The security in networked systems depends greatly on recognizing and identifying adversarial behaviors. Traditional detection methods focus on specific categories of attacks and have become inadequate for increasingly stealthy and deceptive attacks that are designed to bypass detection strategically. This work aims to develop a holistic theory to countermeasure such evasive attacks. We focus on extending a fundamental class of statistical-based detection methods based on Neyman-Pearson's (NP) hypothesis testing formulation. We propose game-theoretic frameworks to capture the conflicting relationship between a strategic evasive attacker and an evasion-aware NP detector. By analyzing both the equilibrium behaviors of the attacker and the NP detector, we characterize their performance using Equilibrium Receiver-Operational-Characteristic (EROC) curves. We show that the evasion-aware NP detectors outperform the passive ones in the way that the former can act strategically against the attacker's behavior and adaptively modify their decision rules based on the received messages. In addition, we extend our framework to a sequential setting where the user sends out identically distributed messages. We corroborate the analytical results with a case study of anomaly detection.
翻译:网络系统的安全性在很大程度上取决于对对抗性行为的识别与判定。传统检测方法主要针对特定类别的攻击,面对日益隐蔽且具有欺骗性、旨在策略性绕过检测的攻击已显不足。本研究旨在建立一套完整的理论体系以应对此类规避式攻击。我们重点扩展了一类基于奈曼-皮尔逊假设检验框架的基础统计检测方法,提出了博弈论框架以刻画策略性规避攻击者与具备规避感知能力的奈曼-皮尔逊检测器之间的对抗关系。通过分析攻击者与奈曼-皮尔逊检测器的均衡行为,我们采用均衡接收者操作特征曲线来表征其性能。研究表明,具备规避感知能力的奈曼-皮尔逊检测器性能优于被动式检测器,前者能够针对攻击者行为采取策略性应对,并根据接收到的信息自适应调整决策规则。此外,我们将该框架扩展至用户发送独立同分布信息的序列检测场景,并通过异常检测案例研究验证了理论分析结果。