Game Theoretic, Multi-agent Approach to Network Traffic Monitoring

2012 
Abstract: The aim of the presented project was to investigate the potential of game-theoretical modeling of the attacker-defender interaction in the intrusion detection game. The key difference with respect to past work is the integration of the game-theoretical methods with an actual, industry-strength anomaly detection system and operating this combination on live traffic data. Given the results presented, we can conclude that the simplified model presented in Section 3.2 and the extensive game model used in the core of this work can be integrated with a live IDS under reasonable, but very restrictive, assumptions. We conclude that this area of research has a very high potential to produce relevant, deployable results within the next 5 years, based on the trend in the computational power of current processors, the average memory required for the computation and the growing sophistication of methods for efficiently solving realistic IDS games. The critical assumptions that need to be addressed relate to the following problems: 1) time representation and time-related assumptions in the game-theoretical model; 2) handling of several concurrent attackers; 3) identification of attacker coalitions, where the actions of several attackers aim to achieve a common goal; 4) sufficient detection precision and a more thorough, two-way integration between the IDS and the game-theoretical model. We argue that applied research in this area should concentrate on the progressive reduction of the assumptions that are currently necessary to make the game-theoretical model computationally solvable. Advances in game theory and game playing will need to be reflected in the security games domain. Further IDS and network security research is necessary to address the assumptions from the other side: by identifying coalitions of attackers and treating them as a single individual.