Sage Journals: Discover world-class research

Abstract

The multi-mesh distributed and open structure of cloud computing is more weak and vulnerable to security threats. Intrusion detection system should be incorporated in cloud infrastructure to monitor cloud resources against security attacks. In this article, the interaction between rational cloud resource defender and the potential malicious user in the cloud as a differential game is investigated. The feedback Nash equilibrium of the game is reviewed and a complex decision-making process and interactions between the cloud resource defender and a malicious user of cloud are also analyzed. The system results support a theoretical foundation in detecting the malicious attack, which can help cloud intrusion detection system make the optimal dynamic strategies to improve the defensive ability.

Keywords

Differential game cloud security intrusion detection feedback Nash equilibrium

Introduction

Cloud computing has fundamentally revolutionized the way of business services in many industries with its services provisioning infrastructure, more efficient computing resources deployment, less cost, high scalability, and rapid accessibility. According to International Data Corporation (IDC)’s latest guide, worldwide spending on public IT cloud services will grow to more than US$141 billion in 2019, representing a compound annual growth rate (CAGR) of 19.4%.¹ Cloud computing is not an independent phenomenon in the IT industry, but it has impacted the software and hardware industry.

Security and privacy issues have become an urgent problem for cloud computing. The multi-mesh distributed and open structure of cloud computing is more weak and vulnerable to security threats. This multi-user and multi-domain platform has become a target for potential attackers. Cloud computing suffers from various attacks such as IP spoofing, flooding, denial of service (DoS), and distributed denial of service (DDoS).² A strong defense system is needed to protect cloud users and data. As an essential component of defensive measure, intrusion detection system (IDS) can provide active and dynamic defense for network and computer system against various attacks.³ IDS is an important part of traditional network security defense system. By analyzing the anomalies such as unusual determines when the network is under attack. However, no matter in detection capability, response time, or system scale, there are many security system limitations for traditional IDS, which make it unable to meet the requirements of the cloud detection. Consequently, a cloud IDS decision issue arises and needs to be optimized.

In dynamic cloud environment, the attack/defensive behaviors or state variables cannot be separated. The previous optimal decisions may no longer be the best, even be the worst in the next moment. Policymakers of IDS in cloud need to develop appropriate countermeasures in time according to the environment changes. Recently, game theory has been used extensively to model and analyze network security issues. It provides a formal analytical and mathematical framework to model rational decision-making or strategies of multiple players having different objectives interacting with each other.⁴ To detect intrusions, this article uses differential game theory to solve the problem of cloud IDS. Differential game derives from game theory and optimal control theory, which belongs to one of the most practical and complex branch of game theory, proposed by Dixit⁵ and Isaacs.⁶ It can be used to solve dynamic problem which depends on the players’ profit function and the relationships (cooperative or non-cooperative) between the players.⁷

We have recently investigated a game theoretic model to cloud security where the interaction between the IDS and malicious attackers is modeled using a two-player static game in Li and Liu.⁸ In this article, we consider a dynamic extension of this game theoretic framework. After introducing the differential game model, the behavior of IDS as a defender and malicious user as an attacker is modeled, and the complex decision-making processes and interactions between the cloud resource defender and a malicious user of cloud are also analyzed. Considering the detection rate and false alarm rate, an optimal decision of cloud computing intrusion detection based on differential game is proposed, which ensures the security of cloud computing and reduces energy consumption at the same time. The IDS security strategy is formulated in which the defender and the attacker can adjust their resources according to the workload. It is investigated that this model in the defender role and the malicious attacker role can update their strategies until they reach a Nash equilibrium. Through simulations, we study the properties of the resulting equilibrium. The results show that the formula is feasible.

The remainder of this article is organized as follows: section “Related work” explains the related work. In section “Problem formulation,” the payoff matrix of cloud IDS and the differential game are constructed. The feedback Nash equilibrium solution to the proposed game is derived in section “Equations.” The simulation results are presented and discussed in section “Numerical simulation and analysis.” Finally, conclusions of the work are drawn in section “Conclusion.”

Related work

As an essential component of security measure, IDS provides the ability to monitor the network activities for internal or external malicious attacks or policy violations.⁹ In recent years, several research works which focus on intrusion detection solutions for cloud computing have been proposed.¹⁰ To handle large-scale network access traffic and administrative control of data and application in the cloud, Gul and Hussain³ proposed a multi-threaded distributed cloud IDS model, which can deal with large flows of data packets and generate reports effectively. Facing the coordinated attack, Zhou et al.¹¹ proposed a collaborative IDS, which improves the efficiency of intrusion detection. Claudio et al.¹² proposed a kind of lightweight network IDS; through a series of defending rules, the intrusive behavior can be determined. This system has a high detection rate in detecting external attacks. Ficco¹³ presented a cloud intrusion detection approach using event correlation. Using complex event processing to identify the cause of the incident, the captured events were analyzed. Attack detection by correlating the casual events was also described with the consideration of time and other constraints

Game theory provides a set of mathematical tools to analyze the conflict of interest between IDS and the attacker. By weighting the cost of different strategies based on the limited resource, it can increase the efficiency of IDS. In fact, a variety of game approaches are used to study intrusion detection in different network environment, such as the wireless network^14,15 and grid computing.¹⁶ Shahaboddin et al.¹⁷ proposed a three-player cooperative game, which improved the existing machine learning methods, and increased the successful defense rate. In Lin and Leneutre,¹⁸ the interaction between the jammer and the victim network was modeled as a non-cooperative game. The proposed defense strategy can eliminate the undesirable equilibrium and increase the jammer’s energy consumption. To address the attacker and IDS behavior within a sensor network, the two-player non-cooperative game has also been studied in Alpcan and Basar¹⁹ and Agah et al.²⁰ In the proposed model, the game is assumed to have a complete information and each player’s optimal strategy depends only on the payoff function of the opponent. A Bayesian game theoretic solution for wireless ad hoc networks that model the interactions between pairs of attacking/defending nodes is discussed in Liu et al.²¹ In this article, Lui et al. analyzed the obtainable Nash equilibrium for the attacker/defender game in both static and dynamic settings. Since the dynamic approach allows the defender to consistently update his belief about the maliciousness of the opponent player as the game evolves, it is a more realistic model which produces energy-efficient monitoring strategies for the defender, while improving the overall hybrid detection power. For economic deployment of intrusion detection agent, Chen et al.²² proposed a framework that applies two different game theoretic schemes. The interaction behaviors between the attacker and intrusion detection agent within a non-cooperative game are modeled and analyzed in the first scheme model. The security risk value is then derived from the Nash equilibrium solution. With this security risk value, the Shapley value of the intrusion detection agent is computed in the second scheme. With this two-stage game theoretic model, the network administrator can quantitatively evaluate the security risk of each IDS agent and easily select the most critical and effective IDS agent deployment to meet the various threat levels to the network. In Bayu et al.,²³ multi-stage Bayesian game was studied for IDS strategy in the context of a local cloud platform, which can help the defender to converge its belief even quicker.

In summary, most of these non-game theories based on IDS schemes above are subject to a problem that they continuously use additional resources for monitoring, which lead to more power consumption. On the other hand, most of the game theory–based IDS schemes above are static in nature where the strategies and utilities of players are fixed and repeated over a period of time. These approaches fail in cloud environment where players adopt different strategies at various stages of the game. Differential game is one of the most complex and useful branches of game theory. It originated from game theory and optimal control theory, but more universal. Differential game can be used to solve dynamic system, in which the strategy each player used is dynamic and evolving over time.²⁴ From this perspective, the differential game is of great practical value on cloud computing security issues.

Problem formulation

In this section, a cloud computing system with a fixed number of nodes is considered. It is assumed that any cloud node, acting as a defender, is equipped with an IDS. Depending on the capability of the IDS, the cloud node can detect any attacker in the cloud network.

Definition 1

The differential IDS game for cloud computing G is defended as $G \overset{Δ}{=} {P, A, U}$ , where

$P = {P^{D}, P^{A}}$ is a set of players.

$A = A^{D} \times A^{A}$ , where $A^{D} = {d, nd}$ and $A^{A} = {a, na}$ are the sets of actions by players P^D and P^A, respectively.

$U = U_{D} \times U_{A}$ , where U_D and U_A are the payoff functions of players P^D and P^A, respectively.

The players of the game are the IDS and the potential malicious users, denoted by the defender P^D and the attacker P^A, respectively. We make an implicit assumption that both players are rational and their main objective is to maximize their own payoffs. In our model, the IDS, as the defender P^D, is always trying to ensure the cloud services with minimal resource by monitoring the network against the malicious attack. On the other hand, the potential malicious user, as the attacker P^A, will always try to use minimal energy to attack the cloud computing network and maximize its damage.

Both the players will select their own action from the action spaces at each time slot. We abstract the action of the participants in the game model as $A = {A^{D}, A^{A}}$ . The action space of defender P^D can be expressed as $A^{D} = {d, nd}$ , where d is expressed as the monitoring status and nd represents the non-monitoring status. Analogous to the defender, for the malicious user P^A, its action space can be expressed as $A^{A} = {a, na}$ , where a is expressed as the behavior of destroy or attack cloud network and na is defined as non-attack state correspondingly.

Each defender has a set of resources $Resources = {1, 2, \dots, N}$ to be protected. Each resource $m \in Resources$ contains CPU, bandwide, and other physical and virtual resources. Each resource in the cloud network has a security value. And the security value of each m can be denoted as R_m, where $R_{m} > 0$ .²¹R_m represents the economic value of cloud computing resources, and it depends on the level value of the information owned. Correspondingly, $- R_{m}$ is the loss of security value caused by a successful attack, such as stealing important information or tampering data. In a successful attack of cloud computing resource m, the defender P^D and the attacker P^A will loss/gain R_m equally. That is, the payoff of the defender P^D and the attacker P^A is $- R_{m}$ and R_m, respectively.

We define $x (t)$ as the probability that IDS P^D discovers the malicious users P^A at time t. Obviously, the expected gain of P^D is $x (t) R_{m} - [1 - x (t)] R_{m} = [2 x (t) - 1] R_{m}$ . Meanwhile, the expected gain of P^A is $[1 - 2 x (t)] R_{m}$ .

Let $α_{Attack} u_{Aj} (t)^{2}$ and $α_{Monitor} u_{Di} (t)^{2}$ denote the cost of attacking and monitoring, respectively. $α_{Attack}$ and $α_{Monitor}$ are the non-negative parameters, which mean the unit costs of attacking by malicious users $P_{j}^{A}$ and monitoring by IDS $P_{i}^{D}$ . $u_{Aj} (t)$ and $u_{Di} (t)$ are the resource consumption of $P_{j}^{A}$ and $P_{i}^{D}$ at time t, respectively. Similarly, $α_{False} u_{Di} (t)^{2}$ denotes an expected loss due to the false alarm, where $α_{False}$ is the unit cost of false alarm. The main parameters in this article are defined as shown in Table 1. The payoff matrixes of IDS P^D and malicious users P^A are shown in Tables 2 and 3, respectively.

Table 1.

Parameters’ table.

Symbol	Meaning
$R_{m}$	Security value of cloud computing resources
$α_{Attack}$	Unit cost of attacking by malicious users $P_{j}^{A}$
$α_{Monitor}$	Unit cost of monitoring by IDS $P_{i}^{D}$
$α_{False}$	Unit cost of false alarm by IDS $P_{i}^{D}$
$u_{Aj} (t)$	Resource consumption of $P_{j}^{A}$ at time t
$u_{Di} (t)$	Resource consumption of $P_{i}^{D}$ at time t
$ρ_{A}$	Probability with which malicious users P^A choose to attack
$ρ_{D}$	Probability with which IDS P^D choose to monitor
$g_{i} [•]$	Profit function of $P_{j}^{A}$ and $P_{i}^{D}$ at time t
$x (t)$	Probability with which IDS P^D discover the malicious users at time t
$t_{0}$	Game start time
T	Game end time
$γ$	Discount rate
$S_{Di}$	Terminal revenue (at time T) of $P_{i}^{D}$
$S_{Aj}$	Terminal revenue (at time T) of $P_{j}^{A}$

IDS: intrusion detection system.

Table 2.

The payoff matrix of IDS P^D.

P^D	Monitor	Not monitor
Attack	$[2 x (t) - 1] R_{m} - α_{Monitor} u_{Di} (t)^{2}$	$- R_{m}$
Not attack	$- α_{Monitor} u_{Di} (t)^{2} - α_{False} u_{Di} (t)^{2}$	0

Table 3.

The payoff matrix of malicious users P^A.

P^A	Monitor	Not monitor
Attack	$[1 - 2 x (t)] R_{m} - α_{Attack} u_{Aj} (t)^{2}$	$R_{m} - α_{Attack} u_{Aj} (t)^{2}$
Not attack	0	0

In this study, let $ρ_{A}$ be the probability with which malicious user P^A chooses to attack, where $0 \leq ρ_{A} \leq 1$ . Hence, when P^A chooses to not attack, the probability is $1 - ρ_{A}$ . Similarly, $ρ_{D}$ denotes the probability with which IDS P^D chooses to monitor, where $0 \leq ρ_{D} \leq 1$ . $1 - ρ_{D}$ is the probability that P^D chooses to not monitor.

Figure 1 shows the extensive form of the differential game in Definition 1. According to the figure, the profit functions $g_{i} [•]$ for P^D and P^A can be governed by the following equations

\begin{matrix} g_{Di} [•] & = ρ_{A} ρ_{D} {\begin{matrix} [2 x (t) - 1] R_{m} \\ - α_{Monitor} u_{Di} (t)^{2} \end{matrix}} \\ + ρ_{A} (1 - ρ_{D}) (- R_{m}) + (1 - ρ_{A}) ρ_{D} \\ [- α_{Monitor} u_{Di} {(t)}^{2} - α_{False} u_{Di} {(t)}^{2}] \\ = ρ_{A} ρ_{D} R_{m} + 2 ρ_{A} ρ_{D} R_{m} x (t) \\ + (ρ_{A} ρ_{D} α_{False} - ρ_{D} α_{Monitor} - ρ_{D} α_{False}) u_{Di} (t)^{2} \end{matrix}

(1)

\begin{matrix} g_{Aj} [•] = ρ_{A} ρ_{D} [(1 - 2 x (t)) R_{m} - α_{Attack} u_{Aj} {(t)}^{2}] \\ + ρ_{A} (1 - ρ_{D}) [R_{m} - α_{Attack} u_{Aj} {(t)}^{2}] \\ = ρ_{A} R_{j} - 2 ρ_{A} ρ_{D} R_{m} x (t) - ρ_{A} α_{Attack} u_{Aj} (t)^{2} \end{matrix}

(2)

Figure 1.

Extensive form of the differential game.

Based on the above definitions, the optimization overall payoffs of P^D and P^A with dynamic game can be modeled as follows⁷

U_{D} = max_{u_{Di} (t)} {\int_{t_{0}}^{T} A e^{- r (t - t_{0})} ds + S_{Di} (x (T)) e^{- r (t - t_{0})}}

(3)

U_{A} = max_{u_{Aj} (t)} {\int_{t_{0}}^{T} B e^{- r (t - t_{0})} ds + S_{Aj} (1 - x (T)) e^{- r (t - t_{0})}}

(4)

where $A = ρ_{A} ρ_{D} R_{m} + 2 ρ_{A} ρ_{D} R_{m} x (t) + ζ u_{Di} (t)^{2}$ $B = ρ_{A} R_{j} - 2 ρ_{A} ρ_{D} R_{m} x (t) - ρ_{A} α_{Attack} u_{Aj} (t)^{2}$ , and $ζ = ρ_{A} ρ_{D} α_{False} - ρ_{D} α_{Monitor} - ρ_{D} α_{False}$ .

The time interval of the game is assumed as $t \in [t_{0}, T]$ , and t is continuous. The discount rate of the game is r, where $r > 0$ . $S_{Di}$ and $S_{Aj}$ are the terminal values associated with the state of algorithm influences of P^D and P^A, respectively. The objective of $P^{D} / P^{A}$ is to find the optimal strategies $u_{Di}^{*} (t)$ and $u_{Aj}^{*} (t)$ .

When $x (t) = 0$ , the probability of detecting the malicious user is 0. At this time, the defender P^D does not have any defensive measures against malicious attacks, which would threaten the security of the whole cloud environment. Increasing $x (t)$ means to increase the intensity of defense. When $x (t) = 1$ , the instantaneous probability that detects malicious attacks is 100%. However, it will also bring a lot of unnecessary consumption of resources. Therefore, the defender needs to reduce the strength of defense strategy in an appropriate way, thus saving its resources. For simplicity, the probability $x (t)$ of detecting a malicious user can dynamically expressed as equation (5)

{\begin{matrix} \frac{dx (t)}{dt} = \sum_{i = 1}^{m} u_{Di} (t) {[1 - x (t)]}^{1 / 2} - \sum_{j = 1}^{n} u_{Aj} (t) x (t)^{1 / 2} \\ x (0) = x_{0} \end{matrix}

(5)

Equations

In this section, the feedback Nash equilibrium solution to the differential game will be discussed. A feedback Nash equilibrium for the differential games (3), (4), and (5) can be characterized by Theorem 1, which was developed by Yeung⁷ and Nash.²⁵

Theorem 1

A set of strategies $[u_{Di}^{*} (t, x), u_{Aj}^{*} (t, x)]$ provides a feedback Nash equilibrium solution to the differential games (3), (4), and (5) if there exist continuously differentiable functions $V^{i} (t, x)$ defined on $V^{i} (t, x) : [t_{0}, T] \times ℜ \to ℜ$ and satisfying the following Bellman equation

- V_{_{t}}^{i} (t, x) = max_{u} {g_{i} [•] + V_{x}^{i} (t, x) C}

(6)

V^{i} (T, x) = S_{i} x \exp (- r (T - t_{0}))

(7)

where $C = \sum_{i = 1}^{m} u_{Di} (t) [1 - x]^{1 / 2} - \sum_{j = 1}^{n} u_{Aj} (t) x^{1 / 2}$ .

Proof

See the proof of Theorem 2.1.1 in Yeung and Petrosjan.⁷

In this case, x defines the state, and t denotes the time. $V^{i} (t, x)$ is the value function of player i in time interval $[t_{0}, T]$ . For the IDS $P_{i}^{D}$ , where $i \in {1, 2, \dots, m}$ , the value function $V^{Di} (t, x)$ can be represented as follows

V^{Di} (t, x) = \int_{t_{0}}^{T} A e^{- r (t - t_{0})} dt

(8)

Then we have

- {V_{t}}^{Di} (t, x) = max_{u_{Di}} {A e^{- r (t - t_{0})} + {V_{x}}^{Di} (t, x) C_{1}}

(9)

where ${V_{T}}^{Di} (T, x) = S_{Di} x e^{- r (T - t_{0})}$ and $C_{1} = u_{Di} (t) [1 - x]^{1 / 2} + \sum_{k \neq i = 1}^{m} u_{Dk}^{*} (t) [1 - x]^{1 / 2} - \sum_{j = 1}^{n} u_{Aj}^{*} (t) x^{1 / 2}$ .

$V_{t}^{Di} (t, x)$ and $V_{x}^{Di} (t, x)$ are the first-order partial derivatives of $V^{Di} (t, x)$ with respect to t and x, respectively. Performing the indicated maximization in equation (9), calculating the partial derivative for $u_{Di}$ , and making it equal to 0, we obtain the following equation

2 ζ u_{Di} (t) e^{- r (t - t_{0})} + [1 - x]^{1 / 2} {V_{x}}^{i} (t, x) = 0

(10)

where $ζ = ρ_{A} ρ_{D} α_{False} - ρ_{D} α_{Monitor} - ρ_{D} α_{False}$ .

We can get the Nash equilibrium to the control problem (9) as follows

u_{Di}^{*} (t) = - \frac{{[1 - x]}^{1 / 2} {V_{x}}^{Di} (t, x) e^{r (t - t_{0})}}{2 ζ}

(11)

Similar to the defender, for the cloud malicious user $P_{j}^{A}$ , where $j \in {1, 2, \dots, n}$ , the feedback Nash equilibrium strategies’ formula of equations (4) and (5) should satisfy the following conditions

- {V_{t}}^{Aj} (t, x) = max_{u_{Aj}} {B e^{- r (t - t_{0})} + {V_{x}}^{Aj} (t, x) C_{2}}

(12)

where ${V_{T}}^{Aj} (T, x) = S_{Aj} (1 - x) e^{- r (T - t_{0})}$ and $C_{2} = \sum_{i = 1}^{m} u_{Di}^{*} [1 - x]^{1 / 2} - u_{Aj} x^{1 / 2} - \sum_{l \neq j = 1}^{n} u_{Aj}^{*} x^{1 / 2}$

And we have

u_{Aj}^{*} (t) = - \frac{x^{1 / 2} {V_{x}}^{Aj} (t, x) e^{r (t - t_{0})}}{2 ρ_{A} α_{Attack}}

(13)

By formulas (9) and (12), we can get

V^{Di} (t, x) = [Φ_{Di} (t) x + Ψ_{Di} (t)] e^{- r (t - t_{0})}

(14)

V^{Ai} (t, x) = [Φ_{Aj} (t) (1 - x) + Ψ_{Aj} (t)] e^{- r (t - t_{0})}

(15)

where $i \in {1, 2, \dots, m}$ and $j \in {1, 2, \dots, n}$ .

For defender $P_{i}^{D}$ , formulas (16) and (17) can get from formula (14)

\begin{array}{l} - V_{t}^{D i} (t, x) = x e^{- r (t - t_{0})} [r Φ_{D i} (t) - \frac{d Φ_{D i} (t)}{d t}] \\ + e^{- r (t - t_{0})} [r Ψ_{D i} (t) - \frac{d Ψ_{D i} (t)}{d t}] \end{array}

(16)

V_{x}^{Di} (t, x) = Φ_{Di} (t) e^{- r (t - t_{0})}

(17)

Substituting equations (11) and (16) into equation (9), we have

\begin{matrix} - {V_{t}}^{Di} (t, x) = e^{- r (t - t_{0})} {ρ_{A} ρ_{D} R_{m} + 2 ρ_{A} ρ_{D} R_{m} x + \frac{{[{(1 - x)}^{1 / 2} {V_{x}}^{Di} (t, x) e^{r (t - t_{0})}]}^{2}}{4 ζ}} \\ + Φ_{Di} (t) e^{- r (t - t_{0})} [- \frac{(1 - x) Φ_{Di} (t)}{2 ζ} + \sum_{j = 1}^{n} \frac{x Φ_{Aj} (t)}{2 ρ_{A} α_{Attack}} - \sum_{k \neq i = 1}^{m} \frac{(1 - x) Φ_{Dk} (t)}{2 ζ}] \\ = e^{- r (t - t_{0})} x [\begin{matrix} 2 ρ_{A} ρ_{D} R_{m} + \frac{Φ_{Di} {(t)}^{2}}{4 ζ} + \sum_{j = 1}^{n} \frac{Φ_{Di} (t) Φ_{Aj} (t)}{2 ρ_{A} α_{Attack}} \\ + \sum_{k \neq i = 1}^{m} \frac{Φ_{Di} (t) Φ_{Dk} (t)}{2 ζ} \end{matrix}] \\ + e^{- r (t - t_{0})} [ρ_{A} ρ_{D} R_{m} - \frac{Φ_{Di} {(t)}^{2}}{4 ζ} - \sum_{k \neq i = 1}^{m} \frac{Φ_{Di} (t) Φ_{Dk} (t)}{2 ζ}] \end{matrix}

(18)

Solving formulas (16) and (18), we have

\begin{array}{l} \frac{d Φ_{D i} (t)}{d t} = r Φ_{D i} (t) - 2 ρ_{A} ρ_{D} R_{m} - \frac{Φ_{D i} {(t)}^{2}}{4 ζ} \\ - \sum_{k \neq i = 1}^{m} \frac{Φ_{D i} (t) Φ_{D k} (t)}{2 ζ} - \sum_{j = 1}^{n} \frac{Φ_{D i} (t) Φ_{A i} (t)}{2 ρ_{A} α_{A t t a c k}} \end{array}

(19)

Φ_{Di} (T) = S_{Di}

(20)

\begin{array}{l} \frac{d Ψ_{D i} (t)}{d t} = r Ψ_{D i} (t) - ρ_{A} ρ_{D} R_{m} + \frac{Φ_{D i} {(t)}^{2}}{4 ζ} \\ + \sum_{k \neq i = 1}^{m} \frac{Φ_{D i} (t) Φ_{D k} (t)}{2 ζ} \end{array}

(21)

Ψ_{Di} (T) = 0

(22)

Similarly, for attacker $P_{j}^{A}$ , we can get the following results

\begin{array}{l} \frac{d Φ_{A j} (t)}{d t} = r Φ_{A j} (t) - 2 ρ_{A} ρ_{D} R_{m} + \frac{Φ_{A j} {(t)}^{2}}{4 ρ_{A} α_{A t t a c k}} \\ - \sum_{k \neq i = 1}^{m} \frac{Φ_{D i} (t) Φ_{A j} (t)}{2 ζ} + \sum_{l \neq j = 1}^{n} \frac{Φ_{A j} (t) Φ_{A l} (t)}{2 ρ_{A} α_{A t t a c k}} \end{array}

(23)

Φ_{Aj} (T) = S_{Ai}

(24)

\frac{d Ψ_{Aj} (t)}{dt} = r Ψ_{Aj} (t) - ρ_{A} R_{j} - \frac{Φ_{Aj} (t) Φ_{Di} (t)}{2 ζ}

(25)

Ψ_{Aj} (t) = 0

(26)

Upon substituting the relevant partial derivatives of $V^{Di} (t, x)$ and $V^{Aj} (t, x)$ from equations (14) and (15) into equations (11) and (13), we have the feedback Nash equilibrium strategies as follows

u_{Di}^{*} (t) = - \frac{{(1 - x)}^{1 / 2} Φ_{Di} (t)}{2 ζ}

(27)

u_{Aj}^{*} (t) = \frac{x^{1 / 2} Ψ_{Aj} (t)}{2 ρ_{A} α_{Attack}}

(28)

Substituting equations (14) and (15) into equation (5), we also can get formula (29)

\frac{dx (t)}{dt} = [\sum_{i = 1}^{m} \frac{Φ_{Di} (t)}{2 ζ} - \sum_{j = 1}^{n} \frac{Φ_{Aj} (t)}{2 ρ_{A} α_{Attack}}] x (t) - \sum_{i = 1}^{m} \frac{Φ_{Di} (t)}{2 ζ}

(29)

where $ζ = ρ_{A} ρ_{D} α_{False} - ρ_{D} α_{Monitor} - ρ_{D} α_{False}$ .

Numerical simulation and analysis

In this section, the numerical analysis was presented to help understand the concepts of proposed cloud IDS game model. The study simulates the proposed scheme based on the MATLAB software simulation environment. Table 4 reports a pseudo-code for the proposed scheduler. The parameters’ set for simulations is shown in Table 5.

Table 4.

IDS differential game model algorithm.

The algorithm for IDS differential game model
Inputs: $x (t)$ , $t = 0$
Outputs: optimal strategy
1. Initialize game parameters $ρ_{D}$ , $ρ_{A}$ , $α_{Attack}$ , $α_{Monitor}$ , $α_{False}$ , $R_{m}$ , and r.
2. For t = 0 to T
3. Waked by monitored events;
4. IF the IDS differential game is not existed
5. Construct the game;6. Else
7. Get the stored game;
8. END IF9. Compute $u_{Di}^{}$ and $u_{Aj}^{}$ according to equations (24) and (25);10. Compute $x (t)$ according to equation (26);11. Update $x (t)$ and store it;
12. End For
13. Return $(u_{Di}^{}, u_{Aj}^{})$ ;

IDS: intrusion detection system.

Table 5.

The setting of simulation parameters.

	$ρ_{D}$	$ρ_{A}$	$α_{Attack}$	$α_{Monitor}$	$α_{False}$	$R_{m}$	r	t
$i = 1$	0.30	0.90	2	2.4	2.3	200	0.15	[0, 1] h
$i = 2$	0.60	0.60
$i = 3$	0.90	0.30

According to the feedback Nash equilibrium solution proposed above, the variations in parameters $Φ_{Di} (t)$ and $Φ_{Aj} (t)$ will impact $u_{Di}^{*} (t)$ and $u_{Aj}^{*} (t)$ directly. Figures 2 and 3 show how the key parameters $Φ_{Di} (t)$ and $Φ_{Aj} (t)$ vary with time. Please note $Φ_{Di} (t)$ and $Φ_{Aj} (t)$ are almost proportional to the time variation with different values of $ρ_{D}$ and $ρ_{A}$ , where $t \in [0, 1] h$ . $Φ_{Aj} (t)$ is an increasing function of time, while $Φ_{Di} (t)$ is a decreasing function of time.

Figure 2.

$Φ_{Di} (t)$ trends vary with time.

Figure 3.

$Φ_{Aj} (t)$ trends vary with time.

Figures 4 and 5 show the relationship between the optimal strategy $u_{Di}^{*} (t)$ , $u_{Aj}^{*} (t)$ , and time t. The attack strategy $u_{Aj}^{*} (t)$ is an increasing function of time t, which are consistent with the variables $Φ_{Aj} (t)$ . However, on the other hand, $u_{Di}^{*} (t)$ is more complex than strategy $u_{Aj}^{*} (t)$ . After a slow decline, $u_{Di}^{*} (t)$ is increased sharply at a particular time. Once achieving the maximum value, $u_{Di}^{*} (t)$ will slowly decrease again. In fact, this series of changes is affected by the change in $x (t)$ , which we will illustrate below. Since the resource consumption of cloud computing IDS will continually increase over time, the IDS will incessantly adjust its defense policy based on the resource consumption.

Figure 4.

$u_{Di}^{*} (t)$ trends vary with time.

Figure 5.

$u_{Aj}^{*} (t)$ trends vary with time.

We then observe how the IDS dynamically changes the capability of security to maximizing its profit. According to the algorithm in Table 4, the optimal dynamic controls for cloud IDS are depicted in Figure 6. In the beginning, IDS needs to have a strong defense capability to protect the security of network. However, over time, it is not necessary for IDS to always keep this strong ability. After a short time, $x (t)$ will decrease at a rapid rate. The smaller the attack probability, the earlier the $x (t)$ decreases.

Figure 6.

$x (t)$ trends vary with time.

We also compare the profit of IDS between static and dynamic optimal strategies with different monitoring and attack probabilities. In the static strategies, we let $x (t)$ be 1 and keep static, which indicates that the cloud system continuously exerts a maximum effort to protect the network. According to equations (1) and (3), we approximately compute the profits of IDS under the different strategies and show the results in Figure 7. As can be seen from the figure, when taking the dynamic optimal strategies, the profits of IDS are always more than these under the static strategies, which means the dynamic optimal strategies can improve the security of cloud computing system.

Figure 7.

The profit of IDS: static strategies versus optimal strategies.

Finally, the energy consumed by the optimal strategy compared to the static strategy is studied. Figure 8 provides the comparison under the different monitoring and attack probabilities throughout the simulation runtime. Since the strategy is static which means that the $x (t)$ and $u_{Di} (t)$ are constant, the energy consumption in static strategy is constant over the time. On the other hand, the energy consumption in the proposed optimal strategy continually changes with the strategy. It can be observed from the figure that the energy consumption in the proposed optimal strategy is significantly lower than the static strategy.

Figure 8.

The energy consumption of IDS: static strategies versus optimal strategies.

Conclusion

In this article, a game theoretic framework for intrusion detection in cloud computing was proposed. We formulated the IDS problem as a differential game mode, in which the detection rate and false alarm rate of the IDS were considered. The feedback Nash equilibrium for each stage game was presented, and the optimal amount of resource $u_{Di}^{*} (t, x)$ and $u_{Aj}^{*} (t, x)$ was obtained. An analytical framework for rational defenders and malicious users was provided, in which both players can adjust their resources according to the workload. In the third numerical example, we analyzed the probability with which IDS discovers the malicious users. The simulation results show the changes in the probability under the optimal strategies condition. Using the game theoretic framework, we can improve the chance of intrusion detection.

Footnotes

Academic Editor: Chin-Tser Huang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Science Foundation Project of P. R. China (No. 61501026), and Fundamental Research Funds for the Central Universities (No. FRF-TP-15-032A1).

References

IDC. Worldwide public cloud services spending forecast to double by 2019, According to IDC, https://www.idc.com/getdoc.jsp?containerId=prUS40960516 (accessed 3 January 2016).

Ficco

Rak

Stealthy denial of service strategy in cloud computing. IEEE Trans Cloud Comput 2015; 3(1): 80–94.

Gul

Hussain

Distributed cloud intrusion detection model. Int J Adv Sci Tech 2011; 34: 71–82.

Alpcan

Basar

An intrusion detection game with limited observations. In: Proceedings of the 12th international symposium on dynamic games and applications, Sophia Antipolis, 26 July 2006.

Dixit

Model of duopoly suggesting a theory of entry barriers. J Econ 1979; 10(1): 20–32.

Isaacs

Differential games III: The basic principles of the solution process. Santa Monica, CA: RAND Corporation, RM-1411-PR, 1954.

Yeung

DWK

Petrosjan

. Cooperative stochastic differential games. Berlin: Springer Science & Business Media, 2006.

Liu

. A non-cooperative game model of intrusion detection system in cloud computing. In: Proceedings of the third international conference on cyberspace technology (CCT 2015), Beijing, China, 17–18 October 2015, pp.1–4. New York: IEEE.

Patel

Taghavi

Bakhtiyari

. An intrusion detection and prevention system in cloud computing: a systematic review. J Netw Comput Appl 2013; 36: 25–41.

10.

Iti

Chhikara

Hasteer

Intrusion detection and prevention in cloud environment: a systematic review. Int J Comput Appl 2013; 68(24): 7–11.

11.

Zhou

Leckie

Karunasekera

A survey of coordinated attacks and collaborative intrusion detection. Comput Secur 2010; 29: 124–140.

12.

Claudio

Bifulco

Canonico

Integrating a network IDS into an open source cloud computing environment. In: Proceedings of the 2010 sixth international conference on information assurance and security, Atlanta, GA, 23–25 August 2010, pp.265–270. New York: IEEE.

13.

Ficco

Security event correlation approach for cloud computing. Int J High Perform C 2013; 7(3): 173–185.

14.

Hoang

Niyato

. Applications of repeated games in wireless networks: a survey, http://arxiv.org/abs/1501.02886 (accessed 11 January 2015).

15.

Hossein

Zhu

Alpcan

. Game theory meets network security and privacy. ACM Comput Surv 2013; 45(25): 25.

16.

Kim

THJ

Brancik

. Cyber–physical security of a smart grid infrastructure. P IEEE 2012; 100(1): 195–209.

17.

Shahaboddin

Patel

Anuar

. Cooperative game theoretic approach using fuzzy Q-learning for detecting and preventing intrusions in wireless sensor networks. Eng Appl Artif Intel 2014; 32: 228–241.

18.

Lin

Leneutre

Fight jamming with jamming—a game theoretic analysis of jamming attack in wireless networks and defense strategy. Comput Netw 2011; 55(9): 2259–2270.

19.

Alpcan

Basar

A game theoretic approach to decision and analysis in network intrusion detection. In: Proceedings of the 42nd IEEE conference on decision and control, Maui, HI, 9–12 December 2003, vol. 3, pp.2595–2600. New York: IEEE.

20.

Agah

Das

Basu

. Intrusion detection in sensor networks: a non-cooperative game approach. In: Proceedings of the third IEEE international symposium on network computing and applications (NCA 2004), Cambridge, MA, 1 September 2004, pp.343–346. New York: IEEE.

21.

Liu

Comaniciu

Man

. A Bayesian game approach for intrusion detection in wireless ad hoc networks. In: Proceeding from the 2006 workshop on game theory for communications and networks, Pisa, 14 October 2006, vol. 4. New York: ACM.

22.

Chen

. A game theoretic framework for multi-agent deployment in intrusion detection systems. In: Yang

Chau

Wang

. (eds) Security informatics. New York: Springer, 2010, pp.117–133.

23.

Bayu

Rashmi Prasad

Prasad

. An intrusion detection game in access control system for the M2M local cloud platform. In: Proceedings of the 19th Asia-Pacific conference on communications (APCC), Denpasar, 29–31 August 2013, pp.345–350. New York: IEEE.

24.

Basar

Dynamic noncooperative game theory, vol. 200. London: Academic Press, 1995.

25.

Nash

Non-cooperative games. Ann Math 1951; 54(2): 286–295.

A differential game model of intrusion detection system in cloud computing

Abstract

Keywords

Introduction

Related work

Problem formulation

Definition 1

Equations

Theorem 1

Proof

Numerical simulation and analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References