Method for countering strategic attacks in zero-boundary trusted networks

Abstract

This paper proposes a detection method for countering strategic attacks in zero-boundary trusted networks. In a normal network, malicious nodes are only a minority; therefore, this paper employs a simple game-theoretic approach to suppress the occurrence of malicious events. Firstly, the paper introduces a behavior-based event inference method to detect malicious events, wherein nodes reference the inference results of other nodes to form composite reports. Subsequently, the paper introduces a simple game, allowing malicious nodes to choose not to falsify reports under disadvantaged scenarios, reaching a Bayesian equilibrium with normal nodes, thereby reducing the incidence of malicious events. This method demonstrates significant effectiveness in conventional networks where malicious nodes constitute a minority.

Keywords

Trusted networks attack detection simple game

1. Introduction

The zero-border trusted network aims to establish a secure network environment so that nodes and entities can trust each other and ensure the safe operation of the network. It not only relies on traditional security protection measures but also emphasises the establishment of trust relationships and resists the attack of malicious nodes through cooperation and trust evaluation between nodes.

The zero-boundary trusted network against strategic attack detection method is an important research field in dealing with malicious node attacks in sensory networks. Abdugafforovich et al. [1] studied model development for cyber-attack detection in information and communication systems. In this paper, the possibility of intrusion detection system functionality and data mining methods and tools for detecting attacks is analyzed, and different component placement variants for applying support vector machines in distributed computing networks to detect attacks are proposed. Wang et al. [2] proposed an unknown network attack detection method based on enhanced zero-shot learning, which combines zero-shot learning algorithms and reinforcement learning algorithms. Cao et al. [3] proposed a network attack detection method suitable for cyber-physical power systems based on ensemble learning. Gong et al. [4] proposed a network attack detection scheme based on a variational quantum neural network of variational quantum circuits and traditional machine learning strategies. Wang et al. [5] designed a network attack detection model DDosTC based on a hybrid mechanism of transformers and convolutional neural networks in software-defined networks. Shen et al. [6] proposed a machine learning-based RP-NBSR network attack detection model to improve the false detection rate and F1 score of unknown intrusion behaviors to improve network security. Han et al. [7] proposed a network attack detection model combining sparse autoencoders and kernel functions to improve network security. By optimizing the sparse autoencoder and combining kernel functions, the model reconstructs the data characteristics of network attacks and solves the problem of the impact of high-dimensional data on the accuracy and efficiency of network attack detection. Popova et al. [8] Analyzed ways to reduce the number of network traffic parameters in a network attack detection system. A prototype of a network attack detection system with a network traffic parameter reduction module is proposed. Zhang et al. [9] designed an unknown attack detection system based on open-set recognition and active learning in the UAV network environment. Assiri [10] proposed an anomaly classification method based on a genetic algorithm and random forest model for cyber-attack detection. This method improves the classification accuracy of normal and abnormal network traffic by optimizing two key parameters of random forest classifiers (minimum number of instances per split and number of trees in the forest). Di et al. [11] studied how to extract features for abstract modeling by using the vulnerability sample dataset at the information network level. Zhang et al. [12] proposed a real-time and pervasive network attack detection method, combining traffic calculation and deep learning. Shi et al. [13] introduced a technique for network attack detection and visual payload marking based on Seq2Seq architecture and attention mechanism. Wang et al. [14] analyzed and investigated data-based software-defined network attack detection methods. Tariq et al. [15] proposed a CAN bus-based message attack detection framework for anomaly generation, detection, and evaluation on the CAN bus.

Overall, network security has been a key challenge, especially in applications involving the transmission of sensitive data, such as location-based applications, where attackers may perform various malicious actions, leading to privacy breaches, data integrity breaches, usability impairments, etc., questions. Therefore, malicious behavior detection in zero-boundary trusted networks becomes very important. However, the complexity of the perceived environment needs to be considered when designing these detection mechanisms.

2. Methodology

2.1 Unconditional attack detection

In zero-boundary trusted networks, attack detection is a key task. Methods based on game theory can be used to suppress malicious nodes’ behaviour. First, this paper considers the attack behaviour of malicious nodes in the normal network and then introduces a simple game method to reduce the incidence of malicious events.

Suppose there are multiple institutions in the perception network:

$\displaystyle\{{O_{1},O_{2},\ldots,O_{j}}\}$ (1)

It deploys a certain number of RFID sensing nodes in a given region R, some of which may be malicious nodes. The attack behavior of malicious nodes includes publishing wrong topology information, tampering with data packets, forging location identification, etc., resulting in privacy leakage and usability damage. In particular, the local dominant condition of malicious nodes will significantly amplify the influence of this attack.

Figure 1.

Local malicious node dominance scenario.

In malicious event detection, ordinary sensing nodes first observe the surrounding phenomena and deduce the events that cause such phenomena through certain rules to judge whether there are malicious events. However, due to the dynamics of wireless networks and the limitations of node observations, the inference of a single node may not be reliable enough, so this paper introduces the cooperation between nodes; that is, nodes refer to the derivation results of other nodes.

Assuming that the node $r_{0}$ detects anomaly $e_{i}$ , it generates a report with:

$\displaystyle E=(r_{0}:\{e_{i},m(r_{0},e_{i}),\textit{chk}(r_{0},\{e_{i},m(r_{% 0},e_{i}),t,x\}pr_{0})\})$ (2)

Among them, $E$ is the report itself, which contains multiple elements; $r_{0}$ is the identifier or address of the node where the report is generated, $e_{i}$ is the identifier of the abnormal event detected; $m(r_{0},e_{i})$ is the credibility of the event; chk is a hash function, Sign with $r_{0}^{\prime}s$ private key $pr_{0}$ to ensure the integrity of this report; x is a random number; t is the observation time.

Then, the credibility of the event has:

$\displaystyle m(r_{0},e_{i})=\{b(r_{0},e_{i}),\textit{cer}(r_{0},e_{i})\}$ (3)

Among them, $b(r_{0},e_{i})$ and $\textit{cer}(r_{0},e_{i})$ represent the confidence and uncertainty of $r_{0}$ on event $e_{i}$ , respectively.

Subsequently, node $r_{0}$ reports to the outside, reports $E$ with a signature to ensure its integrity, and broadcasts to neighbor reporting nodes. After the neighbor reporting node receives report $E$ , it adds its inference and signature to E and propagates. After several iterations, a final combined report is formed, which is:

$\displaystyle E=(r_{j}:\{(e_{i},m(r_{j},e_{i}),\textit{chk}(r_{j},\{e_{i},m(r_% {j},e_{i}),t,x\}pr_{j})\})$ (4)

Among them, the hash function part is used to verify the integrity of the report, which was the complete content of the report before. Therefore, the detection node $r_{n}$ analyzes the final report $E$ and resolves it as:

$\displaystyle E=(r_{j}:\{e_{i},m(r_{j},e_{i})\})$ (5)

That is to say, discard the hash function part and analyze the report itself. Based on this, the nodes can infer the real events based on the number of report nodes:

$\displaystyle e_{\max}=\arg\max e_{i}(\textit{count}\{m(r_{j},e_{i})\})$ (6)

In the above formula, $e_{\max}$ is the most reported event, count is the function analysis of its number, and arcmax means “the parameter that takes the maximum value”, which is the two parts of “arg” (parameter) and “max” (maximum value) combination.

The detection node accepts or rejects the report according to the results of $e_{\max}$ , and rewards and punishes the relevant reporting nodes accordingly.

Although the above method is effective for a minority of malicious nodes, it may fail when malicious nodes dominate. Therefore, this paper introduces a simple game method to solve this problem.

Considering the situation where malicious nodes want to maintain their reputation in harsh scenarios, their best strategy is not to take offensive actions, forge reports, and achieve Bayesian equilibrium with normal nodes. To achieve this goal, the malicious node hopes that the detection node will reject its report according to the optimal strategy to submit the real report faithfully. The detection node $r n$ infers the optimal strategy according to the behaviour of malicious nodes in the game process and finally reaches the dynamic Bayesian equilibrium.

2.2 Conditional attack pattern detection

Further, consider the case where malicious nodes adopt a more flexible conditional attack approach that considers malicious nodes’ perception and intelligent processing capabilities in IoT environments. In this case, malicious nodes have certain intelligence when attacking and realize that unconditional attack behaviour may lead to their identification and isolation, so they will adopt a more flexible attack strategy, a conditional attack.

This paper further extends the game theory method to deal with the conditional attack of malicious nodes. This paper considers the derivation and inverse derivation processes between intelligent malicious and detection nodes and introduces a simple game model to counter this conditional attack.

First, assume that the malicious node realizes that unrestricted attacks will be recognized by the detection node $r_{n}$ and reduce its reputation. In this case, malicious nodes will choose not to take offensive actions and not to forge reports to maintain their reputation. This paper calls this game a simple game, and its derivation process is as follows:

Node $r_{m}$ calculates the probability of different strategies adopted by detection node $r_{n}$ , and the income value of node $r_{n}$ for its own behavior; node $r_{m}$ selects the optimal strategy a1* according to the calculated strategy probability; detection node $r_{n}$ adopts the corresponding optimal strategy according to the actual behavior a1 of the malicious node Optimal strategy a2; if the optimal strategies derived by both parties are the same, then an equilibrium is reached.

In this game model, the goal of malicious node $r_{m}$ is to predict the optimal strategy adopted by detection node $r_{n}$ , and choose its optimal strategy accordingly. The detection node $r_{n}$ selects the corresponding optimal strategy according to the known behavior of the malicious node $r_{m}$ .

2.3 Malicious node dominant detection

The total size of a zero-boundary trusted network is usually significantly smaller than that of the common Internet environment, so many unknown attack modes may appear. One possible attack scenario is the advantage of malicious organizations in the local number of zero-boundary trusted network constructions. For example, in positioning applications, attackers can deploy a large number of malicious nodes in a certain local area on the path from the terminal to the network layer access point, and destroy terminal privacy by spreading false topology and stealing transmission data. When such a malicious event occurs, most malicious nodes will submit false reports to cover up the malicious event, thereby misleading and affecting the judgment of normal nodes.

Therefore, malicious organizations may carry out local advantage attacks, breaking the Bayesian equilibrium achieved by simple games. The main reason is that it is difficult for detection nodes to obtain the true prior properties of unknown nodes. Each node contributes the same to the properties of the final report in a simple game, leading to misjudgment in an environment where malicious nodes dominate. Therefore, the key to reducing the influence of malicious nodes is to correctly evaluate the prior properties of nodes and adjust their weights reasonably so that the overall report is closer to real events.

In the cooperative game, the node weight is adjusted first by selecting a reliable report as a reference report, comparing it with the reports of other nodes, identifying suspicious subjects, and updating their weights in the report.

Assume that the weight of node $i$ is $w_{i}$ , the weight of the reference report is $w_{rf}$ , the consistency measure between node $i$ and the reference report is $c_{i}$ , the consistency measure of the institution where node $i$ belongs to, and the consistency measure of node $i$ ’s historical behavior is $c_{\textit{hist}}$ . Then the new weight $w_{i}^{\prime}$ of node $i$ can be calculated by the following formula:

$\displaystyle w_{i}^{\prime}=w_{i}c_{i}c_{\textit{org}}c_{\textit{hist}}$ (7)

The weight update process of a node mainly examines the consistency of the node with the reference report, the consistency of the organization and the consistency of the node’s historical behavior. Such adjustments can effectively suppress false reports and improve the success rate of event detection.

Then, in the improved strategy derivation, the prior probability of the node is reflected by the institution’s credibility. In the game, the detection node chooses the best action by inferring the optimal strategy of other nodes and computing the utility function.

Suppose node $i$ chooses action $a_{i}$ and observes action $a_{j}(j\neq i)$ by other nodes. The utility function $U_{i}(a_{i})$ can be calculated by the following formula:

$\displaystyle U_{i}(a_{i})=U_{i}(a_{i},a_{j})+\lambda U_{i}(a_{i},a_{\textit{% ref}})$ (8)

Among them, $U_{i}(a_{i},a_{j})$ represents the game utility when node $i$ chooses action $a_{i}$ , and other nodes choose action $a_{j}$ , $\lambda$ is a balance parameter, and $U_{i}(a_{i},a_{\textit{ref}})$ represents the game utility when node $i$ chooses action $a_{i}$ , and the reference report.

The prior probability of overall node properties depends on the trust factors of nodes and institutions. In dynamic environments, node observations may be limited, so sharing reference reports can effectively converge node prior credibility. After the detection node infers the optimal strategy, it shares the result with the nodes of the same organization, rewards the same reporting node as the overall report, and punishes the opposite node, thereby further reducing the weight and prior probability of the malicious node. Assume that the credibility of the organization where node $i$ belongs to is $\textit{Trust}_{\textit{org}}$ , and the prior probability of node $i$ is $P_{i}$ . The prior probability of a node can be calculated by the following formula:

$\displaystyle P_{i}=\textit{Trust}_{\textit{org}}w_{j}$ (9)

These collaboration mechanisms and the improved strategy derivation process can effectively deal with the scenario where malicious nodes dominate, reduce its impact, and make detection nodes more inclined to take correct actions, so that the overall report tends to be more normal, and Bayesian equilibrium can be achieved again.

3. Simulation analysis

In the simulation experiment, this paper adopts an attack detection method based on game theory to identify malicious nodes through cooperation and weight adjustment among nodes. First, this paper determines the topology of the sensory network, including the number of nodes and the way the nodes are connected. These parameter settings reflect the layout and communication characteristics in the actual perception network, making the simulation experiment more realistic.

To simulate real scenarios, this paper establishes a behavior model of nodes divided into normal and malicious nodes. In the behavior model of normal nodes, this paper considers the behaviors of nodes such as data interaction, perception task collaboration and relay. For the behavior model of malicious nodes, this paper considers two cases of unconditional and conditional attacks, which simulate different attack strategies that malicious nodes may adopt. For the weight adjustment of each node, this paper considers the selection problem of consistency measures, such as collaborative consistency and institutional consistency among nodes. The selection of these metrics in the model is based on the consideration of the effectiveness of node behavior inference and prior probability estimation so that nodes can more accurately evaluate the behavior of other nodes, thereby reducing the false positive rate and false negative rate.

In addition, in the simulation experiment, this paper also considers the situation in which malicious nodes dominate; malicious organizations have numerical advantages in certain areas of the perception network. In response to this situation, this paper introduces a cooperative game and an update mechanism of node prior probability to counter the influence of malicious nodes. Such a choice is made to improve the robustness and reliability of the attack detection algorithm in an environment dominated by malicious nodes.

This paper obtains results of monitoring effectiveness and malicious node forgery through simulation experiments for different scenarios and parameter settings.

First, for the unconditional attack environment, the simulation results are:

Figure 2.

The impact of node damage rate under unconditional attack.

As shown in the figure above, in the system, when the loss of nodes increases, the monitoring accuracy rate begins to decline, while the number of forged security reports increases rapidly. This trend presents the characteristics of monotonous smooth linear growth.

As node losses increase, the number of available nodes in the system decreases. This can lead to reduced coverage of the monitoring system as fewer nodes are involved in anomaly detection and report generation. This reduction may affect the monitoring ability of the system, resulting in some abnormal events not being detected in time, thereby reducing the accuracy of monitoring.

At the same time, as the number of nodes decreases, there may be fewer trusted nodes in the system to generate real security reports. Malicious parties may take advantage of this situation, attempting to forge security reports to spread false information. As the loss of nodes increases, it may be easier for malicious parties to find gaps that are less monitored, thereby forging a large number of reports and broadcasting them, resulting in a rapid increase in the number of forged security reports.

The linear growth of this trend can be explained by the fact that the loss of nodes leads to a situation where the monitoring system is weak, making the ability of anomaly detection and report generation weaker while providing more opportunities for the propagation of fake reports. Although the decrease in monitoring accuracy and the increase in the number of falsified reports, in this case, are monotonously smooth, it should be noted that the actual system may also be affected by other factors that may cause the trend to change or intensify.

Then, considering the conditional attack strategy, the simulation results are as follows:

Figure 3.

The influence of node damage rate under conditional attack.

As shown in the figure above, this figure shows the impact of the node damage rate on the system when a conditional attack occurs. We observe that the detection accuracy of the system shows a clear downward trend as the nodes continue to be damaged. This means that the attack strategy has reduced the reliability of abnormal event detection in the system, and the ability of nodes to identify abnormal events has been significantly affected.

At the same time, the proportion of false security reports shows obvious fluctuations during the simulation. Specifically, the proportion of these false security reports gradually increases with the continuous damage of nodes, showing an increasing trend. This means that the attack strategy not only reduces the detection accuracy of the system, but also leads to the increase of false security reports, further obfuscating the real situation of abnormal events.

Taken together, our simulation results show that the impact of conditional attack strategies on the system is complex and severe. It reduces the detection ability of nodes and increases false security reports, which poses a serious threat to the credibility and stability of the entire system. This emphasizes the need to fully consider the possible impact of conditional attacks when designing security defence strategies to ensure that the system can effectively defend against various potential threats.

Finally, considering the condition that the malicious nodes are already dominant, considering the number of remaining nodes and their damage, there are:

Figure 4.

The influence of node damage rate under conditional attack under the condition that malicious nodes dominate.

As shown in the figure above, the results show that in this case, despite the existence of malicious nodes, the system’s monitoring accuracy can still maintain a certain level.

Especially in the case of malicious nodes dominating, the system can still detect abnormal events relatively accurately. This means that the normal nodes in the system can still effectively identify abnormal events to some extent, even in harsh environments. This may be due to the cooperation of some healthy nodes in the system, as well as a certain robustness of the monitoring algorithm.

However, what needs special attention is that although the monitoring accuracy rate has been maintained at a certain level, the proportion of false safety reports has further increased. This means that in the presence of malicious nodes, fake security reports account for a larger proportion. This may be caused by malicious nodes deliberately sending false reports while trying to interfere with the system’s normal operation.

In summary, although the monitoring accuracy rate is still maintained under harsh conditions, the increase in the proportion of false security reports indicates that the interference of malicious nodes is still influential to some extent. Therefore, in an environment where malicious nodes dominate, further security strategies are needed to reduce the impact of false security reports to maintain the stability and credibility of the system.

4. Conclusion

To sum up, our analysis results confirm that in a common network environment where malicious nodes are a minority of the network, the use of simple game methods can effectively suppress strategic attacks. Through this method, we successfully encourage malicious nodes to choose not to forge reports under disadvantaged conditions, thereby reducing the incidence of malicious events and effectively improving the network’s overall security.

The effectiveness of this method lies in its introduction of game theory, which enables malicious nodes to make more cautious decisions when facing disadvantages. In contrast, traditional attack strategies may rely on the number of malicious nodes to create confusion and uncertainty, thereby increasing the vulnerability of the network. By incorporating game thinking into the field of network security, we provide a novel and effective method for reducing the impact of strategic attacks.

Despite the positive results of this study, there are still some directions worthy of further exploration. Future research can consider further extending the model to apply to more complex and diverse network environments. In addition, we can explore how to integrate other theories and techniques with game methods to enhance the network’s resistance and adaptability further.

Footnotes

Declarations of interest

None.

References

Abdugafforovich

Rajaboevich

Ildarovna

. Development a model of a network attack detection in information and communication systems. Journal of Advances in Information Technology.2022; 13(4): 312-319.

Wang

Guo

. Unknown network attack detection method based on reinforcement zero-shot learning. Journal of Physics: Conference Series.2022; 2303(1): 012008.

Cao

Wang

Yuan

Wang

Chen

. Network attack detection method of the cyber-physical power system based on ensemble learning. Applied Sciences.2022; 12(13): 6498.

Gong

Guan

Gani

. Network attack detection scheme based on variational quantum neural network. The Journal of Supercomputing.2022; 78(15): 16876-16897.

Wang

. DDosTC: A transformer-based network attack detection hybrid mechanism in SDN. Sensors.2021; 21(15): 5047.

Shen

Wang

Liu

Zhao

. RP-NBSR: A novel network attack detection model based on machine learning. Computer Systems Science & Engineering.2021; 37(1): 121-133.

Han

Liu

Zhang

Lü

. Sparse auto-encoder combined with kernel for network attack detection. Computer Communications.2021; 173: 14-20.

Popova

Platonov

. Reduction of the number of analyzed parameters in network attack detection systems. Automatic Control and Computer Sciences.2020; 54: 907-914.

Zhang

Niu

Guo

. Unknown network attack detection based on open-set recognition and active learning in drone network. Transactions on Emerging Telecommunications Technologies.2022; 33(10): e4212.

10.

Assiri

. Anomaly classification using genetic algorithm-based random forest model for network attack detection. Computers, Materials Continua.2021; 66(1): 767-778.

11.

Luo

. A CNN-based information network attack detection algorithm. In International Conference on Wireless Communications and Applications. 2021. pp. 155-161.

12.

Zhang

, LY Lv

Sangaiah

Huang

.A real-time and ubiquitous network attack detection based on deep belief network and support vector machine. IEEE/CAA Journal of Automatica Sinica, 2020; 7(3): 790-799.

13.

Shi

Zhu

Zhou

Yuan

Fang

. Network attack detection and visual payload labeling technology based on Seq2Seq architecture with attention mechanism. International Journal of Distributed Sensor Networks.2020; 16(4): 1550147720917019.

14.

Wang

Yang

Nie

Ren

Kuang

. Data-driven software-defined network attack detection: State-of-the-art and perspectives. Information Sciences.2020; 513: 65-83.

15.

Tariq

Lee

Kim

Woo

. CAN-ADF: The controller area network attack detection framework. Computers Security.2020; 94: 101857.