Game-Theoretic Decision Support for Cyber Forensic Investigations
The use of anti-forensic techniques is a very common practice that stealthy adversaries may deploy to minimise their traces and make the investigation of an incident harder by evading detection and attribution. In this paper, we study the interaction between a cyber forensic Investigator and a strat...
Main authors: | Nisioti, Antonia; Loukas, George; Rass, Stefan; Panaousis, Emmanouil |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | MDPI 2021 |
Subjects: | |
Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8401095/ https://www.ncbi.nlm.nih.gov/pubmed/34450740 http://dx.doi.org/10.3390/s21165300 |
_version_ | 1783745470972035072 |
---|---|
author | Nisioti, Antonia Loukas, George Rass, Stefan Panaousis, Emmanouil |
author_facet | Nisioti, Antonia Loukas, George Rass, Stefan Panaousis, Emmanouil |
author_sort | Nisioti, Antonia |
collection | PubMed |
description | The use of anti-forensic techniques is a very common practice that stealthy adversaries may deploy to minimise their traces and make the investigation of an incident harder by evading detection and attribution. In this paper, we study the interaction between a cyber forensic Investigator and a strategic Attacker using a game-theoretic framework. This is based on a Bayesian game of incomplete information played on a multi-host cyber forensics investigation graph of actions traversed by both players. The edges of the graph represent players’ actions across different hosts in a network. In alignment with the concept of Bayesian games, we define two Attacker types to represent their ability of deploying anti-forensic techniques to conceal their activities. In this way, our model allows the Investigator to identify the optimal investigating policy taking into consideration the cost and impact of the available actions, while coping with the uncertainty of the Attacker’s type and strategic decisions. To evaluate our model, we construct a realistic case study based on threat reports and data extracted from the MITRE ATT&CK STIX repository, Common Vulnerability Scoring System (CVSS), and interviews with cyber-security practitioners. We use the case study to compare the performance of the proposed method against two other investigative methods and three different types of Attackers. |
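The abstract describes a Bayesian game of incomplete information in which the Investigator chooses investigative actions under uncertainty about whether the Attacker can deploy anti-forensic techniques. The following is an added toy illustration of that idea, not the paper's model or code: it is a single-stage game rather than a multi-host investigation graph, and every parameter (the three actions, their costs, evidential impacts, recovery probabilities and susceptibility to anti-forensics, the two Attacker types, the prior and the hiding cost) is an assumed value constructed for the example. It enumerates pure-strategy Bayesian Nash equilibria by checking mutual best responses, and contrasts the equilibrium choice with a type-blind baseline that assumes no anti-forensics.

```python
"""Toy Bayesian investigation game (constructed illustration, not the paper's model).

Players: an Investigator who picks one forensic action, and an Attacker whose
type ("basic" or "stealthy") is private and drawn from a known prior. A stealthy
Attacker can deploy an anti-forensic technique that lowers the probability that
an artefact is recovered; each investigative action is susceptible to it to a
different degree (e.g. log clearing hurts log review far more than a memory capture).
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Action:
    name: str
    cost: float            # Investigator's cost of running the action
    impact: float          # evidential value if the artefact is recovered
    base_recovery: float   # P(recover) when no anti-forensics are in play
    susceptibility: float  # fraction of recovery lost if anti-forensics succeed


# Assumed parameters, constructed for this example.
ACTIONS: List[Action] = [
    Action("log_review",     cost=2.0, impact=10.0, base_recovery=0.7, susceptibility=1.0),
    Action("disk_image",     cost=4.0, impact=8.0,  base_recovery=0.8, susceptibility=0.5),
    Action("memory_capture", cost=6.0, impact=10.0, base_recovery=0.9, susceptibility=0.2),
]
# Attacker types: probability that their anti-forensic technique succeeds.
AF_SUCCESS: Dict[str, float] = {"basic": 0.0, "stealthy": 0.8}
# Investigator's prior belief over the Attacker's type.
PRIOR: Dict[str, float] = {"basic": 0.3, "stealthy": 0.7}
HIDE_COST = 1.0  # Attacker's cost (time, extra noise) of deploying anti-forensics

Strategy = Dict[str, bool]  # Attacker strategy: type -> deploy anti-forensics?


def recovery(action: Action, atype: str, hide: bool) -> float:
    """Probability the action recovers the artefact against a given type/choice."""
    if not hide:
        return action.base_recovery
    return action.base_recovery * (1.0 - AF_SUCCESS[atype] * action.susceptibility)


def investigator_payoff(action: Action, atype: str, hide: bool) -> float:
    return action.impact * recovery(action, atype, hide) - action.cost


def attacker_payoff(action: Action, atype: str, hide: bool) -> float:
    # The Attacker loses what the Investigator gains in evidence, and pays to hide.
    return -action.impact * recovery(action, atype, hide) - (HIDE_COST if hide else 0.0)


def expected_investigator_payoff(action: Action, strategy: Strategy) -> float:
    """Expected payoff over the type prior, given the Attacker's type-contingent plan."""
    return sum(PRIOR[t] * investigator_payoff(action, t, strategy[t]) for t in PRIOR)


def attacker_best_response(action: Action) -> Strategy:
    """Each type hides only if hiding strictly improves its own payoff."""
    return {t: attacker_payoff(action, t, True) > attacker_payoff(action, t, False)
            for t in PRIOR}


def investigator_best_response(strategy: Strategy) -> Action:
    return max(ACTIONS, key=lambda a: expected_investigator_payoff(a, strategy))


def pure_bayesian_nash_equilibria() -> List[Tuple[str, Strategy]]:
    """Enumerate (action, strategy) pairs that are mutual best responses."""
    equilibria: List[Tuple[str, Strategy]] = []
    for action in ACTIONS:
        for hides in product([False, True], repeat=len(PRIOR)):
            strategy = dict(zip(PRIOR, hides))
            if investigator_best_response(strategy).name != action.name:
                continue
            if attacker_best_response(action) != strategy:
                continue
            equilibria.append((action.name, strategy))
    return equilibria


def type_blind_choice() -> str:
    """Baseline: ignore Attacker types and assume no anti-forensics are deployed."""
    no_hiding = {t: False for t in PRIOR}
    return investigator_best_response(no_hiding).name


if __name__ == "__main__":
    print("type-blind choice:", type_blind_choice())
    for name, strat in pure_bayesian_nash_equilibria():
        print("equilibrium:", name, strat)
```

With these assumed numbers the type-blind baseline picks the cheap log review, because it looks best when no one tampers with logs; once the prior over a log-clearing Attacker is taken into account, the only pure equilibrium has the Investigator choosing the memory capture, which the anti-forensic technique barely affects. Changing the prior, the hiding cost or the susceptibilities can remove the pure equilibrium altogether, at which point a mixed-strategy solver is needed; the enumeration above then simply returns an empty list.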
format | Online Article Text |
id | pubmed-8401095 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2021 |
publisher | MDPI |
record_format | MEDLINE/PubMed |
spelling | pubmed-84010952021-08-29 Game-Theoretic Decision Support for Cyber Forensic Investigations Nisioti, Antonia Loukas, George Rass, Stefan Panaousis, Emmanouil Sensors (Basel) Article The use of anti-forensic techniques is a very common practice that stealthy adversaries may deploy to minimise their traces and make the investigation of an incident harder by evading detection and attribution. In this paper, we study the interaction between a cyber forensic Investigator and a strategic Attacker using a game-theoretic framework. This is based on a Bayesian game of incomplete information played on a multi-host cyber forensics investigation graph of actions traversed by both players. The edges of the graph represent players’ actions across different hosts in a network. In alignment with the concept of Bayesian games, we define two Attacker types to represent their ability of deploying anti-forensic techniques to conceal their activities. In this way, our model allows the Investigator to identify the optimal investigating policy taking into consideration the cost and impact of the available actions, while coping with the uncertainty of the Attacker’s type and strategic decisions. To evaluate our model, we construct a realistic case study based on threat reports and data extracted from the MITRE ATT&CK STIX repository, Common Vulnerability Scoring System (CVSS), and interviews with cyber-security practitioners. We use the case study to compare the performance of the proposed method against two other investigative methods and three different types of Attackers. MDPI 2021-08-05 /pmc/articles/PMC8401095/ /pubmed/34450740 http://dx.doi.org/10.3390/s21165300 Text en © 2021 by the authors. https://creativecommons.org/licenses/by/4.0/Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). |
spellingShingle | Article Nisioti, Antonia Loukas, George Rass, Stefan Panaousis, Emmanouil Game-Theoretic Decision Support for Cyber Forensic Investigations |
title | Game-Theoretic Decision Support for Cyber Forensic Investigations |
title_full | Game-Theoretic Decision Support for Cyber Forensic Investigations |
title_fullStr | Game-Theoretic Decision Support for Cyber Forensic Investigations |
title_full_unstemmed | Game-Theoretic Decision Support for Cyber Forensic Investigations |
title_short | Game-Theoretic Decision Support for Cyber Forensic Investigations |
title_sort | game-theoretic decision support for cyber forensic investigations |
topic | Article |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8401095/ https://www.ncbi.nlm.nih.gov/pubmed/34450740 http://dx.doi.org/10.3390/s21165300 |
work_keys_str_mv | AT nisiotiantonia gametheoreticdecisionsupportforcyberforensicinvestigations AT loukasgeorge gametheoreticdecisionsupportforcyberforensicinvestigations AT rassstefan gametheoreticdecisionsupportforcyberforensicinvestigations AT panaousisemmanouil gametheoreticdecisionsupportforcyberforensicinvestigations |