Inducement Game Model of Data-Stealing Trojan Based on Stochastic Game Nets

doi:10.3969/j.issn.1671-1122.2024.08.010

Abstract

Abstract:

To achieve the long-term goal of information theft, data-stealing Trojans typically employ the trigger execution strategy, providing high concealment and uncertainty in the execution of their malicious actions. The mainstream defense model against data-stealing Trojans adopts a passive defense strategy that involves monitoring and detecting the behavior of these Trojans, but is prone to omissions and delayed detection. To improve the defense effectiveness, this paper introduced the concept of inducement operation to construct an inducement-based defense strategy targeting data-stealing Trojans. Using stochastic game nets, this paper modeled and analyzed the confrontation process between the data-stealing Trojans and defenders, resulting in the development of the Inducement Game Model of Data-Stealing Trojan (IGMDT-SGN). IGMDT-SGN provides a clear illustration of the strategic logic and temporal dynamics of employing the inducement defense strategy against these Trojans. Quantitative analysis conducted through model calculations shows that the inducement defense strategy, as presented in IGMDT-SGN, outperforms the passive defense strategy in terms of defense success rate and average defense time. This finding provides useful guidance for defending against data-stealing Trojans.

Key words: data-stealing Trojan, game model, inducement operation, stochastic game nets

CLC Number:

TP309

GUO Yuzheng, GUO Chun, CUI Yunhe, LI Xianchao. Inducement Game Model of Data-Stealing Trojan Based on Stochastic Game Nets[J]. Netinfo Security, 2024, 24(8): 1241-1251.

Figures/Tables 18

References 26

[1]	WOODHAMS S. Spyware: An Unregulated and Escalating Threat to Independent Media[M]. Washington: Center for International Media Assistance, 2021.
[2]	MARCZAK B, SCOTT-RAILTON J, BERDAN K, et al. Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus[R]. Toronto: University of Toronto, Citizen Lab Research Report No. 139, 2021.
[3]	MALWAREBYTE. 2022 Threat Review[EB/OL]. (2023-01-28)[2024-04-23]. https://www.malwarebytes.com/wp-content/uploads/sites/2/2023/08/mwb_threatreview_2022_ss_v1.pdf.
[4]	ALSMADI T, ALQUDAH N. A Survey on Malware Detection Techniques[C]// IEEE. 2021 International Conference on Information Technology (ICIT). New York: IEEE, 2021: 371-376.
[5]	MANIRIHO P, MAHMOOD A N, CHOWDHURY M J M. A Study on Malicious Software Behaviour Analysis and Detection Techniques: Taxonomy, Current Trends and Challenges[J]. Future Generation Computer Systems, 2022, 130: 1-18.
[6]	MAO Ting, CHE Shengbing, DENG Wei. Research on the Hidden Technology of Troy Trojan-Horse[C]// Atlantis Press. 2017 2nd International Conference on Modelling, Simulation and Applied Mathematics (MSAM2017). Paris: Atlantis Press, 2017: 304-307.
[7]	YANG Runqing, CHEN Xutong, XU Haitao, et al. RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(3): 1621-1638.
[8]	JAVAHERI D, HOSSEINZADEH M, RAHMANI A M. Detection and Elimination of Spyware and Ransomware by Intercepting Kernel-Level System Routines[J]. IEEE Access, 2018, 6: 78321-78332.
[9]	LYSENKO S, BOBROVNIKOVA K, POPOV P T, et al. Spyware Detection Technique Based on Reinforcement Learning[C]// RWTH Aachen University. CEUR Workshop Proceedings. Aachen: RWTH Aachen University. 2020: 307-316.
[10]	HU Guangjun, ZHU Ping. Research on Trojan Detection Strategy Based on Dynamic Game[C]// China Computer Federation Computer Security Professional Committee. Proceedings of the National Computer Security Academic Exchange Conference (Volume 24). China University of Science and Technology Press, 2009: 357-360.
	胡光俊, 朱平. 基于动态博弈的木马检测策略研究[C]// 中国计算机学会计算机安全专业委员会.全国计算机安全学术交流会论文集(第二十四卷).中国科学技术大学出版社, 2009: 357-360.
[11]	GAO He, WANG Yuanzhuo, WANG Li, et al. Trojan Characteristics Analysis Based on Stochastic Petri Nets[C]// IEEE. Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics. New York: IEEE, 2011: 213-215.
[12]	FAN Lejun, WANG Yuanzhuo, CHENG Xueqi, et al. Privacy Theft Malware Multi-Process Collaboration Analysis[J]. Security and Communication Networks, 2015, 8(1): 51-67.
[13]	YU Min, LIU Chao, QIU Xinliang, et al. Modeling and Analysis of Information Theft Trojan Based on Stochastic Game Nets[C]// IEEE. 2015 2nd International Conference on Information Science and Control Engineering. New York: IEEE, 2015: 318-322.
[14]	YAN Qing, SONG Lipeng. Modelling and Control of Trojan Propagation via Online Game Accelerators[J]. Mathematical Problems in Engineering, 2021, 2021(10): 1-10.
[15]	PENG Jiaxin, GUO Chun, PING Yuan, et al. SNDMI: Spyware Network Traffic Detection Method Based on Inducement Operations[EB/OL]. (2024-03-13)[2024-04-23]. https://www.sciencedirect.com/science/article/abs/pii/S016740482400107X?via%3Dihub.
[16]	MI Yan, ZHANG Hengwei, HU Hao, et al. Optimal Network Defense Strategy Selection Method: A Stochastic Differential Game Model[EB/OL]. (2021-08-24)[2024-04-23]. https://www.xueshufan.com/publication/3195737479.
[17]	WANG Yuanzhuo, LIN Chuang, CHENG Xueqi, et al. Analysis for Network Attack-Defense Based on Stochastic Game Model[J]. Chinese Journal of Computers, 2010, 33(9): 1748-1762.
	王元卓, 林闯, 程学旗, 等. 基于随机博弈模型的网络攻防量化分析方法[J]. 计算机学报, 2010, 33(9): 1748-1762.
[18]	NOURREDINE O, MENOUAR B, CAMPO E, et al. A New Generalized Stochastic Petri Net Modeling for Energy-Harvesting-Wireless Sensor Network Assessment[J]. International Journal of Communication Systems, 2023, 36(11): 1-25.
[19]	LIU Shuanglei, LI Weijun, GAO Peng, et al. Modeling and Performance Analysis of Gas Leakage Emergency Disposal Process in Gas Transmission Station Based on Stochastic Petri Nets[EB/OL]. (2022-07-02)[2024-04-23]. https://www.sciencedirect.com/science/article/abs/pii/S0951832022003337?via%3Dihub.
[20]	WU Zenan, TIAN Liqin, CHEN Nan. Research on Quantitative Analysis of System Security Based on Stochastic Petri Net[J]. Netinfo Security, 2020, 20(9): 27-31.
	毋泽南, 田立勤, 陈楠. 基于随机Petri网的系统安全性量化分析研究[J]. 信息网络安全, 2020, 20(9): 27-31.
[21]	HO E, RAJAGOPALAN A, SKVORTSOV A, et al. Game Theory in Defence Applications: A Review[EB/OL]. (2022-01-28)[2024-04-23]. tps://www.xueshufan.com/publication/3210652180.
[22]	ZIMMERMANN A. Modeling and Evaluation of Stochastic Petri Nets with TimeNET 4.1[C]// IEEE. Proceedings of the 6th International Conference on Performance Evaluation Methodologies and Tools. New York: IEEE, 2012: 54-63.
[23]	ZIMMERMANN A. Modelling and Performance Evaluation with TimeNET 4.4[C]// Springer. International Conference on Quantitative Evaluation of Systems. Heidelberg: Springer, 2017: 300-303.
[24]	SUN Xiaoyun, YU Zhenhua, GAO Hongxia, et al. Trustworthiness Analysis and Evaluation for Command and Control Cyber-Physical Systems Using Generalized Stochastic Petri Nets[EB/OL]. (2023-04-23)[2024-04-23]. https://www.sciencedirect.com/science/article/abs/pii/S002002552300511X?via%3Dihub#preview-section-cited-by.
[25]	CHEN Xiaohui, HAO Zhiyu, LI Lun, et al. CruParamer: Learning on Parameter-Augmented API Sequences for Malware Detection[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 788-803.
[26]	LI Ce, LYU Qiujian, LI Ning, et al. A Novel Deep Framework for Dynamic Malware Detection Based on API Sequence Intrinsic Features[EB/OL]. (2022-03-08)[2024-04-23]. https://www.sciencedirect.com/science/article/abs/pii/S0167404822000840.

参与者	序号	行为描述
窃密木马	$t_{a}^{1}$	木马自启动
	$t_{a}^{2}$	探测特定的用户行为或信息
	$t_{a}^{3}$	记录信息并写入日志
	$t_{a}^{4}$	发送日志
防御方	$t_{d}^{1}$	监测软件运行行为
	$t_{d}^{2}$	监测系统对软件行为进行记录
	$t_{d}^{3}$	判别木马行为
	$t_{d}^{4}$	执行诱导操作
	$t_{d}^{5}$	终止木马运行

位置	含义	变迁	含义
P₀	正常系统	T₀	木马启动
P₁	木马运行	T₁	木马探测特定的用户行为和信息
P₂	木马等待信息	T₂	木马将所记录信息写入日志
P₃	木马记录信息	T₃	木马发送日志
P₄	木马进行网络通信	T₄	木马探测特定的用户行为和信息
P₅	防御方开始防御	T₅	木马探测特定的用户行为和信息
P₆	监测木马运行行为	T₆	木马探测特定的用户行为和信息
P₇	软件行为待判别	T₇	监测软件运行行为
P₈	软件行为待判别	T₈	监测系统对软件行为进行记录
P₉	判别结果	T₉	监测系统对软件行为进行记录
P₁₀	判别结果	T₁₀	判别木马行为
P₁₁	未判别出木马行为	T₁₁	判别木马行为
P₁₂	未判别出木马行为	T₁₂	监测软件运行行为
P₁₃	判别出木马行为	T₁₃	监测软件运行行为
P₁₄	木马行为被诱发	T₁₄	终止木马运行
P₁₅	软件行为待判别	T₁₅	执行诱导操作
P₁₆	判别结果	T₁₆	监测系统对软件行为进行记录
P₁₇	未判别出木马行为	T₁₇	判别木马行为
-	-	T₁₈	监测软件运行行为

参与者	序号	行为描述	λ	π
窃密木马	$t_{a}^{1}$	木马自启动	1	1
	$t_{a}^{2}$	探测特定的用户行为和信息	3	0.5785
	$t_{a}^{3}$	记录信息并写入日志	1.5	0.2479
	$t_{a}^{4}$	发送日志	0.5	0.1736
防御方	$t_{d}^{1}$	监测软件运行行为	2	1
	$t_{d}^{2}$	监测系统对软件行为进行记录	0.8	0.3077
	$t_{d}^{3}$	判别木马行为	1	1
	$t_{d}^{4}$	执行诱导操作	0.5	0.6923
	$t_{d}^{5}$	终止木马运行	2	1

时间/s 模型	5	10	15	20	25	30	35	40	45	50
PGMDT-SGN	0.049	0.182	0.302	0.405	0.493	0.567	0.631	0.685	0.732	0.771
IGMDT-SGN	0.133	0.537	0.795	0.914	0.965	0.986	0.994	0.998	0.999	1

模型	最大值	最小值	平均值
PGMDT-SGN	0.771	0.049	0.490
IGMDT-SGN	1	0.133	0.864