
By: Federico Pacheco (I+D+I Manager)

References

[1] Denning D. E., "Framework and principles for active cyber defense", Computers & Security, vol. 40, pp. 108-113, 2014.

[2] Li J., Kendall G., John R., "Computing Nash equilibria and evolutionarily stable states of evolutionary games", IEEE Transactions on Evolutionary Computation, vol. 20, no. 3, pp. 460-469, 2015.

[3] Xu S., Lu W., Li H., "A stochastic model of active cyber defense dynamics", Internet Mathematics, vol. 11, no. 1, pp. 23-61, 2015.

[4] Zheng R., Lu W., Xu S., "Active cyber defense dynamics exhibiting rich phenomena", Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, April 21, 2015, pp. 1-12.

[5] Schneider-Mizell C., Sander L., "A generalized voter model on complex networks", Journal of Statistical Physics, vol. 136, no. 1, p. 11, 2008.

[6] Liu X., Zhang H., Zhang Y., Shao L., Han J., "Active Defense Strategy Selection Method Based on Two-Way Signaling Game", Security and Communication Networks, vol. 2019, Article ID 1362964, 14 pages, 2019.

[7] Hu H., Liu Y., Chen C., Zhang H., Liu Y., "Optimal decision-making approach for cyber security defense using evolutionary game", IEEE Transactions on Network and Service Management, vol. 17, no. 3, pp. 1683-1700, 2020.

[8] Liu Y., Chen H., Zhang H., Liu X., "Defense Strategy Selection Model Based on Multistage Evolutionary Game Theory", Security and Communication Networks, vol. 2021, Article ID 4773894, 2021.

Active Cyber Defense: Theoretical Approaches

Approaches to active cyber defense

As in any field of study, there are purely theoretical approaches and purely practical ones, and in many cases they diverge significantly, especially while the field's maturity is still low. Active cyber defense, one of the newest areas of knowledge in cybersecurity, has no de facto references or authoritative sources beyond its analogies with the military domain. Below we review the most current theoretical frameworks.

Theoretical approaches

From the defensive point of view, a system assumed to be secure is secure only as long as its adversary model and trust assumptions hold in practice. When the defender can adaptively select a strategy by trying to predict the attacker's actions and interrupt or block them, while maximizing its own payoff, we are in the realm of active defense. Active cyber defense (ACD) can also be characterized by four features: the scope of its effects (internal or external), the degree of cooperation (knowledge and consent of the affected parties), the type of effect (sharing, collecting, blocking, preventing) and the degree of automation (automatic or manual)[1].

In the contest between attack and defense, the effectiveness of the defense depends not only on its own actions but is also shaped and limited by the actions of the counterpart. The central difficulty is selecting the optimal defense strategy in an adversarial environment with limited information. The conflicting objectives, strategic interdependence and non-cooperative relationship between attack and defense match the setting of game theory: the search for an optimal decision in a conflict environment.

Game-theoretic approaches have been used in recent years to capture the interaction between adversaries and defenders, modeling strategic decision making that maximizes each side's payoff while accounting for the counterpart's space of moves. This led to non-cooperative game models, in which each party's choice influences the other's behavior. In the best case, the strategy choices of the participants converge to a Nash equilibrium: a profile of strategies in which neither party can improve its payoff by unilaterally changing its own strategy (a point of mutual best response, not necessarily the best outcome for both). Decisions derived in this way help the defender allocate resources, balance perceived risks and account for the underlying incentives[2].
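To make the notion of equilibrium concrete, here is an added example (not code from the original article or from any of the cited papers) that computes the pure and mixed Nash equilibria of a small attacker/defender game. The strategy names and payoff numbers are hypothetical and constructed for illustration; the functions work for any 2x2 bimatrix game, and the last one checks the defining property of a Nash equilibrium, that no unilateral deviation pays more:

```python
"""Attacker/defender game: pure and mixed Nash equilibria of a 2x2 bimatrix game.

Payoff matrices are indexed [defender_strategy][attacker_strategy].
All numbers below are constructed for illustration only.
"""
from itertools import product

# Defender strategies: 0 = harden the external perimeter, 1 = monitor and deceive.
# Attacker strategies: 0 = exploit an external service, 1 = phish an insider.
# Hypothetical payoffs: the defender wins when it guesses the attack vector,
# the attacker wins otherwise (zero-sum here, but the functions below accept
# any 2x2 bimatrix game).
DEFENDER = [[4.0, -2.0],
            [-1.0, 3.0]]
ATTACKER = [[-4.0, 2.0],
            [1.0, -3.0]]


def pure_nash(D, A):
    """All pure-strategy profiles (i, j) in which each side is best-responding."""
    rows, cols = len(D), len(D[0])
    equilibria = []
    for i, j in product(range(rows), range(cols)):
        defender_ok = all(D[i][j] >= D[k][j] for k in range(rows))
        attacker_ok = all(A[i][j] >= A[i][m] for m in range(cols))
        if defender_ok and attacker_ok:
            equilibria.append((i, j))
    return equilibria


def mixed_nash_2x2(D, A):
    """Fully mixed equilibrium (p, q) of a 2x2 game, or None if there is none.

    p = probability the defender plays strategy 0, chosen so the attacker is
    indifferent between its two strategies; q = probability the attacker
    plays strategy 0, chosen so the defender is indifferent.
    """
    den_p = A[0][0] - A[1][0] - A[0][1] + A[1][1]
    den_q = D[0][0] - D[0][1] - D[1][0] + D[1][1]
    if den_p == 0 or den_q == 0:
        return None  # a side has a dominant strategy: no interior equilibrium
    p = (A[1][1] - A[1][0]) / den_p
    q = (D[1][1] - D[0][1]) / den_q
    if not (0.0 < p < 1.0 and 0.0 < q < 1.0):
        return None
    return p, q


def expected_payoffs(D, A, p, q):
    """Expected (defender, attacker) payoff when the sides mix with p and q."""
    cells = [(0, 0), (0, 1), (1, 0), (1, 1)]
    probs = [p * q, p * (1 - q), (1 - p) * q, (1 - p) * (1 - q)]
    d = sum(pr * D[i][j] for pr, (i, j) in zip(probs, cells))
    a = sum(pr * A[i][j] for pr, (i, j) in zip(probs, cells))
    return d, a


def is_equilibrium(D, A, p, q, eps=1e-9):
    """Defining property: no unilateral pure deviation pays more than (p, q)."""
    d_eq, a_eq = expected_payoffs(D, A, p, q)
    # Best the defender can do by switching to a pure row against the attacker's q.
    d_dev = max(q * D[i][0] + (1 - q) * D[i][1] for i in range(2))
    # Best the attacker can do by switching to a pure column against the defender's p.
    a_dev = max(p * A[0][j] + (1 - p) * A[1][j] for j in range(2))
    return d_dev <= d_eq + eps and a_dev <= a_eq + eps


if __name__ == "__main__":
    print("pure equilibria:", pure_nash(DEFENDER, ATTACKER))
    p, q = mixed_nash_2x2(DEFENDER, ATTACKER)
    print(f"defender hardens with p={p:.2f}, attacker exploits externally with q={q:.2f}")
    print("expected payoffs (defender, attacker):", expected_payoffs(DEFENDER, ATTACKER, p, q))
    print("no profitable deviation:", is_equilibrium(DEFENDER, ATTACKER, p, q))
```

In this constructed game there is no pure equilibrium: whatever the defender commits to, the attacker prefers the other vector. The only equilibrium is mixed (the defender hardens the perimeter 40% of the time), and the expected defender payoff at that point is 1.0 for either side's deviation, which is exactly what makes it stable. Note that the equilibrium is a best-response fixed point, not a guarantee of a good outcome for both: the attacker's equilibrium payoff here is -1.0. A game in which one side has a dominant strategy (try `D2 = [[3, 1], [2, 0]]`, `A2 = [[0, 2], [1, 3]]`) has a pure equilibrium and `mixed_nash_2x2` returns `None`.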

However, from a purely theoretical standpoint, active defense is not always a better approach than passive defense: that only holds under perfect knowledge of the adversary, and the situation becomes even more complex when elements of deception are introduced, as is the case in ACD. Although we do not intend to assess the effectiveness of the different existing models, their main characteristics and applications are detailed below in order to give an overview of the state of knowledge on the subject.



Models based on Game Theory


The first stochastic mathematical model for studying the effectiveness of ACD was proposed in 2015[3] and was extended the same year with the observation that the dynamics can exhibit chaos and bifurcation phenomena. Chaos refers to the impossibility of predicting the global state of the system, because of its extreme sensitivity to the precision with which the initial state is estimated. Bifurcation refers to the critical point at which the stability of a system changes and a periodic solution appears; here it occurs when attack or defense power varies within certain regimes. Both chaos and bifurcations imply that certain circumstances cannot be measured or predicted accurately, and suggest that the defender should manipulate the dynamics to avoid such unmanageable conditions in real operations[4]. If an equilibrium point exists under a given defense, the effectiveness of that defense can be quantified, because the dynamics converge to that point. Moreover, the stability of an equilibrium reflects the effect of perturbations, which may be caused by manipulations of the initial global state: a small change in the initial state, in the model parameters or in the network structure can lead to a substantial change in the dynamics. From a broader perspective, ACD dynamics can be seen as a nonlinear generalization of the so-called voter model[5] on complex networks (an imitation-based contagion model on random networks, in which a node adopts the state of a randomly chosen neighbor). In this sense, the problem is made harder by the need to characterize non-homogeneous equilibria and to find a framework for modeling and quantifying ACD as a whole, instead of modifying and analyzing the security of its constituent components or building blocks.

Note that these theoretical models take as their structure the interactions across a network, or within a single system (the interaction between malware and the rest of the software). The fundamental drawback generally found in game theory applied to ACD is scalability: the models perform adequately for a limited number of variables, but as the number of variables grows by orders of magnitude they are no longer sufficiently accurate or tractable.
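The following is an added example, not code from the article or from the papers it cites, that simulates a deliberately simplified version of the node-level attack/defense dynamics described above on a small network. The update rule (each node is pulled towards "compromised" by compromised neighbors at rate alpha and towards "secure" by secure neighbors at rate beta), the 20-node ring-with-chords graph and the initial state are all assumptions of this example, chosen so that the run is deterministic and reproducible offline:

```python
"""Toy mean-field simulation of attack/defense dynamics on a network.

Each node v carries i_v in [0, 1], the probability that v is compromised.
Compromised neighbours push i_v towards 1 at rate ALPHA (attack power) and
secure neighbours push it towards 0 at rate BETA (defense power):

    di_v/dt = ALPHA * (1 - i_v) * m_v  -  BETA * i_v * (1 - m_v)

where m_v is the mean compromise probability over v's neighbours.
This rule is an assumption of this example, a simplified stand-in for the
node-level models discussed in the article, not the equations of any paper.
"""


def ring_with_chords(n=20, chord=7):
    """Adjacency lists of an n-node ring plus an undirected chord v -> v+chord."""
    adj = [set() for _ in range(n)]
    for v in range(n):
        for u in ((v + 1) % n, (v - 1) % n, (v + chord) % n, (v - chord) % n):
            adj[v].add(u)
            adj[u].add(v)
    return [sorted(s) for s in adj]


def neighbour_compromise(state, adj, v):
    """m_v: mean compromise probability over the neighbours of v."""
    return sum(state[u] for u in adj[v]) / len(adj[v])


def step(state, adj, alpha, beta, dt):
    """One forward-Euler step of the dynamics for every node."""
    new_state = []
    for v, i_v in enumerate(state):
        m_v = neighbour_compromise(state, adj, v)
        di = alpha * (1.0 - i_v) * m_v - beta * i_v * (1.0 - m_v)
        new_state.append(min(1.0, max(0.0, i_v + dt * di)))
    return new_state


def initial_state(n):
    """Deterministic, heterogeneous starting point (constructed, not measured)."""
    return [0.1 + 0.8 * ((3 * v) % 5) / 4 for v in range(n)]


def simulate(alpha, beta, n=20, steps=2000, dt=0.05):
    """Run the dynamics and return the final per-node compromise probabilities."""
    adj = ring_with_chords(n)
    state = initial_state(n)
    for _ in range(steps):
        state = step(state, adj, alpha, beta, dt)
    return state


def summarize(state):
    """Mean compromise level and spread (max - min) across the network."""
    return {"mean": sum(state) / len(state), "spread": max(state) - min(state)}


if __name__ == "__main__":
    for label, alpha, beta in (("defense dominates", 0.2, 0.8),
                               ("attack dominates", 0.8, 0.2),
                               ("balanced (linear voter model)", 0.5, 0.5)):
        s = summarize(simulate(alpha, beta))
        print(f"{label:32s} mean={s['mean']:.4f} spread={s['spread']:.2e}")
```

Three regimes are worth comparing. With beta > alpha the whole network converges to the all-secure equilibrium and with alpha > beta to the all-compromised one, regardless of the heterogeneous start, so the defense can be scored by which equilibrium the dynamics settle into. At alpha == beta the rule reduces to di_v/dt = alpha * (m_v - i_v), which is exactly the linear voter model: every node drifts to its neighbors' average and the network reaches a consensus whose level (here 0.5) is fixed entirely by the initial global state, a non-homogeneous-looking equilibrium that a perturbation of the initial state would move. The qualitative outcome therefore flips at the threshold alpha = beta, which is the simplest illustration of why a defender wants to know which side of such a critical point it is operating on. The chaotic and periodic behavior reported in [4] arises in nonlinear variants of the rule and is not reproduced by this toy model.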

The most recent models, developed from 2019 onward, propose two-way (bidirectional) signaling games in which a defense strategy selection algorithm is derived from the solution of a perfect Bayesian equilibrium (the extension of the Nash equilibrium to games with incomplete information). These are finite games composed of several basic signaling games, in which attacker and defender alternate in the roles of signal sender and receiver, so the single-role equilibrium solution no longer applies. Since the perfect Bayesian equilibrium is the optimal strategy for each player, the defender must determine its ACD strategy from its current role and the equilibrium of the game. In a multistage, continuous confrontation, the defender can gradually alter the attacker's motivation and behavioral preferences through a stimulus-response learning mechanism, reduce the impact of the attacker's deceptive signals, and apply a specific strategy that maximizes its expected payoff. It follows that deceptive signals can improve the performance of both attack and defense, so strategy selection is the key to defense effectiveness. Under adversarial conditions with limited information the defender's optimal strategy is difficult to determine, but a signaling game model makes the problem solvable[6].



Traditional game theory assumes that both parties have complete information (each player knows the whole environment) and complete rationality (each player can choose its best strategy once it knows the other's strategies and their outcomes). Evolutionary game theory instead starts from a condition of opaque information, takes a learning mechanism as its core, and shapes strategy selection through factors such as previous experience, learning and imitation of behavior, which better reflects the real process. Its application still presents challenges, however, such as the need for the input parameters to be computed and quantified manually by experts (there are no automatic calculation methods). Moreover, this kind of model cannot effectively feed information about a failed defense back into the next stage of the game, which limits the algorithm for selecting the best defense strategy in terms of timeliness, accuracy and efficiency.

To extend this horizon, several multistage Bayesian evolutionary game models have been proposed since 2020 to address the difficulty of selecting the optimal defense strategy. A selection intensity factor was then introduced to improve the replicator equation of each stage and to increase the randomness of the evolutionary process. More recently, to improve the predictability of the attack-defense game, a model based on so-called quantal response dynamics (QRD) introduced parameters into the evolutionary game that describe the degree of rationality of the attacking and defending sides. The replicator equation is a differential equation that describes how the proportion of a population using a given strategy changes over time, i.e., the probability that a player chooses that strategy at each point in the game. Its basic principle is that players gradually adopt the strategies whose payoff is better than the population average; it also guarantees that an evolutionarily stable strategy is a Nash equilibrium, thereby yielding the most beneficial strategy[7].
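Here is an added example (not code from the article or from [7]) of the replicator equation for a two-population attack/defense game, including a selection-intensity factor omega that scales how fast each population shifts towards above-average strategies. The payoff matrices, the coordination-type structure of the game and the starting populations are constructed assumptions of this example; the point is to see that shares of a strategy grow exactly when its payoff beats the population average, that the dynamics settle on a Nash equilibrium, that which equilibrium is reached depends on the initial population, and that omega only changes the speed, not the destination:

```python
"""Two-population replicator dynamics for an attack/defense game.

x = share of defenders playing strategy 0, y = share of attackers playing
strategy 0. A share grows when its strategy's payoff beats the population
average, scaled by the selection-intensity factor omega:

    dx/dt = omega * x * (f_0(y) - f_avg(x, y))
    dy/dt = omega * y * (g_0(x) - g_avg(x, y))

Payoff matrices are indexed [defender_strategy][attacker_strategy]; the
numbers are constructed for illustration and are not taken from any paper.
"""

# Hypothetical coordination-type game: the defender does best by matching the
# attacker's focus, so there are two strict pure Nash equilibria, (0,0) and (1,1).
DEFENDER = [[4.0, 0.0],
            [1.0, 2.0]]
ATTACKER = [[4.0, 1.0],
            [0.0, 2.0]]


def defender_payoffs(y, D=DEFENDER):
    """Expected payoff of each defender strategy against attacker mix y."""
    return [y * D[i][0] + (1 - y) * D[i][1] for i in range(2)]


def attacker_payoffs(x, A=ATTACKER):
    """Expected payoff of each attacker strategy against defender mix x."""
    return [x * A[0][j] + (1 - x) * A[1][j] for j in range(2)]


def replicator_step(x, y, omega, dt):
    """One forward-Euler step of the two replicator equations."""
    f = defender_payoffs(y)
    g = attacker_payoffs(x)
    f_avg = x * f[0] + (1 - x) * f[1]   # population-average defender payoff
    g_avg = y * g[0] + (1 - y) * g[1]   # population-average attacker payoff
    x_new = x + dt * omega * x * (f[0] - f_avg)
    y_new = y + dt * omega * y * (g[0] - g_avg)
    return min(1.0, max(0.0, x_new)), min(1.0, max(0.0, y_new))


def evolve(x0, y0, omega=1.0, dt=0.01, steps=5000, tol=0.01):
    """Integrate the dynamics from (x0, y0).

    Returns the final (x, y) and the step at which both populations first came
    within tol of a pure strategy (None if that never happened).
    """
    x, y = x0, y0
    settled_at = None
    for k in range(steps):
        x, y = replicator_step(x, y, omega, dt)
        if settled_at is None and min(x, 1 - x) < tol and min(y, 1 - y) < tol:
            settled_at = k
    return x, y, settled_at


if __name__ == "__main__":
    for x0, y0 in ((0.6, 0.6), (0.2, 0.2)):
        x, y, k = evolve(x0, y0)
        print(f"start ({x0}, {y0}) -> defender plays 0 w.p. {x:.3f}, "
              f"attacker plays 0 w.p. {y:.3f}, settled at step {k}")
    for omega in (0.25, 1.0, 4.0):
        print(f"omega={omega}: settled at step {evolve(0.6, 0.6, omega=omega)[2]}")
```

In this game f_0 - f_1 = 5y - 2 and g_0 - g_1 = 5x - 2, so strategy 0 spreads in each population only while the other population plays it with probability above 0.4. Starting at (0.6, 0.6) both sides converge to strategy 0; starting at (0.2, 0.2) both converge to strategy 1. Both end points are strict Nash equilibria, and the dynamics never move a population that already sits at one. Raising omega shortens the number of steps needed to settle without changing which equilibrium is reached, which is the role the selection-intensity factor plays in the multistage models.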

When a defense strategy fails, the accuracy of many methods drops. To address this, a reward-value learning mechanism has been proposed that automatically updates (rewards or punishes) the attack and defense payoff values for the next stage based on the result of the previous one, which reduces the probability that the defense strategy fails. This mechanism was introduced under incomplete information, and a multistage evolutionary game model with a learning mechanism was built on it. From this model an optimal defense strategy selection algorithm was derived that improves accuracy over previous models, overcoming the problem of quantifying rewards and punishments under the bounded rationality of attackers and defenders while reducing manual involvement. The result is an evolutionary model with a multistage learning mechanism, combining the learning mechanism with a multistage game model, together with the optimal strategy selection algorithm designed for it[8].



Conclusions

While game theory has traditionally allowed attack and defense relationships to be modeled, the adaptive nature of active cyber defense and the possibility of adversary deception it introduces required the design of more complex mathematical models, which only in the last three years have come to reflect the modern practice of ACD realistically.

Future research in this field is directed at how to dynamically add new feasible defense strategies and extend the model in a reasonable way when one of them fails. Work is also being done on applying machine learning and deep learning methods to the automatic calculation of the models' built-in parameters, which today must be quantified by hand. With these advances, it is possible that we will have better and more complete models to put into practice.