A Game-Theoretic Approach for Dynamic Information Flow Tracking to Detect Multi-Stage Advanced Persistent Threats

Advanced Persistent Threats (APTs) infiltrate cyber systems and compromise specifically targeted data and/or resources through a sequence of stealthy attacks consisting of multiple stages. Dynamic information flow tracking has been proposed to detect APTs. In this paper, we develop a dynamic information flow tracking game for resource-efficient detection of APTs via multi-stage dynamic games. The game evolves on an information flow graph, whose nodes are processes and objects (e.g., file, network endpoints) in the system and the edges capture the interaction between different processes and objects. Each stage of the game has pre-specified targets that are characterized by a set of nodes of the graph. The goal of the APT is to evade detection and reach a target node of each stage. The goal of the defender is to maximize the detection probability while minimizing performance overhead on the system. The resource costs of the players are different and the information structure is asymmetric, resulting in a nonzero-sum imperfect information game. We first calculate the best responses of the players and then compute Nash equilibrium for single stage attacks. We then provide a polynomial-time algorithm to compute a correlated equilibrium for the multi-stage attack case. Finally, we simulate our model and algorithm on real-world nation state attack data obtained from the Refinable Attack INvestigation (RAIN) system.