Game-theoretic decision support for cyber forensic investigations

Nisioti, Antonia, Loukas, George (ORCID: https://orcid.org/0000-0003-3559-5182), Rass, Stefan and Panaousis, Emmanouil (ORCID: https://orcid.org/0000-0001-7306-4062) (2021) Game-theoretic decision support for cyber forensic investigations. Sensors, 21 (16):5300. ISSN 1424-8220 (doi:10.3390/s21165300)

PDF (Open Access Article): 33601_PANAOUSIS_Game_theoretic_decision_support_for_cyber_forensic_investigations.pdf - Published Version (355kB)
Available under License Creative Commons Attribution.

Abstract

The use of anti-forensic techniques is a very common practice that stealthy adversaries may deploy to minimise their traces and make the investigation of an incident harder by evading detection and attribution. In this paper, we study the interaction between a cyber forensic Investigator and a strategic Attacker using a game-theoretic framework. This is based on a Bayesian game of incomplete information played on a multi-host cyber forensics investigation graph of actions traversed by both players. The edges of the graph represent players' actions across different hosts in a network. In alignment with the concept of Bayesian games, we define two Attacker types to represent their ability to deploy anti-forensic techniques to conceal their activities. In this way, our model allows the Investigator to identify her optimal investigating policy taking into consideration the cost and impact of the available actions, while coping with the uncertainty of the Attacker's type and strategic decisions. To evaluate our model, we construct a realistic case study based on threat reports and data extracted from the MITRE ATT&CK STIX repository, Common Vulnerability Scoring System (CVSS), and interviews with cyber-security practitioners. We use the case study to compare the performance of the proposed method against two other investigative methods and three different types of Attackers.
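The Bayesian-game mechanism the abstract describes can be illustrated with a deliberately small model. The Python below is an added example, not code from the paper or its authors: it builds a single-host, one-stage version in which the Investigator commits to one action without knowing whether the Attacker is of a "naive" or an "anti_forensic" type, each type's Attacker picks the action that hurts the Investigator most, and the Investigator maximises the prior-weighted worst case. The action names, costs, detection probabilities and the prior are all constructed values chosen for illustration; the paper's multi-host investigation graph, its payoff structure and its evaluation are not reproduced here.

```python
"""Toy single-stage Bayesian investigation game (constructed illustration).

Investigator payoff = IMPACT * P(detect | investigator action, attacker action) - cost.
The Attacker's type fixes which actions are available to them; the Investigator
only knows a prior over types. Every number below is a made-up value.
"""

IMPACT = 20.0  # assumed value of successfully attributing the incident

# Investigator actions and their assumed costs (e.g. hours of analyst effort)
COST = {"log_review": 2.0, "memory_capture": 4.0, "disk_image": 6.0}

# Attacker actions available to each type: only the anti-forensic type can wipe
# logs or operate file-less; the naive type always leaves ordinary traces.
TYPE_ACTIONS = {
    "naive": ["leave_traces"],
    "anti_forensic": ["leave_traces", "wipe_logs", "fileless"],
}

# Assumed probability that an investigator action detects the attacker's action
DETECT = {
    "leave_traces": {"log_review": 0.8, "memory_capture": 0.7, "disk_image": 0.9},
    "wipe_logs":    {"log_review": 0.1, "memory_capture": 0.6, "disk_image": 0.7},
    "fileless":     {"log_review": 0.3, "memory_capture": 0.8, "disk_image": 0.2},
}

# Investigator's prior belief about the attacker type (sums to 1)
PRIOR = {"naive": 0.6, "anti_forensic": 0.4}


def utility(inv_action, att_action):
    """Investigator's payoff for one (investigator action, attacker action) pair."""
    return IMPACT * DETECT[att_action][inv_action] - COST[inv_action]


def worst_case_value(inv_action, att_type):
    """Value of inv_action against an attacker of att_type who best-responds by
    choosing the action that minimises the Investigator's payoff (zero-sum)."""
    return min(utility(inv_action, a) for a in TYPE_ACTIONS[att_type])


def best_response_known_type(att_type):
    """What the Investigator would do if the type were revealed: (action, value)."""
    best = max(COST, key=lambda a: worst_case_value(a, att_type))
    return best, worst_case_value(best, att_type)


def expected_value(inv_action, prior=PRIOR):
    """Prior-weighted worst-case value of committing to inv_action."""
    return sum(p * worst_case_value(inv_action, t) for t, p in prior.items())


def best_action_under_uncertainty(prior=PRIOR):
    """Bayesian choice: the action maximising expected worst-case value."""
    best = max(COST, key=lambda a: expected_value(a, prior))
    return best, expected_value(best, prior)


def value_of_type_information(prior=PRIOR):
    """How much the Investigator would gain from learning the attacker type first."""
    with_info = sum(p * best_response_known_type(t)[1] for t, p in prior.items())
    return with_info - best_action_under_uncertainty(prior)[1]


if __name__ == "__main__":
    for t in PRIOR:
        print(f"type={t:14s} best action if type known: {best_response_known_type(t)}")
    print("best action under uncertainty:", best_action_under_uncertainty())
    print(f"value of learning the type: {value_of_type_information():.2f}")
```

With these constructed numbers the Investigator would choose log_review against a known naive Attacker and memory_capture against a known anti-forensic one, but under the prior the Bayesian choice is memory_capture: the mere possibility of an anti-forensic opponent shifts the policy away from the cheap action, which is the effect of type uncertainty the abstract refers to. The gap between the informed and uninformed values (the value of type information) is a useful number for deciding whether a cheap preliminary triage step that narrows the type is worth its cost.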

Item Type: Article
Uncontrolled Keywords: cyber forensics; digital forensics; game theory; bayesian game; multi-stage attacks; decision support; optimisation
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Q Science > QA Mathematics > QA76 Computer software
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science
Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Last Modified: 23 May 2022 10:24
URI: http://gala.gre.ac.uk/id/eprint/33601
