, they imitate senior attacker’s behaviors to gain more payoffs in the imitation probability The distribution of junior attackers concentrates on the best response strategy gradually. Let imitation vector be Similar to the first defense behavior case, uniform distribution of the junior attackers concentrates on the best response attack strategy, suppose :

In the follow-up defense behavior case, suppose that best response attack strategy changes from to . Then concentrated distribution of junior attackers accordingly changes from to :

Correspondingly, the Proportion Vector (PV) of attacker group is updated as

Imitation probability is affected by additional game information obtained by junior attackers beyond their own information acquisition ability. In this paper, we assume that the additional game information is obtained from two aspects. One is revealing game information initiatively by defender. The more game information is revealed, the higher value of can be. So can reach maximum value of 1 if plenty of game information was revealed by defender. The other aspect is internal communication among attacker group which is the natural attribute of group and cannot be controlled by external behaviors. So has a constant minimum value, suppose *.* As a result, the following is obtained:

As mentioned above, the defender has a partial ability to control junior attackers’ imitation rate by revealing game information purposefully. The game information revealing strategy will be discussed in Section 5.2.1.

#### 5. Dynamic Game Method

We now present a dynamic game method for achieving the optimization of defense benefit. The proposed method is a two-step procedure which involves defense strategy sequence generation algorithm (SSGA) (Section 5.1) and parameter analysis method (Section 5.2) used to set parameters in dynamic game method.

Consider a simple game payoff matrix as in Table 1.