Stackelberg Game Modeling of Cloud Security Defending Strategy in the Case of Information Leaks and Corruption

Stackelberg Game Modeling of Cloud Security Defending Strategy in the Case of Information Leaks and Corruption

Journal Pre-proof

Stackelberg Game Modeling of Cloud Security Defending Strategy in the Case of Information Leaks and Corruption ´ Agnieszka Jakobik PII: DOI: Reference:

S1569-190X(20)30009-5 https://doi.org/10.1016/j.simpat.2020.102071 SIMPAT 102071

To appear in:

Simulation Modelling Practice and Theory

Received date: Revised date: Accepted date:

6 February 2019 4 January 2020 25 January 2020

´ Please cite this article as: Agnieszka Jakobik, Stackelberg Game Modeling of Cloud Security Defending Strategy in the Case of Information Leaks and Corruption, Simulation Modelling Practice and Theory (2020), doi: https://doi.org/10.1016/j.simpat.2020.102071

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2020 Published by Elsevier B.V.

Stackelberg Game Modeling of Cloud Security Defending Strategy in the Case of Information Leaks and Corruption Agnieszka Jak´ obik Department of Computer Science, Cracow University of Technology, Warszawska 24, Cracow, Poland [email protected]

Abstract. The paper presents the Stackelberg Game (SG) based model for automating security decisions in Cloud Computing systems (CC). The presented model enables to describe the attack-defense scenarios. The game incorporates two types of players competing against each other: defender and attacker. The Cloud provider is the leader. He is allowed to play his strategy first. The attackers, hackers or other malicious individuals, were aggregated into the second player. Second player’s decisions are made based on the leader actions and based on their own aims. The paper presents the black-box method for calculating the strategy of the attacker. In the paper, the utility function was obtained by applying several pipelines of Artificial Neural Networks (ANNs). Additionally, the model assumes information leakages about the attacker strategy and corruption against standard SG models. The solution has been verified by the experimental simulation of Cloud security attacks based on logs from open data set provided by Los Alamos National Security Lab. The best strategy for security controls applying is calculated based on security threats occurrence. It enables finding the relevant defense strategy by the cloud provider. Keywords: Cloud security, security threat modeling, Stackelberg games.

1

Introduction

Security threats in Cloud Computing systems are real problems for the users and Cloud providers [1]. From among them, Data Breaches frequently happened, including the breach of identity management data of over 2,000 companies worldwide (data breach inside OneLogin Cloud). Data loss and insider threats were the most recognizable in 2018, Denial of service (DoS) attacks that are simple to execute, by a botnet are also, growing in popularity. A threat recorded more frequently in 2018 was Spectre and Meltdown permit side-channel attacks that break down the isolation between applications, [2]. The international organization suggested a lot of security guidance for Cloud providers [3], or a list of security controls [4]. However, due to a large number of users and components in CC systems, there is a strong need to find automated solutions, [5]. The main aim

2

A. Jak´ obik

of the proposed solution is to support the automatization of security decisions in Cloud systems. From Security threats in CC systems, one may distinguish long-lasting attacks - like persistent threats, exploiting system very slowly or repeated attacks like Denial of Service or brute force logging by password spraying, [6]. They are successful if the attacker managed to repeat them many times. Finally, attacks like SQL injection may be very harmful during only one single successful try. This is why the flexible solutions taking into account different kind of attacks are necessary. Successfully applied security countermeasures have to be based on the analysis that may be derived from the data itself, omitting additionally computationally expensive computation. The competition between attackers and defenders are modeled as a rational game, see. [7]. Interests of both conflict sides are represented by their utility functions. The aim of both players is to maximize their own payoffs. Therefore, in order to achieve an effective model, we must effectively compute the Cloud provider opponent payoff function, [8]. Based on this function we may define a non-cooperative game. The solution of the game, from the Cloud provider perspective, is the strategy that is maximizing the game model assuming Cloud attacker objectives. The paper is the continuation of the research presented [9]. The research presented in the paper concentrates mainly on the question if the Cloud defender utility function may be modelled by using the black-box methods. The additional rationale behind the work is to examine if the game assumption breaking, that is information leaks and the corruption of the game axioms may result in the more exact threat prediction. This paper presents methods for obtaining Cloud attacker utility functions based on Artificial Intelligence methods, especially, Artificial Neural Networks (ANN), [10]. In the proposed model, security threats are assumed as attackers possible actions. The attacker is a hostile entity: a hacker or automatic security threat. To find the attacker utility function parallel lines of Artificial Neural Networks are used. The first layer of the line enables to detect of the Cloud is under the attack. The second layer is detecting the element of the Cloud that was attacked The set of all attacks probabilities are formulating the attacker strategy. Based on estimated attacker strategy, the Cloud defender may propose his own to protect the CC. Self Organizing Maps (SOM) ANN [11], and Multilayered Perceptrons, [12] were used. The remainder of the paper is structured as follows. After introducing the most significant concepts in Cloud security threat modeling in section 2, section 3 presents the SG model and game theory axioms that are the basis of the introduced model. Section 4 presets ANN evaluation for three chosen CC security threats: Denial of Service, Brute force logging by password spraying and SQL injection. Section 5 describes game realization for three chosen security controls and Cloud provider payoff function based on The Common Vulnerability Scor-

Title Suppressed Due to Excessive Length

3

ing System ranking. Conclusion and discussion for future research are given in Section 6.

2

Related work on Cloud security threats modeling

Different kinds of methods for modeling security threats in Cloud computing systems were considered. The following methods have been proposed, among others: attack graphs, attack surfaces, kill chains, attack trees, Petri nets, and Markov processes. In paper [13] ordered vulnerability set in the form of the graph is considered. In [14], an attacker-centric threat modeling method that allows finding how assets can be compromised by introducing the attack graph in the form of the edge-weighted a directed graph is described. Cloud security threats have been modeling taking into account the Cloud system structure, in [15] attack surfaces were used. The attack itself was modeled as Input the I/O automata model [16]. A cyber kill chain [17] is another tool for modeling the stages of cyber attacks. The kill chain is also used as network defense. The model assumes that every threat must follow several stages. For stopping the attack in progress we have to select the defensible actions in the form of a chain of actions, that is: – – – – – –

detect: determine whether an attacker is around, deny: prevent information disclosure and unauthorized access, disrupt: stop or change outbound traffic (to an attacker), degrade: counter-attack command and control, deceive: interfere with command and control, contain: network segmentation changes.

Using this methodology, in paper [17], authors proposed protecting the Internet of Things (IoT) systems against Advanced Persistent Threats (APTs). In [18], similar structures were used. Attack trees for modeling Cross-Site Request Forgery (CSRF) threat against Web application users were used. In the attack tree attackers goal is the root node. The possible actions to achieve the goal are represented as leaf nodes. The purpose of this modeling is to clarify conditions on with the adversaries may reach their targets and to help to find week point of the system. The modified version of the three, that is attack-fault trees (AFTs) was applied in [19]. The main modification was the decomposition of the security attack into smaller sub-goals. The leaves of proposed trees are: the basic component failures, the basic attack steps or on-demand instant failures. The tree structure is an acyclic graph. The logical gates are used for modeling dependencies between leaves. In paper [20], the model of risk propagation among connected parts of the modeled system is described. The model is based on analyzing the internal dependencies in the form of modified Petri nets. The Propagation Nets are built to map trigger places representing the possible attack place into by using s firing

4

A. Jak´ obik

sequences of transitions. Authors introduced the transitions that represented internal dependencies, and transitions represented changes values caused by the system environment. The result of the modeling is all possible paths of risk propagation. in paper[21], the usage of Stochastic Petri Net to defense against security threats and deceptive defense tactics is described. Considering Game theoretic models, in [22], authors proposed using non-zero sum Nash game for the protected wireless sensor network system. The threat prevented was only one chosen type of threat. On the contrary, a zero-sum was used in [23], for protecting a network of computers against node-capturing and false signal transmission. In [24], the case of protecting a set of software modules by using a multi-stage two-player competitive game with infinite horizon was considered. In paper [25] a two-player Bayesian game to defense elastic optical networks against cross-domain physical-layer attacks is defined. In [26], authors modelled the defenses of Satellite Base Station networks by incorporating stochastic game models. Several types of attacks were considered, for example, attack via HTTP, sniffing, viruses, cracking root password and capturing data. Smart Grid was protected against the coalition attack by using Iterated Public Goods Game (IPGG) in [27]. Multiple adversaries were considered in [28]. Considering complex systems, games were successfully applied for wireless networks protection against stealthy decoy attacks, [29]. The bi-level game-theoretic model for Computer Network protection. Authors used a zero-sum game in a moral-hazard type of principal-agent game. They considered three players: Computer Network Users, Attackers, and Insurers. All those methods require a deeper knowledge of the system architecture. Both attack chains and attack threes have to be remodeled if the architecture of the system is modified. On the contrary to the above-protected systems, CC architecture is very dynamic. In Cloud systems instances may be switching on demand, virtual networks and virtual disks are created and destroyed according to the users’ needs. Therefore in the presented paper only methods that are retrieving information from data is concerned. No additional information about the CC architecture is included. This is the main reason that we used black box type modeling. All necessary information is retrieved from the security records. So far, Stackelberg games were successfully applied for less challenging problems, such as setting the security levels of virtual machines [5], and physical system security like airport protecting or save guard location [30]. We used such a methodology for Cloud systems [9], but the earlier solution requires modeling adversary utility function. A novelty of the proposed approach is to omit this stage of computation and extract the adversary strategy from the data by using ANN modeling. An additional novelty is the corruption of the rationality axiom of the game, that was not considered in game-based solutions mentioned above. Moreover, this research incorporates the possibility of information leaks, that was not possible in the model presented in the literature.

Title Suppressed Due to Excessive Length

3 3.1

5

Stackelberg with information leaks for modeling cloud attack scenario Stackelberg game model

2-player non-zero Stackelberg game Γn with information leaks is used for modeling security attack on the CC system and calculation of the most proper defense method. The Stackelberg game model assumes the following system of axioms [8]: 1. Rationality axiom: the players behave rationally, it means that every player optimizes the value of his payoff function. 2. Knowledge axiom: the players know the set of players, the strategy sets and the payoff functions. 3. Payoff axiom: the players calculate their payoffs as the value of their payoffs function on the resulting strategy. 4. Hierarchy axiom: the players choose their strategies in a defined order. The forts player (leader) chooses his strategy and communicates it to the second player (the follower). The game, that was adopted in the following paper was based on: 1. information leak axiom: the decision process has two pseudo-stages:(i) the information leak about the player chosen strategies may occur, (ii) the players choose their strategies, some of them knowing the strategies chosen by other players. 2. corruption of knowledge axiom: the payoff function for the game leader is not known for the game follower. He may only obtain the leader’s strategy. For such game models, knowledge vectors are introduced: 1. γ leader = (γ0leader , γ1leader , ...) and γ f ollower = (γ0f ollower , γ1f ollower , ...); 2. γ0leader =1 and γ0f ollower =1 mean that both leader and follower have the full information about the strategy sets and payoff functions. γ0leader =0 and γ0f ollower =0 mean that both leader and follower does not have the information about the strategy sets and payoff functions; item γ1leader =0 and γ1f ollower =0 means that each player does not know the opponent’s strategy (no information leaks), γ1leader =1 and γ1f ollower =1 mean that their know the opponent strategy (information leaks); 3. γ2leader =0 and γ2f ollower =0 mean that each player know that the opponent does not know his strategy, γ2leader =1 and γ2f ollower =1 mean that for each player, correspondingly, he knows that the opponent knows player’s strategy. In the presented model, the two-level knowledge vector game was used. That means that for all knowledge vector with indices greater than two, they are equal to zero. To model the game between Cloud provider and the Cloud attacker, the following knowledge vector of the game was defined:

6

A. Jak´ obik

1. γ0leader =1 and γ0f ollower =0, only the leader knows the payoff function of the opponent, 2. γ1leader =0 and γ1f ollower =1, information leaks about the follower strategy; 3. γ2leader =0 and γ2f ollower =1 mean that follower knows that the leader knows his strategy; A general n-players game Γn can be describe in normal-form by the pair: Γn = ((N, {Si }i∈N )

(1)

where: – N = {1, . . . , n} is the set of players, – {S1 , . . . , Sn } where (|Si | ≥ 2; i = 1, . . . , n ) is the set of strategies for them and |Si | denotes the number of elements in Si – {H1 , . . . , Hn } with Hi : S1 × S2 × . . . × Sn → R ∀i=1,...,n is the set of payoff functions for each player, giving a value to each combination of selected strategies. The strategy of a player in the game can be defined as a set of actions that the player considers beneficial for him. Pure strategies and mixed strategies are used in game theory [7]. A pure strategy completely allows a player to play one specific action in any possible situation. A mixed strategy assigns a probability to each pure strategy. This allows a player to randomly select a single strategy from a set of available strategies. A Pure strategy si of the player i is the deterministic plan of the player’s actions during the game. The set of all pure strategies specified for player i is denoted by Si . The mixed strategy of the player i is denoted by σi ∈ Si ⊂ ∆Si and may be defined as follows: σi = {σi (si1 ), σi (si2 ), . . . , σi (sim )},

(2)

where σi (si ) is the probability that the player i plays according to the pure strategy si , and ∆Si , known as the simplex of Si is the set of all probability distributions over Si . 3.2

Stackelberg game between the Cloud defender and Cloud attacker

In the presented model, Cloud provider is the game leader and attacker is the follower. Each player is deciding about his strategy. In order to properly refer to the strategies of the opponents i we can define s−i ∈ S−i as a particular possible profile of strategies for all players who are not i. Then, we can rewrite the payoff of player i from strategy (si , s−i ) as Hi (si , s−i ). Using the mixed strategy model, we allow the random decisions of each player. Randomization is provided according to the probability distribution σi (si ).

Title Suppressed Due to Excessive Length

7

The aim of choosing strategy is to gain maximum expected payoff H. For the player i playing the mixed strategy σi ∈ ∆Si and when his opponents plays the mixed strategy σ−i ∈ ∆S−i is defined in the following way: P P P Hi (σi , σ−i ) = si ∈Si σi (si )Hi (si , σ−i ) = si ∈Si ( s−i ∈S−i (3) σi (si )σ−i (s−i )Hi (si , s−i )) In the proposed model, we consider utility functions for both players to be defined independently. Protected asset a in the cloud was considered as the aim of the attack. An asset may be for example a virtual machine (VM), a service, a database or an application. Let us denote by Assets the set of assets by: a ∈ Assets

(4)

T hreatsa = {threata1 , .., threatam }

(5)

controlsa = {ca1 , ..., can }

(6)

Then, set of all possible threats against the asset a is denoted by:

Only delectable threats were considered. A control is any action, which helps to protect the asset from the threat. A set of all the possible countermeasures for the asset a is denoted by:

a

(threatai , caj )

Let P be the probability of an attack on asset a by using a threat number i ∈ {1, 2, . . . , m} a system protected by the control j ∈ {1, 2, . . . , n}. Therefore the jth pure strategy sj,a for the game leader is applying the 1 j,a a countermeasure number j for asset a: cj . The mixed strategy σ1 (sj,a 1 ) = σ1 for the game leader results from the probability of applying the countermeasure caj . Additionally, the ith pure strategy si,a 2 for the game follower is choosing the i,a threat number i, so that the mixed strategy σ2 (si,a 2 ) = σ2 for the attacker is the probability of choosing the threat number i against asset a. The Leader Payoff function may be assumed in a different form, depending on the Cloud provider objectives, [6], [31]. The presented paper focuses on Follower Payoff modeling. During the game, leader and follower are deciding many times based on their opponents’ strategies. For each asset the single game is the following: 1. the leader plays first ever strategy σ1 (sj,a 1 ) randomly 2. for the fixed leader strategy, if the follower does not break the rationality axiom, the follower solves the optimization problem to find his optimal response: argmaxσ2 (s2 ) H2 (σ1 (s1 ), σ2 (s2 )) (7) with constraints meaning that every mixed strategy is possible: σ2i >=0

X

i=1,...,m

σ2i = 1

(8)

8

A. Jak´ obik

m,a 1,a 2,a n,a 2,a where s1 = [s1,a 1 , s1 , ..., s1 ], and s2 = [s2 , s2 , ..., s2 ]. For the sake of simplicity subscript a was omitted in the remaining text of the paper. Therefore P a (threatai , caj ) = σ2 (si,a 2 ). If rationality axiom was corrupted by the follower the linear constraints may not be fulfilled or he may decide to choose the strategy that is not optimal. 3. due to the information leaks the leader observes the result of the follower action and gains knowledge during the first pseudo stage. The rest of the components are known during the second pseudo stage. Without the generality loss, we may assume that, σ2i for i = 1, ..., m0 are the leaked strategy components and the rest of the components, that is σ2i for i = m0 + 1, ..., m are known during the second pseudo stage.

– first pseudo stage: the leader finds the pseudo strategy σ1pseudo (s1 ) that maximizes his utility: argmaxσ1,pseudo (s1 ) H1 (σ1,pseudo (s1 ), σ21 , ..., σ2m0 , σ2m0 +1 , ..., σ2m )

(9)

where σ2m0 +1 , ..., σ2m as the unknown values are replaced by their mean values observed during previous game stages: σ2m0 +1 := mean(sigma2m0 +1 ), ..., σ2m := mean(sigmam 2 )

(10)

with constraints that ensure that every mixed strategy is possible: i σ1,pseudo >=0

X

i σ1,pseudo =1

(11)

i=1,...,n

σ1,pseudo is then corrected by the value of δ: σ1,pseudo <= σ1,pseudo + δ

(12)

indicating the foretasted mean error between the second stage and the first stage value of strategy; – second pseudo stage, σ2m0 +1 , ..., σ2m are reviled. Additionally, because of the γ2f ollower =1 mean that follower knows that the leader knows his strategy; and he may modify the values of σ21 , ..., , σ2m0 . If so, argmaxσ1 (s1 ) H1 (σ1 (s1 ), σ21 , ..., σ2m )

(13)

is solved ones again with constraints that ensure that every mixed strategy is possible: σ1i >=0

X

σ1i = 1

i=1,...,n

4. 2-4 are repeated as long as the system is working.

(14)

Title Suppressed Due to Excessive Length

9

The difference between σ pseudo and σ is recorded in order to upgrade future σ pseudo calculation. Each consecutive σ pseudo is corrected by the mean value of the δ = mean(σ pseudo − σ) error. In the all above equations mean is calculated based on all values of the related variables are known for all time widows considered so far. The presented game is repeated many times. Time windows of the constant length are considered for collecting information about the attacker strategy, see fig.1. In this paper, steps 2 and 3 are replaced by using ANN modeling. This allows omitting defining the formula for attacker utility function (6) and solving the problem of its maximization (6)-(7). Instead, the process of calculating the σ2 (s2 ) is made form the data set in the straight forward way. The security logs of the Cloud system are used. Information of the observed attacks is absorbed by ANN, and stored in the form of ANN weights as the model memory. Moreover, if the game is corrupted the strategy of the attacker may no longer be the solution of the problem (6)-(7) and if he behaves against rationality axiom it cannot be a calculation from mathematical formulas (6)-(7). Additionally, using pseudo stages enables the Cloud provider to stay active and to make decisions before all elements of attacker strategy are revealed. Such modeling reflects the situation that some of the security threats may be detected earlier in the considered time windows. In the simulation part of the paper, such an attack is the SQL injection. It may be detected by the analysis of the single URL string. On the other hand, Password Spraying Attack is a long-lasting threat. Using pseudo stage enables to apply some controls before obtaining full knowledge from the analysis of the long time window. The corruption of the game means that the payoff function of the attacker is not known, therefore the game leader may only record the attacker strategy. This strategy may not, in particular, be fully rational, and assumptions of stage 2 of the game may be broken. The attacker strategy may not fulfill Eq. (7). 3.3

ANN system for finding attacker strategy

Each activity that was recorded in the security log is denoted as ’event’. All events were divided into sets. Each set was dedicated to detecting a single threat against all considered assets. For example, all recorded logging attempts were events for detecting Brute Force Logging Attempt. Events were indexed by the consecutive number, separately in each stream. This number indicates the consecutive moment of time when the event was recorded. Events were analyzed in sets that were recorded in defined time moments. Single time interval when events were recorded for a single analysis is called a monitoring block. Several monitoring blocks formulate time window of the game. The game is repeated every time window. Every monitoring block consists of a chosen number of consecutive events. The set of Neural Networks in the form of pipelines was designed, see Fig.1. The input from the one ANN helps to feed the consecutive ANN. Firstly, ANN1 in each line is Self Organizing Map (SOM) used in unsupervised learning

10

A. Jak´ obik

Fig. 1: The chosen time window for two observed assets and two monitored threats for single game realization, time windows of equal length for asset 1 and asset 2.

Title Suppressed Due to Excessive Length

11

mode. This network is organizing the events from the time window by clustering. Then, one layered back propagation ANN2 is used as the classifier. The output from this ANN is a flag equals 0, representing the situation when Cloud is not being under that specific attack or 1 when the Cloud was is being attacked. The flag is created based on values of neuron interconnections inside the SOM layer of the previous ANN1. Based on this flag, and additional attack specific knowledge - ANN3 is applied. This network is taught by supervised methods, and it decides if a particular asset was attacked by the considered threat or not. The output from the network is a binary vector. The length of the vector is equal to the number of assets in the Cloud system. The ’0’ value at the ith component of the output indicates that ith asset is not under this chosen attack. All above ANNs are created for each considered threat separately. Therefore, we have 3 times more of ANNs in the model, then the number of considered threats. The last, strategy calculator is collecting the results from the all previous ANNs. It summarizes information calculated for all types of considered threats and all available assets. The output of this calculator is the strategy of the attacker, see the tab. 1. Let us denote by: a

Eventsi,a,K (t) = [ei,a (t), ei,a (t + 1), ..., ei,a (t + K a )]

(15)

K a consecutive vectors of events for asset a ∈ Assets for chosen threat number i ∈ {1, 2, ..., m}, recorded from time t until t + K a that formulates the single monitoring block. The corresponding inputs and output for the cascade are presented in 1. The length of the time window was selected equally for all threats. Each time window consists of the defined number of monitoring blocks. Additional vector [xi1 , xi2 , ..., xiM i,a ] is chosen for each threat separately. Its length depends on the threat type and frequency of the events recording for the purpose of detection this threat. Table 1: Inputs and outputs for the ANNs, i ∈ {1, 2, ..., m}, A represents the number of assets, T a is the number of decisions made by ANN3 during considered monitoring block. every monitoring block ANN identifier ANN1 ANN2 ANN3 every time window for all threats

ANN type SOM(i) BP classifier(i) BP threat predictor(i)

level 1 2 3

input output a Eventsi,a,K (t) for all a WSOM (i) WSOM (i) {0/1} {0/1}, [xi1 , xi2 , ..., xiM i ] {0/A}

strategy calculator

4

0/AT

a

p1 , p2 , ..., pm

12

A. Jak´ obik

Fig. 2: Lines of ANNs for calculating attacker strategy. Each row is designed to detect different kind of security threat. Calculator gathers information for all the threats.

Title Suppressed Due to Excessive Length

4

13

Experimental Evaluation

Experimental results are based on events recorded by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA. They are open for download from [32]. Comprehensive, Multi-Source Cyber-Security Events data set [33], User-Computer Authentication Associations in Time [34] and The Unified Host and Network Dataset [35] were used. All events were simulated using the CloudSim Simulator, [36], equipped with the security supportive nondeterministic scheduler [37], [38]. Security threats were introduced in randomly chosen time moments in the form of hostile activity. For the sake of simplicity of presentation short time windows were considered. All attacks were simulated by preparing Cloudsim Cloudlets of the special type, that was consumed by the Cloud model. Instead of default – – – – –

int: id int: pesNumber long: length - workload in MIPS (maximum) long: fileSize long: outputSize

Cloudlet characteristics, for a particular security-related event, were used. A set of given three controlsa is considered and three threats are applied. They were: Denial of Service from multi-user into one computer (DoS), Brute force logging (BFL) by password spraying, and SQL injection. The aim of the procedure described below is to calculate P a (threatai , caj ) = σ2 (si,a 2 ). Then a proper control caj may be applied. 4.1

Denial of Service from multi-user into one computer

First monitored threat was a DoS attack. DoS occurs when system users are unable to access their assets, services, devices, or other resources because of the actions of a malicious cyber threat actor. A denial-of-service is accomplished by flooding the targeted host with enormous traffic until it is unable to respond or work properly. The attack was simulated by very frequently logging. Considered data set consists of authentication events in the form of: time, user, computer and represents an authentication try by a user to a computer at the given time. Users are represented as U plus an anonymized, unique number, and computers represented as C plus an anonymized, unique number. Timestamps of recording have a resolution of 1 second. For example, firsts four events from this data set are: e1,1 (1) = [1,U1,C1], e1,2 (1) = [1,U1,C2], e1, 3(2) = [2,U2,C3], e1,4 (3) = [3,U3,C4]. In this case the Cloudlet was in the form of : – – – –

int: id; int: pesNumber; long: length - workload im MIPS (maximum) long: user number;

14

A. Jak´ obik

Fig. 3: Histogram of logging attempts.

– long: computer number; DoS attack was identified as the enormous number of logging attempts into one chosen computer. For clarity of presentation monitoring block of 10 consecutive events was considered. Data set consists of 26560 records. This set was split into a training set containing 70% of all given monitoring blocks, a validation set and a testing set consisting both 15% of randomly chosen monitoring blocks, not used during ANN training. 5 computers were attacked by DOS: C20, C216, C287, C524. During observing logs for a long time, see Fig.2, it is visible that for those computers there were many more logging attempts. The histogram shows also fifth high value, that was observed as normal system behavior due to frequent usage of certain computers. The main aim of ANN1 and ANN2 is to find abnormal logging pattern. Splitting events into monitoring blocks resulted in 2656 separately considered sets. Self-organizing map having 2 input neurons and 10x10 hidden neurons ANNof was clustering above events in unsupervised mode. The SOM architecture was depicted on the Fig.3. and the input and output were formulated as: AN N 1input (k) = (e1,1 (k)(1), e1,1 (k)(2)) AN N 1output (k) =

10 [W11 (k), W12 (k), ..., W10 (k)]

(16) (17)

. Without hostile activity, there is a wide variety of ANN1 SOM weights, see Fig.3 and 4. Under the DOS attack, the SOM weights diversity was very low, see Fig.6. To define a pattern recognition problem for ANN2 network, we considered the map generated by ANN1. The output from ANN1 is the input vector of ANN2, see Fig.2. The kth input vector into the ANN2 network was assumed in the form of ANN1 SOM output for kth monitoring block:

Title Suppressed Due to Excessive Length

15

Fig. 4: A first element of the line, ANN1 in the form of SOM for clustering DOS threat events.

A. Jak´ obik

SOM Weight Positions

20

18

16

Weight 2

14

12

10

8

6

4

2

0

2

4

6

8

Weight 1

Fig. 5: SOM clustering results for the chosen time window of 10 events. SOM weight positions are depicted, which shows the locations of the data points and the weight vectors values. A wide variety of ANN1 SOM weights is visible, during Cloud logging process without DOS attack. SOM Weight Positions

20 19 18 17

Weight 2

16

16 15 14 13 12 11 10

8

10

12

14

16

18

Weight 1

Fig. 6: SOM clustering results for another time window of 10 events. Wide variety of ANN1 SOM weights is observed.

Title Suppressed Due to Excessive Length

SOM Weight Positions 80

100

120

140

160

180

200

220

240

260

280

Weight 1

Fig. 7: SOM clustering results for chosen time window of 10 events during DOS attack. Second elements of weights of SOM are very close in values. SOM Weight Positions

180 160

Weight 2

140 120 100 80 60 40 20

0

50

100

150

200

250

Weight 1

Fig. 8: SOM clustering results for another time window of 10 events during DOS attack. Narrow variety of ANN1 SOM weights is observed.

17

18

A. Jak´ obik

10 AN N 2input (k) = [W11 (k), W12 (k), ..., W10 (k)]

(18)

AN N 2output (k) = {0/1}

(19)

The ANN2 network was a back propagation neural network that was taught with the teacher, using a typical supervised learning approach. At this stage, Cloud provider must tell the ANN if the cloud is indeed under the attack against his system security. Then, we defined targets so that they indicate two classes to which the input vectors are assigned. One class was denoted as the ’attacked’ and the second one ’no attack detected’. The ANN2 output was set to one according to the values of second components of ANN1 SOM weights for the particular time window. The variance value inside each set of weight coming from second ANN1 input was calculated. If that number was higher then mean-variance value for all time windows classified as ’attack detected’, the time window was classified as ’attacked’. It is clearly depicted on fig 5 and 6: for first given time window there is only one value representing the second component of SOM weights, for a second time window, there are 4 values (very close values were unified), Contrary, for the unaffected by DOS time windows, there are several different second components of SOM weights, see Fig.3 and 4. The ANN2 uses the Scaled Conjugate Gradient (SCG) back-propagation learning method, which is appropriate for classification, [39]. Neural Networks were tested for 15% of randomly chosen patters unused during learning. The neural network size was: 100-25-1, see Fig.9.

Fig. 9: ANN2 for a conclusive decision about DOS threat event occurrence.

The results of ANN2 learning and testing are depicted in the form of confusion matrix, see the tab. 2, that was depicted on Fig.10 and Fig. 11. Without hostile activity, One can identify three planes for three inputs. They are visualizations of the weights that connect each input to each of the neurons. Lighter and darker colors represent larger and smaller weights, respectively. The time window for Cloud without hostile activity. For component 1 and 2, light areas, that is the low component values are located in the wide area in comparison to the system that is under attack. Considering component 3, there is almost only one value. In system is under the attack: for component 1 and 2, light areas,

Title Suppressed Due to Excessive Length

19

that is the low component values are very rare in comparison to the system not being under attack. The 1 and 2 component planes are very alike. Low value, and hight values are concentrated at the same region of the SOM hidden plane Considering component 3, there is very broad value variety. Table 2: Confusion matrix, [40], for classification results for ANN2, for DoS threat. Population Training set Predicted condition Predicted condition Testing set Predicted condition Predicted condition

Condition positive

Condition negative

positive True positive rate TPR=61.4% False positive rate FPR=3% negative False negative rate FNR=2.6% True negative rate TNR=33% positive TPR=56.7% negative FNR=2.0%

FPR=6.7% TNR=34.7%

The output form ANN2 was a flag if the system is under DOS attack. The results from ANN2 were given to ANN3. ANN3 was build to detect the particular asset was under considered attack. Shallow feed-forward networks Neural Network was then trained to classify inputs according to target classes. We used the two-layer feed-forward network, with sigmoid hidden and softmax output neurons, [10]. ANN3 input vector was formulated as follows. All consecutive input vector values were built from information considering a single monitoring block of 10 logging attempts. For example, for first-time window assets 3, 4 and 20 were recorded. The formulated input vector was in the form of the number of logging attempts into each asset: AN N 3input(1) = [2, 5, 3, 3, 4, 20]

(20)

This activity was classified by ANN1 as normal logging pattern, therefore the output vector consist zero: AN N 3output(1) = 0

(21)

indicating that none of assets was under the DoS attack. For observation block 468, assets 20, 49 and 154 were recorded. The formulated input vector was in the form of: AN N 3input(468) = [81, 1, 20, 49, 154]

(22)

This activity was classified by ANN1 by abnormal logging pattern, therefore the ANN2 flag was 1. For that asset this is the beginning of the DOS attack: AN N 3output(468) = 20

(23)

20

A. Jak´ obik

indicating that 20th considered asset was under the DoS attack. If the answer from ANN3 does not fit the flag from ANN2, this answer is ignored, and the output is included in badly classified. Similarity, to the previous ANNs training set, validation set and the testing set consisting of the same number of randomly chosen monitoring blocks. The results of ANN3 6-10-1 learning and testing are: the training set correlation coefficient R=0.82, and testing set correlation coefficient R=0.80. The ANN3 incorporates the Levenberg-Marquardt back-propagation learning method [10]. Training automatically stops when generalization stops improving, as indicated by an increase in the mean square error of the validation samples. 4.2

Brute force logging (BFL) by password spraying detection

This data set represents events collected from individual desktop computers, servers, and Active Directory servers. Each event is on a separate line in the form of time, a source user@domain, destination user@domain, source computer, destination computer, authentication type, logon type, authentication orientation, success/failure, password SHA256 hash. It represents an authentication event at the given time. Brute force logging was simulated by using 50 easy-to-guess passwords, like qwert, admin, etc. Three first events from the data were: 1. e625 2 (1) = [1, C625@DOM1, U147@DOM1, C625, C625, Negotiate, Batch, LogOn, Success, hash] 2. e653 2 (2) = [1, C653@DO2M1, SYSTEM@C653, C653, C653, Negotiate, Service, LogOn, Success, hash] 3. e660 2 (3) =[1, C660@DOM1, SYSTEM@C660, C660, C660, Negotiate, Service, LogOn, Success, hash] If password given by the logging attempt fits into one of 50 easy passwords the 10th position in the record was set to 1, if not, it was set to zero. Only the LogOn activity was considered. 149873 logging attempts were collected. In this case, the Cloudlet was in the form of: – – – – – –

int: id; int: pesNumber; long: length; long: source computer number; long: destination computer number; bit hash white list equality;

Self-organizing map ANN1 was clustering events of length 10. Input matrix was assumed in the form of [source computer, destination computer, hash equality marker:0/1]. Each consecutive input matrix consists of next 100 recorded events because password spraying attack is very time-consuming due to the additional necessity of double identification if several consecutive logging attempts were stared ’failed’.

Title Suppressed Due to Excessive Length

21

Normal system functioning results in very different values of ANN SOM weights, see Fig.12 because the sporadic suspicious logging activity was recorded. Under the BFL attack, the SOM weights diversity was very broad, see Fig.13. To define a pattern recognition problem for ANN2 network we considered the map, generated by ANN1. The kth input vector into the ANN2 network was assumed in the form of ANN1 SOM maps weights matrix for kth time window: AN N 2input(k) = (W 11 , ..., W 810 )

(24)

AN N 2output(k) = (0/1)

(25)

The ANN2 network was backpropagation ANN that was taught with the teacher, using a typical supervised learning approach. At this stage, the Cloud provider decides if a particular event was the attack against his system security. Similarly to the DOS attack, one class was denoted as ’threat’ and the second one ’no threat detected’. The ANN2 output was set to one (threat) if the standard deviation value for the weights from input 3 of ANN1 SOM for the monitoring block was larger then for all blocks classified so far as to ’no threat detected’. The considered data set was split into the training set, the validation and the testing set randomly, with the same proportion as for DOS attack. The ANN2 uses the Scaled Conjugate Gradient (SCG) back-propagation learning method, which is appropriate for classification [39]. The corresponding results are shown in Tab. 3. Table 3: Confusion matrix for classification results for ANN2 for BFL threat. Population Training set Predicted condition Predicted condition Testing set Predicted condition Predicted condition

Condition positive

Condition negative

positive True positive rate TPR=60.7% False positive rate FPR=4.0% negative False negative rate FNR=2.7% True negative rate TNR=32.7% positive TPR=60.6% negative FNR=2.5%

FPR=3.7% TNR=33.2%

The output form ANN2 was a flag if the system is under BLF attack. Next, ANN3 was build to detect if a particular asset was under considered attack. ANN3 input vector was formulated as follows. The number of unsuccessful logging into first considered asset was set as the first input value. All consecutive input vector values were built from information considering consecutive assets. ANN3 was assumed in the form of 10-N-1 network. For example for monitoring block number 1, assets 625, 653, and 661 recorded. 1 unsuccessful logging for assets 625, 653 and 2 unsuccessful logging for asset

22

A. Jak´ obik

Weights from Input 2

Weights from Input 1 8

8

6

6

4

4

2

2

0

0 0

2

4

6

8

10

0

2

4

6

8

10

Weights from Input 3 8 6 4 2 0 0

2

4

6

8

10

Fig. 10: SOM Weight Planes for selected monitoring block. A weight plane for each element of the input vector is depicted. Weights from Input 2

Weights from Input 1 8

8

6

6

4

4

2

2

0

0 0

2

4

6

8

10

0

2

4

6

8

10

Weights from Input 3 8 6 4 2 0 0

2

4

6

8

10

Fig. 11: SOM Weight Planes for selected monitoring block with recorded hostile activity.

Title Suppressed Due to Excessive Length

23

661. The formulated input vector was in the form of: AN N 3input(1) = (1, 1, 2, 625, 653, 661)

(26)

This activity was classified by ANN1 as normal logging pattern, therefore the output equals: AN N 3output(1) = 0 (27) indicating that none of assets were under the DoS attack. For monitoring block number 77, assets 11, 81, 550 were recorded. One unsuccessful logging for assets 11, 81 and 8 unsuccessful logging for asset 661. The formulated input vector was in the form of: AN N 3input(1) = (1, 1, 8, 11, 81, 550)

(28)

This activity was classified by ANN1 as abnormal logging pattern, therefore the output equals AN N 3output(1) = 550 (29) indicating that assets number 550 was under the DoS attack. Similarly, the training set, the validation set, and the testing set consist of the same number of randomly chosen events. The ANN3 for BLF detection uses the same Levenberg-Marquardt algorithm for back-propagation learning method, used for DOS detecting. Corresponding results are the training set correlation coefficient R=0.76 and the set correlation coefficient R=0.75. 4.3

SQL injection detection

SQL injection is an attack wherein an attacker can execute malicious SQL code using the input data from the browser to the application server, in the form of web input. For example, during the attack attempt, instead of entering a valid user name and password in the input fields, a string like: ’x’=’x’ is injected. The condition is always true, therefore, the query will return all rows from the users’ table. This way, an attacker can get access to all the sensitive information of a database. Unified Host and Network Dataset was used for this part of the simulation, as the basic events’ record. The considered data set consist of 1550 browser requests. The chosen events from the data set are: 1. e624729 (1) = EventID: 4769, UserName: User624729, ServiceName: Comp 3 883934, DomainName: Domain002, Status: 0x0, Source: Comp 309534, Computer: ActiveDirectory, Time: 2, GET /dccstats/stats-hashes.1week.png HTTP/1.0 2. e380010 (2) = EventID: 4624, UserName: User380010, LogonID: 0x9f17415, 3 DomainName: Domain002, LogonTypeDescription: Network, Computer: Comp 966305, AuthenticationPackage: Kerberos, Time: 2, LogonType: 3, GET /dccstats/stats-spam.1month.png HTTP/1.0

24

A. Jak´ obik

3. e096622 (3) = EventID: 4624, UserName: User096622, LogonID: 0x9f17637, 3 DomainName: Domain002, LogonTypeDescription: Network, Computer: Comp 966305, AuthenticationPackage: Kerberos, Time: 2, LogonType: 3, GET /dccstats/stats-spam-ratio.1month.png HTTP/1.0 8 alternative expression of ’or 1 = 1’ was used for injection. SQL attack, in contrast to DoS and BFL, is based not on the frequency of particular event occurrence. Each suspicious event was considered as the attack. SQL injection occurrence was assumed as the initialization for the pseudo-stage for the game. Therefore the monitoring block for SQL injection was only 2 events. In this case, the Cloudlet was in the form of: – int: id; – int: pesNumber; – string: browser requests; 4.4

Attacker strategy calculation

The aim of that part of the system was to calculate the attacker strategy vector. For all considered attacks the time window was divided into monitoring block, see Fig.1. The length of the monitoring block was different for each threat. This is due to the fact that from among all the security threats, some needs more monitoring time to be detected, and some may be found in a shorter time. The following monitoring blocks were analyzed for the chosen time window: – vectors of length 10 events for identifying the DoS attack. The number of monitoring blocks that consists events considering asset a, recorded during a consecutively; this time window equals NDoS a – vectors of length 10 events for identifying the BFL attack, NBF L; a . – 1 vectors of length 2 events for identifying the SQL injection attack, NSQL For each monitoring block ANN3 was proceeding ones. Result not equal zero pointed the asset that is under the attack. Let the naDoS , naBF L and naSQL indicates the number of ANN answers not equal zero for asset a. Then, the attacker strategy vector is formulated as follows: 2,a 3,a a a a a a a s2 = [s1,a 2 , s2 , s2 ] = [nDoS /NDoS , nBF L /NBF L , nSQL /NSQL ]

(30)

Of SQL threat was detected 2 pseudo stages are used according to the (8)(13). If not, the optimization problem is solved only ones, analogically to (6)-(7). Time window consists of 10 consecutive monitoring blocks.

5 5.1

Discussion Game realization

Three considered attacks were counter-measured by three possible controls: using multi-factor authentication (control 1), using SYN cookies monitor (control 2) and White List Input Validation (control 3).

Title Suppressed Due to Excessive Length

25

Applying single control results of lowering Common Vulnerability Scoring System v3.0, [41], index of the considered system, see tab. 6. Therefore the game leader utility function was of the form: X i,a H2 (σ1 (s1 ), σ2 (s2 )) = − sj,a (31) 1 s2 CV SS(i, j) i=1,2,3 j=1,2,3

where

  2.3 6.3 4.6 CV SS = 7.4 2.2 0.3 9.7 6.0 0.5

(32)

CVSS metrics range is from 0 to 10. Textual severity of the ratings is: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) For finding the defender strategy Simplex optimization method was used. The game is repeated every time window. Three chosen time windows are presented for asset nb. 20, see tab. 6, 7, 8. Table 4: Cloud defender strategy for time window nb. 213, information leaks included, no corruption of the follower rationality detected. first pseudo stage

control 1 s1,20 =0 2 control 2 s2,20 =1 2 control 3 s3,20 =0 2 second pseudo stage

control 1 s1,20 =1 2 control 2 s2,20 =0 2 control 3 s3,20 =0 2

DOS threat mean(s11,20 ) = 0.38 2.3/unknown 7.4/unknown 9.7/unknown

BFL threat mean(12,20 ) = 0.35 6.3/unknown 2.2/unknown 6.0/unknown

SQL inj. threat s3,20 = 0.25 1 4.6/unknown 0.3/unknown 0.5/unknown

DOS threat s1,20 = 0.45 1 2.3/unknown 7.4/unknown 9.7/unknown

BFL threat s2,20 = 0.30 1 6.3/unknown 2.2/unknown 6.0/unknown

SQL inj. threat s3,20 = 0.24 1 4.6/unknown 0.3/unknown 0.5/unknown

Table 5: Cloud defender strategy for time window nb. 510, no information leaks, corruption of the follower rationality. no pseudo stages

control 1 s1,20 2 control 2 s2,20 2 control 3 s3,20 2

DOS threat s1,20 = 0.71 1 = 0 2.3/unknown = 1 7.4/unknown = 0 9.7/unknown

BFL threat s2,20 = 0.97 1 6.3/unknown 2.2/unknown 6.0/unknown

SQL inj. threat s3,20 = 0.16 1 4.6/unknown 0.3/unknown 0.5/unknown

26

A. Jak´ obik

Table 6: Cloud defender strategy for time window nb. 646, information leaks included, corruption of the follower rationality. first pseudo stage

control 1 s1,20 =1 2 control 2 s2,20 =0 2 control 3 s3,20 =0 2 second pseudo stage

control 1 s1,20 =1 2 control 2 s2,20 =0 2 =0 control 3 s3,20 2

DOS threat mean(s11,20 ) = 0.4 2.3/unknown 7.4/unknown 9.7/unknown

BFL threat mean(2,20 ) = 0.36 1 6.3/unknown 2.2/unknown 6.0/unknown

SQL inj. threat s3,20 = 0.07 1 4.6/unknown 0.3/unknown 0.5/unknown

DOS threat s1,20 = 36 1 2.3/unknown 7.4/unknown 9.7/unknown

BFL threat s2,20 = 0.13 1 6.3/unknown 2.2/unknown 6.0/unknown

SQL inj. threat s3,20 = 0.21 1 4.6/unknown 0.3/unknown 0.5/unknown

Fig.13 depicts long term game realization. It shows how the optimal decision of the Cloud defender changes during 100 consecutive time windows. Each time window is indicating the equal number of security logs data. After each time window has finished, the analysis is made. 5.2

Summary of the main results of the experiment

The presented model enables incorporation data from monitoring of the treats that are short term and long term. In case of long term threats longer time windows may be used. Using the ANN modelling allows retrieving the information about the security threat from security logs of the Cloud system, without the information about the system internal structure. It is based on detection abnormalities in the data sets. Adding information leak stage allows applying the countermeasures in the middle of the longer time windows when incomplete information is available. Black box modelling using the set of ANNs enables to calculate the attacker strategy even in the case when the attacker utility function is not known.

6

Conclusion and future works

We presented model Stackelberg Games for automating security decisions in Cloud Computing systems. The model includes attack-defense scenarios when information leaks and the chosen rule of the SG are corrupted. The game stages assume Cloud provider and Cloud attacker competing against each other to maximize their payoffs. In the presented model, the Cloud provider is the game leader and may play his strategy first. The attacker follows his actions based on their own aims. The paper presents the method for obtaining the strategy of the attacker without a necessity for attacker utility function modeling in analytical form. Instead, Artificial Neural Networks are used for analysis of the security logs

Title Suppressed Due to Excessive Length

1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0

0

10

20

30

40

50

60

70

80

90

100

Fig. 12: The dynamics of the probability of applying control 1 during time windows 1, 2,...,100. 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0

0

10

20

30

40

50

60

70

80

90

100

Fig. 13: The dynamics of the probability of applying control 2 during time windows 1, 2,...,100. 10-9

2.5

2

1.5

1

0.5

0

0

10

20

30

40

50

60

70

80

90

100

Fig. 14: The dynamics of the probability of applying control 1 during time windows 1, 2,...,100..

27

28

A. Jak´ obik

from the Cloud. Estimation of attacker strategy enables to select the optimum set of security decisions for the Cloud provider. The model assumes information leak about the attacker strategy and corruption against follower rationality. It allows modelling the attack on Cloud system in a very realistic way. The proposed solution has been tested by the experimental analysis on Cloud security logs from open data set provided by Los Alamos National Security Lab. Presented SG model enables finding the proper defense strategy for the Cloud provider. In the future, we would like to incorporate more advanced game models, that allow mixing Stackelberg Games with Nash games. It enables some stages of the game to be executed at the same time and to choose stages in the leader-follower model.

References 1. J. Archer, A. Boehme, D. Cullinane, P. Kurtz, N. Puhlmann, J. Reavis, Top Threats to Cloud Computing V1.0, Tech. rep. (2010). 2. 6 Top Cloud Security Threats in 2018. URL https://www.tripwire.com/state-of-security/security-dataprotection/cloud/top-cloud-security-threats/ 3. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Tech. rep. (2009). 4. CSA Controls Matrix v.3, Tech. rep. (2013). 5. A. Wilczy´ nski, A. Jak´ obik, Using Polymatrix Extensive Stackelberg Games in Security–Aware Resource Allocation and Task Scheduling in Computational Clouds, Journal of Telecommunications and Information Technology 1. 6. A. Jak´ obik, Big Data Security, Springer International Publishing, Resource Management for Big Data Platforms: Algorithms, Modelling, and High-Performance Computing Techniques, 2016, pp. 241–261. 7. S. Tadelis, Game Theory: An Introduction, Princeton University Press, 2013. 8. M. T. Hagan, H. B. Demuth, M. Beale, Pareto-Nash-Stackelberg Game and Control Theory, Springer International Publishing, UK, 2018. 9. A. Jak´ obik, F. Palmieri, J. Ko´lodziej, Stackelberg games for modeling defense scenarios against cloud security threats, Journal of Network and Computer Applications 110 (2018) 99 – 107. doi:https://doi.org/10.1016/j.jnca.2018.02.015. URL http://www.sciencedirect.com/science/article/pii/S1084804518300663 10. S. Haykin, Neural Networks: A Comprehensive Foundation, 2nd Edition, Prentice Hall PTR, Upper Saddle River, NJ, USA, 1998. 11. T. Kohonen, Self-Organizing Maps, Springer Series in Information Sciences, 2001. 12. S. Dlugosz, Multi-layer Perceptron Networks for Ordinal Data Analysis, Logos Verlag, 2008. 13. X. Liu, Z. Liu, Evaluating method of security threat based on attacking-path graph model, in: 2008 International Conference on Computer Science and Software Engineering, Vol. 3, 2008, pp. 1127–1132. doi:10.1109/CSSE.2008.775. 14. P. Johnson, A. Vernotte, M. Ekstedt, R. Lagerstrm, pwnpr3d: An attack-graphdriven probabilistic threat-modeling approach, in: 2016 11th International Conference on Availability, Reliability and Security (ARES), 2016, pp. 278–283. doi:10.1109/ARES.2016.77. 15. P. K. Manadhata, J. M. Wing, An attack surface metric, IEEE Transactions on Software Engineering 37 (3) (2011) 371–386. doi:10.1109/TSE.2010.60.

Title Suppressed Due to Excessive Length

29

16. N. Lynch, R. Segala, F. Vaandrager, Hybrid i/o automata, Inf. Comput. 185 (1) (2003) 105–157. doi:10.1016/S0890-5401(03)00067-1. URL http://dx.doi.org/10.1016/S0890-5401(03)00067-1 17. M. Mohsin, Z. Anwar, Where to kill the cyber kill-chain: An ontology-driven framework for iot security analytics, in: 2016 International Conference on Frontiers of Information Technology (FIT), 2016, pp. 23–28. doi:10.1109/FIT.2016.013. 18. X. Lin, P. Zavarsky, R. Ruhl, D. Lindskog, Threat modeling for csrf attacks, 2009 International Conference on Computational Science and Engineering 3 (2009) 486– 491. 19. R. Kumar, M. Stoelinga, Quantitative security and safety analysis with attack-fault trees, in: 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE), 2017, pp. 25–32. doi:10.1109/HASE.2017.12. 20. M. Szpyrka, B. Jasiul, Evaluation of cyber security and modelling of risk propagation with petri nets, Symmetry 9 (3). doi:10.3390/sym9030032. URL http://www.mdpi.com/2073-8994/9/3/32 21. W. C. Moody, H. Hu, A. Apon, Defensive maneuver cyber platform modeling with stochastic petri nets, in: 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing, 2014, pp. 531–538. doi:10.4108/icst.collaboratecom.2014.257559. 22. Y. Li, D. E. Quevedo, S. Dey, L. Shi, A game-theoretic approach to fake-acknowledgment attack on cyber-physical systems, IEEE Transactions on Signal and Information Processing over Networks 3 (1) (2017) 1–11. doi:10.1109/TSIPN.2016.2611446. 23. E. Eisenstadt, A. Moshaiov, Novel solution approach for multi-objective attackdefense cyber games with unknown utilities of the opponent, IEEE Transactions on Emerging Topics in Computational Intelligence 1 (1) (2017) 16–26. doi:10.1109/TETCI.2016.2637410. 24. N. Basilico, A. Lanzi, M. Monga, A security game model for remote software protection, in: 2016 11th International Conference on Availability, Reliability and Security (ARES), 2016, pp. 437–443. doi:10.1109/ARES.2016.96. 25. J. Zhu, B. Zhao, Z. Zhu, Leveraging game theory to achieve efficient attack-aware service provisioning in eons, Journal of Lightwave Technology 35 (10) (2017) 1785– 1796. doi:10.1109/JLT.2017.2656892. 26. M. P. Fanti, M. Nolich, S. Simi, W. Ukovich, Modeling cyber attacks by stochastic games and timed petri nets, in: 2016 IEEE International Conference on Systems, Man, and Cybernetics (SMC), 2016, pp. 002960–002965. doi:10.1109/SMC.2016.7844690. 27. X. Yang, X. He, J. Lin, W. Yu, Q. Yang, A game-theoretic model on coalitional attacks in smart grid, in: 2016 IEEE Trustcom/BigDataSE/ISPA, 2016, pp. 435– 442. doi:10.1109/TrustCom.2016.0094. 28. A. H. Anwar, G. Atia, M. Guirguis, Game theoretic defense approach to wireless networks against stealthy decoy attacks, in: 2016 54th Annual Allerton Conference on Communication, Control, and Computing (Allerton), 2016, pp. 816–821. doi:10.1109/ALLERTON.2016.7852317. 29. R. Zhang, Q. Zhu, Y. Hayel, A bi-level game approach to attack-aware cyber insurance of computer networks, IEEE Journal on Selected Areas in Communications 35 (3) (2017) 779–794. doi:10.1109/JSAC.2017.2672378. 30. A. Wilczy´ nski, A. Jak´ obik, J. Ko´lodziej, Stackelberg security games: Models, applications and computational aspects 3 (2016) 70–79. 31. L. Dupr, T. Haeberlen, Cloud Computing. Benefits, risks and recommendations for information security, Tech. rep. (2010).

30

A. Jak´ obik

32. Los Alamos National Laboratory. URL https://csr.lanl.gov/data 33. M. J. M. Turcotte, A. D. Kent, C. Hash, Unified Host and Network Data Set, ArXiv e-printsarXiv:1708.07518. 34. A. D. Kent, Cybersecurity Data Sources for Dynamic Network Research, in: Dynamic Networks in Cybersecurity, Imperial College Press, 2015. 35. A. D. Kent, User-computer authentication associations in time, Los Alamos National Laboratory (2014). doi:10.11578/1160076. 36. Cloudsim. URL http://www.cloudbus.org/cloudsim/ 37. A. Jak´ obik, D. Grzonka, F. Palmieri, Non-deterministic security driven meta scheduler for distributed cloud organizations, Simulation Modelling Practice and Theory 76 (2017) 67 – 81, high-Performance Modelling and Simulation for Big Data Applications. doi:10.1016/j.simpat.2016.10.011. 38. A. Jakobik, D. Grzonka, J. Kolodziej, H. Gonz´ alez-V´elez, Towards secure nondeterministic meta-scheduling for clouds, in: 30th European Conference on Modelling and Simulation, ECMS 2016, Regensburg, Germany, May 31 - June 3, 2016, Proceedings., 2016, pp. 596–602. doi:10.7148/2016-0596. URL http://dx.doi.org/10.7148/2016-0596 39. M. T. Hagan, H. B. Demuth, M. Beale, Neural Network Design, PWS Publishing Co., Boston, MA, USA, 1996. 40. S. Visa, B. Ramsay, A. Ralescu, E. Knaap, Confusion matrix-based feature selection. 710 (2011) 120–127. 41. Calculator 3.0. URL https://www.first.org/cvss/calculator/3.0