Improving the Graph Model for Conflict Resolution Based on Statistical Analysis of the Game Graph (Case Study: Malware and Countermeasure Actions Based on Detection-Independent and Deductive Evidence)

Article type: Research article

Authors

1 PhD student, Faculty of Computer and Cyber Power, Imam Hossein Comprehensive University, Tehran, Iran

2 Assistant Professor, Imam Hossein Comprehensive University, Tehran, Iran

Abstract

One of the approaches to modeling and analyzing real-world conflicts on the basis of game theory is the Graph Model for Conflict Resolution (GMCR). In this model, as the number of the players' options grows, the number of game states grows exponentially, and as the number of game states grows, so does the number of equilibrium states. Given the breadth of malware actions and countermeasures, extracting the players' influential options and the game's favorable equilibrium states is an essential requirement for applying the GMCR to the analysis of malware attacks. In this paper, an architecture named MAG is presented on the basis of the GMCR. The MAG architecture was evaluated and analyzed, using methods for detecting and analyzing detection-independent and deductive evidence of malware and countermeasures, in the form of three related games. The evaluation results showed that, among the attacker's options, fileless cyber attacks, and among the defender's options, network disconnection and the path-exploration and symbolic-execution techniques, are the players' influential options, each with a participation rate of 100 percent. Reducing the game state space with a game-abstraction algorithm, providing scenario-based and repeatable games, and extracting the players' effective actions and favorable equilibrium states are advantages of the MAG architecture. The MAG architecture can be used in cyber wargaming and cyber-operations decision-support systems to form correct decisions and choose an appropriate response.

Article title [English]

The Improvement of the GMCR Model Based on Statistical Analysis of the Game's Graph (Case Study: Malware and Countermeasure Actions Based on Detection-Independent and Deductive Evidence)

Authors [English]

  • Mostafa Abbasi 1
  • Majid Ghayoori 2
1 Instructor, Faculty of Computer and Cyber Power, Imam Hossein University, Tehran, Iran
2 Assistant Professor, Imam Hossein University, Tehran, Iran
Abstract [English]

The Graph Model for Conflict Resolution (GMCR) is one of the approaches used for modeling and analyzing real-world conflicts on the basis of game theory. In this model, as the number of players' options increases, the number of game states (the problem's state space) grows exponentially: with n binary options there are up to 2^n states before infeasible ones are removed. As the number of feasible game states increases, so does the number of equilibrium states. Extracting favorable equilibrium states and effective options is therefore one of the requirements for applying the GMCR to widespread conflicts such as the games between malware and countermeasures. In this paper, a MAG architecture with four processing layers is presented on the basis of the GMCR. The MAG architecture was evaluated and analyzed, using methods for detecting and analyzing detection-independent and deductive evidence of malware and countermeasures, in the form of three related games. The evaluation results show that, among the attacker's options, "fileless cyber attacks", and among the defender's options, "network communication disconnection", "path exploration techniques" and "symbolic execution", are the effective options of the players, each with a participation rate of 100%. Reducing the game state space with a game-abstraction algorithm, scenario-based and repeated games, and extracting the players' effective actions and favorable equilibrium states are some of the advantages of the MAG architecture. The MAG architecture can be used in cyber-operations decision-support systems and tabletop cyber wargames to make the right decisions and respond appropriately.
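To make the state explosion and the "effective option" statistic concrete, the following Python program is an added example; it is not code from the paper or from the MAG architecture, and it does not reproduce the paper's games, preferences or abstraction algorithm. It enumerates every combination of the players' binary options, drops infeasible states, finds the states that are Nash stable for both decision makers (one of several GMCR solution concepts; the paper does not say which it uses), and then reports each option's participation rate, which this example defines as the share of equilibrium states in which the option is selected (an assumption about what the abstract's "100% participation" measures). The two players, the five options, the mutual-exclusion rule and the numeric preference scores are all constructed for illustration.

```python
"""Toy GMCR-style analysis: enumerate option states, find Nash-stable
equilibria, and rank options by their participation rate in equilibria.
Added example; the players, options, feasibility rule and preference
scores are constructed for illustration and are not from the paper."""
from itertools import product
from typing import Callable, Dict, List, Tuple

State = Tuple[int, ...]

# Option table: (decision maker, option name). A state is one bit per option.
OPTIONS: List[Tuple[str, str]] = [
    ("Attacker", "fileless attack"),
    ("Attacker", "packing"),
    ("Defender", "network disconnection"),
    ("Defender", "symbolic execution"),
    ("Defender", "C2 sinkholing"),
]
A_FILELESS, A_PACKING, D_DISCONNECT, D_SYMEXEC, D_SINKHOLE = range(len(OPTIONS))


def feasible(s: State) -> bool:
    """Constructed feasibility rule: C2 sinkholing needs a live network,
    so it cannot coexist with network disconnection."""
    return not (s[D_DISCONNECT] and s[D_SINKHOLE])


def attacker_score(s: State) -> int:
    """Constructed preference: fileless always pays; packing only pays when
    the defender is not running symbolic execution (which unpacks it)."""
    packing_gain = s[A_PACKING] * (1 - s[D_SYMEXEC])
    return 3 * s[A_FILELESS] + packing_gain - 2 * s[D_DISCONNECT] - s[D_SYMEXEC]


def defender_score(s: State) -> int:
    """Constructed preference: disconnection always pays; symbolic execution
    pays more against packed samples; sinkholing yields some intelligence."""
    return (2 * s[D_DISCONNECT]
            + s[D_SYMEXEC] * (1 + 2 * s[A_PACKING])
            + s[D_SINKHOLE])


SCORES: Dict[str, Callable[[State], int]] = {
    "Attacker": attacker_score,
    "Defender": defender_score,
}


def feasible_states() -> List[State]:
    """All 2^n option combinations, minus those the feasibility rule rejects."""
    return [s for s in product((0, 1), repeat=len(OPTIONS)) if feasible(s)]


def unilateral_moves(s: State, dm: str, states: List[State]) -> List[State]:
    """Feasible states reachable from s when only dm changes its own options."""
    own = [i for i, (d, _) in enumerate(OPTIONS) if d == dm]
    others = [i for i in range(len(OPTIONS)) if i not in own]
    return [t for t in states
            if t != s and all(t[i] == s[i] for i in others)]


def nash_stable(s: State, dm: str, states: List[State]) -> bool:
    """Nash stability: dm has no unilateral move to a strictly preferred state."""
    score = SCORES[dm]
    return not any(score(t) > score(s) for t in unilateral_moves(s, dm, states))


def equilibria(states: List[State]) -> List[State]:
    """States that are Nash stable for every decision maker."""
    return [s for s in states if all(nash_stable(s, dm, states) for dm in SCORES)]


def participation_rates(eqs: List[State]) -> Dict[str, float]:
    """Fraction of equilibrium states in which each option is selected."""
    if not eqs:
        return {name: 0.0 for _, name in OPTIONS}
    return {name: sum(s[i] for s in eqs) / len(eqs)
            for i, (_, name) in enumerate(OPTIONS)}


def effective_options(rates: Dict[str, float], threshold: float = 1.0) -> List[str]:
    """Options whose participation rate reaches the threshold (100% by default)."""
    return [name for name, r in rates.items() if r >= threshold]


if __name__ == "__main__":
    states = feasible_states()
    eqs = equilibria(states)
    rates = participation_rates(eqs)
    print(f"{2 ** len(OPTIONS)} states, {len(states)} feasible, {len(eqs)} equilibria")
    for s in eqs:
        print("  equilibrium:", dict(zip((n for _, n in OPTIONS), s)))
    for name, r in rates.items():
        print(f"  {name:22s} participation {r:.0%}")
    print("effective options:", effective_options(rates))
```

With these constructed preferences the 5 options yield 32 states, 24 of them feasible, and two equilibria that differ only in whether the attacker packs; fileless attack, network disconnection and symbolic execution are selected in every equilibrium and so come out as the 100% options, while packing sits at 50% and sinkholing at 0%. Adding options doubles the state list each time, which is the explosion the abstract's abstraction algorithm is meant to contain; swapping `nash_stable` for a GMR, SMR or sequential-stability check changes which states count as equilibria and therefore the rates.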

Keywords [English]

  • Graph Model
  • Conflict Analysis
  • Game Theory
  • MAG Architecture
  • Malware Analysis
  • Detection-Independent and Deductive Evidence
  • Effective Options
Volume 9, Issue 4 - Serial Number 36
Serial Number 36, Winter quarterly issue
Esfand 1400 (February/March 2022)
Pages 99-123
  • Received: 30 Mordad 1400 (21 August 2021)
  • Revised: 02 Mehr 1400 (24 September 2021)
  • Accepted: 22 Azar 1400 (13 December 2021)
  • Published: 01 Esfand 1400 (20 February 2022)