Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Service Attacks
This work addresses security vulnerabilities in IoT and CPS for applications like energy, healthcare, and transportation, offering a quantitative foundation for proactive defense, though it is incremental in extending game theory to this domain.
The paper tackles the problem of physical denial-of-service (PDoS) attacks in IoT-based cyber-physical systems by quantifying population-based risk and analyzing defense mechanisms, finding that incentivizing active defense can arbitrarily decrease botnet activity while legislating minimum security has limited effect.
While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, DDoS attacks work by overflowing the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch a "physical" denial-of-service attack (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. To model the recruitment of bots, we extend a traditional game-theoretic concept and create a "Poisson signaling game." Then we analyze two different mechanisms (legal and economic) to deter botnet recruitment. We find that 1) defenders can bound botnet activity and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for designing proactive defense against PDoS attacks.