<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Development of the strategy for selection of information-communication system security tools based on game theory</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Olena Karelina</string-name>
          <email>karelina@tntu.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Taras Lobur</string-name>
          <email>lobur_t@tntu.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Ternopil Ivan Puluj National Technical University</institution>
          ,
          <addr-line>Ruska, 56, Ternopil, 46001</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>A mathematical dual binary game of two parties was set up, one party being the information security system of PJSC “Zborivgaz” and the other the intruder's attacks aimed at breaking the integrity, confidentiality or availability of information. A strategy for selecting information-communication system security tools under the constraint of the enterprise's limited budget was developed.</p>
      </abstract>
      <kwd-group>
        <kwd>information-communication system</kwd>
        <kwd>information security strategy</kwd>
        <kwd>game theory</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1.2. Review of the publications on the investigated topic</title>
      <p>
        The general issues of applying game theory to cyber security problems are discussed in
papers [
        <xref ref-type="bibr" rid="ref3 ref4">3-4</xref>
        ]. The authors argue that the confrontation between a hacker and an information security
administrator can be treated as a mathematical game in which each player tries to maximize the
satisfaction of their own interests. Hence a well-developed tool, game theory, can be applied to the new
cyber security problems arising today.
      </p>
      <p>
        In paper [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], an algorithm for developing an information security system was proposed; it combines expert
evaluation methods for obtaining the initial data, game theory and mathematical programming. The
result of solving this problem is the optimal set of security mechanisms that provides the maximum
security level (the minimum value of information security risk) under the given constraints.
The constraint of a limited cyber security budget is important for our investigation. Therefore, we rely on
the approach proposed in paper [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], where the selection of security tools is based on the mathematical
apparatus of game theory and makes it possible to take decisions under a limited enterprise budget.
      </p>
    </sec>
    <sec id="sec-2">
      <title>2. Presentation of the main material</title>
      <p>We investigated the relationship between an attacker of the corporate
information-communication system and the security administrator of the PJSC “Zborivgaz” enterprise. The
Company's activity comprises uninterrupted gas supply, execution of construction works, and the design of new
and expansion of existing gas distribution networks. The problem of information security of strategic
infrastructure objects is important for Ukraine. This is demonstrated by the series of power plant cyber attacks
in 2015 conducted using the BlackEnergy malware, as a result of which a large number of settlements
remained without energy supply for several hours.</p>
      <p>Let us model a mathematical dual binary game of two parties, one of which is the information
security system of PJSC “Zborivgaz” and the other is the intruder's attacks.</p>
      <p>
        According to the methodology developed in [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], the strategies of the security administrator are
taken as the rows S<sub>i</sub> (i=1,…,n) of the game matrix, and the intruder's strategies as its columns A<sub>j</sub>
(j=1,…,m).
      </p>
      <p>
        The intruder's strategies are the types of local and network attacks that can be implemented at PJSC
“Zborivgaz”. Let us determine the most probable ones based on the conclusions of sources [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ], [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ].
      </p>
      <p>A common attack is spoofing, the substitution of traffic on the network or of content on a site
by that which is beneficial to the intruder. A fraudulent offline scheme in which gas consumers
received payment bills containing the details of a fraudulent bank account was revealed in Kyiv;
several hundred people suffered. This and similar schemes can also be implemented online if
effective corporate information security measures are not taken.</p>
      <p>DDOS attacks are among the most common attacks on corporate servers today. One of the well-known
DDOS attacks in Ukraine was the overloading of the Ukrzaliznytsia server with requests, which left
the servers inaccessible during the day. Today a large number of DDOS attacks are performed
from botnets built on Internet of Things infrastructure, such as the Mirai botnet, created from
compromised routers, camcorders, DVD players, smart TV sets, wireless presentation systems and
other network-connected devices; their number reaches 500,000.</p>
      <p>Financial data and personal information of PJSC “Zborivgaz” customers are stored in databases.
Therefore code injection attacks, including SQL injection, are probable. This type of attack gives the
intruder a variety of opportunities, limited only by the programming language and by the access rights
to the targeted organization assets. For example, the intruder can view all the database entries available to the
current session of the user whose name the intruder managed to obtain, or emulate fake server
responses to customers' requests. This attack is particularly dangerous because anyone who has
access to the organization's web site and is able to enter data into text boxes can potentially be a source
of SQL injection attacks.</p>
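      <p>As an added illustration of the mitigation for the SQL injection threat described above (this is example code, not part of the paper or of the PJSC “Zborivgaz” system), the Python script below builds an in-memory SQLite table with constructed customer rows and runs the same login lookup two ways: by string concatenation, where a crafted login value turns the WHERE clause into an always-true condition and every row is returned, and with a bound parameter, where the database driver treats the value as data and nothing matches. The table, its rows and the test input are all constructed for the demonstration.</p>
      <preformat><![CDATA[
```python
"""Parameterized queries as the mitigation for the SQL injection threat named in the text.
Added example: the customers table, its rows and the tainted input are constructed for the demo."""
import sqlite3


def open_demo_db():
    """In-memory customer table with constructed sample rows (not real PJSC Zborivgaz data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, login TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO customers (login, account) VALUES (?, ?)",
        [("ivanenko", "UA00-0001"), ("petrenko", "UA00-0002"), ("admin", "UA00-9999")],
    )
    return conn


def lookup_vulnerable(conn, login):
    """Builds the statement by string concatenation: the user's text becomes part of the SQL."""
    sql = "SELECT login, account FROM customers WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, login):
    """Binds the value through a placeholder: the driver never interprets it as SQL."""
    sql = "SELECT login, account FROM customers WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def count_rows_returned(lookup, login):
    """Run one lookup function against a fresh demo database and report how many rows it leaks."""
    conn = open_demo_db()
    try:
        return len(lookup(conn, login))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed input that closes the quoted literal and appends an always-true condition.
    TAINTED = "x' OR '1'='1"
    print("concatenated query rows:", count_rows_returned(lookup_vulnerable, TAINTED))
    print("parameterized query rows:", count_rows_returned(lookup_parameterized, TAINTED))
    print("legitimate login rows:", count_rows_returned(lookup_parameterized, "petrenko"))
```
]]></preformat>
      <p>The concatenated form returns all three constructed rows for the tainted input, while the parameterized form returns none and still returns exactly one row for a legitimate login; the same placeholder discipline applies to every other database driver, and is the cheapest of the countermeasures weighed in the game below.</p>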
      <p>Functional abuse attacks require no additional tools or special knowledge, so the likelihood of their
occurrence is high. The essence of these attacks is that the program's regular functionality is used for malicious
purposes. For example, chat or e-mail can be used to send all contacts a web site address that loads a harmful
exploit. Abuse of functionality is more characteristic of insider attacks. In its modern form, the insider attack
is an action of the intruder on behalf of a user account of the corporate information-communication
system.</p>
      <p>The intruder can gain unauthorized access not to a user account, as in the previous attack type, but
to the operating system; an OS-commanding attack is then implemented. If access was gained through
the web server, malicious commands can be executed directly from the browser. For PJSC “Zborivgaz”
there is a real probability of malicious code being downloaded to a compromised server and run,
since one of the most common cyber threats of recent years is phishing, which has affected many Ukrainian
companies.</p>
      <p>Administrator strategies consist of the use of information security tools. A firewall is a device designed
to manage Internet access, encrypt data and transfer network traffic between zones with different levels
of access restriction in accordance with security policies. In the information-communication
system of PJSC “Zborivgaz” the firewall provides WAN interfaces for connection to different ISPs, a
LAN interface for connection to the internal network of PJSC “Zborivgaz”, a DMZ interface for the
zone of public servers, support for NAT, management of access to
the LAN and to the zone of shared servers, and protection against attacks from outside.</p>
      <p>Cloud DDOS security services (such as Incapsula) ensure protection against DDOS-based attacks
and reduce attack intensity within minutes.</p>
      <p>Antivirus protects the enterprise assets from malicious software that can get onto the computers of
PJSC "Zborivgaz" from the Internet or removable media.</p>
      <p>Biometric user identification hardware makes it possible to perform authentication at PJSC
"Zborivgaz" workplaces quickly and without error, using features that are difficult to fake.</p>
      <p>The hardware cryptographic complex protects traffic from being read if it is intercepted, because
the intruder cannot recover the content of the encrypted message.</p>
      <p>The elements of the mathematical game matrix that we constructed in order to develop the cyber security
strategy for PJSC "Zborivgaz" are the probabilities of successful implementation of the intruder's attacks,
determined by the expert assessment method (Table 1).</p>
      <p>Assessed value (UAH) of each security tool X<sub>i</sub> (i=1,…,5): (5800, 20000, 21000, 33000, 50000) and
the amount of estimated loss from the implementation of a particular attack Y<sub>j</sub></p>
      <p>We used the online service https://math.semestr.ru/games/index.php to solve the resulting game
matrix by the Brown-Robinson method. The window for data entry and selection of the problem-solving
method is shown in Fig. 1.</p>
      <p>We check whether the payoff matrix has a saddle point. If it does, we write out the game
solution in pure strategies. A pure strategy of the security administrator is the choice of one row of the payoff
matrix, and a pure strategy of the intruder is the choice of one of its columns. We
assume that the security administrator selects his strategy so as to obtain the maximum
gain, and the intruder selects his strategy so as to minimize the administrator's gain.</p>
      <p>The minimum cost values and maximum cost savings are defined in Table 3.</p>
      <p>Let us find the guaranteed gain, given by the lower game price a = max(a<sub>i</sub>) = 4000,
which corresponds to the maximin pure strategy of antivirus use. The upper game price is b = min(b<sub>j</sub>) = 7500.
Since a ≠ b there is no saddle point, and the game price lies within 4000 ≤ y ≤
7500.</p>
      <p>We therefore look for the game solution in mixed strategies. This reflects the fact that neither the security
administrator nor the intruder can reveal their pure strategy to the opponent; each must hide their
actions.</p>
      <table-wrap>
        <caption>
          <p>Columns of the game matrix for code injection, abuse of functionality and OS-commanding (the last row is the column maximum b<sub>j</sub>)</p>
        </caption>
        <table>
          <thead>
            <tr>
              <th />
              <th>code injection</th>
              <th>abuse of functionality</th>
              <th>OS-commanding</th>
            </tr>
          </thead>
          <tbody>
            <tr><td>firewall</td><td>18500</td><td>3200</td><td>18000</td></tr>
            <tr><td>antivirus</td><td>4700</td><td>4000</td><td>8900</td></tr>
            <tr><td>cloud defense</td><td>600</td><td>7500</td><td>2800</td></tr>
            <tr><td>biometry</td><td>1200</td><td>7500</td><td>2700</td></tr>
            <tr><td>cryptosystem</td><td>1700</td><td>2500</td><td>2700</td></tr>
            <tr><td>max (b<sub>j</sub>)</td><td>18500</td><td>7500</td><td>18000</td></tr>
          </tbody>
        </table>
      </table-wrap>
      <p>Let us check the payoff matrix for dominating rows and columns. Sometimes, from a
simple inspection of the game matrix, it can be seen that some pure strategies enter the optimal
mixed strategy only with zero probability.</p>
      <p>The i-th strategy of the 1st player dominates his k-th strategy if a<sub>ij</sub> ≥ a<sub>kj</sub> for all j ∈ N and a<sub>ij</sub> &gt; a<sub>kj</sub> for at least
one j. In this case the i-th strategy (row) is called dominating and the k-th dominated.
The j-th strategy of the 2nd player dominates his l-th strategy if a<sub>ij</sub> ≤ a<sub>il</sub> for all i ∈ M and a<sub>ij</sub> &lt; a<sub>il</sub> for at least
one i. In this case the j-th strategy (column) is called dominating and the l-th dominated.</p>
      <p>The firewall strategy dominates the cryptosystem strategy (all elements of row
1 are greater than or equal to the corresponding values of row 5), so we remove the 5th row of the matrix (Table 4).
Its probability is p<sub>5</sub> = 0.</p>
      <table-wrap>
        <label>Table 4</label>
        <caption>
          <p>Game matrix after dominated row removal (recovered columns: spoofing, DDOS, code injection)</p>
        </caption>
        <table>
          <thead>
            <tr>
              <th />
              <th>spoofing</th>
              <th>DDOS</th>
              <th>code injection</th>
            </tr>
          </thead>
          <tbody>
            <tr><td>firewall</td><td>21400</td><td>40200</td><td>18500</td></tr>
            <tr><td>antivirus</td><td>14400</td><td>18000</td><td>4300</td></tr>
            <tr><td>cloud defense</td><td>7800</td><td>2000</td><td>600</td></tr>
            <tr><td>biometry</td><td>17400</td><td>5000</td><td>1200</td></tr>
          </tbody>
        </table>
      </table-wrap>
      <p>From the intruder's loss perspective, the code injection strategy dominates the spoofing strategy (all
elements of column 3 are smaller than those of column 1), so we remove the first column of the matrix
(Table 5); its probability is q<sub>1</sub> = 0. Likewise, the code injection strategy dominates
the DDOS attack strategy (all elements of column 3 are smaller than those of column 2), so we remove the second
column of the matrix (Table 5); its probability is q<sub>2</sub> = 0.</p>
      <p>We have thus reduced the 5x5 game to a 4x3 game. The players select their pure strategies at random, so the
gain of the information security administrator is a random variable. The administrator must select his
strategies so as to maximize his average gain, and the intruder must choose his strategies so as to
minimize the administrator's expected gain.</p>
      <p>Each play-off in pure strategies is called a round of the game. The Brown-Robinson method is an iterative
procedure that constructs a sequence of pairs of the players' mixed strategies converging to the matrix
game solution.</p>
      <p>At the first step, let us select the firewall strategy. Iteration 1: the minimum element is 3200,
in column j=2, so the intruder selects the abuse of functionality strategy. The maximum
element equals 7500, in row i=3, so the administrator chooses the cloud defense strategy.
Iteration 2: the minimum element is 10700, in column j=2, so the intruder again selects the abuse of
functionality strategy. The maximum element is 15000, in row i=3, so the administrator again chooses
the cloud defense strategy.</p>
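      <p>The following Python script is an added worked example, not code from the paper or from the online service it used. It assembles the administrator's payoff matrix for the four remaining tools from the matrix values printed above (the cryptosystem row is already omitted as dominated; the cell for antivirus against code injection appears on the page as both 4300 and 4700, and the 4300 of Table 4 is used), computes the lower and upper game prices to test for a saddle point, removes dominated rows and columns by the definition given above, and then runs the Brown-Robinson iteration starting from the firewall row. The function and variable names are the example's own.</p>
      <preformat><![CDATA[
```python
"""Matrix game for choosing security tools: saddle point, dominance, Brown-Robinson.
Added example; the payoff values are the ones printed on the page, assembled here."""

# Administrator (row) strategies and intruder (column) strategies, as named in the text.
ROWS = ["firewall", "antivirus", "cloud defense", "biometry"]
COLS = ["spoofing", "DDOS", "code injection", "abuse of functionality", "OS-commanding"]

# Administrator's gain a_ij (UAH). The cryptosystem row is already removed as dominated by firewall.
# The page prints both 4300 and 4700 for (antivirus, code injection); Table 4's 4300 is used here.
GAME = [
    [21400, 40200, 18500, 3200, 18000],
    [14400, 18000, 4300, 4000, 8900],
    [7800, 2000, 600, 7500, 2800],
    [17400, 5000, 1200, 7500, 2700],
]


def saddle_point(a):
    """Lower price max_i min_j a_ij, upper price min_j max_i a_ij, and whether they coincide."""
    lower = max(min(row) for row in a)
    upper = min(max(col) for col in zip(*a))
    return lower, upper, lower == upper


def row_dominates(a, i, k, cols):
    """Row i dominates row k: a_ij >= a_kj in every surviving column and > in at least one."""
    return all(a[i][j] >= a[k][j] for j in cols) and any(a[i][j] > a[k][j] for j in cols)


def col_dominates(a, j, l, rows):
    """Column j dominates column l for the minimizing intruder: a_ij <= a_il everywhere, < at least once."""
    return all(a[i][j] <= a[i][l] for i in rows) and any(a[i][j] < a[i][l] for i in rows)


def remove_dominated(a, row_names, col_names):
    """Iterated removal of dominated rows and columns; returns the reduced matrix and surviving names."""
    rows, cols = list(range(len(a))), list(range(len(a[0])))
    changed = True
    while changed:
        changed = False
        for k in list(rows):
            if any(i != k and row_dominates(a, i, k, cols) for i in rows):
                rows.remove(k)
                changed = True
        for l in list(cols):
            if any(j != l and col_dominates(a, j, l, rows) for j in cols):
                cols.remove(l)
                changed = True
    reduced = [[a[i][j] for j in cols] for i in rows]
    return reduced, [row_names[i] for i in rows], [col_names[j] for j in cols]


def brown_robinson(a, iterations, first_row=0):
    """Fictitious play: each side answers the opponent's accumulated past choices with its best pure reply.
    history holds (k, min accumulated column sum, column chosen, max accumulated row sum, row chosen);
    the returned lower/upper bounds on the game value are those sums divided by the iteration count."""
    n, m = len(a), len(a[0])
    row_counts, col_counts = [0] * n, [0] * m
    col_acc, row_acc = [0] * m, [0] * n
    i, history = first_row, []
    for k in range(1, iterations + 1):
        row_counts[i] += 1
        for j in range(m):
            col_acc[j] += a[i][j]
        j = min(range(m), key=lambda c: col_acc[c])      # intruder: first minimum
        col_counts[j] += 1
        for r in range(n):
            row_acc[r] += a[r][j]
        i_next = max(range(n), key=lambda r: row_acc[r])  # administrator: first maximum
        history.append((k, col_acc[j], j, row_acc[i_next], i_next))
        i = i_next
    row_mix = [c / iterations for c in row_counts]
    col_mix = [c / iterations for c in col_counts]
    return history, row_mix, col_mix, min(col_acc) / iterations, max(row_acc) / iterations


if __name__ == "__main__":
    print("lower price, upper price, saddle point:", saddle_point(GAME))
    reduced, rows, cols = remove_dominated(GAME, ROWS, COLS)
    print("reduced game:", rows, "x", cols)
    history, row_mix, col_mix, lo, hi = brown_robinson(reduced, 200)
    for k, col_min, j, row_max, i in history[:2]:
        print(f"iteration {k}: min {col_min} at {cols[j]}; max {row_max} at {rows[i]}")
    print("administrator mix:", dict(zip(rows, row_mix)))
    print("intruder mix:", dict(zip(cols, col_mix)))
    print(f"game value bracketed between {lo:.1f} and {hi:.1f} UAH")
```
]]></preformat>
      <p>Running it reproduces the figures given in the text: lower price 4000, upper price 7500, removal of the spoofing and DDOS columns, and the first two iterations (3200 and 7500, then 10700 and 15000). The two bounds returned after k iterations bracket the game value from below and above, so their gap shows how far the iteration still is from the solution; for this 4x3 game the bracket is already 6210 to 6260 after ten iterations, around the exact value of about 6245.8 obtained by solving the 2x2 subgame of firewall and biometry against code injection and abuse of functionality.</p>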
      <p>The iteration results are summarized in Tables 6-7.</p>
    </sec>
    <sec>
      <title>3. Conclusions and prospects of further research</title>
      <p>The interests of the information security administrator and of the hacker regarding the computer assets
of the enterprise coincide: each wants to use them for their own activities. Therefore, to solve the problem of
choosing a protection system, methods of game theory are proposed. The study confirmed the feasibility
of using game theory to solve cyber security problems. Based on the proposed method, it is possible to
choose an information security system for the enterprise that takes into account the current landscape of
threats and the available budget.</p>
      <p>We intend to carry out investigations into the development of a corporate information
security system that has a specified security level. There are many international methods and standards for
determining the security of information systems, reflecting the interest of scientists and experts in this
problem. However, there is no generally accepted method of security evaluation. We believe this is due
to the rapid growth of cyber security as a new field of information technology. Our further
investigations will aim at generalizing the methods for determining the
information-communication system security level and at forming a universal methodology.</p>
    </sec>
    <sec id="sec-3">
      <title>4. References</title>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>[1] WASC Threat Classification v2.0, <year>2010</year>. http://projects.webappsec.org/f/WASC-TC-v2_0.pdf</mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>[2] 2019 Cyberthreat Defense Report, CyberEdge Group, <year>2019</year>. https://go.illusivenetworks.com/2019-cyberthreat-defense-report</mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>[3] <string-name><given-names>S.</given-names> <surname>Shiva</surname></string-name>, <string-name><given-names>S.</given-names> <surname>Roy</surname></string-name>, <string-name><given-names>D.</given-names> <surname>Dasgupta</surname></string-name>, “<article-title>Game theory for cyber security</article-title>”, <source>CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research</source>, <year>2010</year>, Article No. 34, pages 1-4.</mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>[4] <string-name><given-names>C. T.</given-names> <surname>Do</surname></string-name>, <string-name><given-names>N. H.</given-names> <surname>Tran</surname></string-name>, <string-name><given-names>C.</given-names> <surname>Hong</surname></string-name>, <string-name><given-names>C. A.</given-names> <surname>Kamhoua</surname></string-name>, <string-name><given-names>K. A.</given-names> <surname>Kwiat</surname></string-name>, <string-name><given-names>E.</given-names> <surname>Blasch</surname></string-name>, <string-name><given-names>S.</given-names> <surname>Ren</surname></string-name>, <string-name><given-names>N.</given-names> <surname>Pissinou</surname></string-name>, <string-name><given-names>S. S.</given-names> <surname>Iyengar</surname></string-name>, “<article-title>Game Theory for Cyber Security and Privacy</article-title>”, <source>ACM Computing Surveys (CSUR)</source>, <year>2017</year>, Article No. 30.</mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>[5] <string-name><given-names>V.</given-names> <surname>Glushak</surname></string-name>, <string-name><given-names>O.</given-names> <surname>Novikov</surname></string-name>, “<article-title>Synthesis of defence system's structure using positional game of defender and threat actor</article-title>”. <source>System investigation and information technologies</source>, <year>2013</year>, vol. II, p. <fpage>89</fpage>-<lpage>100</lpage> (in Ukrainian).</mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>[6] <string-name><given-names>I.</given-names> <surname>Dobrynin</surname></string-name>, <string-name><given-names>M.</given-names> <surname>Borova</surname></string-name>, “<article-title>Optimization of information defense system building in the circumstances of antagonistic game</article-title>”. <source>Weapons systems and military equipment</source>, <year>2018</year>, vol. II, p. <fpage>89</fpage>-<lpage>93</lpage> (in Ukrainian).</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>