3.3 Proposed false alarm minimization scheme
3.3.4 Sensible Vulnerability Set
3. False Alarm Reduction in Signature based IDS: Game Theory Approach
AA= [ p:p∈[0, P]X,
X
X
i=0
pi ≤P ]
DD = [ q:q∈[0, Q]X,
X
X
i=0
qi ≤Q ]
• Payoff Utility: UAfor attacker,UD for defender.
• Game rule: The attacker and the defender player adopts strategies that maximize their respective payoff utilitiesUAandUD.
In the said non-cooperative intrusion detection game between the attacker and the de- fender player, Nash equilibrium (NE) corresponds to the steady state of the game in which no player has any profitable incentive to deviate from its current strategy while the other player keeps its strategy fixed. The strategy profileS =hp*, q*iis said to be the NE of the game if neither the attacker nor the defender player can improve their payoff utilities by unilaterally deviating from the NE strategyS. In the subsequent sub-section, we develop the NE strategy for the proposed non-cooperative game between the attacker and the defender player. We then employ the NE strategy to develop the Sensible Vulnerability Set (SVS) of the network and minimize the overall false alarm rate of the signature based IDS.
3.3. Proposed false alarm minimization scheme
Wcr(i) > (1−C|Ss|(1−Ca)−2aQ
a)(P
j∈Ss 1
Wcr(j))), ∀i∈Ss
Wcr(i) = (1−C|Ss|(1−Ca)−2aQ
a)(P
j∈Ss 1
Wcr(j))), ∀i∈Sq
Wcr(i) < (1−C|Ss|(1−Ca)−2aQ
a)(P
j∈Ss 1
Wcr(j))), ∀i∈N-Ss-Sq
(3.3)
whereQis the defender’s monitoring probability distribution overN vulnerability sets of the network’s Threat profile,|Ss|is the cardinality of the setSsandN -Ss-Sq are the set of vulnerabilities inN but neither inSsnor inSq.
Lemma 1 : Given a network with N vulnerability sets, both Ss and Sq can uniquely be determined. Ss consists of NA vulnerability sets (NA⊆N) with the largest criticality weights such that if :
1. Wcr(N) > N(1−Ca)−2aQ
(1−Ca)(PN i=1 1
Wcr(i)), thenNA=N,Sq =∅ 2. Wcr(N) ≤ N(1−Ca)−2aQ
(1−Ca)(PN i=1
1
Wcr(i)), thenNAis determined by the following equations:
Wcr(NA) > NA(1−Ca)−2aQ
(1−Ca)(PNA
k=1 1 Wcr(k))
Wcr(NA+1) ≤ NA(1−Ca)−2aQ
(1−Ca)(PNA
k=1 1 Wcr(k))
(3.4)
andSq consists of vulnerabilities from the vulnerability setSisuch that:
Wcr(Si) = NA(1−Ca)−2aQ (1−Ca)(PNA
k=1 1 Wcr(k))
The proof ofLemma 1has been adopted from [93] and provided below.
Proof: The proof consists of showing that Ss comprises ofn vulnerability sets with the largest criticality weights and then proving that n =NA by showing that neithern< NA norn>NAis possible.
Case 1 of Lemma 1 can be proven straightforwardly. Here, we prove the 2nd case of theLemma 1. TheNAvulnerability sets with largest criticality weights satisfying Equation
3. False Alarm Reduction in Signature based IDS: Game Theory Approach
(3.4) consists of a sensible vulnerability setSs and Equation (3.3) holds in such a case. We need to show that the setSscan be determined uniquely.
We first show that if the vulnerability seti∈Ss, then∀j<i(Wcr(j)≥Wcr(i)); it holds that j∈Ss. If not,∃jo<i(Wcr(jo)≥Wcr(i)), such thatjo∈N-Ss. It then implies thatWcr(jo)
≤ (|Ss|.(1-Ca)-2aQ)/((1-Ca)P
k∈Ss(1/Wcr(k))). But from Equation 3.3, we have Wcr(i)
> (|Ss|.(1-Ca)-2aQ)/((1-Ca)P
k∈Ss(1/Wcr(k))). It implies that Wcr(i) > Wcr(jo), which contradicts with the assumption thatWcr(jo)≥Wcr(i). HenceSsconsists ofnvulnerability sets with the largest criticality weights. We then show that n =NA and it is not possible thatn<NAorn>NA. Ifn<NA, then from Equation (3.4), we have :
Wcr(NA) > NA(1−Ca)−2aQ (1−Ca)(PNA
k=1 1 Wcr(k))
=⇒ Wcr(NA)
NA
X
k=1
1 Wcr(k)
!
> NA(1−Ca)−2aQ (1−Ca)
=⇒ Wcr(NA)
NA
X
k=1
1 Wcr(k)
!
−(NA−n) > n− 2aQ 1−Ca
Noticing thatWcr(NA)≤Wcr(i),∀i≤NAand sincen<NA(i.e.Wcr(n+ 1)≥Wcr(NA)), we have:
Wcr(n+ 1)
n
X
j=1
1 Wcr(j)
!
≥ Wcr(NA)
n
X
j=1
1 Wcr(j)
!
≥ Wcr(NA)
NA
X
j=1
1 Wcr(j)
!
− Wcr(NA)
NA
X
j=n+1
1 Wcr(j)
!
≥ Wcr(NA)
NA
X
j=1
1 Wcr(j)
!
− (NA−n)
> n − 2aQ (1−Ca).
=⇒ Wcr(n+ 1) > n(1−Ca)−2aQ (1−Ca)
n
P
j=1 1 Wcr(j)
But from Equation (3.4), we haveWcr(n+ 1)≤(n*(1-Ca) -2aQ)/((1 -Ca)Pn
j=1(1/Wcr(j))).
This contradiction shows that it is not possible thatn<NA. Similarly, we can show that it is not possible thatn>NA. Hence,n=NAis uniquely determined, and so isSs. It logically follows thatSqcan also be uniquely determined. This concludes the proof ofLemma 1.
3.3. Proposed false alarm minimization scheme
We now state the following Theorems:
• Theorem 1: The attacker has no incentive to attack any vulnerabilities in the setN - Ss-Sq.
• Theorem 2: The defender only needs to monitor the vulnerabilities in the setSs+Sq to improve its overall payoffUD.
Proof Theorem 1: Letp∈AAbe the attacker’s strategy such that∃ i∈N -Ss -Sq with pi > 0. Letq ∈DD be the defender’s strategy and let p*be another strategy of attacker such that p∗i = 0,∀ i∈N - Ss -Sq. The proof of theorem lies in showing thatUA(p,q)<
UA(p*,q) .
IfWcr(N) ≥ NA(1−Ca)−2aQ
(1−Ca)(PNA
k=1 1
Wcr(k)), then N -Ss - Sq =∅ and the theorem holds evidently.
We now need to prove that the theorem holds for the case when:
Wcr(N)< NA(1−Ca)−2aQ
(1−Ca)(PNA
k=1 1
Wcr(k)), i.e. whenN -Ss-Sq 6=∅.
Consider the defender’s strategyq*=hq1∗,q∗2, ...,qN∗ i, where
qi∗ =
1 2a
1−Ca− NA(1−Ca)−2aQ
1−Ca)Wcr(i)(PNA
k=1 1 Wcr(k)
, ifi∈Ss
0, ifi∈N-Ss
It holds that qi∗ ≥ 0 and PNA
i=1(q∗i) = Q. Let q = h q1, q2, ..., qN i be the monitoring probability distribution of the defender overN vulnerability sets. By Pigeon Hole Principle, it holds thatPNA
i=1(qi) ≤Q. Thus ∃ m ∈ Ss such that qm ≤qm∗. Now consider any attack strategyp=hp1,p2, ...,pN i ∈AAsatisfyingP
(pi) > 0 withi∈N-Ss-Sqi.e., the attacker attacks at least one target outside the sensible setSs with non-zero probability. Letp* =h p∗1,p∗2, ...,p∗N ibe another attacker strategy profile based onpsuch that
p∗i =
pi, i∈Ssandi6=m pm+ P
j∈N−Ss−Sq
pj , i= m
pi, i∈Sq
0, i∈N-Ss-Sq
Now, noticing thatWcr(i)< (NA(1−Ca)−2aQ)
((1−Ca)PNA
j=1 1
Wcr(j)),∀i∈N-Ss-Sq. and comparing attacker’s
3. False Alarm Reduction in Signature based IDS: Game Theory Approach
payoff with strategypand strategyp* we get:
UA(p)−UA(p∗) = X
i∈N
piWcr(i)(1−2aqi−Ca) − X
i∈N
p∗iWcr(i)(1−2aqi−Ca)
=X
i∈N
piWcr(i)(1−2aqi−Ca) − h X
i∈Ss+Ss,i6=m
piWcr(i)(1−2aqi−Ca)
+ (pm + X
i∈N−Ss−Sq
pi)Wcr(i)(1−2aqm−Ca)i
= X
i∈N
piWcr(i)(1−2aqi−Ca) − h X
i∈Ss+Ss,i6=m
piWcr(i)(1−2aqi−Ca) +
pm + X
i∈N−Ss−Sq
pi
Wcr(i)(1−2aqm−Ca) i
= X
i∈N−Ss−Sq
piWcr(i)(1−2aqi−Ca) − X
i∈N−Ss−Sq
piWcr(m)(1−2aqm−Ca)
≤ X
i∈N−Ss−Sq
piWcr(i)(1−2aqi−Ca) − X
i∈N−Ss−Sq
piWcr(m)(1−2aqm∗ −Ca)
= X
i∈N−Ss−Sq
piWcr(i)(1−2aqi−Ca) − X
i∈N−Ss−Sq
pi NA(1−Ca)−2aQ (1−Ca)PNA
k=1 1
Wcr(k)
≤ X
i∈N−Ss−Sq
piWcr(i) − X
i∈N−Ss−Sq
pi NA(1−Ca)−2aQ (1−Ca)PNA
k=1 1 Wcr(k)
= X
i∈N−Ss−Sq
pi
Wcr(i) − NA(1−Ca)−2aQ (1−Ca)PNA
k=1 1 Wcr(k)
< 0.
Hence the attack strategyp* provides the attacker more payoff than the strategyp. There- fore, the rational attacker has no incentive to choosepoverp*.
Theorem 1shows that focusing only on targets in the setsSs andSq is enough to maxi- mize the attacker’s payoff. Other targets in the setN -Ss -Sq are not attractive enough to draw attacker’s attention due to their low security asset values. The proof of Theorem 2 logically follows from proof ofTheorem 1.
Let p* and q* be the attack and monitor probability distribution of the attacker and defender over the vulnerability set (Ss +Sq), respectively. The Nash Equilibrium (NE) of the non-cooperative game between the attacker and defender corresponds to the strategy profile(p*, q*), such that if the attacker change its attack strategy to pfromp*, while the