Mitigation of Targeted and Non-Targeted Covert Attacks as a Timing Game

Transcription

1 Mitigation of Targeted and Non-Targeted Covert Attacks as a Timing Game Aron Laszka 1, Benjamin Johnson 2, and Jens Grosskags 3 1 Department of Networked Systems and Services, Budapest University of Technoogy and Economics, Hungary 2 Department of Mathematics, University of Caifornia, Berkeey, USA 3 Coege of Information Sciences and Technoogy, Pennsyvania State University, USA Abstract. We consider a strategic game in which a defender wants to maintain contro over a resource that is subject to both targeted and nontargeted covert attacks. Because the attacks are covert, the defender must choose to secure the resource in rea time without knowing who contros it. Each move by the defender to secure the resource has a one-time cost and these defending moves are not covert, so that a targeted attacker may time her attacks based on the defender s moves. The time between when a targeted attack starts and when it succeeds is given by an exponentiay distributed random variabe with a known rate. Non-targeted attackers are modeed together as a singe attacker whose attacks arrive foowing a Poisson process. We find that in this regime, the optima moving strategy for the defender is a periodic strategy, so that the time intervas between consecutive moves are constant. Keywords: Game Theory, Computer Security, Games of Timing, Covert Compromise, Targeted Attacks, Non-Targeted Attacks 1 Introduction A growing trend in computer security is the prevaence of continuous covert attacks on networked resources. In contrast to one-time attacks with immediate benefit, such as initiating a wire transfer from a compromised bank account, a covert attack seeks to maintain contro of a resource whie keeping the compromise a secret. This type of attack is ubiquitous in the formation of botnets, as individua computer owners rarey know that their computer is a botnet member. Routers that are used to conduct man-in-the-midde attacks are aso typicay coverty compromised; and when web servers are used to compromise cient s computers, the initia infection is typicay covert. In ight of the prevaence of covert attacks, it behooves the user to consider what mitigation strategies can be taken to minimize the osses resuting from such attacks. Mitigation strategies incude resetting passwords, changing private keys, re-instaing servers, or re-instantiating virtua servers. Such strategies have notabe characteristics in that they are often effective at securing the resource,

2 2 Aron Laszka, Benjamin Johnson, and Jens Grosskags but they revea itte about past attacks or compromises. For exampe, if a server is re-instaed, knowedge of when the server was compromised may be ost. Simiary, resetting a password does not revea any information about the integrity of the previous password. A second dimension of the attack space is the extent to which an attack is targeted or customized for a particuar user [4,2]. DoS attacks and incidents of cyber-espionage are exampes of targeted attacks. Typica exampes of nontargeted attacks incude spam and phishing. The dichotomy between targeted and non-targeted attacks is expained by Cormac Herey as a consequence of economic considerations of the attacker [4]. In that framework, an outsized number of users are both susceptibe to and subject to scaabe attacks which compromise their computer systems, but most are never targeted simpy because they cannot be distinguished from ow vaue targets. See Tabe 1 for a comparison between targeted and non-targeted attacks. Tabe 1: Comparison of Targeted and Non-Targeted Attacks Targeted Non-Targeted Number of attackers ow high Number of targets ow high Effort required for each attack high ow Success probabiity of each attack high ow Whether or not an attack is targeted is aso important for the defender, because targeted and non-targeted attacks do different types of damage. For exampe, targeted attackers might read a of an organization s secret e-mais, causing economic damages of one type, whie a non-targeted attacker might use the same compromised machine to send out spam, causing reputation oss, or machine backisting, or another separate type of damage. This dichotomy suggests that damages resuting from targeted and non-targeted attacks shoud be modeed additivey. The presence of both targeted and non-targeted covert attacks presents an interesting diemma for a common user to choose a mitigation strategy against covert attacks. Strategies which are optima against non-targeted covert attacks may not be the best choice against targeted attacks. At the same time, mitigation strategies against targeted attacks may not be economicay cost-effective against ony non-targeted attackers. This paper fis the research gap induced by the aforementioned dichotomy, by considering the strategy spaces of users who may be subject to both targeted and non-targeted attacks. In our game, a defender must vie for a contested resource that is subject to the risk of compromise from both targeted and non-

3 Mitigation of Targeted and Non-Targeted Covert Attacks 3 targeted covert attacks. We expore the strategy space to find good mitigation strategies against this combination. 2 Reated Work 2.1 Games of timing Cybersecurity economics has been concerned with how to reduce the impact of the actions of financiay or poiticay motivated adversaries who threaten computing resources and their users. Previous research in this domain has primariy focused on the choice between different canonica actions to prevent, deter or otherwise mitigate harm e.g., [3,5,6]. However, being successfu in dynamic environments shifts the focus from seecting the most suitabe option from a poo of aternatives to a decision probem of when to act to get an advantage over an opponent. For exampe, in tactica security scenarios it is important to jump to action at the right time to avoid a oss of money or even human ife see, for exampe, timing of interventions in internationa conficts. To understand these scenarios, so-caed games of timing have been studied with the toos of non-cooperative game theory since the cod war era see, for exampe, [11,14]. For a detaied survey and summary of the theoretica contributions in this area, we refer the interested reader to [10]. 2.2 FipIt: Modeing Targeted Attacks In response to recent high-profie steathy attacks, researchers at RSA proposed the FipIt mode [13] to study such scenarios. In the origina mode, there are two payers, a defender and an attacker, and a resource that they are both interested in maintaining contro of. For each unit of time that a payer is controing the resource, she gains a fixed amount of benefit. Conversey, when a payer is not in contro, she gains no benefit from the resource. At any time instance, either payer may fip the resource to gain contro of it for some cost. Fipping whie in contro does not give the opponent contro of the resource, therefore the payers have to be carefu not to make too many unnecessary fips to keep their costs ow. This game can mode, for exampe, the case of a password-protected account. Benefit is derived from using the account, and fipping the resource is anaogous to the defender resetting the password or the attacker compromising it. In the origina FipIt paper, dominant strategies and equiibria are studied for some simpe cases [13]. Other researchers have worked on extensions [9,7]. For exampe, Laszka et a. extended the FipIt game to the case of mutipe resources. In addition, the usefuness of the FipIt game has been investigated for various appication scenarios [1,13]. In comparison to previous work, the FipIt game is of interest because it combines a number of important decision-making factors [8]. First, it covers aspects of uncertainty about the game status by assuming that moves by the

4 4 Aron Laszka, Benjamin Johnson, and Jens Grosskags payers are steathy. Second, the game is payed in continuous time and asynchronous fashion. Hence, ex-post the game appears to be divided in mutipe periods of uneven ength. Simiary, the number of actions that can be taken by the payers is quasi-unimited if agents have an unrestricted budget. Third, action have a cost. That is, payers do not ony vaue the time in which they have possession of the board, but they aso have to baance these benefits with the cost of gaining possession of the board. The origina FipIt game has aso been studied in an experiment with human subjects [8]. In that paper, the experimenters matched human participants with computerized opponents in severa fast-paced rounds of the FipIt game. The resuts indicate that participant performance improves over time; but that it is dependent on age, gender, and a number of individua difference variabes. The researchers aso show that human participants generay perform better when they have more information about the strategy of the computerized payer; i.e., they are abe to make use of such game-reevant information. This experimenta work was extended to aso incude different visua presentation modaities for the avaiabe feedback during the experiment [12]. 3 Mode Definition We mode the covert compromise scenario as a non-zero-sum game. The payer who is the rightfu owner of the resource is caed the defender, whie the other payers are caed the attackers. The game starts at time t = 0 with the defender in contro of the resource, and it is payed indefinitey as t. We assume that time is continuous. We et D, A, and N denote the defender, the targeted attacker, and the nontargeted attackers respectivey. At any time instance, payer i may make a move, which costs her C i. When the defender makes a move, the resource immediatey becomes uncompromised for every attacker. When the targeted attacker makes a move, she starts her attack, which takes some random amount of time. If the defender makes a move whie an attack is in progress, the attack fais. We assume that the time required by the attack foows an exponentia distribution. Formay, the probabiity that the attack has successfuy finished in a amount of time is 1 e a, where is the rate parameter of the targeted attacker s attack time. The attackers moves are steathy; i.e., the defender does not know when the resource got compromised or if it is compromised at a. On the other hand, the defender s moves are non-steathy. In other words, the attackers earn immediatey when the defender has made a move. The cost rate for payer i up to time t, denoted by c i t, is the number of moves per unit of time, made by payer i up to time t, mutipied by the cost per move C i for payer i. For attacker i {A, N}, the benefit rate b i t up to time t is the fraction of time up to t that the resource has been compromised by i, mutipied by B i. Note that if mutipe attackers have compromised the resource, they a receive

5 Mitigation of Targeted and Non-Targeted Covert Attacks 5 benefit unti the defender s next move. For the defender D, the benefit rate b D t up to time t is defined to be i {A,N} b it i.e., what has been ost to the attackers. The reation between the defender s and attackers benefits impies that the game woud be zero-sum if we ony considered the payers benefits. Because our payers payoffs aso consider move costs, our game is not zero-sum. Payer i s payoff is defined as im inf t b it c i t. 1 Tabe 2: List of Symbos C D C A B N move cost for the defender move cost for the targeted attacker benefit received per unit of time for the targeted attacker benefit received per unit of time for the non-targeted attackers rate of the targeted attacker s attack time rate of the non-targeted attacks arriva 3.1 Types of Strategies for the Defender and the Targeted Attacker Adaptive Strategies for Attackers Let T n = {T 0, T 1,..., T n } denote the move times of the defender up to her nth move or in the case of T 0 = 0, the start of the game. The attacker uses an adaptive strategy if she waits for W T n time unti making a move after the defender s nth move or after the start of the game, where W is a non-deterministic function. If the defender makes her n + 1st move before the chosen wait time is up, the attacker chooses a new wait time W T n + 1, which aso considers the new information that is the defender s n + 1st move time. This cass is a simpe representation of a the rationa strategies avaiabe to an attacker, since the function W depends on a the information that the attacker has, and we don t have any constraints on W. Renewa Strategies Payer i uses a renewa strategy if the time intervas between consecutive moves are identicay distributed independent random variabes, whose distribution is given by the cumuative function F Ri. Renewa strategies are we-motivated by the fact that the defender is paying bindy; thus, she has the same information avaiabe after each move. So it makes sense to use a strategy which aways chooses the time unti her next fip according to the same distribution Note that every renewa strategy is a specia case of an adaptive strategy.

6 6 Aron Laszka, Benjamin Johnson, and Jens Grosskags Periodic Strategies Payer i uses a periodic strategy if the time intervas between her consecutive moves are identica. This period is denoted by δ i. Every periodic strategy is a specia case of a renewa strategy. 3.2 Non-Targeted Attacks Suppose that there are N non-targeted attackers. In practice, N is very arge, but the expected number of successfu compromises is finite. As N goes to infinity, the probabiity that a given non-targeted attacker targets the defender approaches zero. Since the non-targeted attackers operate independenty, successfu nontargeted attacks arrive foowing a Poisson process. Furthermore, as the economic decisions of the non-targeted attackers depend on a very arge poo of possibe targets, the defender s effect on the decisions is negigibe. Thus, the non-targeted attackers strategies that is, the attack rate can be considered exogenousy given. We et denote the expected number of arrivas that occur per unit of time; and we mode a the non-targeted attackers together as a singe attacker whose benefit per unit of time is B N. 3.3 Comparison to FipIt Even though our game-theoretic mode is in many ways simiar to FipIt, it differs in three key assumptions. First, we assume that the defender s moves are not steathy. The motivation for this is that an attacker must know whether she is in contro of a resource if she receives benefits from it continuousy. For exampe, if the attacker uses the compromised password of an account to reguary spy on its e-mais, she wi earn of a password reset immediatey the next time she tries to og in. Second, we assume that the targeted attacker s moves are not instantaneous, but take some time. The motivation for this is that an attack requires some time and effort to be carried out in practice. Furthermore, the time required for a successfu attack may vary, which we mode using a random variabe for the attack time. Third, we assume that the defender faces mutipe attackers, not ony a singe one. Moreover, to the authors best knowedge, papers pubished on FipIt so far give anaytica resuts ony on a very restricted set of strategies. In contrast, we competey describe our game s equiibria and give optima defender strategies based on very mid assumptions, which effectivey do not imit the power of payers see the introduction of Section 4. 4 Anaytica Resuts In this section, we give anaytica resuts on the game. We first consider the specia case of a targeted attacker ony i.e., = 0, and then the genera case of both targeted and non-targeted attackers. We start with a discussion on the payers strategies. First, reca that the defender has to pay bindy, which means that she has the same information

7 Mitigation of Targeted and Non-Targeted Covert Attacks 7 avaiabe after each one of her moves. Consequenty, it makes sense for her to choose the time unti her next fip according to the same distribution each time. In other words, a rationa defender can use a renewa strategy. Now, if the defender uses a renewa strategy, the time of her next move depends ony on the time eapsed since her ast move T n, and the times of previous moves incuding T n are irreevant to the future of the game. Therefore, it is reasonabe to assume that the attacker s response strategy to a renewa strategy aso does not depend on T 0, T 1,..., T n. For the remainder of the paper, when the defender pays a renewa strategy, the attacker uses a fixed probabiity distribution given by the density function f W over her wait times for when to begin her attack. Note that it is cear that there aways exists a best response strategy for the attacker of this form against a renewa strategy. Since the attacker aways waits an amount of time that is chosen according to a fixed probabiity distribution after the defender s each move, the amount of time unti the resource woud be successfuy compromised after the defender s move aso foows a fixed probabiity distribution. Let S be the random variabe measuring the time after the defender has moved unti the attacker s attack woud finish. The probabiity density function f S of S can be computed as f S s = s w=0 f W w s w a=0 e a da dw. 2 We et F S denote the cumuative distribution function of S. Since e a > 0 for every a R 0, if there exists an s for which F S s > 0, then F S is stricty increasing on [s,. 4.1 Nash Equiibrium for Targeted Attacker and Renewa Defender Defender s Best Response We begin our anaysis with finding the defender s best response strategy. Lemma 1. Suppose that the attacker uses an adaptive strategy with a fixed probabiity distribution for choosing the time to wait unti starting the attack. Then, not moving is the ony best response if C D = F S F S s ds 3 has no soution for ; a periodic strategy whose period is the unique soution of Equation 3 is the ony best response otherwise. Even though we cannot express the soution of Equation 3 in cosed form, it can be easiy found using numerica methods, as the right hand side is continuous and increasing. 4 Note that the equations presented in the subsequent emmas and theorems of this paper can aso be soved using numerica methods. 4 We show that the right hand side is continuous and increasing in the proof of the emma.

8 8 Aron Laszka, Benjamin Johnson, and Jens Grosskags Proof. When paying a renewa strategy, the defender randomy seects the intervas between her consecutive moves according to the distribution generating the renewa strategy. In a best response, her strategy and, hence, every interva ength in the support of the strategy s distribution has to minimize the defender s oss per unit of time. The defender s expected oss per unit of time for an interva of ength is 1 f S s s ds + C D = B 1 A [F S s s] F S s 1 ds + C D + C D = 1 = F S s ds F S s ds + C D To find the minimizing interva engths if there exists any, we take the derivative of 7 and sove it for equaity with 0 as foows: [ 0 = d ] 1 F S s ds + C D 8 d 0 = 1 2 F S s ds + C D + 1 F S 9 F S s ds + C D =F S 10 C D =F S F S s ds. 11 Suppose that is the east number for which this equation is satisfied. Then > 0, and aso F > 0. This in turn impies that F S is stricty increasing on [, ; and thus aso the right hand side of the above equation is stricty increasing as a function of on [,. Therefore, if there is any soution to the above equation, then it is unique. Furthermore, this vaue of is a minimizing vaue for the expected oss per unit of time as the second derivative at this

9 Mitigation of Targeted and Non-Targeted Covert Attacks 9 minimizing is greater than zero: ] d [ 12 F S s ds + C D + 1 d F S = 2 3 F S s ds + C D F S + = F S + 1 f S 13 F S s ds + C D F S + 1 f S. 14 We care about the vaue of this expression when the first derivative is zero. Using this constraint, we obtain 2 3 F S s ds + C D F S + 1 f S 15 = 2 12 F S s ds + C D + 1 F S + 1 f S 16 = f S > Consequenty, the ony best response is the periodic strategy with the minimizing as the period. On the other hand, if Equation 11 is not satisfiabe for, then the ony best response for the defender is to never move. When, the defender s expected oss per unit of time approaches, which is equa to her oss for never moving. When 0, her expected oss per unit of time goes to infinity due to the ever increasing costs. Consequenty, if the expected oss per unit of time does not have a minimizing, then it is aways greater than. Attacker s Best Response We continue our anaysis with finding the attacker s best response strategy. Lemma 2. Against a defender who uses a periodic strategy with period δ D, never attacking is the ony best response if C A > e δdλa 1 + δ D ; 18 attacking immediatey after the defender moved is the ony best response if C A < e δdλa 1 + δ D ; 19

10 10 Aron Laszka, Benjamin Johnson, and Jens Grosskags both not attacking and attacking immediatey are best responses otherwise. The emma shows that the attacker shoud either attack immediatey or not attack at a, but she shoud never wait to attack. Consequenty, if the attacker uses her best response strategy, the defender can determine the optima period of her strategy soey based on the distribution of A, which is an exponentia distribution with parameter. This observation wi be of key importance for characterizing the game s equiibria. Proof. First, assume that the attacker does attack. Given that the attacker waits w < δ D time before making her move, the expected amount of time she has the resource compromised unti the defender s next move is δd w a=0 e a δ D w ada. 20 It is easy to see that the maximum of this equation is attained for w = 0. Therefore, if the attacker does attack, she attacks immediatey. The expected amount of time she has the resource compromised unti the defender s next move is δd a=0 e a δ D ada 21 = [ 1 e a δ D a ] δ D a=0 δd a=0 = 1 e δ D δd δ D 1 e 0 δ D 0 + }{{}}{{} 0 δd = 1 e λaa da = δ D a=0 0 ] [ e a δd 1 e a 1da 22 a=0 δd a=0 1 e a da 23 = e δ D 1 + δ D. 24 Therefore, if the attacker does attack, her asymptotic benefit rate is and her payoff is δ e D 1 λ + δ D A, 25 δ D δ e D 1 λ + δ D A C A. 26 δ D δ D Thus, when the above vaue is ess than or equa to zero, never attacking is a best-response strategy; when the above vaue is greater than or equa to zero, aways attacking immediatey is a best-response strategy. When the above vaue is equa to zero, the attacker can decide whether to attack immediatey or to not attack at a after each move of the defender.

11 Mitigation of Targeted and Non-Targeted Covert Attacks 11 Equiibrium Based on the above emmas, we can describe a the equiibria of the game if there are any as foows. Theorem 1. Suppose that the defender uses a renewa strategy and the attacker uses an adaptive strategy. Then the game s equiibria can be described as foows. 1. If C D = e λa + 1 e does not have a soution for, then there is a unique equiibrium in which the defender does not move and in which the attacker attacks exacty once at the beginning of the game. 2. If C D = e λa + 1 e does have a soution δ D for, then a if C A + δ D, then there is a unique equiibrium in which the defender pays a periodic strategy with period δ D, and the attacker attacks immediatey after the defender s each move; b if C A > e δ D 1 + δ D, then there is no equiibrium. e δ D 1 In the first case, the attacker is at an overwheming advantage, as the reative cost of defending the resource is prohibitivey high. Consequenty, the defender simpy gives up the game since any effort to gain contro of the resource is not profitabe for her, and the attacker wi have contro of the resource a the time. In the second case, no payer is at an overwheming advantage. Both the defender and the attacker are activey trying to gain contro of the resource, and both succeed from time to time. In the third case, the defender is at an overwheming advantage. However, this does not ead to an equiibrium. If the defender moves with a sufficienty high rate, she makes moving unprofitabe for the attacker. But if the attacker decides not to move, the defender is aso better off not moving, as this decreases her cost. However, once the defender stops moving, it is again profitabe for the attacker to move, which in turn triggers the defender to start moving. Proof. First, we have from Lemma 1 that in any equiibrium, the defender either never moves or uses a periodic strategy. If the defender never moves, then the best strategy for the attacker is to attack immediatey after the game starts. Now, if the defender moves using a periodic strategy, we have from Lemma 2 that the attacker either never attacks or attacks immediatey. This eaves us with two strategies for defender and two strategies for attacker from which a equiibria must be composed. Second, we show that there is no equiibrium in which the attacker never attacks. To see this, suppose that the attacker never attacks. Then the defender s best response is to never move, because this preserves contro of the resource whie minimizing the defender s cost. But if the defender never moves, then it is advantageous for the attacker to compromise the resource immediatey after the start of the game. So this situation is not an equiibrium. Next, we anayze the situation where a defender never moves. In this circumstance, the attacker attacks once and contros the resource for the duration of

12 12 Aron Laszka, Benjamin Johnson, and Jens Grosskags the game. From Lemma 1, we see that this is indeed a unique equiibrium if C D = F S F S s ds 27 = 1 e 1 e s ds 28 = e e 1 29 = e + 1 e 30 does not have a soution in R 0 for. Finay, we consider the scenario where the defender pays a periodic strategy with period δ D. In this case, Lemma 2 gives conditions for the best response of the attacker. Either the attacker never moves or the attacker attacks immediatey. Since we know that there is no equiibrium in which an attacker never moves, we concern ourseves in the theorem ony with the circumstances under which the attacker has a reason to attack immediatey. From Lemma 2, the condition for this is C A e δ D 1 + δ D. 4.2 Equiibrium for Both Targeted and Non-Targeted Attackers Defender s Best Response Again, we begin our anaysis by finding the defender s best response strategy. Lemma 3. Suppose that the non-targeted attacks arrive according to a Poisson process with rate, and the targeted attacker uses an adaptive strategy with a fixed wait time distribution given by the cumuative function F S. Then, not moving is the ony best response if C D = F S F S s ds + B N e + 1 e 31 has no soution for ; a periodic strategy whose period is the soution to Equation 31 is the ony best response otherwise. Proof. The outine of the proof is simiar to that of Lemma 1.

13 Mitigation of Targeted and Non-Targeted Covert Attacks 13 The defender s expected oss per unit of time for an interva of ength is 1 = 1 = 1 f S s s ds + B N [F S s s] a=0 F S s ds F S s ds + B N e 1 a e a da + C D + B N e C D C D To find the minimizing interva engths if there exists any, we take the derivative of 34 and sove it for equaity with 0 as foows: [ 0 = d 1 e ] 1 F S s ds + B N + + C D d 0 = 1 2 F S s ds F S e e B N + C D C D = F S F S s ds + B N e + 1 e From the proof of Lemma 1, we have that the first term of the right hand side is monotonicay increasing. Furthermore, the second term is stricty increasing, as its derivate is e > 0. Thus, the right hand side is stricty increasing, which impies that if there is an for which the equaity hods, it has to be unique. Furthermore, this is a minimizing vaue as the second derivative is greater than zero: [ d 12 F S s ds F S d ] e e B N + C D = F S s ds 2F S + 2 f S + B N e λ 2 N e C D

14 14 Aron Laszka, Benjamin Johnson, and Jens Grosskags We care about the vaue of this expression when the first derivative is zero. Using this constraint, we obtain F S s ds 2F S + 2 f S e λ 2 N + B e + 2 N + 2C D 40 = 2 F S s ds F S f S + B N e + 1 = 2 + B N e e C D BA f S + B N e > Consequenty, the ony best response is the periodic strategy with the minimizing as the period. On the other hand, if Equation 11 is not satisfiabe for, then the ony best response for the defender is to never move. When, the defender s expected oss per unit of time approaches + B N, which is equa to her oss for never moving. When 0, her expected oss per unit of time goes to infinity due to the ever increasing costs. Therefore, if there is no minimizing, then the expected oss per unit of time is aways greater than + B N. Equiibrium Since the targeted attacker s payoff and, consequenty, best response are not directy affected by the presence of non-targeted attackers, we can use Lemma 2 and the above emma to describe the equiibria of the game. Theorem 2. Suppose that the defender uses a renewa strategy, the targeted attacker uses an adaptive strategy, and the non-targeted attacks arrive according to a Poisson process with rate. Then the game s equiibria can be described as foows. 1. If C D = e + 1 e +B N e + 1 e does not have a soution for, then there is a unique equiibrium in which the defender does not move and in which the attacker attacks exacty once at the beginning of the game. 2. If C D = e + 1 e + B N e + 1 e does have a soution δ D for, then: a If C A e δ D 1 + δ D, then there is a unique equiibrium in which the defender pays a periodic strategy with period δ D, and the targeted attacker moves immediatey after the defender s each move. b If C A > e δ D 1 + δ D, then

15 Mitigation of Targeted and Non-Targeted Covert Attacks 15 if C D = B N e + 1 e C A e δ D 1 has a soution δ D for, and + δ D, then there is a unique equiibrium in which the defender pays a periodic strategy with period δ D and the targeted attacker never moves; otherwise, there is no equiibrium. By comparing the equation determining the defender s strategy in the theorem above to the equation in Theorem 1, we see that the parameter vaues and C D for which there is a soution is arger in the theorem above. Thus, the defender is more ikey to move instead of giving it up when there is a threat of non-targeted attacks. Proof. Cases 1. and 2. a foow from Lemma 2 and Lemma 3 using the argument as the proof of Theorem 1. In Case 2. b, there coud be no equiibrium when the defender faced ony a targeted attacker Theorem 1, since the defender had no incentives to move if the targeted attacker did not move. However, when there are non-targeted attacker present as we, the defender moving periodicay and the targeted attacker never moving can be an equiibrium. The necessary and sufficient conditions for this are that moving periodicay is a best response for the defender against non-targeted attackers ony the existence of δ D and that never attacking is a best-response for the targeted attacker against this period δ D. 5 Numerica Iustrations In this section, we present numerica resuts on our game. First, in Figure 1, we study the effects of varying the vaue of the resource, that is, the unit benefit received by the targeted attacker. Figure 1a shows both payers payoffs for various vaues of the defender s periods for the same setup are shown by Figure 1b. The figure shows that the defender s payoff is stricty decreasing, which is not surprising: the more vauabe the resource is, the higher the cost of security is for the defender. The attacker s payoff, on the other hand, starts growing ineary, but then suffers a sharp drop, and finay converges to a finite positive vaue. For ower vaues < 1, the defender does not protect the resource, as it is not vauabe enough to defend. Accordingy, Figure 1b shows no period for this region. In this case, the attacker s payoff is equa to simpy the vaue of the resource. However, once the vaue of the resource reaches 1, the defender starts protecting it. At this point, the attacker s payoff drops as she no onger has the resource compromised a the time. For higher vaues, the defender baances between osses due to compromise and moving costs, which means that the time the resource is compromised decreases steadiy as its vaue increases. In Figure 2, we study the effects of varying the defender s move cost C D. Figure 2a shows both payers payoffs for various vaues of C D the defender s periods for the same setup are shown by Figure 2b. The figure shows that the

16 16 Aron Laszka, Benjamin Johnson, and Jens Grosskags a The defender s and the targeted attacker s payoffs soid and dashed ines, respectivey as a function of b The defender s optima period as a function of. Fig. 1: The effects of varying the unit benefit received by the targeted attacker C D a The defender s and the targeted attacker s payoffs soid and dashed ines, respectivey as a function of C D C D b The defender s optima period as a function of C D. Fig. 2: The effects of varying the defender s move cost C D. defender s payoff is decreasing, whie the attacker s payoff is increasing, which is again not surprising: the more costy it is to defend the resource, the greater the attacker s advantage is. For ower costs, no payer is at an overwheming advantage, as both payers try to contro the resource and succeed from time to time. As the cost increases, the defender s payoff steadiy decreases, whie the attacker s payoff steadiy increases. For higher costs, the attacker is at an overwheming advantage. In this case, the defender never moves, whie the attacker moves once. Hence, their payoffs are 1 and 1, respectivey.

17 6 Concusions Mitigation of Targeted and Non-Targeted Covert Attacks 17 Targeted and non-targeted attacks are born of different motivations and have different types of consequences. In this paper, we modeed a regime in which a defender must vie for a contested resource against both targeted and nontargeted covert attacks. As a principa resut, we found that the most effective strategy against both types of attacks and aso against their combination is the periodic strategy. This resut can be surprising considering the simpicity of this strategy, but it aso serves as a theoretica justification of the periodic password and cryptographic key renewa practices. Furthermore, this contradicts the esson earned from the FipIt mode [13], which suggests that a defender paying against an adaptive attacker shoud use an unpredictabe strategy. We aso found that a defender is more ikey to stay in pay and bear the costs of periodic risk mitigation if she is threatened by non-targeted attacks. Whie this resut seems very intuitive, it is not obvious, as we aso demonstrated that a very high eve of either threat type can force the defender to abandon a hope and stop moving. Our work can be extended in mutipe directions. First, even though the exponentia attack time distribution can be we-motivated for a number of resources, it woud be worthwhie to extend our mode to genera distributions with some mid assumptions ony. Second, our mode focuses on medium-profie targets that are susceptibe to both targeted and non-targeted attacks, but it coud be easiy extended to a broader range by having a susceptibiity probabiity for each type. Acknowedgements We gratefuy acknowedge the support of the Penn State Institute for Cyber- Science. We aso thank the reviewers for their comments on an earier draft of the paper. References 1. Kevin Bowers, Marten Dijk, Robert Griffin, Ari Jues, Aina Oprea, Ronad Rivest, and Nikos Triandopouos. Defending against the unknown enemy: Appying FipIt to system security. In Jens Grosskags and Jean Warand, editors, Decision and Game Theory for Security, voume 7638 of Lecture Notes in Computer Science, pages Springer, Eoghan Casey. Determining intent - opportunistic vs targeted attacks. Computer Fraud & Security, 20034:8 11, Jens Grosskags, Nicoas Christin, and John Chuang. Secure or insure? A gametheoretic anaysis of information security games. In Proceedings of the 17th Internationa Word Wide Web Conference WWW, pages , 2008.

18 18 Aron Laszka, Benjamin Johnson, and Jens Grosskags 4. Cormac Herey. The pight of the targeted attacker in a word of scae. In Proceedings of the 9th Workshop on the Economics of Information Security WEIS, Benjamin Johnson, Rainer Böhme, and Jens Grosskags. Security games with market insurance. In John Baras, Jonathan Katz, and Eitan Atman, editors, Decision and Game Theory for Security, voume 7037 of Lecture Notes in Computer Science, pages Springer, Aron Laszka, Mark Feegyhazi, and Levente Buttyán. A survey of interdependent security games. Technica Report CRYSYS-TR , CrySyS Lab, Budapest University of Technoogy and Economics, Nov Aron Laszka, Gabor Horvath, Mark Feegyhazi, and Levente Buttyan. FipThem: Modeing targeted attacks with FipIt for mutipe resources. Technica report, Budapest University of Technoogy and Economics, Aan Nochenson and Jens Grosskags. A behaviora investigation of the FipIt game. In Proceedings of the 12th Workshop on the Economics of Information Security WEIS, Viet Pham and Caros Cid. Are we compromised? Modeing security assessment games. In Jens Grosskags and Jean Warand, editors, Decision and Game Theory for Security, voume 7638 of Lecture Notes in Computer Science, pages Springer, Tadeusz Radzik. Resuts and probems in games of timing. Lecture Notes- Monograph Series, Statistics, Probabiity and Game Theory: Papers in Honor of David Backwe, 30: , Tadeusz Radzik and Krzysztof Orowski. A mixed game of timing: Investigation of strategies. Zastosowania Matematyki, 173: , David Reitter, Jens Grosskags, and Aan Nochenson. Risk-seeking in a continuous game of timing. In Proceedings of the 13th Internationa Conference on Cognitive Modeing ICCM, pages , Marten van Dijk, Ari Jues, Aina Oprea, and Ronad Rivest. FipIt: The game of steathy takeover. Journa of Cryptoogy, 26: , October Vitaiy Zhadan. Noisy dues with arbitrary accuracy functions. Issedovanye Operacity, 5: , 1976.