An Intelligent Game Theory Framework for Detecting Advanced Persistent Threats

The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the normal one. However, APT attacks are latent, with very little flow and mixed in many normal information flows. Moreover, APT attacks can adjust their behavior according to the environment, making it challenging to be discovered and extract features. Meanwhile, dynamic information flow tracking (DIFT) is a tool for tracking information flow, which can also adjust the marking strategy according to the environment and is often used to track and detect APT information flow. On the other hand, game theory is a mathematical model that expresses the game of two or more parties. Therefore, this motivates us to model a game theory to solve the above challenge. In this paper, to solve the above obstacles, we propose an intelligent game theory framework named DPS, which models the strategic interaction between APTs and DIFT and aims to get a high reward for DIFT. Our proposed DPS framework utilizes deep reinforcement learning to find the Nash equilibrium. The game model is a nonzero-sum, average reward stochastic game. Specifically, we design a subgraph pruning strategy and deep Q-network to guide the player in exploring new strategies in the information flow graph. Finally, we implement our framework to compute an optimal defender strategy to defend cyber security. Based on 2 real-world datasets, the experiment results demonstrate that the DPS framework can delay APT intrusions under equilibrium in 3 epochs and get a better reward than the Uniform policy.