基于博弈论对手建模的物联网SSH自适应蜜罐策略

doi:10.3969/j.issn.1671-1122.2023.11.005

摘要/Abstract

摘要：

物联网设备数量迅速增多使得针对物联网的攻击越来越多，网络安全人员急需使用主动防御技术将被动转化为主动。SSH（Secure Shell）蜜罐技术的引入让防御方能够捕获攻击者的交互信息，对物联网安全具有十分重要的意义。然而，传统蜜罐由于特征或行为模式固定，很容易被攻击者识别和利用。文章从博弈论的角度出发，建立蜜罐与攻击者的交互模型，并使用SAC（Soft Actor-Critic）算法进行求解，通过计算得到防御方的最佳响应策略。仿真结果表明，将强化学习与博弈论相结合的自适应蜜罐能够在多种场景下快速找出最优交互策略，并且加入策略网络的强化学习方法与攻击者的交互收益要优于仅基于价值网络的传统强化学习方法。

关键词: 物联网, 欺骗防御, 蜜罐, 强化学习, 博弈论

Abstract:

The proliferation of IoT devices has led to an increasing number of attacks against the Internet of things, it’s urgent for cybersecurity personnel to use proactive defense techniques to turn reactive defense into proactive defense. The introduction of SSH (secure shell) honeypot technology allows defenders to capture learn attackers’ interaction informationacting strategy, which is of great significance for IoT security. However, traditional honeypots are easily identified and exploited by attackers because of their fixed characteristics or behavioral patterns. From the perspective of game theory, this paper established an interaction model between honeypots and attackers, and we calculated the best response strategy of the defender by useing SAC (soft actor-critic) algorithm. Simulation results show that adaptive honeypot by combining reinforcement learning and game theory can quickly find the optimal interaction strategy in a variety of scenarios, and the reinforcement learning method added to the policy network is better than the traditional reinforcement learning method based on the value network alone.

Key words: Internet of things, deception defense, honeypot, reinforcement learning, game theory

中图分类号:

TP309

宋丽华, 张津威, 张少勇. 基于博弈论对手建模的物联网SSH自适应蜜罐策略[J]. 信息网络安全, 2023, 23(11): 38-47.

SONG Lihua, ZHANG Jinwei, ZHANG Shaoyong. An Adaptive IoT SSH Honeypot Strategy Based on Game Theory Opponent Modeling[J]. Netinfo Security, 2023, 23(11): 38-47.

图/表 12

图1

表1

表2

图2

图3

表3

图4

表4

图5

图6

图7

图8

参考文献 21

[1]	SPITZNER L. Honeypots: Tracking Hackers[M]. Boston: Addison Wesley, 2003.
[2]	LOGANADEN V, MARK D. Baushke. Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits[EB/OL]. (2017-12-01)[2023-05-30]. https://rfc-editor.org/rfc/rfc8270.txt.
[3]	METONGNON L, SADRE R. Prevalence of IoT Protocols in Telescope and Honeypot Measurements[EB/OL]. (2019-04-04)[2023-05-30]. https://dl.acm.org/doi/pdf/10.1145/3229598.3229604.
[4]	KRAWETZ N. Anti-Honeypot Technology[J]. IEEE Security & Privacy, 2004, 2(1): 76-79.
[5]	PAWLICK J, COLBERT E, ZHU Quanyan. A Game-Theoretic Taxonomy and Survey of Defensive Deception for Cybersecurity and Privacy[J]. ACM Computing Surveys (CSUR), 2019, 52(4): 1-28.
[6]	JIANG Yangyang, SONG Lihua, XING Changyou, et al. Belief Driven Attack and Defense Policy Optimization Mechanism in Honeypot Game[J]. Computer Science, 2022, 49(9): 333-339. doi: 10.11896/jsjkx.220400011
	姜洋洋, 宋丽华, 邢长友, 等. 蜜罐博弈中信念驱动的攻防策略优化机制[J]. 计算机科学, 2022, 49(9): 333-339. doi: 10.11896/jsjkx.220400011
[7]	KROER C, SANDHOLM T. Limited Lookahead in Imperfect-Information Games[EB/OL]. (2020-03-19)[2023-05-30]. https://arxiv.org/abs/1902.06335.
[8]	WAGENER G, STATE R, ENGEL T, et al. Adaptive and Self-Configurable Honeypots[C]// IEEE. 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops. New York: IEEE, 2011: 345-352.
[9]	HAYATLE O, OTROK H, YOUSSEF A. A Game Theoretic Investigation for High Interaction Honeypots[C]// IEEE. 2012 IEEE International Conference on Communications (ICC). New York: IEEE, 2012: 6662-6667.
[10]	PAWLICK J, COLBERT E, ZHU Quanyan. Modeling and Analysis of Leaky Deception Using Signaling Games with Evidence[J]. IEEE Transactions on Information Forensics and Security, 2018, 14(7): 1871-1886. doi: 10.1109/TIFS.10206 URL
[11]	WANG Juan, YANG Hongyuan, FAN Chengyang. A SDN Dynamic Honeypot with Multi-Phase Attack Response[J]. Netinfo Security, 2021, 21(1): 27-40.
	王鹃, 杨泓远, 樊成阳. 一种基于多阶段攻击响应的SDN动态蜜罐[J]. 信息网络安全, 2021, 21(1): 27-40.
[12]	PANDA S, RASS S, MOSCHOYIANNIS S, et al. HoneyCar: A Framework to Configure Honeypot Vulnerabilities on the Internet of Vehicles[J]. IEEE Access, 2022(10): 104671-104685.
[13]	WAGENER G, STATE R, DULAUNOY A, et al. Heliza: Talking Dirty to the Attackers[J]. Journal in Computer Virology, 2011(7): 221-232.
[14]	PAUNA A, BICA I. RASSH-Reinforced Adaptive SSH Honeypot[C]// IEEE. 2014 10th International Conference on Communications (COMM). New York: IEEE, 2014: 1-6.
[15]	PAUNA A, IACOB A, BICA I. A Self-Adaptive SSH Honeypot Driven by Q-Learning[C]// IEEE. International Conference on Communications. New York: IEEE, 2018: 417-422.
[16]	PAUNA A, BICA I, POP F, et al. On the Rewards of Self-Adaptive IoT Honeypots[J]. Annals of Telecommunications, 2019(74): 501-515.
[17]	TOUCH S, COLIN J N. A Comparison of an Adaptive Self-Guarded Honeypot with Conventional Honeypots[EB/OL]. (2022-05-19)[2023-05-30]. https://doi.org/10.3390/app12105224.
[18]	LOPEZ Y J S, FAGETTE A. Increasing Attacker Engagement on SSH Honeypots Using Semantic Embeddings of Cyber-Attack Patterns and Deep Reinforcement Learning[C]// IEEE. 2022 IEEE Symposium Series on Computational Intelligence (SSCI). New York: IEEE, 2022: 389-395.
[19]	SUTTON R S. On the Significance of Markov Decision Processes[C]// Springer. Artificial Neural Networks-ICANN’97: 7th International Conference Lausanne. Berlin: Springer, 1997: 273-282.
[20]	HAARNOJA T, ZHOU A, HARTIKAINEN K, et al. Soft Actor-Critic Algorithms and Applications[EB/OL]. (2018-12-13)[2023-05-30]. https://arxiv.org/abs/1812.05905.
[21]	HESSEL M, MODAYIL J, HASSELT H V, et al. Rainbow: Combining Improvements in Deep Reinforcement Learning[EB/OL]. (2017-10-06)[2023-05-30]. https://arxiv.org/abs/1710.02298.

符号	含义
${{\mu }_{1}}$	攻击者以先验概率${{\mu }_{1}}$认为所攻击的系统是蜜罐，与防御者部署的蜜罐数量有关
${{\mu }_{i}}$	在每轮博弈开始时，攻击者以${{\mu }_{i}}$的概率认为访问的系统是蜜罐，$i$表示当前博弈轮次
${{l}_{h}}$	当攻击者访问的系统是蜜罐时，执行high动作，被蜜罐捕获后所造成的损失
${{l}_{l}}$	当攻击者访问的系统是蜜罐时，执行low动作，被蜜罐捕获后所造成的损失
${{r}_{t}}$	当攻击者访问的系统是蜜罐时，执行test，蜜罐选择block时，攻击者所得到的收益
${{r}_{h}}$	当攻击者访问的系统是物联网生产系统时，攻击者执行high 动作成功时所得到的收益
${{r}_{l}}$	当攻击者访问的系统是物联网生产系统时，攻击者执行low 动作成功时所得到的收益
${{c}_{t}}$	攻击者选择test动作所需要的攻击成本
${{c}_{h}}$	攻击者选择high动作所需要的攻击成本
${{c}_{l}}$	攻击者选择low动作所需要的攻击成本
${{p}_{t}}$	攻击者以概率${{p}_{t}}$选择执行test动作
${{p}_{h}}$	攻击者以概率${{p}_{h}}$选择执行high动作
${{p}_{l}}$	攻击者以概率${{p}_{l}}$选择执行low动作
${{o}_{t}}$	当攻击者选择test动作时，蜜罐系统执行allow动作需要付出的成本
${{o}_{h}}$	当攻击者选择high动作时，蜜罐系统执行allow动作需要付出的成本
${{o}_{l}}$	当攻击者选择low动作时，蜜罐系统执行allow动作需要付出的成本
${{q}_{t}}$	真实物联网生产系统允许执行命令的概率，本文为0.9
${{U}_{a}}$	攻击者的期望收益
${{U}_{d}}$	防御方的期望收益

动作	high	low	test
allow	${{l}_{h}}-{{o}_{h}}$	${{l}_{l}}-{{o}_{l}}$	$-{{o}_{t}}$
block	${{l}_{h}}$	${{l}_{l}}$	${{r}_{t}}$

${{r}_{h}}=6$	${{o}_{h}}=3$	${{c}_{h}}=3$	${{l}_{h}}=3$	${{d}_{h}}=6$
${{r}_{l}}=3$	${{o}_{l}}=2$	${{c}_{l}}=1$	${{l}_{l}}=1$	${{d}_{l}}=3$
${{r}_{t}}=2$	${{o}_{t}}=1$	${{c}_{t}}=0.5$	—	—

信念值	策略	平均值	信念值	策略	平均值
0.1	GAME	6.77	0.3	GAME	3.11
	Rainbow	5.93		Rainbow	2.21
	cowrie	5.43		cowrie	2.40
	物理蜜罐	-8.18		物理蜜罐	-3.57
	低交互蜜罐	6.48		低交互蜜罐	2.88
0.5	GAME	-0.58	0.7	GAME	-1.39
	Rainbow	-1.30		Rainbow	-1.39
	cowrie	-0.79		cowrie	-1.44
	物理蜜罐	-2.36		物理蜜罐	-1.58
	低交互蜜罐	-3.26		低交互蜜罐	-2.58