A Game Theoretic Model of Computer Network Exploitation Campaigns

Presented at RVAsec 2018, June 8, 2018, 1 p.m. (50 minutes).

Increasingly, cyberspace is the battlefield of choice for twenty first century criminal activity and foreign conflict. This suggests that traditional modeling and simulation approaches have stalled in the information security domain. We propose a game theoretic model based on a multistage model of computer network exploitation (CNE) campaigns comprising reconnaissance, tooling, implant, lateral movement, exfiltration and cleanup stages. In each round of the game, the attacker chooses whether to proceed with the next stage of the campaign, nature decides whether the defender is cognizant of the campaign’s progression, and the defender chooses to respond in an active or passive fashion. We propose a dynamic, asymmetric, complete-information, general-sum game to model CNE campaigns and techniques to estimate this game’s parameters. Researchers can extend this work to other threat models, and practitioners can use this work for decision support.


Presenters:

  • Robert Mitchell - MITRE
    Dr. Robert Mitchell is currently a member of technical staff at Sandia National Laboratories. He received the Ph.D, M.S. and B.S. from Virginia Tech. Robert served as a military officer for six years and has over 12 years of industry experience, having worked previously at Boeing, BAE Systems, Raytheon and Nokia. His research interests include game theory, linkography, moving target defense, computer network operations, network security, intrusion detection and cyber physical systems. Robert has published 23 peer reviewed articles.

Links:

Similar Presentations: