A GAME THEORETICAL APPROACH TO NETWORK SECURITY

Abstract - This paper studies the network security problem from the perspective of game theory. The paper specifically studies the eavesdropping network intrusion type in which the goal for the intruder is to obtain as much data as possible. The situation is then modeled as a two-person zero-sum game. The payoff of both sides of the game is quantified and the game situations are obtained by analyzing network security states. In addition to the general definition of the problem as a game theoretical model, a simplified specific scenario is modeled, quantified and analyzed.

1 - Introduction

Improvements in internet and World Wide Web technologies have allowed new and inspiring methods for gathering and distribution of information, as well as new facilities in establishing communication for people to utilize. As the ease of use of these services is in a never ending increase mode, our everyday chores became more and more dependent on these technologies. This dependency, as a result, brought the need for security of information in providing these services.

Game theory is a very useful tool which helps answer the question "What is the best way to play a game?" in strategy games.

A network security problem does not only depend on the tools, strategies, etc. available to the defender, but it is also highly affected by the actions taken and/or tools used by the adversary. Therefore the network security problem can easily be modeled by using game theory. Application of game theory to network security has recently been studied by many researchers and it still is a promising research area. This paper studies the network security problem based on a game theory model in a way that has not received enough attention.

2 - Related Work

Game theoretical approaches to the network security problem are mainly focusing on the network administration level. This paper studies a network security problem which is related to lower levels of the network; namely, this paper will use a game theory approach to study the eavesdropping attack, in which the goal of the adversary is to gather as much information as possible from an information distribution connection between an information/service provider and a client. The client is assumed to be passive when network security is the problem. Therefore the game consists of two players, the service provider (the defender) and the adversary (the attacker): a two person game.

We will study the possibility of applying game theory to the network security problem by trying to identify the game for the general case, and study a smaller case with specific strategies and choices to analyze the effectiveness of game theory in studying network security.
3 - The Game

We define the game to be the collection of choices, actions and pay-offs between the two players in this game, attacker and defender. Of course this is a simplification of the general problem; a network can be attacked by more than one attacker at any given time. The scenario of the game is as follows.

The defender has established a multimedia connection with a client, and is sending a video stream. The client is not a part of the game, as the client is not expected to cooperate with, or react to, other players. The defender's goal is to keep this connection as safe as possible; so, the goal is to allow the attacker to capture the minimum amount of data from the stream. Any given part of the stream is equally important. The defender uses active probing to detect intrusion.

The attacker is trying to capture as much of the stream as possible by intercepting the stream. We assume that the attacker does not have full information of the network, especially the routes available from source to destination. The attacker chooses routers to attack at random with equal probability.
In general the game is defined as

$G = \{\Omega, S, U\}$ (1)

$\Omega = \{A, D\}$ is the set of players, A = attacker, D = defender.

$S_A = \{S_1^A, S_2^A, \dots, S_n^A\}$ is the set of strategies available to the attacker, and $S_D$ is the set of strategies of the defender likewise.

$U_A = \{U_1^A, U_2^A, \dots, U_n^A\}$ is the utility of the attacker, $U_n^A$ being the utility for strategy n.

3.1 Attack and Defense Classification

For the attacker's goal, only the types of attack that allow data capturing are useful. Table I summarizes the attacker's strategies.

Table I - Attacker's strategies

Strategy Tool                  Explanation
Type of Attack                 Attacker can choose any type of attack (infecting routers to forward everything to the attacker, exploiting vulnerabilities to confuse routers into forwarding every packet to every destination, etc.)
Number of targets at a time    Attacker may choose to attack one or more targets.

As a result of such strategies, the attacker's success probability, time to success, etc. will be affected.

The defender has the goal to keep data as safe as possible. Table II summarizes the defender's available strategies to minimize the risk.

Table II - Defender's strategies

Strategy Tool      Explanation
Type of Defense    Defender may choose to defend by using active probes, or switching the route periodically or non-periodically (route dependent), or use a mix of the first two.
Time               Time for the defender refers to the time between probes or the time between switching routes.
Route              Choosing which route to use for the transfer.
Probe              Defender may choose probing in a sequential order or may use other intelligent techniques.
Identification     Defender may choose to act upon intrusion detection or try to identify the attacker.

It is possible to have more possible strategies for both players, but for simplicity Tables I and II will suffice for now.
3.2 Utilities

Utility in general can be defined as U = G – C, where G is the gain and C is the cost. But, because the relative values of gain and cost are subjective, we will utilize another function for utility.

Definition 1: The utility of the defender is the quality of session security. The defender's goal is to minimize the amount of data the attacker captures, which is equivalent to maximizing the safe time for the session, and the defender uses probes to achieve this. Therefore the utility function is defined as follows,

$U_D$ = [Time in seconds the system is safe – Time in seconds the system is unsafe] per probes per second (2)

Since the goal for the attacker is the opposite, we can choose between two possible utilities for the attacker, both of which will have the same effect on the game. Therefore we will choose the attacker's utility as follows,

$U_A = -U_D$ (3)

This choice makes the game a two-person zero-sum game. In addition to that, our game is also a game of imperfect information (as players have no information on each other's moves), and simultaneous (players do not wait for the other player to make their moves).
3.3 Solution of the Game

According to the existence principle of Nash Equilibrium Theory, a game has at least one mixed strategy Nash equilibrium if the game is a finite game. Given such an attack-defense game, let the probability distributions of the attacker and the defender be $p_A = \{p_1^A, \dots, p_r^A\}$ and $p_D = \{p_1^D, \dots, p_k^D\}$ respectively for their strategies $S_A = \{S_1^A, \dots, S_r^A\}$ and $S_D = \{S_1^D, \dots, S_k^D\}$, where the $p_i$'s are probabilities and $\sum_i p_i = 1$ for both attacker and defender. Then the mixed strategy Nash equilibrium can be found by solving the following equations.

$$V_A(p_A, p_D) = \sum_{m=1}^{r} \sum_{n=1}^{k} p_m^A \, p_n^D \, U_A(S_m^A, S_n^D)$$

and

$$V_D(p_A, p_D) = \sum_{m=1}^{r} \sum_{n=1}^{k} p_m^A \, p_n^D \, U_D(S_m^A, S_n^D).$$

Then $(p_A^*, p_D^*)$ is a Nash equilibrium if for all $p_A$: $V_A(p_A^*, p_D^*) \ge V_A(p_A, p_D^*)$, and for all $p_D$: $V_D(p_A^*, p_D^*) \ge V_D(p_A^*, p_D)$.
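As an added example (not part of the paper), the expected payoffs $V_A$, $V_D$ and the equilibrium condition of section 3.3 can be evaluated directly for a finite zero-sum game. The payoff matrix below is constructed for illustration; its rows stand for two attacker strategies of Table I and its columns for two defender strategies of Table II, and the 2x2 closed form is the standard indifference solution, which the paper does not spell out.

```python
from typing import List, Tuple

Matrix = List[List[float]]


def expected_payoff(p_a: List[float], p_d: List[float], u_a: Matrix) -> float:
    """V_A(p_A, p_D) = sum_m sum_n p_m^A p_n^D U_A(S_m^A, S_n^D); V_D is simply -V_A (eq. 3)."""
    return sum(pm * pn * u_a[m][n] for m, pm in enumerate(p_a) for n, pn in enumerate(p_d))


def is_nash_equilibrium(p_a: List[float], p_d: List[float], u_a: Matrix, tol: float = 1e-9) -> bool:
    """Checks V_A(p_A*, p_D*) >= V_A(p_A, p_D*) for every p_A and the mirrored condition for D.

    V_A is linear in the deviating player's mixture, so testing every pure strategy as the
    deviation is sufficient.  D maximises V_D = -V_A, i.e. D must not be able to lower V_A.
    """
    r, k = len(u_a), len(u_a[0])
    v = expected_payoff(p_a, p_d, u_a)
    for m in range(r):
        pure_row = [1.0 if i == m else 0.0 for i in range(r)]
        if expected_payoff(pure_row, p_d, u_a) > v + tol:
            return False  # attacker gains by deviating
    for n in range(k):
        pure_col = [1.0 if j == n else 0.0 for j in range(k)]
        if expected_payoff(p_a, pure_col, u_a) < v - tol:
            return False  # defender gains by deviating
    return True


def solve_2x2_zero_sum(u_a: Matrix) -> Tuple[List[float], List[float], float]:
    """Mixed equilibrium of a 2x2 zero-sum game without a saddle point: each player mixes so
    that the opponent is indifferent between its two pure strategies.  Returns (p_A, p_D, V_A)."""
    (a, b), (c, d) = u_a
    denom = a - b - c + d
    if denom == 0:
        raise ValueError("degenerate matrix: solve by dominance, not by this formula")
    p = (d - c) / denom  # attacker's weight on S_1^A
    q = (d - b) / denom  # defender's weight on S_1^D
    if not (0.0 <= p <= 1.0 and 0.0 <= q <= 1.0):
        raise ValueError("saddle point exists: a pure-strategy equilibrium applies")
    p_a, p_d = [p, 1.0 - p], [q, 1.0 - q]
    return p_a, p_d, expected_payoff(p_a, p_d, u_a)


# Constructed U_A: rows = attacker (one target / several targets), columns = defender
# (probing / route switching).  Values are illustrative, not measured.
U_A_EXAMPLE: Matrix = [[3.0, -1.0], [-2.0, 4.0]]

if __name__ == "__main__":
    p_a, p_d, v = solve_2x2_zero_sum(U_A_EXAMPLE)
    print(f"p_A* = {p_a}, p_D* = {p_d}, V_A = {v:.3f}, V_D = {-v:.3f}")
    print("equilibrium check:", is_nash_equilibrium(p_a, p_d, U_A_EXAMPLE))
```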
4 – Sample Scenario

Our goal in this paper is to show that game theory can be used to solve security problems in a computer network even at the network layer. In order to study a game theoretical solution to the problem, we will introduce a much simpler version of the game. In the rest of this paper, we will mainly study the strategy of choosing the time intervals between probes for the defender, and also the effect of the probability of attack for the attacker. Here, the probability of attack should not be considered as a strategy choice for the attacker; we are rather investigating the effect of the assumed attack probability for the defender. Such a probability is nothing but an assumption for the defender, as this is a game of imperfect information.

4.1 Probes

We propose a very simple active probing technique for the defender to detect intrusions in this scenario. The probe used by the defender in this game is a special packet that resembles a regular data packet; in this case it is a packet that looks like a video packet. As the attacker attacks routers (making the router forward everything to the attacker, or forward everything to every destination), it basically has the router duplicate everything. In order to detect this duplication, the probe is designed to die before reaching the destination. This is done by giving specific values to the TTL of the packet. The goal of using the TTL is to create an ICMP Time Exceeded (ICMP-TE) message at the router where the packet is destroyed. Therefore, if the packet is duplicated before being purged, the defender will receive more than one copy of the ICMP-TE, thus detecting the intrusion. This probe will work just as well if the attacker is having the router forward everything to it without duplication, because the router that creates the ICMP-TE will add its address to the packet, therefore allowing the defender to detect that the packets are out of the route. Of course, for this to be possible, the defender must enforce a specific route at any given time. We are also assuming for this scenario that the defender is using a very simple search: probe the routers in the route starting from the first to the last, and repeat this periodically.

4.2 Assumptions and Definitions

We have the following assumptions for the scenario:

- Defender is using probe detection with periodic probing.
- Defender is probing sequentially.
- Defender switches routes upon detection and does not try to identify the attacker.
- Attacker is only attacking one node at a time.

Definitions:

$R_i$ = Route i
$N_j$ = Node j
$M_i$ = Time between probes for route i
$P$ = Probability of attack
$T_i^d$ = Average time to detect an attack on route i
$T_s$ = Average time for successful attack
$T_j^a$ = Time to attack node j (with success or fail)
$A_j$ = Average time it takes to successfully break into node j

4.3 Calculating the Utility

In order to calculate the utility function as described in section 3.2, we need to make the following calculations. Let P be the probability that a single malicious packet is successful in breaking into the router; then

$$P\{\text{breaking into a node in the } j\text{th attempt}\} = (1-P)^{j-1} P$$

Expected number of attacks required to break into a node:

$$A = \sum_{j} j \, (1-P)^{j-1} P = 1/P$$

Therefore,

$$A_j = T_j^a / P$$

Suppose there are N nodes in total and r nodes in a route, and the attacker is choosing any node to attack with equal probability. To find the expected number of nodes attacked until the route is found, let X be the number of nodes attacked until the route is successfully compromised. To find E[X], let

$B_i$ = 1 if the i-th node out of the route is selected before any node in the route, and 0 otherwise.

Then $X - 1 = \sum_{i=1}^{N-r} B_i$ and $E[B_i] = 1/(r+1)$. Therefore,

$$E[X-1] = \sum_{i=1}^{N-r} \frac{1}{r+1} = \frac{N-r}{r+1}$$

$$E[X] = E[X-1] + 1 = \frac{N-r}{r+1} + 1 = \frac{N+1}{r+1}$$

Then,

$$T_s = E[X] \cdot \frac{T_j^a}{P} = \frac{(N+1) \, T_j^a}{(r+1) \, P} \quad (4)$$

Then, for detection, there are r nodes in the route; the probability of a node being the compromised one, given that one of them is compromised, is 1/r (i.e. the attacker is choosing nodes with equal probability). Neglecting differences in distances between nodes, if the time to detect an attack on the first node is t, then the second is 2t, the third is 3t, ... Then,

$$T_i^d = \sum_{k=1}^{r} k t \cdot \frac{1}{r} = \frac{r (r+1) \, t}{2r} = \frac{(r+1) \, t}{2} \quad (5)$$

where t is $M_i$ + (transmission and propagation time).

By using (4) and (5), the utility function of the defender is

$$U_D = [T_s - T_i^d] \cdot M_i \quad (6)$$

5 Analysis

In this section we will analyze the utility function. First of all, the most important factor in our scenario is the time between probes, $M_i$, because it is the only tool for the defender to detect intrusion. Of course this is true for the scenario chosen and because of the simplifications to the general problem.

Figure 1 – Utility of the defender versus the interarrival time of probes (network of 50 nodes, 10 intermediate nodes per route)

Figure 1 depicts the relationship between the interarrival time of probes and the utility of the defender with everything else fixed. The best utility for the defender is 260 and is achieved at 69 ms between probes. In this simulation, the size of the network is assumed to be 50 nodes with an average of 10 intermediate nodes per available route. Another important observation worth mentioning in this experiment is that, as the network size increases, the size of the routes should increase at a decreasing rate if the same utility is to be achieved.

Figure 2 – Utility of the defender versus the interarrival time of probes (network of 100 nodes, average route size 20)

Figure 2 shows a network of size 100 with an average route size of 20. This shows that if the ratio of average route size to network size stays the same as the network size increases, then the maximum utility expected for the defender is reduced.

Figure 3 – Utility of the defender and $M_i$ versus the assumed attack success probability P

Figure 3 shows the relationship between the assumed value of P, which is the probability of success of an attack, and the utility value and $M_i$. Again, the value for P here is the value assumed by the defender for use in strategy determination. It also shows how mistakes in this assumption will affect the expected utility of the defender.
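As an added example (not the paper's own code), the following script carries equations (4), (5) and (6) of section 4.3 through to the analysis of section 5: it sweeps the probe interval $M_i$ like Figure 1, computes the maximising interval in closed form, and scores a defender who planned with a mistaken P, as in Figure 3. The parameter values are constructed assumptions (N = 50 and r = 10 follow Figure 1; P, the attack duration and the link delay are not given in the paper), so the numbers do not reproduce the paper's 260 at 69 ms.

```python
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class Scenario:
    n_nodes: int       # N: number of nodes in the network
    route_len: int     # r: intermediate nodes on the enforced route
    p_success: float   # P: probability that one malicious packet breaks a router
    t_attack: float    # T_j^a: duration of one attack attempt on a node (s)
    t_link: float      # transmission + propagation delay of a probe (s)


def expected_nodes_until_route(n: int, r: int) -> float:
    """E[X] = (N+1)/(r+1): nodes the attacker tries before one on the route falls."""
    return (n + 1) / (r + 1)


def time_to_successful_attack(s: Scenario) -> float:
    """Eq. (4): T_s = E[X] * T_j^a / P."""
    return expected_nodes_until_route(s.n_nodes, s.route_len) * s.t_attack / s.p_success


def time_to_detect(s: Scenario, m_i: float) -> float:
    """Eq. (5): T_i^d = (r+1) t / 2, with t = M_i + link delay."""
    return (s.route_len + 1) * (m_i + s.t_link) / 2


def defender_utility(s: Scenario, m_i: float) -> float:
    """Eq. (6): U_D = (T_s - T_i^d) * M_i, i.e. safe minus unsafe time per probe per second."""
    return (time_to_successful_attack(s) - time_to_detect(s, m_i)) * m_i


def best_probe_interval(s: Scenario) -> float:
    """U_D is a downward parabola in M_i, so dU_D/dM_i = 0 gives M_i* = T_s/(r+1) - t_link/2.
    This closed form is derived here from (4)-(6); the paper only reads it off its plots."""
    return time_to_successful_attack(s) / (s.route_len + 1) - s.t_link / 2


def sweep_probe_interval(s: Scenario, step: float = 0.001) -> Tuple[float, float]:
    """Grid search like Figure 1: returns the (M_i, U_D) pair with the largest utility."""
    m_max = 2 * time_to_successful_attack(s) / (s.route_len + 1)  # U_D <= 0 from here on
    candidates = ((k * step, defender_utility(s, k * step)) for k in range(1, int(m_max / step) + 1))
    return max(candidates, key=lambda mu: mu[1])


def utility_under_misjudged_p(s: Scenario, p_assumed: float) -> float:
    """Figure 3 effect: the defender plans M_i with an assumed P but is scored with the true P."""
    planned = replace(s, p_success=p_assumed)
    return defender_utility(s, best_probe_interval(planned))


# Constructed parameters: N and r as in Figure 1, the remaining values are assumptions.
EXAMPLE = Scenario(n_nodes=50, route_len=10, p_success=0.2, t_attack=1.0, t_link=0.02)

if __name__ == "__main__":
    m_star = best_probe_interval(EXAMPLE)
    print(f"T_s = {time_to_successful_attack(EXAMPLE):.3f} s")
    print(f"M_i* = {m_star:.4f} s, U_D* = {defender_utility(EXAMPLE, m_star):.3f}")
    print(f"grid search (Figure 1 style): {sweep_probe_interval(EXAMPLE)}")
    for p_guess in (0.1, 0.2, 0.3):
        print(f"assumed P = {p_guess}: realised U_D = {utility_under_misjudged_p(EXAMPLE, p_guess):.3f}")
```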
6 Conclusions

In this paper we tried to show that game theory can be applied to the network security problem. Even in our very simple scenario, game theory proves to be a useful tool in the decision making process for network security. However, finding the solution to the complete model as given in section 3.3 may not always be possible. The Nash equilibrium is proven to exist for a finite problem. Therefore, in order to guarantee the existence of a solution, the problem needs to be translated into a finite problem. In our specific case, for example, the time between probes is not a finite set of available options. But, using some tools, it can easily be turned into a finite set which is a very good representative of the actual set. For example, equipment capabilities can dictate the minimum time between probes, and a maximum value for the same could be found by setting a limit on the allowable percentage of time the network is in an unsafe state.