Cyber Hide-and-Seek: Ph.D. Viva Presentation
King’s College London
November 30, 2015
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 1 / 45
High level overview of key themes in work; some comment on
Designed as potential points for discussion; not exhaustive.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 2 / 45
Problem: Network attacks are becoming more frequent.
Traditional response to a network attack is to use human expertise.
(Generally) reliable and suited to the situation.
Automated techniques exist, but they lack sophistication in that they
can only perform trivial remedial actions.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 3 / 45
Formal decision-making frameworks explicitly quantify the salient
elements of a phenomena such as a network attack.
This provides the opportunity for both fast...
Once a problem is quantiﬁed within a framework, it can be solved
Frameworks distill the knowledge of experts, such that each
framework can be applied to new situations, potentially with an
adjustment of variables (attacker or defender strategies, payoﬀ values
etc.) to account for the particular situation.
... and scalable...
Capturing this knowledge allows situations to be addressed on a larger
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 4 / 45
Existing Models I
Known as Network Security Games.
Game theoretic, in order to enable multi-player strategic
Some models contain variables that can altered (as described
previously) and solution concepts that relate these variables in a
certain way :
αf + αc + αm
βc + βs
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 5 / 45
Existing Models II
βc represents the detection penalty for an attacker, βs the beneﬁt
to an attacker from a successful attack, αc the beneﬁt to a defender
of detecting an attack, αf the cost of a false alarm and αm the
cost of missing an attack.
1 is a probability distribution for the attack, where the potential for
attack increases with the potential for false alarm.
1 is a probability distribution for the defender, where potential for
defending (i.e. the IDS monitoring) increases with the beneﬁt to
This constitutes one solution to the game.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 6 / 45
Existing Models III
Some models estimate these variables instead, in an attempt to
make general comments about how to approach security situations
(e.g. attackers will often operate at a slightly lower capacity, in order
not to trigger a reaction from the defender ).
Most importantly, for our purposes, this ﬁeld demonstrates an
important idea: games and game theory can be used to both model
and solve the problems exhibited by network attacks.
Common approach: take an existing game, and apply it to a
security scenario, based upon parallels between properties of the
game, and properties of the scenario e.g. a Stackelberg game;
attacker leads, defender follows .
Provides an accepted format in which problems can be understood.
May bring existing solutions to bear on a new problem.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 7 / 45
Multiple Node Attacks I
A speciﬁc, yet important, category of network attacks, that haven’t
been examined in detail in the security games literature.
Attacks involve a signiﬁcant number of intermediate nodes.
Botnets (a compromised set of slave nodes)
Problem: How do we discern compromised nodes in an overlay
network, such as a P2P network, from legitimate nodes?
Attack Pivoting (incremental intrusion into a network)
Problem: How do we organise the network, and the sensitive resources
within it, in order to account for incremental intrusion?
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 8 / 45
Multiple Node Attacks II
Same methodology: Find parallels between these types of attack,
and a game.
The link: two-sided search problem
Traditional search, but the item(s) being sought is not just lost but it
has been concealed.
Must take into account the strategy of the ‘concealer’.
Multiple node attacks exhibit the two-sided search problem with
multiple hidden objects.
When facing a pivoting attack, the problem must be considered from
the reverse perspective (i.e. how will the attacker attempt to second
guess my hide locations).
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 9 / 45
Hide-and-Seek games I
Search games are designed to model and investigate the two-sided
search problem. Hide-and-seek games, a subset of search games, are
designed to do this for multiple hidden objects.
It is logical to study hide-and-seek games in order to study multiple node
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 10 / 45
Hide-and-Seek games II
Diﬀerent permutations on same basic model. The permutation of
interest to us:
Two competing players; the hider and the seeker
A search space; for our purposes, a network
Hidden objects to be concealed on the network
Some cost to seeker for undertaking a search; the hider is rewarded in
an inverse amount.
This model is simple, but already promising in what it can capture
from a multiple node attack.
Richer variants to the model are natural, why aren’t they explored?
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 11 / 45
Complexity of analytic solution
Gal: ‘Networks of arbitrary topology are likely to have a very diﬃcult
analytic solution’ 
Increasing the richness of a game representation makes it increasingly
diﬃcult to derive a solution
It becomes less apparent what the payoﬀ values attributed to each
potential strategy are or how to formalise a relationship between the
variables in the framework as part of a solution.
Richer games often have diﬀerent conﬁgurations. This greatly
increases the strategy space.
Tacking this complexity: Empirical Game Theoretic Analysis
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 12 / 45
Empirical Game Theoretical Analysis (EGTA) estimates the payoﬀ
values associated with diﬀerent strategies by realising computational
representations of them.
This computational environment, and the EGTA methodology, also
indirectly fosters the derivation of the strategies themselves.
Candidate strategies Estimated payoﬀ matrix
Strategic reasoningAdd candidates
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 13 / 45
Research Questions I
In order to study a richer hider-and-seek model, amenable to
capturing the elements of a network attack at a less abstract level,
we choose to adopt this approach.
Studies that follow the EGTA methodology naturally pursue the
following three research questions:
1 Which strategies exist for both players?
2 What are the payoﬀs for each strategy?
3 What is the solution to the game?
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 14 / 45
Research Questions II
Therefore, in this thesis, we ask:
1 Which strategies exist for both the hider and the seeker?
2 What are the payoﬀs for each of these strategies?
3 What is the solution to the game?
Contribution: Recommendations for the hide-and-seek game, that
can directly inﬂuence how the defender of a network approaches the
potential for, and responds to, a multiple node attack.
Long term aim: To provide a framework within which further
strategic experimentation can take place.
First, we need to deﬁne a new model of the game that facilitates
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 15 / 45
Conceptual Model I
Despite the chosen methodology, it is still important to still deﬁne our
model conceptually; this provides the potential for future analytic
Our model exhibits a new constraint derived from explicitly treating
the hider and the objects as separate entities; the hider must traverse
the network in order to reach desired hide locations. This creates a
novel payoﬀ structure:
A seeker’s payoﬀ is inversely proportional to the total cost of their
traversal in one interaction: Payoﬀ (S) = −TCost(S).
A hider’s payoﬀ is a seeker’s traversal cost, minus their own traversal
cost in one interaction: Payoﬀ (H) = TCost(S) − TCost(H).
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 16 / 45
Conceptual Model II
This constraint coupled with an existing constraint – an unknown
network – creates challenges for the hider (and indeed the seeker)
not seen previously (e.g. strategies must respond as more is learnt
about the network, a hider no longer has complete freedom to move
These features are the source of complexity, as previously described.
Complexity is also in the computational model...
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 17 / 45
Computation Model I
Conceptual model makes no assumption about the format of the
topology, but the actual variations in topology are provided within
the computational model.
Supported by the library JGraphT.
We end up with something tangible that can be run for an arbitrary
number of iterations
Implemented in Java as an interactive platform.
Structured for use by the community as a distributed research game.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 18 / 45
Computation Model II
A run of the computational model (otherwise known as a game) is
A set of hider and seeker strategies.
All pairwise meetings between the hider and the seeker, for each
A particular conﬁguration of variables in the model.
Each game is repeated multiple times to increase validity.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 19 / 45
Model conﬁguration I
1 G Graph topology
2 N Number of nodes in network
3 K The number of hidden objects
4 c Upper limit on edge costs
5 R Number of interactions
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 20 / 45
Model conﬁguration II
The conditions under which we answer each research question.
Some conditions have a greater impact on some questions than others
(e.g. increasing the number of nodes doesn’t necessarily open up a
space for introducing a greater number of strategies.).
Default conﬁguration: 5% of nodes will contain hidden objects (K
= 5, N = 100). Why?
Reﬂect the ‘needle in a haystack’ element of a multiple node attack.
Other conﬁguration: 50% of nodes will contain hidden objects
(N = 2K), for 1 ≤ K ≤ 100. Why?
Understand the impact that a greater number of nodes has on
Understand the impact that having a higher ratio of hidden objects to
nodes has on diﬀerent strategies
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 21 / 45
1 Games containing a single interaction.
2 Games containing multiple interactions.
Other variables are considered as sub-conﬁgurations within these.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 22 / 45
Single Interaction Games I
Each game consists of a single interaction.
High frequency of attacks, but may be from diﬀerent parties with
A speciﬁc attack that is diﬃcult to replicate (e.g. a targeted piece of
malware such as Stuxnet).
Player Strategy Description
Hider hRandomSet Chooses a subset of K nodes stochastically from all N nodes.
Seeker sBacktrackGreedy Traverses the graph by choosing the cheapest, unvisited outgoing edge from
amongst those edges connected to the current node, and previously visited
Hider hFirstK Hides its start node, and the ﬁrst K −1 locations it reaches on a random walk.
Seeker sLinkedPath Attempts to ﬁnd the trail of objects left by hFirstK by exploring until one
object is found, and then iteratively examining each connected node in turn,
backtracking if the path ends.
Hider hNotConnected Hides in the ﬁrst K nodes which it visits that have no connections to any of
the nodes that already exist in the hide set.
Hider hLeastConnected Expresses a preference for concealing objects in nodes that have the lowest
Hider hMaxDistance Expresses a preference for concealing objects in a set of nodes that exist at the
maximum distance from one another.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 23 / 45
Single Interaction Games II
Example application of methodology:
1 Enumerate strategies; in response to the behaviour of opponents,
behaviour in a network attack or simply natural behaviour. hFirstK,
hRandomSet, sBacktrackGreedy and sLinkedPath
2 Realise strategies in computational model.
3 Conﬁgure parameters (K = 5, N = 100, c = 1).
4 Run simulation (containing suﬃcient number of games (typically
5 Measure performance of strategies in simulation (payoﬀ is the typical
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 24 / 45
Single Interaction Games III
6 Plot results for analysis.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 25 / 45
Single Interaction Games IV
7 Translate to payoﬀ information in order to solve game.
Hider: hFirstK (57.14%) hRandomSet (42.86%) (Payoﬀ: 5.14) and
Seeker: sBacktrackGreedy (71.43%) sLinkedPath (28.57%) (Payoﬀ:
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 26 / 45
Single Interaction Games V
Examples of translating solutions to the hide-and-seek game into
recommendations for network attacks.
‘The best strategy for a hider to adopt against sBacktrackGreedy,
depending on the existence of other strategies, is hFirstK’.
The hider is the defender.
Concealing vulnerabilities arbitrarily (hRandomSet) is costly, yet
desirable because it deters an attacker; the attacker knows this will
necessitate extensive tours once inside the network. This threat can
be maintained by adopting a strategy in which resource, unbeknown to
the attacker, and placed in close proximity, while simultaneously
An element of psychology, further supporting the use of game theory.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 27 / 45
Single Interaction Games VI
‘The best strategy for a hider to adopt against sBacktrackGreedy and
sLinkedPath is hNotConnected’.
The hider is the defender.
We now have a strategy that is dominant against a range of choices by
the defender; correctly balancing eﬀort with anonymity can deter an
attacker as much as taking the eﬀort to hide completely anonymously,
without the additional cost (as with hFirstK) and without the potential
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 28 / 45
Multiple Interaction Games (Reactive Strategies) I
Multiple interaction game: the same attacker and defender meet
each other multiple times. Natural if an attacker exerts eﬀort
establishing a botnet.
Limitation of strategies in a single game: Preference strategies
are natural, but ill-suited to a single game interaction.
Instead, with the multiple interaction dynamic, we consider how
strategies (existing and new) are able to react based upon acquiring
incremental knowledge of their environment, their opponent’s
actions and their own past actions.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 29 / 45
Multiple Interaction Games (Reactive Strategies) II
Player Strategy Description
Seeker sLeastConnectedFirst Visits those nodes with the lowest connectivity,
Seeker sMaxDistanceFirst Visits those nodes that it computes to be at the
diameter of the graph, ﬁrst.
Seeker sHighProbability Visits those nodes that have been hidden in most
frequently by a hider, ﬁrst.
Seeker sInverseHighProbability Visits those nodes that a hider has not yet hidden
Hider hDeceptive Hides in K nodes for a set number of rounds, and
then in the remaining rounds never hides in these
Hider hUniqueRandomSet Does not repeat its choice of hide location for as
along as possible, and then restarts this process.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 30 / 45
Multiple Interaction Games (Reactive Strategies) III
‘The best strategy for a seeker to adopt against hMaxDistance, when
there are multiple interactions, is sMaxDistanceFirst, but this is the
worst strategy to play against hLeastConnected’
The seeker is the defender.
If a defender is able to correctly second guess the mentality (i.e. the
strategy) of the attacker, in terms of their selection of nodes to
compromise as bots, they are rewarded highly. However, if their
estimation is wrong, they suﬀer.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 31 / 45
Multiple Interaction Games (Reactive Strategies) IV
‘The best strategy for a seeker to adopt against both hMaxDistance
and hLeastConnected is sHighProbability’
The seeker is the defender.
Rather than trying to second guess the actions of an attacker, a
defender can wait for evidence of their behaviour. In this instance,
they cannot exploit the attacker to the same extent as if they made a
correct estimation, but instead protect themselves by reacting to
The best response from an attacker to this is to ‘space’ bots out within
the compromised overlay network (i.e. hMaxDistance). Achieving this
in practice requires additional eﬀort, and is a challenge logistically, so
the attacker may be deterred from attacking the network outright.
Again about psychology.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 32 / 45
Multiple Interaction Games (Meta Strategies) I
Limitation of reactive strategies: A short-sighted, reactive
approach has its limitations.
Meta-strategies: A framework that facilitates the gradual
acquisition of knowledge; react to how the opponent is playing, not
simply to patterns in their behaviour.
Abstracts the notion of strategy selection to a single strategy with
Player Strategy Description
Seeker sMetaProbability Assesses whether an opponent is playing hRandom-
Set or hUniqueRandomSet, and acts accordingly.
Hider hMetaConnected Assesses whether there are a suitable number of low
connectivity nodes in the graph to make hLeastCon-
nected a viable strategy.
Hider hMetaRandom Aims to understand the suitability of the strategy
currently being emulated in order to respond to a
seeker playing either sHighProbability or sInverse-
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 33 / 45
Multiple Interaction Games (Meta Strategies) II
‘The best strategy to play against an opponent playing a concrete
strategy is a meta strategy’
A warning to a defender adopting a speciﬁc defence mechanism (e.g.
speak up ); once an attacker understands that this is the mechanism
being used, they can adjust for it.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 34 / 45
Multiple Interaction Games (Meta Strategies) III
‘The best strategy to play against an opponent playing a meta
strategy is a concrete strategy’
Meta-strategies are useful when the opponent does not recognise that
their behaviour is being monitored, and respond.
If they do, we end up with a large amount of ﬂux in the choice of
strategy, as each player tries to better the other.
Reﬂects current state of aﬀairs: defenders continually patch, while
attackers continually exploit.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 35 / 45
Parameter conﬁgurations (e.g. the relative values of N and K), are
made without the inject of real data; setting values is a move towards
this, but more could easily be done.
Some may ﬁnd the notion that strategies defeat each other
unintuitive; a component of the EGTA method, import tests for
Relationship with Security Literature
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 36 / 45
Relationship with Existing Security Literature
Existing security literature is contemporary. This work is essential.
Our work aims to complement this work by looking at the bigger
picture; aims to contribute some, or at least provide a framework in
which, ‘timeless’ strategies can be developed.
Focusses on literature from well established areas; game theory,
network security games etc.
As such, compromises some contemporary themes; easy to update
the model to account for more contemporary information.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 37 / 45
Recommendation Caveats I
The model is abstract; it is not a network simulator, nor was it
designed to be (explained momentarily...). This means
recommendations require further veriﬁcation; they are heuristics.
Important to diﬀerentiate them as heuristics by leaving them in the
context of the model.
This is not an exhaustive list (but logical within the scope deﬁned);
we are not claiming to have all the answers; instead the model
provides a framework within which further recommendations can be
Recommendations are often intuitive, but sometimes not; changing
strategy in response to your opponent’s change in strategy (i.e. also
adopting a meta-strategy) is of no beneﬁt. Knowing something is
diﬀerent to showing it.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 38 / 45
Recommendation Caveats II
In the end, the recommendations are important, but the impact of
this work goes above that, in accordance with the aim highlighted
Furthers the important methodology of abstraction, and the
methodology of applying games to new problems.
Contributes a model (both in its conceptual and computation form) to
the research community as a whole; distributed research game.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 39 / 45
Recommendation Caveats III
You’re helping the attacker as well as the defender!
Because an attacker and a defender can be either the hider or the
seeker, recommendations could, in theory, help both.
Understanding how an attacker may think, and their optimal
course of play, is essential.
Often ﬁnd that there are natural restrictions when the attacker is the
e.g. While it may seem that an attacker will also beneﬁt from the
recommendation that hiding in adjacent nodes achieves comparable
anonymity to hiding uniformly randomly, being in a network outside of
their control limits the freedom they have to hide anywhere.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 40 / 45
Why do we approach the problem at this level?
An important ﬁrst step in solving problems.
Studies that attempt to model problems such as multiple node attacks
directly, often end up unwieldly.
Initially motivated by multiple node attacks, but could have
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 41 / 45
1 Veriﬁcation (mentioned)
Common in computer science. There are therefore mechanisms in place
to enable this.
2 Implicit expectation that hider and seeker can be used
interchangeably with attacker or defender; nice because it helps
harmonise the concepts, but may lead to ambiguities, or further
questions of applicability e.g. Chapter 1 considers the hider as the
benign entity, while Chapter 2 considers the seeker as the benign entity.
Flexibility outweighs the potential ambiguity.
Important to consider the level of abstraction in relation to existing
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 42 / 45
Multiple Interaction Games with Meta Strategies (Chapter 5).
Distributed Research Game (DRG)
Abstraction, while a challenge, is also a signiﬁcant strength in terms
of versatility and providing a new perspective on problems.
Classiﬁcation of Network Attacks (D2C3).
Investigating the hide-and-seek game from a computational
perspective, and search games in general, is itself a whole new ﬁeld.
Also could provide the basis for future publication
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 43 / 45
Looking to the future...
In the process of listing desirable features to extend a search game
prior to conducting the study, we also introduce the potential for
Strategies with a greater number of topological preferences.
A greater number of rounds in a game.
Further permutations on the meta-strategy model (varying degrees
of knowledge regarding when and how to change behaviour).
Further validate heuristics; provide more heuristics as a result of
expanding the model.
Where cost falls in the model (Edges and Nodes?)
The impact of multiple hiders and seekers.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 44 / 45
Tansu Alpcan and Tamer Ba¸sar.
Network Security: A Decision and Game-theoretic Approach.
Cambridge University Press, 2010.
In Wiley Encyclopedia of Operations Research and Management Scilence. Wiley,
Jorma Jormakka and Jarmo M¨ols¨a.
Modelling Information Warfare as a Game.
Journal of Information Warfare, 4(2):12–25, 2005.
Heinrich Von Stackelberg.
Market Structure and Equilibrium.
Springer Science and Business Media, 2010.
Michael Walﬁsh, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott
Ddos Defense by Oﬀense.
In Proceedings of The 2006 Conference on Applications, Technologies,
Architectures, and Protocols for Computer Communications (SIGCOMM 06),
pages 303–314, 2006.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 45 / 45