Security and Communication Networks

Volume 2018, Article ID 2975376, 14 pages

https://doi.org/10.1155/2018/2975376

## Defending against the Advanced Persistent Threat: An Optimal Control Approach

Correspondence should be addressed to Xiaofan Yang; xfyang1964@gmail.com

Received 30 September 2017; Accepted 28 January 2018; Published 27 February 2018

Academic Editor: Angel M. Del Rey

Copyright © 2018 Pengdeng Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The new cyberattack pattern of advanced persistent threat (APT) has posed a serious threat to modern society. This paper addresses the APT defense problem, that is, the problem of how to effectively defend against an APT campaign. Based on a novel APT attack-defense model, the effectiveness of an APT defense strategy is quantified. Thereby, the APT defense problem is modeled as an optimal control problem, in which an optimal control stands for a most effective APT defense strategy. The existence of an optimal control is proved, and an optimality system is derived. Consequently, an optimal control can be obtained by solving the optimality system. Some examples of the optimal control are given. Finally, the influence of some factors on the effectiveness of an optimal control is examined through computer experiments. These findings help organizations to work out policies for defending against APTs.

#### 1. Introduction

Nowadays, the daily operation of most organizations, ranging from large enterprises and financial institutions to government sectors and military branches, depends largely on computers and networks. However, this dependency renders these organizations vulnerable to a wide range of cyberattacks. Traditional cyberattacks include computer viruses, worms, and spyware. Conventional cyber defense measures, such as firewalls and intrusion detection, have proved effective in withstanding these cyberattacks [1, 2].

The cybersecurity landscape has changed drastically over the past few years. A new type of cyberattack, the advanced persistent threat (APT), has posed an unprecedentedly serious threat to modern society. According to reports, many high-profile organizations have experienced APTs [3], and the number of APTs has been increasing rapidly [4]. Compared with traditional cyberattacks, APTs exhibit two distinctive characteristics: (a) the attacker behind an APT is a well-resourced and well-organized group whose goal is to steal as much sensitive data as possible from a specific organization; (b) after meticulous reconnaissance, the attacker launches a preliminary advanced social engineering attack on a few target users to gain footholds in the organization and then gains access to critical information stealthily and slowly [5–7]. Because of these characteristics, APTs can evade traditional detection and cause tremendous damage to organizations. To date, the detection of APTs is far from mature [8, 9]. Consequently, the APT defense problem, that is, the problem of how to effectively defend against APTs, has become a major concern in the field of cybersecurity.

As a branch of applied mathematics, optimal control theory aims to solve a class of optimization problems in which, subject to a set of dynamic constraints, we seek a function (the control) such that an objective functional is optimized [10, 11]. In real-world applications, the set of dynamic constraints represents a dynamic environment, a control represents a time-varying strategy, and the objective functional represents an index to be maximized or minimized. Optimal control theory has been successfully applied to some aspects of cybersecurity [12–19]. To our knowledge, the APT defense problem has yet to be addressed in the framework of optimal control theory. To model the problem as an optimal control problem, we have to formulate an APT defense strategy as a control, characterize the state evolution of an organization as a set of dynamic constraints, and quantify the effectiveness of an APT defense strategy as an objective functional. The key to the modeling process is to accurately characterize the state evolution of an organization by employing the epidemic modeling technique [20].

Individual-level epidemic models are epidemic models in which the state evolution of each individual in a population is characterized by one or a few separate differential equations. Compared with the coarse-grained state-level epidemic models [21–26] and the intermediate degree-level epidemic models [27–33], the finest-grained individual-level epidemic models can characterize spreading processes more accurately, because they fully accommodate the network topology. The individual-level epidemic modeling technique has been successfully applied to areas such as epidemic spreading [34–37], malware spreading [38–43], and rumor spreading [44]. In particular, a number of APT attack-defense models have recently been proposed by employing this technique [45–48].

This paper focuses on the APT defense problem. Based on a novel individual-level APT attack-defense model, the effectiveness of an APT defense strategy is quantified. On this basis, the APT defense problem is modeled as an optimal control problem, in which an optimal control represents a most effective APT defense strategy. The existence of an optimal control for the optimal control problem is proved, and an optimality system for the optimal control problem is derived. Therefore, an optimal control can be obtained by solving the optimality system. Some examples of the optimal control are presented. Finally, the influence of some factors on the effectiveness of an optimal control is examined through computer simulations. To our knowledge, this is the first time the APT defense problem has been dealt with in this way. These findings help organizations to work out policies for defending against APTs.

The remainder of this paper is organized as follows. Section 2 models the APT defense problem as an optimal control problem. Section 3 studies the optimal control problem. Some most effective APT defense strategies are given in Section 4. Section 5 discusses the influence of different factors on the optimal effectiveness. Section 6 closes this work.

#### 2. The Modeling of the APT Defense Problem

The goal of this paper is to solve the following problem.

*The APT Defense Problem*. Defend an organization against APTs in an effective way.

To achieve the goal, we have to model the problem. The modeling process consists of the following four steps.

*Step 1.* Introduce preliminary terminologies and notations.

*Step 2.* Establish an APT attack-defense model.

*Step 3.* Quantify the effectiveness of an APT defense strategy.

*Step 4.* Model the APT defense problem as an optimal control problem.

Now, let us proceed by following this four-step procedure.

##### 2.1. Preliminary Terminologies and Notations

Consider an organization with a set of computer systems labeled . Let denote the access network of the organization, where (a) each node stands for a system, that is, , and (b) if and only if system has access to system . Let denote the adjacency matrix for the network, that is, or 0 according to or not.

Suppose an APT campaign against the organization starts at time and terminates at time . Suppose that at any time every node in the organization is either *secure*, that is, under the defender's control, or *compromised*, that is, under the attacker's control. Let and 1 denote the event that node is secure and compromised at time , respectively. The vector stands for the *state* of the organization at time . Let and denote the probability of the event that node is secure and compromised at time , respectively. That is, As , the vector stands for the *expected state* of the organization at time .

From the attacker's perspective, each secure node in the organization is subject to the external attack. Let denote the cost per unit time for attacking a secure node . The vector stands for an *attack strategy*. Additionally, each secure node is vulnerable to all the neighboring compromised nodes.

From the defender's perspective, each secure node in the organization is protected from being compromised. Let denote the cost per unit time for protecting the secure node at time . The vector-valued function stands for a *prevention strategy*. Additionally, each compromised node in the organization is recovered. Let denote the cost per unit time for recovering the compromised node at time . The vector-valued function stands for a *recovery strategy*. We refer to the vector-valued function as an *APT defense strategy*.

##### 2.2. An APT Attack-Defense Model

For fundamental knowledge on differential dynamical systems, see [49]. For our purpose, let us impose the following set of hypotheses.

(H_{1}) Due to the external attack and prevention, a secure node gets compromised at time at the average rate . This hypothesis is reasonable because the average rate is proportional to the attack cost per unit time and inversely proportional to the prevention cost per unit time.

(H_{2}) Due to the internal infection and prevention, a secure node gets compromised at time at the average rate , where is a constant, which we refer to as the *infection force*. This hypothesis is reasonable because the average rate is proportional to the probability of each neighboring node being compromised and inversely proportional to the prevention cost per unit time.

(H_{3}) Due to the recovery, a compromised node becomes secure at time at the average rate . This hypothesis is reasonable because the average rate is proportional to the recovery cost per unit time.
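As an added illustration (not code from the paper), the following Python simulates the individual-level expected-state dynamics that (H1)-(H3) describe on a small constructed access network. Since the section states the hypotheses only in words, the concrete rate forms, the adjacency convention, and all cost and infection-force values below are assumptions made here; the comparison of a weak and a strong constant defense strategy shows how the expected state responds.

```python
from typing import List, Sequence

# Assumed rate forms for hypotheses (H1)-(H3): C_i(t) is the probability that node i
# is compromised, a_i the attack cost, x_i(t) the prevention cost, y_i(t) the
# recovery cost, beta the infection force, A[j][i] = 1 iff system j has access to i:
#   (H1) external compromise rate of secure node i:  a_i / x_i(t)
#   (H2) internal infection rate of secure node i:   beta * sum_j A[j][i] C_j(t) / x_i(t)
#   (H3) recovery rate of compromised node i:        y_i(t)

def expected_state_derivative(C: Sequence[float], A: Sequence[Sequence[int]],
                              a: Sequence[float], x: Sequence[float],
                              y: Sequence[float], beta: float) -> List[float]:
    """dC_i/dt: secure mass (1 - C_i) flows to compromised at the external plus
    internal rate; compromised mass C_i flows back to secure at rate y_i."""
    n = len(C)
    dC = []
    for i in range(n):
        external = a[i] / x[i]
        internal = beta * sum(A[j][i] * C[j] for j in range(n)) / x[i]
        dC.append((1.0 - C[i]) * (external + internal) - y[i] * C[i])
    return dC

def simulate(C0, A, a, x_of_t, y_of_t, beta, T, dt) -> List[List[float]]:
    """Forward-Euler integration on [0, T] with time-varying defense costs
    x_of_t(t), y_of_t(t); returns the expected-state trajectory, each
    probability clipped to [0, 1] to absorb discretisation error."""
    C = list(C0)
    traj = [list(C)]
    for k in range(int(round(T / dt))):
        dC = expected_state_derivative(C, A, a, x_of_t(k * dt), y_of_t(k * dt), beta)
        C = [min(1.0, max(0.0, Ci + dt * dCi)) for Ci, dCi in zip(C, dC)]
        traj.append(list(C))
    return traj

# Constructed 4-node access network and attack strategy (sample values, not the paper's).
ACCESS = [[0, 1, 1, 0], [0, 0, 1, 0], [0, 0, 0, 1], [1, 0, 0, 0]]
ATTACK_COST = [0.4, 0.1, 0.1, 0.2]   # a_i: attacker spend per unit time on node i
INFECTION_FORCE = 0.5                # beta
ALL_SECURE = [0.0, 0.0, 0.0, 0.0]    # every node secure at t = 0

def mean_compromise_at_end(prevention: float, recovery: float,
                           T: float = 10.0, dt: float = 0.01) -> float:
    """Average compromise probability at t = T under a constant defense strategy
    spending `prevention` per secure node and `recovery` per compromised node."""
    n = len(ALL_SECURE)
    traj = simulate(ALL_SECURE, ACCESS, ATTACK_COST, lambda t: [prevention] * n,
                    lambda t: [recovery] * n, INFECTION_FORCE, T, dt)
    return sum(traj[-1]) / n
```

Calling `mean_compromise_at_end(0.5, 0.2)` and `mean_compromise_at_end(2.0, 1.0)` gives the expected fraction of compromised systems at the end of the campaign under a weak and a strong constant defense; time-varying strategies are passed as the `x_of_t` and `y_of_t` functions of `simulate`.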

According to these hypotheses, the state transitions of a node are shown in Figure 1. Hence, the time evolution of the expected state of the organization obeys the following dynamical system: