Using Bayesian Game Model for Intrusion Detection in Wireless Ad Hoc Networks

Wireless ad hoc networks are becoming a new research frontier, in which security is an important issue. Usually some nodes act maliciously and are able to mount different kinds of Denial of Service (DoS) attacks. Because resources are limited, an intrusion detection system (IDS) that runs all the time to detect the attacker's intrusions is a costly overhead. We use game theory to model the interactions between the intrusion detection system and the attacker, and a realistic model is given by using a Bayesian game. We solve the game by finding the Bayesian Nash equilibrium. The results of our analysis show that the IDS could work intermittently without compromising its effectiveness. At the end of this paper, we provide an experiment to verify the rationality and effectiveness of the proposed model.


Introduction
A wireless ad hoc network (WANET) is a collection of mobile nodes in which the nodes communicate with each other without the help of any fixed infrastructure [1]. Nodes within each other's radio range communicate directly via wireless links, while those that are far apart use other nodes as relays. Because of the limited resources, some nodes may act selfishly. Ad hoc network misbehavior may be inflicted by malicious nodes, each of which aims at harming the network operation; consequently, mechanisms that enforce security present a particular challenge. One way to avoid the harm done by malicious nodes is to use an intrusion detection system, which watches for any intrusion and raises an alarm when an intrusion is detected. The intrusion detection and response mechanism is described in [2].
In recent years, we have seen researchers using game theory in the area of ad hoc networks. It is a powerful tool in that it can be used to model any system which exhibits the characteristics of a game. In a WANET, mobile nodes typically have selfish motivations, lack cooperation among themselves, and have conflicting interests with each other. These characteristics make game theory (GT) a promising tool to model, analyze, and design various aspects of WANETs. We have given a two-player game to model the interactions between an intrusion detection system and an attacker in a wireless ad hoc network. Each defender is equipped with an intrusion detection system (IDS) in order to monitor the activity of an attacker.
The rest of the paper is organized as follows. Section 2 discusses related work. Section 3 describes the one-stage game and multi-stage game, and Bayesian Nash equilibrium solutions are investigated. Section 4 presents numerical examples to verify the effectiveness of the proposed game. The conclusion of the paper is in Section 5.

Related Work
Game theory has been successfully applied to many disciplines including economics, political science, and computer science. Game theory usually considers a multiplayer decision problem where multiple players with different objectives can compete and interact with each other. In the context of intrusion detection, several game theoretic approaches have been proposed for wired networks, sensor networks, and ad hoc networks.
Yenumula B. Reddy [3] discusses currently available intrusion detection techniques and attack models using game theory, and then proposes a new framework to detect malicious nodes in wireless sensor networks using a zero-sum game approach for nodes in the forward data path. The first part of the research provides the game model with the probability of energy required for transferring the data packets. The second part derives the model to detect the malicious nodes using the probability of acknowledgement at the source. Yuhan Moon, Violet R. Syrotiuk [4] present CCM-MAC, a cooperative CDMA-based multi-channel medium access control (MAC) protocol for mobile ad hoc networks (MANET) in which each node has one half-duplex transceiver. They provide an analysis of the maximum throughput of CCM-MAC and validate it through simulation in MATLAB, and also compare the throughput it achieves to IEEE 802.11, a multi-channel MAC protocol, and a CDMA-based MAC protocol.
In [4] Hadi Otrok et al. address the problem of increasing the effectiveness of an intrusion detection system (IDS) for a cluster of nodes in ad hoc networks, and formulate a zero-sum non-cooperative game between the leader and intruder. They solve the game by finding the Bayesian Nash equilibrium where the leader's optimal detection strategy is determined. Finally, empirical results are provided to support their solutions.
Yu Liu, Cristina Comaniciu and Hong Man [5] have used a static Bayesian game and a dynamic Bayesian game to model the interactions between attacker and defender in ad hoc networks. They have shown that the static game leads to a mixed-strategy Bayesian Nash equilibrium when the defender's belief of the attacker being malicious is high, and the dynamic game has a mixed-strategy perfect Bayesian equilibrium. In [6], they have used game theory for developing efficient defense strategies for a network with multiple IDSs. They have formulated a non-zero-sum, noncooperative attacker/defender game where the payoffs of players are non-strictly competitive. They have shown that the game achieves at least a Nash equilibrium that leads to a defense strategy for the defender.
A two-player, non-cooperative, non-zero-sum game has also been studied by Agah et al. [7] and Alpan and Basar [8] to address attack-defense problems in sensor networks. In their models, each player's optimal strategy depends only on the payoff function of the opponent and the game is assumed to have complete information. [9][10][11] have given a similar model, but the game is assumed to have incomplete information.
Our model is similar to the ones mentioned in the aforementioned works in that it is a two-player, nonzero-sum and noncooperative game. However, our work is not aimed at giving the best strategy of the defender. In this paper, we have given a one-stage game and a multi-stage game. In the proposed works, the IDS of the defender runs all the time, which is a costly overhead for a battery-powered mobile device since nodes have limited resources. The results of our model show that the IDS could work intermittently.

Game Model
In this section we present our game model. An IDS attempts to detect intrusion from an attacker. Hence, we may look at this as a game between two players, the IDS and the attacker. The attacker is denoted by i and the IDS is denoted by j. The player i's intent is to attack the network without getting caught, whereas that of the player j is to detect intrusion when the attacker attacks. There is no cooperation whatsoever between the two players.
Player has two types, regular that is denoted by i 0 i   and malicious is denoted by Node's type is his private information and IDS is uncertain about its opponent's type.IDS has only one type, that is regular or 0 j   and it is common knowledge for both players.
To present our model, we make the following assumptions. An IDS need not be running all the time during which the wireless ad hoc network is up. The pure strategy space of this player is denoted by j S = (Monitor t of the time, Not monitor), . The first strategy of player depicts the situation when the IDS is active for some percentage (denoted by ). For example, if the IDS detects by monitoring the traffic, the IDS periodically monitors the traffic and the rest of the time, it sits idle. Likewise, an attacker need not be trying to attack 100% of the time. The malicious type of player has two pure strategies: Attack s of the time and Not attack, The regular type of player has one pure strategy: Not attack. The two players choose their strategies simultaneously at the beginning of the game, assuming common knowledge about the game (costs and beliefs). i We first consider the scenario of the IDS. Tables 1-2 illustrate the payoff matrix of the game in strategic form. In the matrix, represents the detection rate of the IDS, represents the false alarm rate of the IDS, and . In the Table 1(a), the payoff matrix for the

(1 (1 )  .When the player is not active and there is an attack, so the payoff of the player is . The entry at position (row 2, column 1) is .is the overall loss incurred by the player for the false detection.The rest of the entry of the matrix is zero as the player plays Not attack.
The payoff matrix for the player when the player is malicious is defined as shown in Table 1(b). In contrast, the gain of player i is the loss of player , which is (1 - 2a)tsm + (1 - t)sl. The entry at (row 1, column 2) is the same as in previous scenario. For the other entries, when the player plays (Not attack), his payoff is always .
The payoff matrix for the player when it is regular is given in Table 2. The player has only one strategy when it is regular. The payoff of player i is always 0. If player i decides not to monitor, his payoff is 0; if he decides to play S j (1), he has the monitoring cost and an expected loss due to the false alarm, so his payoff is .

One-Stage Game
The intent of both players is to maximize their own payoff. This implies that we assume that both players are rational. Suppose player assigns a prior probability j 0 to player i is malicious. In the following, we use Bayesian Nash equilibrium (BNE) to analyze the game model, based on the assumption that is a common prior.
If player plays his pure strategy pair (Attack s of the time if malicious, Not attack if regular), then the expected payoff of player is .
We previously showed that no pure-strategy BNE exists for the game when 0 2 d bn c asm sm sl bn there is a mixed-strategy BNE. Let be the probability with which the player plays its first strategy. Hence, is the probability with which it plays the second strategy. Similarly, let be the probability with which the player plays its first strategy. Hence, (1 is the probability with which it plays the second strategy. Then the expected payoff of player is j (1 ) ) , we get that the malicious type of player 's equilibrium strategy is to play first strategy with probability and the expected payoff of player is i ( ( 1)) ( (1 ) ( 1)

From
, we get that the equilibrium strategy of player is to play first strategy with probability The above described game is a static game, for which the players maximize their utilities based on the payoff matrix for the game. Due to the difficulty of assigning accurate prior probabilities for player i's type, we extend the static to dynamic game, where the player j can update his beliefs according to the Bayes' rule.

Multi-Stage Game
The aforesaid one-stage game is a static Bayesian game, for which the player j maximizes his payoff based on a fixed prior about the maliciousness of his opponent. The lifetime of the network could be broken down into intervals of time and our game could be used as a repeated game over these intervals. So, we extend the one-stage game to a multi-stage game.
We assume that the one-stage game is repeatedly played in each time period t_k, where k = 0, 1, … An interval of T seconds may be selected for each stage game. In order to get a simple model, we assume that T = 1. The payoffs of the players in each stage game are the same as in the preceding one-stage game, and we assume that there is no discount factor with respect to the payoffs of the players. The extensive form of each game can be represented in a similar manner as for the static one-stage game.
In our model, the player 's type is known to all the player while the player 's type is selected from the type set ={malicious, regular}. Knowing that the player 's type is a private information. Bayesian equilibrium [12] dictates that the player 's action depends on his type By observing the behavior of the player , the player can calculate the posterior belief evaluation function the equilibrium strategy of player is to play his first strategy with probability So the PBE of the game is given as ( , , ()) with ( , , ()) given by Equations (1)-(3).

Example
For . From Figure 1, we see that the higher is, the faster posterior belief converges to 1. By contrast, Figure 2 shows that the lower is, the faster posterior belief converges to 1. In other words, the detection accuracy of the IDS affects the convergence speed of player 's posterior belief. From Figure 3, we see that the lower time of attacking, the faster posterior belief converges to 1. From Figure 4, we see that the higher , converges to 1 faster than the second scenario. This is because in the first scenario the player starts to attack earlier compared to the second scenario. Once the belief reaches 1, it does not go down even if the player is not attacking since the type has already been identified.
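The convergence behaviour discussed above can be reproduced with a short Bayes-rule update; this is an added example, not the authors' code. The likelihood model and the names `a` (detection rate), `b` (false alarm rate), `p` (per-stage attack probability of a malicious node) and `mu` (belief that the opponent is malicious) are assumptions of the example, not the paper's Equations (1)-(3).

```python
# Added illustration, not the paper's code. Assumed likelihood model:
#   a malicious node attacks in a stage with probability p;
#   the IDS flags an attack with detection rate a when one occurs and
#   with false alarm rate b when none occurs; a regular node never attacks.


def update_belief(mu, flagged, a, b, p):
    """Posterior P(malicious) after one stage's observation (Bayes' rule)."""
    if not all(0.0 <= x <= 1.0 for x in (mu, a, b, p)):
        raise ValueError("probabilities must be in [0, 1]")
    like_mal = a * p + b * (1.0 - p)  # P(flag | malicious)
    like_reg = b                      # P(flag | regular): false alarm only
    if not flagged:
        like_mal, like_reg = 1.0 - like_mal, 1.0 - like_reg
    evidence = mu * like_mal + (1.0 - mu) * like_reg
    if evidence == 0.0:
        return mu  # observation impossible under both types: keep the prior
    return mu * like_mal / evidence


def belief_trajectory(mu0, observations, a, b, p):
    """Posterior after each observation in order (True = attack flagged)."""
    beliefs, mu = [], mu0
    for flagged in observations:
        mu = update_belief(mu, flagged, a, b, p)
        beliefs.append(mu)
    return beliefs


def stages_to_reach(mu0, threshold, a, b, p, max_stages=1000):
    """Consecutive flagged stages needed for the belief to reach threshold."""
    mu = mu0
    for k in range(1, max_stages + 1):
        mu = update_belief(mu, True, a, b, p)
        if mu >= threshold:
            return k
    return None  # never reached, e.g. a == b makes a flag uninformative


if __name__ == "__main__":
    # Constructed parameters, chosen only to show the trend.
    for a, b in [(0.9, 0.05), (0.4, 0.05), (0.9, 0.2)]:
        k = stages_to_reach(0.1, 0.99, a, b, p=0.5)
        print(f"a={a} b={b}: belief >= 0.99 after {k} flagged stages")
    # A belief of exactly 1 is absorbing: later quiet stages do not lower it.
    print(belief_trajectory(0.1, [True] * 3 + [False] * 2, 0.9, 0.0, 0.5))
```

Under this assumed model a higher detection rate or a lower false alarm rate shortens the number of flagged stages needed, and a belief of 1 stays at 1 through stages with no flagged attack.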

Conclusions
In this paper, our goal is to determine whether it is essential to always keep the IDS running without compromising on its effectiveness. First of all, we assume that the IDS works intermittently. Then, we model the interaction between the intrusion detection system and an attacker as a one-stage game, and show that this game has two Bayesian Nash equilibria. Second, we model this game as a multi-stage game, where the IDS does not have fixed prior probabilities about the type of its opponent and can update its belief at the end of each stage of the game, and show that this game has a mixed-strategy perfect Bayesian equilibrium. The results of the proposed two games show that the IDS could work intermittently while getting the same effectiveness.

d
of detecting the attack depends on the value of , which is

THEOREM 2 :
In the described game-theoretic model, the strategy pair ((Attack s of the time with probability if malicious, Not attack if regular), Monitor t of the time with probability ,

Figure 5 Figure 1 .
Figure 5 shows the posterior belief of the player for these two scenarios. The belief for the first scenario j

Figure 2. Convergence of player j's posterior beliefs given the observations of a sequence of consecutive Attack actions under various b.

Figure 3. Convergence of player j's posterior beliefs given the observations of a sequence of consecutive Attack actions under various s.

Figure 4. Convergence of player j's posterior beliefs given the observations of a sequence of consecutive Attack actions under various .d c

Table 2 . The type of player is regular.
i S (1) i S(2) ) ) We can see that the multistage game satisfies (2) from Equation (1). In our multistage game context, player 's signal is part of attack actions, thus (3) is satisfied. Because there are only two players in the game at any stage, the condition (4) is satisfied.