A prepared cyber defender must frequently ask: “What if the adversaries targeting me are trying something other than what I think they will do?” The answer is not whether this will happen but when. Given this conundrum, we are interested in how a defender can gain an anticipatory edge. Advance knowledge is essential, especially in an environment that is stacked to the attacker’s advantage, leaving the defender always one step behind.
One approach is to explore defensive configurations that have been tested against multiple possible attacks and then, in anticipation, select and deploy the best configuration that takes into account any attack’s expected impact, goal, strategies or tactics. Note that the selection criteria can vary and will depend on the decision maker and context. For example, impact can be any one or combination of financial cost, disruption level or outcome risk. Or, a decision maker could prioritize a worst case over an average case or a trade-off configuration when there is a lot to lose.
In considering this approach, an important observation is that the dynamics of the adversaries — their engagements and the arms race between them, are coevolutionary. That is, over time, the strategies and actions of both cyber attacks and cyber defenses adapt — usually in asynchronous and alternating steps, based on the best attackers/defenses surviving (survival of the fittest) and regenerating themselves with slight variations (genetic inheritance), some of which lead to escalations in capabilities. This indicates that competitive coevolutionary algorithms would be an integral and ideal component of a framework to realize an anticipatory approach. They serve as the technical means by which the framework supports intelligent, learning and adapting adversaries.
Competitive coevolutionary algorithms are used when the quality of a potential solution to the problem (defense) is determined by its performance when interacting with some set of tests (attacks). An algorithm maintains two populations: defense and attack. The update of each is directed by computational mechanisms inspired by natural selection and genetic inheritance. The two populations are coupled by the engagements of members of one population (defenses) with the other (attacks). Engagements yield fitness information which informs selection (survival of the fittest). For more information, we list some more information at the end of this story, see (Popovici 2012). Here’s a figure:
A coevolutionary algorithm suite is needed to provide behavioral diversity because the framework should generate a breadth of potential attack-defense engagements. The algorithms, as one form of differentiation, can use different measures of adversarial success or objectives.
The framework needs to also include a second component that sets up the environment for an adversarial engagement and measures the outcome for each adversary. This component serves the black box above labeled “Fitness Evaluation”. The component’s measures interface with the coevolutionary algorithm to inform it of an adversary’s fitness. For example, if denial of service attacks were being adapted towards hardening the defensive configurations of a network, the environment would simulate, emulate or run some set of tasks on a network while testing its use of a defensive configuration from the defense population vs one or more attacks from the attacks population. How much the mission succeeded would be fitness of the defense and mission disruption, the fitness of the attack. Attacks would adapt with the objective of maximizing mission disruption while defenses would adapt with the objective of minimizing mission disruption. Here’s a general picture:
Finally, the framework must be linked to a decision support module or compendium. The engagements of every run of any of the coevolutionary algorithms must be archived. Subsequently, high performing attacks and defenses from these runs can be united and all the adversaries of one side competed against those of the other side. This will yield a ranking for each side’s members according to multiple criteria. Visualizations of adversarial behaviors and comparisons of their behavior would also help. This feedback informs the decision process of a defensive manager by describing possible attacks and how well different defenses work.
We’re evolving this framework (couldn’t resist the pun, sorry!) and reusing it to examine how it works in general and how it supports expressing specific cyber adversarial domains. To date our use-cases include i) defending a peer-2-peer network against Distributed Denial of Service (DDOS) attacks, ii) defending against spreading device compromise in a segmented enterprise network, and ii) deceptive defense against the internal reconnaissance of an adversary within a software-defined network. A paper further describing the framework in more of its glory appeared in the 2018 AAAI Fall Symposia Series at the symposium on Adversary-Aware Learning Techniques and Trends in Cybersecurity.
(Introduction to Coevolution)
(Popovici 2012) Coevolutionary principles. Elena Popovici, Anthony Bucci, R Paul Wiegand, and Edwin D De Jong. In Handbook of Natural Computing, pages 987–1033. Springer, 2012