1. Cyber Hide-and-Seek: Ph.D. Viva Presentation
Martin Chapman
King’s College London
martin.chapman@kcl.ac.uk
November 30, 2015
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 1 / 45
Overview
High level overview of key themes in work; some comment on
methodology.
Designed as potential points for discussion; not exhaustive.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 2 / 45

2. Motivation I
Problem: Network attacks are becoming more frequent.
Traditional response to a network attack is to use human expertise.
(Generally) reliable and suited to the situation.
Slow.
Automated techniques exist, but they lack sophistication in that they
can only perform trivial remedial actions.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 3 / 45
Motivation II
Formal decision-making frameworks explicitly quantify the salient
elements of a phenomena such as a network attack.
This provides the opportunity for both fast...
Once a problem is quantified within a framework, it can be solved
automatically
...sophisticated...
Frameworks distill the knowledge of experts, such that each
framework can be applied to new situations, potentially with an
adjustment of variables (attacker or defender strategies, payoff values
etc.) to account for the particular situation.
... and scalable...
Capturing this knowledge allows situations to be addressed on a larger
scale.
...automated response.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 4 / 45

3. Existing Models I
Known as Network Security Games.
Game theoretic, in order to enable multi-player strategic
decision-making
Some models contain variables that can altered (as described
previously) and solution concepts that relate these variables in a
certain way [1]:
−αc αm
βc −βs
αf 0
0 0
d1 nd
a1
na
D
A
p∗
1 =
αf
αf + αc + αm
q∗
1 =
βs
βc + βs
.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 5 / 45
Existing Models II
βc represents the detection penalty for an attacker, βs the benefit
to an attacker from a successful attack, αc the benefit to a defender
of detecting an attack, αf the cost of a false alarm and αm the
cost of missing an attack.
p∗
1 is a probability distribution for the attack, where the potential for
attack increases with the potential for false alarm.
q∗
1 is a probability distribution for the defender, where potential for
defending (i.e. the IDS monitoring) increases with the benefit to
attacking
This constitutes one solution to the game.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 6 / 45

4. Existing Models III
Some models estimate these variables instead, in an attempt to
make general comments about how to approach security situations
(e.g. attackers will often operate at a slightly lower capacity, in order
not to trigger a reaction from the defender [3]).
Most importantly, for our purposes, this field demonstrates an
important idea: games and game theory can be used to both model
and solve the problems exhibited by network attacks.
Common approach: take an existing game, and apply it to a
security scenario, based upon parallels between properties of the
game, and properties of the scenario e.g. a Stackelberg game;
attacker leads, defender follows [4].
Provides an accepted format in which problems can be understood.
May bring existing solutions to bear on a new problem.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 7 / 45
Multiple Node Attacks I
A specific, yet important, category of network attacks, that haven’t
been examined in detail in the security games literature.
Attacks involve a significant number of intermediate nodes.
Botnets (a compromised set of slave nodes)
Problem: How do we discern compromised nodes in an overlay
network, such as a P2P network, from legitimate nodes?
Attack Pivoting (incremental intrusion into a network)
Problem: How do we organise the network, and the sensitive resources
within it, in order to account for incremental intrusion?
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 8 / 45

5. Multiple Node Attacks II
Same methodology: Find parallels between these types of attack,
and a game.
The link: two-sided search problem
Traditional search, but the item(s) being sought is not just lost but it
has been concealed.
Must take into account the strategy of the ‘concealer’.
Multiple node attacks exhibit the two-sided search problem with
multiple hidden objects.
When facing a pivoting attack, the problem must be considered from
the reverse perspective (i.e. how will the attacker attempt to second
guess my hide locations).
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 9 / 45
Hide-and-Seek games I
Search games are designed to model and investigate the two-sided
search problem. Hide-and-seek games, a subset of search games, are
designed to do this for multiple hidden objects.
Proposal
It is logical to study hide-and-seek games in order to study multiple node
attacks.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 10 / 45

6. Hide-and-Seek games II
Different permutations on same basic model. The permutation of
interest to us:
Two competing players; the hider and the seeker
A search space; for our purposes, a network
Hidden objects to be concealed on the network
Some cost to seeker for undertaking a search; the hider is rewarded in
an inverse amount.
This model is simple, but already promising in what it can capture
from a multiple node attack.
Richer variants to the model are natural, why aren’t they explored?
‘Complexity’.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 11 / 45
Complexity of analytic solution
Gal: ‘Networks of arbitrary topology are likely to have a very difficult
analytic solution’ [2]
Increasing the richness of a game representation makes it increasingly
difficult to derive a solution
Why?
It becomes less apparent what the payoff values attributed to each
potential strategy are or how to formalise a relationship between the
variables in the framework as part of a solution.
Richer games often have different configurations. This greatly
increases the strategy space.
Tacking this complexity: Empirical Game Theoretic Analysis
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 12 / 45

7. Methodology
Empirical Game Theoretical Analysis (EGTA) estimates the payoff
values associated with different strategies by realising computational
representations of them.
This computational environment, and the EGTA methodology, also
indirectly fosters the derivation of the strategies themselves.
Solution concepts
Candidate strategies Estimated payoff matrix
Simulation
Strategic reasoningAdd candidates
Further simulations
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 13 / 45
Research Questions I
In order to study a richer hider-and-seek model, amenable to
capturing the elements of a network attack at a less abstract level,
we choose to adopt this approach.
Studies that follow the EGTA methodology naturally pursue the
following three research questions:
1 Which strategies exist for both players?
2 What are the payoffs for each strategy?
3 What is the solution to the game?
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 14 / 45

8. Research Questions II
Therefore, in this thesis, we ask:
1 Which strategies exist for both the hider and the seeker?
2 What are the payoffs for each of these strategies?
3 What is the solution to the game?
Contribution: Recommendations for the hide-and-seek game, that
can directly influence how the defender of a network approaches the
potential for, and responds to, a multiple node attack.
Long term aim: To provide a framework within which further
strategic experimentation can take place.
First, we need to define a new model of the game that facilitates
this method.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 15 / 45
Conceptual Model I
Despite the chosen methodology, it is still important to still define our
model conceptually; this provides the potential for future analytic
attention.
Our model exhibits a new constraint derived from explicitly treating
the hider and the objects as separate entities; the hider must traverse
the network in order to reach desired hide locations. This creates a
novel payoff structure:
A seeker’s payoff is inversely proportional to the total cost of their
traversal in one interaction: Payoff (S) = −TCost(S).
A hider’s payoff is a seeker’s traversal cost, minus their own traversal
cost in one interaction: Payoff (H) = TCost(S) − TCost(H).
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 16 / 45

9. Conceptual Model II
This constraint coupled with an existing constraint – an unknown
network – creates challenges for the hider (and indeed the seeker)
not seen previously (e.g. strategies must respond as more is learnt
about the network, a hider no longer has complete freedom to move
anywhere etc.).
These features are the source of complexity, as previously described.
Complexity is also in the computational model...
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 17 / 45
Computation Model I
Conceptual model makes no assumption about the format of the
topology, but the actual variations in topology are provided within
the computational model.
Supported by the library JGraphT.
We end up with something tangible that can be run for an arbitrary
number of iterations
Implemented in Java as an interactive platform.
Structured for use by the community as a distributed research game.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 18 / 45

10. Computation Model II
A run of the computational model (otherwise known as a game) is
defined by:
A set of hider and seeker strategies.
All pairwise meetings between the hider and the seeker, for each
strategy.
A particular configuration of variables in the model.
Each game is repeated multiple times to increase validity.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 19 / 45
Model configuration I
1 G Graph topology
2 N Number of nodes in network
3 K The number of hidden objects
4 c Upper limit on edge costs
5 R Number of interactions
6 ...
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 20 / 45

11. Model configuration II
The conditions under which we answer each research question.
Some conditions have a greater impact on some questions than others
(e.g. increasing the number of nodes doesn’t necessarily open up a
space for introducing a greater number of strategies.).
Default configuration: 5% of nodes will contain hidden objects (K
= 5, N = 100). Why?
Reflect the ‘needle in a haystack’ element of a multiple node attack.
Other configuration: 50% of nodes will contain hidden objects
(N = 2K), for 1 ≤ K ≤ 100. Why?
Understand the impact that a greater number of nodes has on
different strategies
Understand the impact that having a higher ratio of hidden objects to
nodes has on different strategies
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 21 / 45
Main Configurations
1 Games containing a single interaction.
2 Games containing multiple interactions.
Other variables are considered as sub-configurations within these.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 22 / 45

12. Single Interaction Games I
Each game consists of a single interaction.
High frequency of attacks, but may be from different parties with
different strategies.
A specific attack that is difficult to replicate (e.g. a targeted piece of
malware such as Stuxnet).
Player Strategy Description
Hider hRandomSet Chooses a subset of K nodes stochastically from all N nodes.
Seeker sBacktrackGreedy Traverses the graph by choosing the cheapest, unvisited outgoing edge from
amongst those edges connected to the current node, and previously visited
nodes.
Hider hFirstK Hides its start node, and the first K −1 locations it reaches on a random walk.
Seeker sLinkedPath Attempts to find the trail of objects left by hFirstK by exploring until one
object is found, and then iteratively examining each connected node in turn,
backtracking if the path ends.
Hider hNotConnected Hides in the first K nodes which it visits that have no connections to any of
the nodes that already exist in the hide set.
Hider hLeastConnected Expresses a preference for concealing objects in nodes that have the lowest
degree centrality.
Hider hMaxDistance Expresses a preference for concealing objects in a set of nodes that exist at the
maximum distance from one another.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 23 / 45
Single Interaction Games II
Example application of methodology:
1 Enumerate strategies; in response to the behaviour of opponents,
behaviour in a network attack or simply natural behaviour. hFirstK,
hRandomSet, sBacktrackGreedy and sLinkedPath
2 Realise strategies in computational model.
3 Configure parameters (K = 5, N = 100, c = 1).
4 Run simulation (containing sufficient number of games (typically
1000)).
5 Measure performance of strategies in simulation (payoff is the typical
metric).
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 24 / 45

13. Single Interaction Games III
6 Plot results for analysis.
0.3
0.35
0.4
0.45
0.5
0.55
0.6
0.65
hFirstK
hRandom
Set
Payoff
Strategy
sBacktrackGreedy
***
***
sLinkedPath
***
***
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 25 / 45
Single Interaction Games IV
7 Translate to payoff information in order to solve game.
−6.0 −3.0
6.0 3.0
−6.0 −10.0
4.0 8.0
sBacktrackGreedy sLinkedPath
hFirstK
hRandomSet
Hider: hFirstK (57.14%) hRandomSet (42.86%) (Payoff: 5.14) and
Seeker: sBacktrackGreedy (71.43%) sLinkedPath (28.57%) (Payoff:
-6.00)
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 26 / 45

14. Single Interaction Games V
Examples of translating solutions to the hide-and-seek game into
recommendations for network attacks.
‘The best strategy for a hider to adopt against sBacktrackGreedy,
depending on the existence of other strategies, is hFirstK’.
The hider is the defender.
Concealing vulnerabilities arbitrarily (hRandomSet) is costly, yet
desirable because it deters an attacker; the attacker knows this will
necessitate extensive tours once inside the network. This threat can
be maintained by adopting a strategy in which resource, unbeknown to
the attacker, and placed in close proximity, while simultaneously
reducing cost.
An element of psychology, further supporting the use of game theory.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 27 / 45
Single Interaction Games VI
‘The best strategy for a hider to adopt against sBacktrackGreedy and
sLinkedPath is hNotConnected’.
The hider is the defender.
We now have a strategy that is dominant against a range of choices by
the defender; correctly balancing effort with anonymity can deter an
attacker as much as taking the effort to hide completely anonymously,
without the additional cost (as with hFirstK) and without the potential
for exploitation.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 28 / 45

15. Multiple Interaction Games (Reactive Strategies) I
Multiple interaction game: the same attacker and defender meet
each other multiple times. Natural if an attacker exerts effort
establishing a botnet.
Limitation of strategies in a single game: Preference strategies
are natural, but ill-suited to a single game interaction.
Instead, with the multiple interaction dynamic, we consider how
strategies (existing and new) are able to react based upon acquiring
incremental knowledge of their environment, their opponent’s
actions and their own past actions.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 29 / 45
Multiple Interaction Games (Reactive Strategies) II
Player Strategy Description
Seeker sLeastConnectedFirst Visits those nodes with the lowest connectivity,
first.
Seeker sMaxDistanceFirst Visits those nodes that it computes to be at the
diameter of the graph, first.
Seeker sHighProbability Visits those nodes that have been hidden in most
frequently by a hider, first.
Seeker sInverseHighProbability Visits those nodes that a hider has not yet hidden
in, first.
Hider hDeceptive Hides in K nodes for a set number of rounds, and
then in the remaining rounds never hides in these
nodes again.
Hider hUniqueRandomSet Does not repeat its choice of hide location for as
along as possible, and then restarts this process.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 30 / 45

16. Multiple Interaction Games (Reactive Strategies) III
‘The best strategy for a seeker to adopt against hMaxDistance, when
there are multiple interactions, is sMaxDistanceFirst, but this is the
worst strategy to play against hLeastConnected’
The seeker is the defender.
If a defender is able to correctly second guess the mentality (i.e. the
strategy) of the attacker, in terms of their selection of nodes to
compromise as bots, they are rewarded highly. However, if their
estimation is wrong, they suffer.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 31 / 45
Multiple Interaction Games (Reactive Strategies) IV
‘The best strategy for a seeker to adopt against both hMaxDistance
and hLeastConnected is sHighProbability’
The seeker is the defender.
Rather than trying to second guess the actions of an attacker, a
defender can wait for evidence of their behaviour. In this instance,
they cannot exploit the attacker to the same extent as if they made a
correct estimation, but instead protect themselves by reacting to
behaviour.
The best response from an attacker to this is to ‘space’ bots out within
the compromised overlay network (i.e. hMaxDistance). Achieving this
in practice requires additional effort, and is a challenge logistically, so
the attacker may be deterred from attacking the network outright.
Again about psychology.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 32 / 45

17. Multiple Interaction Games (Meta Strategies) I
Limitation of reactive strategies: A short-sighted, reactive
approach has its limitations.
Meta-strategies: A framework that facilitates the gradual
acquisition of knowledge; react to how the opponent is playing, not
simply to patterns in their behaviour.
Abstracts the notion of strategy selection to a single strategy with
multiple behaviours.
Player Strategy Description
Seeker sMetaProbability Assesses whether an opponent is playing hRandom-
Set or hUniqueRandomSet, and acts accordingly.
Hider hMetaConnected Assesses whether there are a suitable number of low
connectivity nodes in the graph to make hLeastCon-
nected a viable strategy.
Hider hMetaRandom Aims to understand the suitability of the strategy
currently being emulated in order to respond to a
seeker playing either sHighProbability or sInverse-
HighProbability.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 33 / 45
Multiple Interaction Games (Meta Strategies) II
‘The best strategy to play against an opponent playing a concrete
strategy is a meta strategy’
A warning to a defender adopting a specific defence mechanism (e.g.
speak up [5]); once an attacker understands that this is the mechanism
being used, they can adjust for it.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 34 / 45

18. Multiple Interaction Games (Meta Strategies) III
‘The best strategy to play against an opponent playing a meta
strategy is a concrete strategy’
Meta-strategies are useful when the opponent does not recognise that
their behaviour is being monitored, and respond.
If they do, we end up with a large amount of flux in the choice of
strategy, as each player tries to better the other.
Reflects current state of affairs: defenders continually patch, while
attackers continually exploit.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 35 / 45
Potential Weaknesses?
Minor:
Parameter configurations (e.g. the relative values of N and K), are
made without the inject of real data; setting values is a move towards
this, but more could easily be done.
Some may find the notion that strategies defeat each other
unintuitive; a component of the EGTA method, import tests for
robustness.
Worth elaboration:
Relationship with Security Literature
Recommendation Caveats
Abstraction
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 36 / 45

19. Relationship with Existing Security Literature
Existing security literature is contemporary. This work is essential.
Our work aims to complement this work by looking at the bigger
picture; aims to contribute some, or at least provide a framework in
which, ‘timeless’ strategies can be developed.
Focusses on literature from well established areas; game theory,
network security games etc.
As such, compromises some contemporary themes; easy to update
the model to account for more contemporary information.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 37 / 45
Recommendation Caveats I
The model is abstract; it is not a network simulator, nor was it
designed to be (explained momentarily...). This means
recommendations require further verification; they are heuristics.
Important to differentiate them as heuristics by leaving them in the
context of the model.
This is not an exhaustive list (but logical within the scope defined);
we are not claiming to have all the answers; instead the model
provides a framework within which further recommendations can be
derived.
Recommendations are often intuitive, but sometimes not; changing
strategy in response to your opponent’s change in strategy (i.e. also
adopting a meta-strategy) is of no benefit. Knowing something is
different to showing it.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 38 / 45

20. Recommendation Caveats II
In the end, the recommendations are important, but the impact of
this work goes above that, in accordance with the aim highlighted
earlier:
Furthers the important methodology of abstraction, and the
methodology of applying games to new problems.
Contributes a model (both in its conceptual and computation form) to
the research community as a whole; distributed research game.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 39 / 45
Recommendation Caveats III
You’re helping the attacker as well as the defender!
Because an attacker and a defender can be either the hider or the
seeker, recommendations could, in theory, help both.
Understanding how an attacker may think, and their optimal
course of play, is essential.
Often find that there are natural restrictions when the attacker is the
hider.
e.g. While it may seem that an attacker will also benefit from the
recommendation that hiding in adjacent nodes achieves comparable
anonymity to hiding uniformly randomly, being in a network outside of
their control limits the freedom they have to hide anywhere.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 40 / 45

21. Abstraction I
Why do we approach the problem at this level?
An important first step in solving problems.
Studies that attempt to model problems such as multiple node attacks
directly, often end up unwieldly.
Initially motivated by multiple node attacks, but could have
applications elsewhere.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 41 / 45
Abstraction II
Potential issues:
1 Verification (mentioned)
Common in computer science. There are therefore mechanisms in place
to enable this.
2 Implicit expectation that hider and seeker can be used
interchangeably with attacker or defender; nice because it helps
harmonise the concepts, but may lead to ambiguities, or further
questions of applicability e.g. Chapter 1 considers the hider as the
benign entity, while Chapter 2 considers the seeker as the benign entity.
Flexibility outweighs the potential ambiguity.
Important to consider the level of abstraction in relation to existing
hide-and-seek games.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 42 / 45

22. Strengths
Multiple Interaction Games with Meta Strategies (Chapter 5).
Distributed Research Game (DRG)
Abstraction, while a challenge, is also a significant strength in terms
of versatility and providing a new perspective on problems.
Classification of Network Attacks (D2C3).
Investigating the hide-and-seek game from a computational
perspective, and search games in general, is itself a whole new field.
...
Also could provide the basis for future publication
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 43 / 45
Looking to the future...
In the process of listing desirable features to extend a search game
prior to conducting the study, we also introduce the potential for
future work:
Specific:
Strategies with a greater number of topological preferences.
A greater number of rounds in a game.
Further permutations on the meta-strategy model (varying degrees
of knowledge regarding when and how to change behaviour).
General:
Further validate heuristics; provide more heuristics as a result of
expanding the model.
Where cost falls in the model (Edges and Nodes?)
The impact of multiple hiders and seekers.
...
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 44 / 45

23. References
Tansu Alpcan and Tamer Ba¸sar.
Network Security: A Decision and Game-theoretic Approach.
Cambridge University Press, 2010.
Shmuel Gal.
Search games.
In Wiley Encyclopedia of Operations Research and Management Scilence. Wiley,
2011.
Jorma Jormakka and Jarmo M¨ols¨a.
Modelling Information Warfare as a Game.
Journal of Information Warfare, 4(2):12–25, 2005.
Heinrich Von Stackelberg.
Market Structure and Equilibrium.
Springer Science and Business Media, 2010.
Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott
Shenker.
Ddos Defense by Offense.
In Proceedings of The 2006 Conference on Applications, Technologies,
Architectures, and Protocols for Computer Communications (SIGCOMM 06),
pages 303–314, 2006.
Martin Chapman (King’s College London) Cyber Hide-and-Seek November 30, 2015 45 / 45