Using Deception in Markov Game to Understand Adversarial Behaviors through a Capture-The-Flag Environment

2025-05-06 0 0 1.24MB 20 页 10玖币
侵权投诉
Using Deception in Markov Game to
Understand Adversarial Behaviors through a
Capture-The-Flag Environment
Siddhant Bhambri1, Purv Chauhan1, Frederico Araujo2, Adam Doupé1, and
Subbarao Kambhampati1
1Arizona State University, Tempe, AZ, USA
{sbhambr1, prchauha, doupe, rao}@asu.edu
2IBM Research, Yorktown Heights, NY, USA
frederico.araujo@ibm.com
Abstract.
Identifying the actual adversarial threat against a system
vulnerability has been a long-standing challenge for cybersecurity re-
search. To determine an optimal strategy for the defender, game-theoretic
based decision models have been widely used to simulate the real-world
attacker-defender scenarios while taking the defender’s constraints into
consideration. In this work, we focus on understanding human attacker
behaviors in order to optimize the defender’s strategy. To achieve this goal,
we model attacker-defender engagements as Markov Games and search
for their Bayesian Stackelberg Equilibrium. We validate our modeling
approach and report our empirical findings using a Capture-The-Flag
(CTF) setup, and we conduct user studies on adversaries with varying
skill-levels. Our studies show that application-level deceptions are an op-
timal mitigation strategy against targeted attacks—outperforming classic
cyber-defensive maneuvers, such as patching or blocking network requests.
We use this result to further hypothesize over the attacker’s behaviors
when trapped in an embedded honeypot environment and present a
detailed analysis of the same.
Keywords:
Adversarial Behavior
·
Markov Games
·
Capture-The-Flag.
1 Introduction
Cybersecurity research, particularly that focused on finding optimal decision
strategies for a system defender, when faced by an adversarial threat, has almost
always involved a strong dependence on the assumptions made over the adver-
sary’s capabilities and the associated threat posed on the system vulnerabilities.
Assuming a rational adversary, who will always choose the action or strategy
that rewards highest returns, does not typically map to real-world situations [
1
].
However, this assumption has been a part of a common staple of approaches
that model attacker-defender interactions to compute an optimal strategy for
the defender, motivated by its practical performance [2].
These authors contributed equally to this work.
Accepted at GameSec 2022 - Conference on Decision and Game Theory for Security.
arXiv:2210.15011v2 [cs.GT] 9 Nov 2022
2 S. Bhambri & P. Chauhan et al.
Such adversarial interactions become more interesting and complex when
defenders use cyber-deceptive techniques to respond to and thwart attacks.
Deception strategies in cybersecurity frameworks, such as installing honeypot
configurations to misdirect attackers, have been shown to be effective tools to
disrupt attack kill chains and perform attacker reconnaissance [
3
,
4
,
5
,
6
,
7
]. Under-
standing an adversary’s behavior can aid cybersecurity defenders to optimally use
the available resources to deploy deceptions and mitigate potential threats, while
optimizing over the system constraints. Such knowledge can substantially aid a
decision-making model, reducing the magnitude of the assumptions a defender
must provide about the adversary to make the model operational.
In this paper, we build on the insight that an embedded honeypot [
8
]—a
decoy environment that is inlined with genuine service functionality—can be
configured in a way that is invisible to attackers while providing the defender with
essential knowledge about the attacker’s techniques in real operational settings.
Moreover, we show that the expected payoffs for the defender may vary when
compared to the real-world scenario where the attacker’s behaviors may not meet
the defender’s expectations or prior beliefs.
Our contributions are summarized as follows:
To ground this problem, we created a real-world Capture-The-Flag (CTF)
environment hosting three system vulnerabilities, and we conduct studies
using human subjects with varying system and attack skill levels who try
to capture the corresponding (real) flags. Each of these vulnerabilities are
protected by different real and practical mitigation strategies, one of which
is a deception-based honey-patch [
4
], which misdirects an adversary to an
embedded honeypot configuration that yields the attacker a fake, or as we
refer to it in this work, a honeypot flag.
In parallel to these studies, we model this attacker-defender system interaction
as a Markov Game and find its Bayesian Stackelberg Equilibrium. We start
with the assumption of inputs to this Markov Game being set by a system
expert.
Later, by varying these inputs, especially for cases when the attacker may be
trapped in a honeypot configuration, we leverage the statistical results received
from the conducted user studies, which further allows us to understand the
differences between the obtained equilibria and the empirical setting.
The paper is structured as follows: we begin in Section 2 by providing a
background on the CTF environment, Markov Games, and the system vulner-
abilities with the corresponding mitigations used in this work. We present our
hypotheses over the adversary behaviors and explain our user study setup along
with the Markov Game modeling in Section 3. Experimental details and results,
particularly involving a case-by-case evaluation and discussion on the observations
is presented in Section 4. We then talk about related work in Section 5, with the
conclusion discussing future directions for this work in Section 6.
Using Deception to Understand Adversarial Behaviors 3
2 Background
In this section, we first present a brief overview of the Capture-The-Flag style
setup that we employed to host our user studies. Then, we introduce the real-world
vulnerabilities that we used to design the user study test-bed and game-theoretic
model evaluations, followed by the defense mechanisms deployed as mitigation
strategies. We also describe the Markov Game formalism used for finding an
optimal strategy for the defender.
2.1 Capture-The-Flag Setup
The primary goal of conducting the user studies is to gather realistic data on
attacker behaviors using CTF environments, rather than artificially generating
the data based on commonly accepted assumption over adversaries [
9
]. One
way to achieve this is through creating prototype components to run CTF style
experiments. We further integrate them into an existing open-source framework
known as the iCTF framework [
10
,
11
]
. This infrastructure allowed experiments
to be run with a sizable number of human subjects to gather enough data for
our desired analysis.
The iCTF framework is the core framework used for conducting user studies.
It is primarily used to host attack-and-defense style CTF competitions every year
.
For the purpose of collecting data for this study, we made several modifications
to the existing implementation of the framework. Most of these modifications
include deploying defense mechanisms and data collection tools. Since our goal
is to simulate real-life scenarios, we choose three vulnerabilities (which are still
prominent in current software applications) and develop three corresponding
vulnerable applications for this purpose. The vulnerabilities are selected and
deployed in a manner that it is possible to exploit them in a reasonable amount
of time (which we verified through pilot studies), therefore faithfully representing
typical large-scale cyber-attacks. The vulnerabilities selected include command
injection and buffer overflow. The vulnerable applications are written in Cand
dockerized to isolate them from the host machine. Also, all modern security
mitigations, including Position Independent Executable (PIE), Data Execution
Prevention (DEP), and Address Space Layer Randomization (ASLR) are disabled.
2.2 Vulnerabilities and Exploits
We developed three different vulnerable applications. backup is the first application
which allows users to store and retrieve data that is stored as files on the host
system. One of the functions in this application concatenates a string with the
user input and passes that string to the C function
system()
, and the user’s
input is not sanitized, thus resulting in a command injection vulnerability.
https://github.com/shellphish/ictf-framework
https://shellphish.net/ictf/
4 S. Bhambri & P. Chauhan et al.
The second application, sampleak, allows users to store and retrieve notes
which are also stored as files, but unlike the backup application, a password is
stored in the files, so that the user is required to provide a password when creating
a note and needs to enter the correct password when retrieving them. The user
input is stored in the application’s memory using buffers, but the function
read()
unintentionally reads in more bytes than the buffer can hold, thus resulting in a
buffer overflow vulnerability.
The third vulnerable application is exploit-market, which allows users to store,
retrieve, and list payloads, which are stored in the memory of the program. The
vulnerability in this application is due to buffers being initialized with different
sizes in separate functions, so when the function
strcpy()
is called to copy the
contents of the buffer, a carefully crafted payload can result into a buffer overflow
vulnerability. Another intentional bug is also placed in the form of a memory
disclosure which leaks heap addresses of the string buffers.
2.3 Defense Strategies and Analysis Tools
The defense mitigations are selected for protecting the vulnerable applications.
The mitigations include deploying Snort, an intrusion detection system on a router
machine acting as a gateway between the attacker machine and the defender
machine. Snort uses a rule-based configuration file for setup, and this rule filter
has a list of commonly used shellcodes for exploiting various applications running
on multiple architectures. We also extended a live-patching framework [
12
] to
enable cyber-deceptive attack countermeasures.
To collect valuable attacker and defender information, we further deploy tools
on our host machines that include: tcpdump, which is a network packet analyzer to
capture network traffic for further analysis, and SysFlow [
13
,
14
], an open-source
system-call monitoring framework that encodes the representation of system
activities into a compact entity-relational format that captures the interactions of
processes with system resources, including file and network activity. This provides
a richer context for post-exploitation analysis [15].
2.4 Attack Graph
Attack graphs (AGs) have been established as useful structures to represent
exploit possibilities and derive attack behaviors for an adversary [
16
,
17
]. An
attack graph is represented as
G
(
V,E
), where
v∈ V
denotes vertices or nodes
representing the different states the adversary can be in, and
e∈ E
denotes the
edges between these nodes that represent the actions the adversary can take to
move one from one state of the exploit to another.
Figure 1 is an example of an attack graph for an attacker trying to exploit
the vulnerabilities present in the environment with the possibility of one or more
of them being honey-patched, i.e., deceiving and misdirecting the attacker into
a honeypot configuration where the system defender can extract useful insights
about attacker behavior.
摘要:

UsingDeceptioninMarkovGametoUnderstandAdversarialBehaviorsthroughaCapture-The-FlagEnvironmentSiddhantBhambri1y,PurvChauhan1y,FredericoAraujo2,AdamDoupé1,andSubbaraoKambhampati11ArizonaStateUniversity,Tempe,AZ,USA{sbhambr1,prchauha,doupe,rao}@asu.edu2IBMResearch,YorktownHeights,NY,USAfrederico.araujo...

展开>> 收起<<
Using Deception in Markov Game to Understand Adversarial Behaviors through a Capture-The-Flag Environment.pdf

共20页,预览4页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:20 页 大小:1.24MB 格式:PDF 时间:2025-05-06

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 配电装置 动力学连接体 力的合成 高考理综 全宋诗作者索引 公务员考试
/ 20
评分 收藏
分享
立即下载
客服
关注