The Improvement of the GMCR Model Based on Statistical Analysis of the Game’ Graph (Case Study: Malwares and Countermeasures Actions Based on Detection-Independent and Deductive Evidence)

Document Type : Original Article

Authors

1 Instructor, Faculty of Computer and Cyber ​​Power, Imam Hossein University, Tehran, Iran

2 Assistant Professor, Imam Hossein University, Tehran, Iran

Abstract

The GMCR model is one of the approaches used for modeling and analyzing the real-world conflicts based on the game theory. In this model, as the number of players’ options increases, the number of game states (problem state space) increases exponentially. As the number of feasible game states increases, so does the number of game equilibrium states. ​Extracting favorable equilibrium states and effective options is one of the requirements of applying the GMCR model in view of the widespread conflicts such as malware games and countermeasures. ​In this paper, based on the GMCR, a MAG architecture with four processing layers is presented. The MAG's architecture was evaluated and analyzed based on methods of detecting and analyzing detection-independent and deductive evidence of malware and countermeasures in the form of three related games. The evaluation results show that among the attacker options, the option of "fileless cyber-attacks" and among the defense options, the options of "network communication disconnection", "path exploration techniques" and "symbolic execution", at a rate of 100%, are the effective options of the actors. Reducing the game state space by using the game abstraction algorithm, scenario-based and repeated games, extracting effective actions and favorable equilibrium states of the players are some of the advantages of MAG architecture. The MAG architecture can be used in the cyber operations decision support systems and the tabletop cyber wargames to make the right decisions and respond appropriately .

Keywords


[1]          J. Pawlick, E. Colbert, and Q. Zhu, “A Game-Theoretic Taxonomy and Survey of Defensive Deception for Cybersecurity and Privacy,” ACM Comput. Surv., vol. 52, no. 4, 2019,
[2]          M. Husák, J. Komárková, E. Bou-Harb, and P. Čeleda, “Survey of Attack Projection, Prediction, and Forecasting in Cyber Security,” IEEE Commun. Surv. Tutorials, vol. 21, no. 1, pp. 640–660, 2019,
[3]          H. Akbari, S. M. Safavi, and R. Khandani, “The Distributed Denial of Service Attacks Situation Awareness Based  on The Prediction of Battle Scene Using Dempster-Shefer Evidences Theories and Bayesian Rules,” Electron. Cyber Def., vol. 7, no. 1, pp. 77–94, 2019, [Online]. Available: https://ecdj.ihu.ac.ir/article_204480.html
[4]          A. Afianian, S. Niksefat, B. Sadeghiyan, and D. Baptiste, “Malware Dynamic Analysis Evasion Techniques: A Survey,” CoRR, vol. abs/1811.0, 2018.
[5]          A. Bulazel and B. Yener, “A survey on automated dynamic malware analysis evasion and counter-evasion: PC, Mobile, and Web,” ACM Int. Conf. Proceeding Ser., pp. 1–21, 2017,
[6]          Y. Huang, U. Verma, C. Fralick, G. Infantec-Lopez, B. Kumar, and C. Woodward, “Malware Evasion Attack and Defense,” pp. 34–38, 2019,
[7]          S. Ghasemi and S. Parsa, “An Effective Method to Detect Environment-Aware Malware Based on the Behavioral Distances Comparison,” Electron. Cyber Def., vol. 6, no. 4, pp. 123–133, 2019.
[8]          C. Kiennert, Z. Ismail, H. Debar, and J. Leneutre, “A Survey on Game-Theoretic Approaches for Intrusion Detection and Response Optimization,” ACM Comput. Surv., vol. 51, no. 5, Aug. 2018,
[9]          J. Z. Bakdash et al., “Malware in the future? Forecasting of analyst detection of cyber events,” J. Cybersecurity, vol. 4, no. 1, Jan. 2018,
[10]        H. Zhang et al., “Defense Against Advanced Persistent Threats: Optimal Network Security Hardening Using Multi-stage Maze Network Game,” in 2020 IEEE Symposium on Computers and Communications (ISCC), 2020, pp. 1–6.
[11]        M. Abbasi, M. Sheikhmohamadi, and M. Ghaioory, “Modeling and Analysis of competition between malware authors and security analysts, using game theory,” Strateg. Stud. public policy, vol. 7, no. 23, pp. 19–41, 2017.
[12]        D. M. Kilgour and K. W. Hipel, “The graph model for conflict resolution: past, present, and future,” Gr. Decis. Negot., vol. 14, no. 6, pp. 441–460, 2005,
[13]        C. Phillips and L. P. Swiler, “A Graph-Based System for Network-Vulnerability Analysis,” in Proceedings of the 1998 Workshop on New Security Paradigms, 1998, pp. 71–79.
[14]        O. M. Sheyner, “Scenario graphs and attack graphs,” CARNEGIE-MELLON UNIV PITTSBURGH PA SCHOOL OF COMPUTER SCIENCE, 2004.
[15]        J. Zeng, S. Wu, Y. Chen, R. Zeng, and C. Wu, “Survey of attack graph analysis methods from the perspective of data and knowledge processing,” Secur. Commun. Networks, vol. 2019, 2019.
[16]        A. Mpanti, S. D. Nikolopoulos, and I. Polenakis, “A Graph-Based Model for Malicious Software Detection Exploiting Domination Relations between System-Call Groups,” in Proceedings of the 19th International Conference on Computer Systems and Technologies, 2018, pp. 20–26.
[17]        S. D. Nikolopoulos and I. Polenakis, “A graph-based model for malware detection and classification using system-call groups,” J. Comput. Virol. Hacking Tech., vol. 13, no. 1, pp. 29–46, 2017,
[18]        P. K. Mishra and G. Tyagi, “Game Theory based Attack Graph Analysis for Cyber War Strategy”.
[19]        E. Doynikova and I. Kotenko, “Improvement of Attack Graphs for Cybersecurity Monitoring: Handling of Inaccuracies, Processing of Cycles, Mapping of Incidents and Automatic Countermeasure Selection,” SPIIRAS Proc., vol. 2, p. 211, Apr. 2018,
[20]        M. Angelini, S. Bonomi, E. Borzi, A. Del Pozzo, S. Lenti, and G. Santucci, “An Attack Graph-Based On-Line Multi-Step Attack Detector,” 2018.
[21]        A. Souri and R. Hosseini, “A state-of-the-art survey of malware detection approaches using data mining techniques,” Human-centric Computing and Information Sciences, vol. 8, no. 1. 2018.
[22]        R. Sihwail, K. Omar, and K. A. Z. Ariffin, “A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis,” Int. J. Adv. Sci. Eng. Inf. Technol., vol. 8, no. 4–2, pp. 1662–1671, 2018,
[23]        S. Karandikar, M. Amin, S. Deshpande, and Y. Khalid, “Network-based malware detection.” Google Patents, May 23, 2017.
[24]        C. S. Veerappan, P. L. K. Keong, Z. Tang, and F. Tan, “Taxonomy on malware evasion countermeasures techniques,” in IEEE World Forum on Internet of Things, WF-IoT 2018 - Proceedings, May 2018, vol. 2018-Janua, pp. 558–563.
[25]        Ö. A. Aslan and R. Samet, “A Comprehensive Review on Malware Detection Approaches,” IEEE Access, vol. 8, pp. 6249–6271, 2020,
[26]        M. V. Yason and Ncent, “The Art of Unpacking,” Black Hat 2007, 2007. https://wikileaks.org/hbgary-emails//fileid/21224/6926
[27]        Walter Kong, “Unlocking LockScreen,” 2013. https://www.virusbulletin.com/virusbulletin/2013/07/unlocking-lockscreen
[28]        “Overview of the Kronos banking malware rootkit,” Lexi Security Hub, 2014. https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en
[29]        V. L. Le, I. Welch, X. Gao, and P. Komisarczuk, “Anatomy of drive-by download attack,” in Proceedings of the Eleventh Australasian Information Security Conference-Volume 138, 2013, pp. 49–58.
[30]        D. Ugarte, D. Maiorca, F. Cara, and G. Giacinto, “PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware,” in International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2019, pp. 240–259.
[31]        Y. Oyama, “Trends of anti-analysis operations of malwares observed in API call logs,” J. Comput. Virol. Hacking Tech., vol. 14, no. 1, pp. 69–85, 2018,
[32]        The Cylance Threat Research Team, “threat-spotlight-satan-raas,” 2017. [Online]. Available: https://threatvector.cylance.com/en_us/home/threat-spotlight-satan-raas.html
[33]        B. Bencsáth, G. Pék, L. Buttyán, and M. Felegyhazi, “The cousins of stuxnet: Duqu, flame, and gauss,” Futur. Internet, vol. 4, no. 4, pp. 971–1003, 2012.
[34]        Arunpreet Singh and Clemens Kolbitsch, “Not so fast my friend – Using Inverted Timing Attacks to Bypass Dynamic Analysis,” 2014. https://www.lastline.com/labsblog/not-so-fast-my-friend-using-inverted-timing-attacks-to-bypass-dynamic-analysis/
[35]        R. Paleari, L. Martignoni, G. F. Roglia, and D. Bruschi, “A fistful of red-pills: How to automatically generate procedures to detect CPU emulators,” in Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), 2009, vol. 41, p. 86.
[36]        M. Lindorfer, C. Kolbitsch, and P. M. Comparetti, “Detecting Environment-Sensitive Malware Diplom-Ingenieurin,” in International Workshop on Recent Advances in Intrusion Detection, 2011, pp. 338–357.
[37]        R. Rubira Branco, G. Negreira Barbosa, P. Drimel Neto, R. R. Branco, G. N. Barbosa, and P. D. Neto, “Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti- VM Technologies,” Black Hat, 2012, [Online]. Available: internal-pdf://117.26.35.53/BH_US_12_Branco_Scientific_Academic_WP.pdf
[38]        N. Falliere, L. O. Murchu, and E. L. B. Chien, “W32. stuxnet dossier,” White Pap. Symantec Corp., Secur. Response, vol. 5, p. 29, 2011,
[39]        D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin, “Automatically identifying trigger-based behavior in malware,” in Botnet Detection, Springer, 2008, pp. 65–88.
[40]        A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, and G. Vigna, “Revolver: An automated approach to the detection of evasive web-based malware,” in Presented as part of the 22nd {USENIX} Security Symposium ({USENIX} Security 13), 2013, pp. 637–652.
[41]        A. Kapravelos, M. Cova, C. Kruegel, and G. Vigna, “Escape from monkey island: Evading high-interaction honeyclients,” in International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2011, pp. 124–143.
[42]        S. Shiva, S. Roy, and D. Dasgupta, “Game theory for cyber security,” in Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, 2010, p. 34.
[43]        K. W. Hipel, D. M. Kilgour, L. Fang, and X. Peng, “The decision support system GMCR II in negotiations over groundwater contamination,” in IEEE SMC’99 Conference Proceedings. 1999 IEEE International Conference on Systems, Man, and Cybernetics (Cat. No. 99CH37028), 1999, vol. 5, pp. 942–948.
[44]        M. Sheikhmohammady, H. Bitalebi, A. Moatti, and K. W. Hipel, “Formal Strategic Analysis of the Conflict over Syria,” in Proceedings of the 2013 IEEE International Conference on Systems, Man, and Cybernetics, 2013, pp. 2442–2447.
[45]        M. Sheikhmohammady, K. W. Hipel, H. Asilahijani, and D. Marc Kilgour, “Strategic analysis of the conflict over Iran’s nuclear program,” in Conference Proceedings - IEEE International Conference on Systems, Man and Cybernetics, 2009, pp. 1911–1916.
[46]        M. Sheikhmohammadi and M. Abbasi, “Game Theory Approach to Modeling and Analyzing Inheritance Allocation of a Passed-away Couple,” Econ. Model., vol. 10, no. 33, pp. 23–48, 2016.
[47]        R. A. Kinsara, O. Petersons, K. W. Hipel, and D. M. Kilgour, “Advanced Decision Support for the Graph Model for Conflict Resolution,” J. Decis. Syst., vol. 24, no. 2, pp. 117–145, 2015,
[48]        M. A. Bashar, K. W. Hipel, D. M. Kilgour, and A. Obeidi, “Interval Fuzzy Preferences in the Graph Model for Conflict Resolution,” Fuzzy Optim. Decis. Mak., vol. 17, no. 3, pp. 287–315, Sep. 2018,
[49]        S. He, K. W. Hipel, H. Xu, and Y. Chen, “A Two-Level Hierarchical Graph Model for Conflict Resolution with Application to International Climate Change Negotiations,” J. Syst. Sci. Syst. Eng., vol. 29, no. 3, pp. 251–272, Jun. 2020,
[50]        S. He, D. M. Kilgour, and K. W. Hipel, “A Three-Level Hierarchical Graph Model for Conflict Resolution,” IEEE Trans. Syst. Man, Cybern. Syst., pp. 1–10, 2019,
[51]        Y. Huang, B. Ge, B. Zhao, and K. Yang, “Course of Action Generation Using Graph Model for Conflict Resolution,” in 2020 IEEE 15th International Conference of System of Systems Engineering (SoSE), 2020, pp. 249–254.
[52]        K. W. Hipel, L. Fang, and D. M. Kilgour, “The Graph Model for Conflict Resolution: Reflections on Three Decades of Development,” Gr. Decis. Negot., vol. 29, no. 1, pp. 11–60, 2020,
[53]        RealWorldCyberSecurity, “Negative Rings in Intel Architecture: The Security Threats That You’ve Probably Never Heard Of.” https://medium.com/swlh/negative-rings-in-intel-architecture-the-security-threats-youve-probably-never-heard-of-d725a4b6f831 (accessed Jun. 22, 2021).
 
[54]        D. Reference, “Report on AES implementation with speed and side channel immunity improvements,” no. 783163, 2021.
[55]        O. Or-Meir, N. Nissim, Y. Elovici, and L. Rokach, “Dynamic Malware Analysis in the Modern Era—A State of the Art Survey,” ACM Comput. Surv., vol. 52, no. 5, Sep. 2019,
[56]        D. Javaheri and M. Hosseinzadeh, “A Framework for Recognition and Confronting of Obfuscated Malwares Based on Memory Dumping and Filter Drivers,” Wirel. Pers. Commun., vol. 98, no. 1, pp. 119–137, 2018,
[57]        P. Mell, K. Scarfone, and S. Romanosky, “Common vulnerability scoring system,” IEEE Secur. Priv., vol. 4, no. 6, pp. 85–89, 2006.
[58]        M. Keramati, “A Security Model Based Approach for Dynamic Risk Assessment of Multi-Step Attacks in Computer Networks,” Electron. Cyber Def., vol. 9, no. 1, pp. 157–173, 2021.
[59]        A. Singh, “Malware Evasion Techniques: Same Wolf – Different Clothing,” 2017. https://www.lastline.com/labsblog/malware-evasion-techniques/
[60]         D. Kirat, G. Vigna, and C. Kruegel, “Barecloud: bare-metal analysis-based evasive malware detection,” in 23rd {USENIX} Security Symposium ({USENIX} Security 14), 2014, pp. 287–301.
Volume 9, Issue 4 - Serial Number 36
Serial No. 36, Winter Quarterly
February 2022
Pages 99-123
  • Receive Date: 21 August 2021
  • Revise Date: 24 September 2021
  • Accept Date: 13 December 2021
  • Publish Date: 20 February 2022