Abstract
It is well known that computer and network security is an adversarial challenge. Attackers develop exploits and defenders respond to them through updates, service packs or other defensive measures. In non-adversarial situations, such as automobile safety, advances on one side are not countered by the other side, so progress can be demonstrated over time. In adversarial situations, advances by one side are countered by the other, so oscillatory performance typically emerges. This paper contains a detailed study of the coevolution of the Conficker worm and the defenses against it. It demonstrates, in concrete terms, that attackers and defenders each present moving targets to the other. After detailing specific adaptations of attackers and defenders in the context of Conficker and its variants, we briefly develop a quantitative model for explaining the coevolution, based on what we call Quantitative Attack Graphs (QAG), in which attackers select shortest paths through an attack graph and defenders invest in hardening the shortest-path edges appropriately.
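The shortest-path and hardening dynamic described in the abstract can be sketched as a small simulation. This is an added illustration, not the chapter's own model or code: the graph, the edge weights (attacker effort), the fixed hardening step and the "harden the weakest edge on the current path" rule are all assumptions made for the example.

```python
import heapq

# Constructed attack graph: each directed edge carries the attacker's
# effort to take that step. Node names and weights are illustrative.
GRAPH = {
    ("entry", "a"): 1, ("a", "target"): 3,
    ("entry", "b"): 2, ("b", "target"): 4,
    ("a", "b"): 2,
}

def shortest_path(costs, src, dst):
    """Dijkstra over non-negative edge costs; returns (total, [nodes])."""
    adj = {}
    for (u, v), w in costs.items():
        adj.setdefault(u, []).append((v, w))
    heap = [(0, src, [src])]
    done = set()
    while heap:
        dist, node, path = heapq.heappop(heap)
        if node == dst:
            return dist, path
        if node in done:
            continue
        done.add(node)
        for nxt, w in adj.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (dist + w, nxt, path + [nxt]))
    return None, []  # target unreachable

def coevolve(graph, rounds, step, src="entry", dst="target"):
    """Each round the attacker takes the cheapest path, then the defender
    raises the cost of the weakest edge on that path by `step`
    (assumed hardening rule). Returns [(attack_cost, path), ...]."""
    costs = dict(graph)
    history = []
    for _ in range(rounds):
        total, path = shortest_path(costs, src, dst)
        if total is None:
            break
        history.append((total, path))
        edges = list(zip(path, path[1:]))
        weakest = min(edges, key=lambda e: costs[e])
        costs[weakest] += step
    return history

if __name__ == "__main__":
    for rnd, (cost, path) in enumerate(coevolve(GRAPH, rounds=6, step=3)):
        print(rnd, cost, " -> ".join(path))
```

With these assumed weights the attacker's route alternates between the two branches every round while the cost of the cheapest attack rises, a simple instance of each side presenting a moving target to the other.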
Notes
1. This implies a Nash Equilibrium test: If, after revealing the players’ strategies to one another, no player changes his strategy, despite knowing the actions of his opponents, a Nash Equilibrium has been reached.
Acknowledgements
We thank Vincent Berk, Patrick Sweeney, David Sicilia, Gabriel Stocco, James Thomas House and other colleagues at Process Query Systems, Dartmouth College, Siege Technologies and elsewhere for discussions and contributions that have led to these findings. This work was partially supported by DARPA Contract FA8750-11-1-0253 at Dartmouth College and US DoD contracts to Process Query Systems. All opinions and results expressed in this article are those of the authors and do not represent the positions or opinions of the US Government or sponsoring agencies.
Copyright information
© 2013 Springer Science+Business Media New York
About this paper
Cite this paper
Bilar, D., Cybenko, G., Murphy, J. (2013). Adversarial Dynamics: The Conficker Case Study. In: Jajodia, S., Ghosh, A., Subrahmanian, V., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense II. Advances in Information Security, vol 100. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5416-8_3
DOI: https://doi.org/10.1007/978-1-4614-5416-8_3
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-5415-1
Online ISBN: 978-1-4614-5416-8
eBook Packages: Computer Science, Computer Science (R0)