
Game-Theoretic Approach to Digital Forensics Investigation
A Seminar for UCD on 24th Aug 2012
Ali Dehghantanha
Senior Lecturer- University Putra Malaysia
AliD@fsktm.upm.edu.my

About Me
Ph.D and M.Sc in Security in Computing

CISSP, ISMS L.A, C|EI, E|CSA, C|EH, C|HFI

Relevant research projects:
Linear Temporal Formal Privacy Models: My Ph.D!
A Formal Rule-Based Privacy Respecting Forensics
Investigation: Invited Speech EC-SPRIDE- Germany.
Cyber Warfare Investigation Techniques; Past, Present and
Future: Keynote DEIS2012- Czech Republic.

And several real-case investigations

A Happy Investigator Until...

Airport X investigation!!
Complex
Limited resources
All sorts of devices that you can think of!!

How can I deploy my limited resources to maximize investigation efficiency?!!!

What is the Main Cause for the Following?!

Siberia- 1982
Estonia- 27 Apr 2007
Brazil- 2007
Iran- 01 Jun 2010

Am I the Only One?!

Clouds
Enterprise networks
Incident handling (IH) in heterogeneous networks
Nationwide investigations
limited resources + maximum effectiveness

Not Far Investigation Cases?!

Game-Theory, are you Kidding?!

Cyberwar G.T- Penn university
GUARDS - Game Theoretic Security Allocation on a National Scale- USC
ARMOR: Assistant for Randomized Monitoring Over Routes- USC

G.T provides a sound mathematical approach for deploying limited resources to maximize their effectiveness

1. Optimizes crime monitoring systems
2. Provides best responses to Cyberwar
3. Assists in patrolling systems

1. Provides best possible evidence locations!
2. Best incident response!
3. Maximizes resource efficiency in I.H and digital forensics

Elements of our Game!

A repetitive, continuous-action strategic game between multiple, possibly irrational hackers and multiple investigators, with multiple strategies for both parties!
It is a leader (hacker)- follower (investigator) game with incomplete information.
While the hackers' payoff is to maximize the damage and minimize their tracks, the investigators' payoff is to contain the incident and find more evidence.

Research Stages
1- Non-repetitive, rational hackers with finite actions
2- Rational hackers, finite actions but with learning
3- Irrational hackers, continuous actions

Expected Contributions
1. Modeling real-world attack strategies.
2. A solution for efficient investigation and incident handling in heterogeneous networks.
3. Computational algorithms to find exact or approximate equilibria.
4. Formally defining a new area in game-theory known as Digital Forensics Games

Potential Applications
1. For investigators as an efficient solution for enterprise
investigation!
2. For incident handlers to find most probable cause of
incidents and best containment strategies.
3. For security defenders to find efficient protection
solutions that bring them needed equilibrium.
4. Assisting cyber-warriors in their strategic modeling

More Details of 1st Stage

(limited information + multiple parties + multiple strategies) - (finite actions + non-repetitive + rational)

So
1. Non-Zero-Sum Bayesian Stackelberg game!
2. Looking for an exact SSE such that Not-Attacking would be the attacker's best choice for the asset!
3. Based on evidence and finite strategies, finding the current approximate SSE!
4. Advice on the not sufficiently protected assets that caused the current SSE!
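A small worked check of the first-stage SSE condition, as an added example that is not part of the seminar: it assumes the investigator's limited resources are expressed as per-asset coverage probabilities, and its assets, attacker types and payoffs are all constructed. It computes the coverage at which attacking any asset is no better than not attacking for every attacker type, tests whether the available resources reach that level, and lists the assets a given allocation leaves insufficiently protected (items 2 and 4 above).

```python
# Added example (not from the seminar). Checks the first-stage SSE condition
# "not attacking is the attacker's best choice" for a finite Bayesian security
# game: assets, attacker types and payoffs below are all constructed.
from typing import Dict, List, Tuple

# Per attacker type: reward for hitting an uncovered asset, penalty (negative)
# for hitting a covered one. Not attacking always pays 0. Deterrence must hold
# for every type, so the priors over types play no role in this check.
ATTACKER_TYPES = {
    "insider": {"reward": {"db": 8, "mail": 3, "kiosk": 1},
                "penalty": {"db": -4, "mail": -2, "kiosk": -1}},
    "outsider": {"reward": {"db": 5, "mail": 6, "kiosk": 2},
                 "penalty": {"db": -5, "mail": -1, "kiosk": -2}},
}

def attack_payoff(coverage: float, reward: float, penalty: float) -> float:
    """Attacker's expected payoff against an asset covered with probability `coverage`."""
    return coverage * penalty + (1.0 - coverage) * reward

def min_coverage(types: Dict[str, dict]) -> Dict[str, float]:
    """Smallest coverage per asset at which attacking pays <= 0 for every type.
    Solving c*penalty + (1-c)*reward <= 0 gives c >= reward / (reward - penalty)."""
    assets = next(iter(types.values()))["reward"]
    return {a: max(t["reward"][a] / (t["reward"][a] - t["penalty"][a])
                   for t in types.values()) for a in assets}

def deterrence_feasible(needed: Dict[str, float], resources: float) -> bool:
    """Exact deterrence needs total coverage no larger than the resource budget."""
    return sum(needed.values()) <= resources + 1e-9

def under_protected(coverage: Dict[str, float], types: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(asset, attacker type) pairs for which attacking still beats not attacking.
    Ties (payoff exactly 0) count as deterred, the usual SSE tie-breaking."""
    return [(a, name) for a, c in coverage.items() for name, t in types.items()
            if attack_payoff(c, t["reward"][a], t["penalty"][a]) > 1e-9]

if __name__ == "__main__":
    needed = min_coverage(ATTACKER_TYPES)
    print("coverage needed per asset:", needed)  # db 0.667, mail 0.857, kiosk 0.5
    print("2 resources enough?", deterrence_feasible(needed, 2))  # False: 2.02 > 2
    plan = {"db": 0.7, "mail": 0.8, "kiosk": 0.5}  # a constructed 2-resource plan
    print("still exposed:", under_protected(plan, ATTACKER_TYPES))  # [('mail', 'outsider')]
```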

Thanks!
And Sun Tzu's old rules still work!!
One who knows the enemy and knows himself will not be endangered in a hundred engagements
One who does not know the enemy but knows himself will sometimes be victorious
One who knows neither the enemy nor himself will invariably be defeated in every engagement

Ali Dehghantanha
AliD@fsktm.upm.edu.my
