Attacker-Centric View of a Detection Game against Advanced Persistent Threats

Advanced persistent threats (APTs) are a major threat to cyber-security, causing significant financial and privacy losses each year. In this paper, cumulative prospect theory (CPT) is applied to study the interactions between a cyber system and an APT attacker when each of them makes subjective decisions to choose their scan interval and attack interval, respectively. Both the probability distortion effect and the framing effect are applied to model the deviation of subjective decisions of end-users from the objective decisions governed by expected utility theory, under uncertain attack durations in a pure-strategy game and scan interval in a mixed-strategy game. The CPT-based APT detection game incorporates both the probability weighting distortion and the framing effect of the subjective attacker and security agent of the cyber system, rather than discrete decision weights, as in earlier prospect theoretic study of APT detection. The Nash equilibria of the APT detection game are derived, showing that a subjective attacker becomes risk-seeking if the frame of reference for evaluating the utility is large, and becomes risk-averse if the frame of reference for evaluating the utility is small. A policy hill-climbing (PHC) based detection scheme is proposed to increase the policy uncertainty to fool the attacker in the dynamic game, and a 'hotbooting' technique that exploits experiences in similar scenarios to initialize the quality values is developed to accelerate the learning speed of PHC-based detection. A practical example of a mobile network is presented to evaluate the performance of the proposed detection strategy. Simulation results show that the proposed strategy can improve detection performance with a higher data protection level and utilities of the cloud in the presence of an attacker compared with a standard Q-learning strategy.