Dynamic Information Flow Tracking for Detection of Advanced Persistent Threats: A Stochastic Game Approach
arXiv - CS - Computer Science and Game Theory. Pub Date: 2020-06-22, DOI: arxiv-2006.12327
Shana Moothedath, Dinuka Sahabandu, Joey Allen, Andrew Clark, Linda Bushnell, Wenke Lee, and Radha Poovendran

Advanced Persistent Threats (APTs) are stealthy, customized attacks by intelligent adversaries. This paper deals with the detection of APTs that infiltrate cyber systems and compromise specifically targeted data and/or infrastructure. Dynamic information flow tracking (DIFT) is an information-trace-based detection mechanism against APTs: it taints suspicious information flows in the system and triggers security analysis when tainted data are used without authorization. In this paper, we develop an analytical model for resource-efficient detection of APTs using an information flow tracking game. The game is a nonzero-sum, turn-based stochastic game with asymmetric information, since the defender cannot distinguish whether an incoming flow is malicious or benign and hence has only partial observation of the state. We analyze the equilibria of the game and prove that a Nash equilibrium is given by a solution to the minimum-capacity cut set problem on a flow network derived from the system, where the edge capacities are obtained from the cost of performing security analysis. Finally, we implement our algorithm on a real-world dataset for a data exfiltration attack, augmented with false-negative and false-positive rates, and compute an optimal defender strategy.
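The abstract's central result is that the defender's equilibrium strategy is a minimum-capacity cut of a flow network derived from the system, with capacities given by the cost of security analysis. The following is an added illustration, not code from the paper or its authors: the information-flow graph, the node names, the per-flow analysis costs, the choice of attacker entry points and target, and the super-source construction that joins all entry points into one s-t cut are all constructed assumptions. The paper's exact derivation of the flow network is not given on this page; the example only shows the min-cut step itself, computed with Edmonds-Karp max-flow and read off the final residual graph.

```python
"""Added example: pick the set of information flows a DIFT defender should
subject to security analysis by solving a minimum-capacity s-t cut.
All data below is constructed for illustration (assumption, not from the paper)."""
from collections import deque

# Constructed information-flow graph: node -> {neighbour: cost of performing
# security analysis on that flow}.  Entry points are where untrusted input is
# tainted; the target is the asset an APT would exfiltrate.  (Assumption.)
SYSTEM_FLOWS = {
    "net_socket": {"browser": 3, "mail_client": 2},
    "usb_mount": {"file_manager": 4},
    "browser": {"downloads_dir": 1, "shell": 5},
    "mail_client": {"downloads_dir": 2},
    "file_manager": {"shell": 3},
    "downloads_dir": {"shell": 2},
    "shell": {"db_dump": 6, "ssh_client": 1},
    "db_dump": {"customer_db": 2},
    "ssh_client": {"customer_db": 4},
}
ENTRY_POINTS = ["net_socket", "usb_mount"]
TARGET = "customer_db"
INF = float("inf")


def build_flow_network(flows, entries, target):
    """Add a super-source S joined to every entry point by an infinite-capacity
    edge, so that a single s-t cut must block every attacker entry at once."""
    cap = {u: dict(v) for u, v in flows.items()}
    cap["S"] = {e: INF for e in entries}
    for u in list(cap):
        for v in cap[u]:
            cap.setdefault(v, {})
    return cap, "S", target


def _bfs_path(residual, s, t):
    """Shortest augmenting path in the residual graph, as a parent map."""
    parent = {s: None}
    q = deque([s])
    while q:
        u = q.popleft()
        for v, c in residual[u].items():
            if c > 0 and v not in parent:
                parent[v] = u
                if v == t:
                    return parent
                q.append(v)
    return None


def min_cut(flows, entries, target):
    """Edmonds-Karp max-flow.  By max-flow/min-cut the saturated edges leaving
    the source side of the final residual graph form a minimum-capacity cut.
    Returns (total analysis cost, sorted list of flows to analyse)."""
    cap, s, t = build_flow_network(flows, entries, target)
    residual = {u: dict(v) for u, v in cap.items()}
    for u in cap:
        for v in cap[u]:
            residual[v].setdefault(u, 0)  # reverse edge for cancelling flow
    max_flow = 0
    while True:
        parent = _bfs_path(residual, s, t)
        if parent is None:
            break
        v, bottleneck = t, INF
        while parent[v] is not None:  # bottleneck along the path
            bottleneck = min(bottleneck, residual[parent[v]][v])
            v = parent[v]
        v = t
        while parent[v] is not None:  # push the flow
            u = parent[v]
            residual[u][v] -= bottleneck
            residual[v][u] += bottleneck
            v = u
        max_flow += bottleneck
    reach = {s}  # source side = nodes still reachable in the residual graph
    q = deque([s])
    while q:
        u = q.popleft()
        for v, c in residual[u].items():
            if c > 0 and v not in reach:
                reach.add(v)
                q.append(v)
    cut = sorted((u, v) for u in reach if u != s
                 for v in cap[u] if v not in reach)
    return max_flow, cut


def is_blocking(flows, entries, target, cut):
    """Sanity check: with the cut flows under analysis, no untainted path
    from any entry point reaches the target."""
    blocked = set(cut)
    seen, q = set(entries), deque(entries)
    while q:
        u = q.popleft()
        for v in flows.get(u, {}):
            if (u, v) not in blocked and v not in seen:
                seen.add(v)
                q.append(v)
    return target not in seen


if __name__ == "__main__":
    cost, cut = min_cut(SYSTEM_FLOWS, ENTRY_POINTS, TARGET)
    print("analysis cost:", cost, "flows to analyse:", cut)
    print("all exfiltration paths covered:", is_blocking(SYSTEM_FLOWS, ENTRY_POINTS, TARGET, cut))
```

On the constructed graph the cheapest place to analyse is not at the entry points (cost 9) nor at the two flows into customer_db (cost 6) but the pair shell→ssh_client and db_dump→customer_db (cost 3), which is what the cut returns; is_blocking confirms that every path from an entry point to the target crosses one of those two flows. Real systems would supply the graph from provenance or audit data and the costs from measured analysis overhead; both are placeholders here.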

Updated: 2020-06-23