Patterns of Strategies

For a more mathematical explanation of patterns of strategies, please see Mathematics of Strategy Patterns

The patterns here are not the same as the "Strategy Pattern" of object-oriented design. However, the term "strategy" in design patterns has the idea of using one class that encapsulates different approaches to doing a task, and thus shares the idea of generalization with strategies in games. Our use of "Strategy Patterns" or "Patterns of Strategies" is the same as the notion of strategies in games - here the games are against intruders. Let us start with a confidence game.

A Nigerian scam promises you a part of some ill-gotten booty in return for providing an initial investment. The promise takes many different forms. The email writer may be a military general or assistant to a minister or bank employee who has access to some illegally obtained wealth. Usually there is some convoluted reason provided for needing your help to get this illegal wealth.

Even though the actual letters tell various creative stories, the general plot of the letters is the same. But if you classify these letters using the old but popular vector space text classification method, the actual words matter, and different letters are not seen as part of the same plot. Since most people have received such letters at some time, we understand the pattern of the Nigerian scam. We quickly learn to ignore the words in the stories and recognize the strategy behind these letters.

It would be nice to filter out these letters so that nobody falls victim to these scams. Software for filtering involves some patterns associated with words in the letters. This is not a very reliable method. To see that word-based schemes are not reliable, see how Google News classifies news stories incorrectly. For example, often you will see stories involving "firewall" whether it is in politics or an actual fire wall in Yosemite getting classified with computer security news.

Word-based email classification, which is similar to byte-pattern-based malware classification, does not always work right, because the concept (or, equivalently, the strategy) is not found in the common patterns of words or bytes. In fact, since we do not want to miss potential malware, we match too many patterns and thus create a lot of false positives, i.e. things that are classified as potentially bad but are not truly so. As a result, human analysts cannot realistically study each of these possible problems, and that causes us to miss real problems.

With strategy patterns, we know there are only a few strategies to consider. Even though there are different hosts or byte patterns or emails involved, there are only a few strategies that relate to security threats. Thus identifying strategies instead of word or byte patterns dramatically reduces the number of false positives.

What are strategies?

Strategy is a term used for some method to do something. In computation, we may have strategies to play a game like chess. The computer may have a strategy that evaluates a play and selects the next move.

Just like there are different types of speech samples, there are different types of strategies. For chess, a strategy may be one that assigns values to the pieces on the board and then picks the next move to increase this value. One such value assignment method may give 10 points to a queen, 5 points to a rook, etc. Suppose instead the assignment gives 15 points to a queen and 4 points to a rook. The strategy based on this assignment has the same strategy pattern as the one based on the original assignment.

Many forms of malware make similar types of modifications rapidly. This is a tactic to evade anti-virus systems, since such systems may look for a particular pattern of bytes to identify malware among email attachments. But if the malware program changes these bytes without changing its function, the anti-virus system may not recognize the malware. In this case, the function of the malware is the strategy to do something bad. This does not change, but the pattern of bytes making up the malware may change.

Just like we can recognize Nigerian scams, we can recognize malware strategies once we study various attacks. For example, we recognize strategies used in sports. But it is difficult to describe strategies. For example, in (American) football, strategies are often described with pictures showing the starting position of various players. The following picture from Wikipedia


shows the shotgun formation in football. This is only the starting position. The actual strategy involves starting from this position and doing various things depending on the actions of the opposing team. A picture cannot show all these plays, since there are many variations depending on the movements of the opposing players.

For malware also, it is difficult to show the strategy pattern from pictures. But we can find what is common among several pictures to get an idea of the strategy. One such example shows a file-locking type of attack and the strategy pattern associated with it.

There is a mathematical way to describe and study strategies. This is related to game theory.

Game Trees

We can understand strategies by looking at changes to a playing field or a game board. There is a general way to think about this, by looking at different outcomes as a tree that can grow.

This shows different types of trees where they grow downwards. For example, an organization has a CEO or Chairman, and the rest of the organization grows downwards from this person. A file system grows from its starting location. A real root system for a plant also grows like this.

We can use an abstract picture of a triangle opening downwards to indicate all sorts of trees like these. That tree shows the whole playing space (it could be a field, a board, or an organization). Often we can understand strategies by seeing how the game gets localized to different parts of that space.

This picture shows a conceptual tree of a file system, where there are subtrees for each user. We can try to understand the strategy of an attack partly by considering the area of the file system that is under attack. For example, one part of storage, say /home/carol may be the file system of an administrator, and a hacker may search that area to find some system-wide passwords. We can understand something about the strategy of the hacker from this activity, though we may not understand everything. For a similar example, think of soccer. Even if we do not understand all the strategies in a soccer game, we can at least make out the different ways that the players move based on whether the ball is near the middle of the field or near one of the goals.

This movement between areas is helpful in understanding strategies. We can see how an attacker moves through a system. To understand malware movement in particular, it is useful to compare attacker movements to the behavior of pesky bugs.

Mosquitoes of Malware

Even though we commonly think of a hacker as an evil mastermind, in many cases a mosquito is a better representation of a "threat agent." Mosquitoes are small, but can cause an enormous amount of harm. The victim barely notices the infecting bite which later causes severe illness, even spreading to others. Quite like malware.

Let us consider how a mosquito behaves, and how we recognize that it is a mosquito rather than some other random bug. The mosquito persistently explores ways to find her victim; other happy-go-lucky bugs fly around and perhaps get into your nose, but they have no such diligent purpose. We have to recognize the mosquito by its relentless pursuit of the human victim, shown by the red trail in the following picture.

Suppose we imagine being in a hotel in an exotic (i.e. full of bugs) location. The human victim of mosquito attacks can try to protect himself by staying in a room and, even within the room, inside a mosquito net. But often somebody holds a door open too long, leaves a window open, or ignores a mosquito hitching a ride on their clothes, and lets one or two in. The mosquito gets lucky in each of these situations, but its strategy is not that lucky incident. Instead, as shown in the picture, the mosquito persistently searches for an opportunity by trying every possible gap in the human defenses.

More abstractly, we can think of spaces. We may think of the hotel as the big space, with a room inside it as a subspace. A firewall is something similar: generally closed to malware, with a few ports opened to chosen visitors. We hope the firewall stops all malware.

In this case, let us suppose that a hacker, like a mosquito, wants to get to the database area of storage. The hacker may probe the firewall for any open port, just like a mosquito would search for a way to get inside.

Just as in the hotel, we may have layers of security. Beyond the first firewall, we may have more localized barriers. For example, we may have a few open ports in the firewall, but even if the hacker gets in through there, he is likely to face some other barrier before getting inside the database. The hacker's approach is to again persistently search for an opening, perhaps guessing a password, perhaps exploiting a little-known vulnerability.

Again, just like with the mosquito, we should be able to recognize the persistent movement of the attacker as he tries to get through the database barriers.

Recognize the malware strategy

The strategy of the mosquito is similar to the strategies of hackers. They generally have to experiment to find openings. It may be an unpatched vulnerability. It may be an open port. The hacker usually does not know in advance where he may find a lucky gap. But by looking persistently, he is likely to find some gaps, and often does.

We can't hope to close all gaps, since people are careless and leave doors and ports open. But we can recognize the hacker's strategy. It shows the same persistence that we see in the mosquito's behavior.

Such persistences are mathematical objects considered in game theory. They can be extracted from network and system logs of various kinds. You can see one example of how this is done in a Netresec data analysis example. There, the logs show persistent attempts to break in through any open port, but what we recognize is not the break-in itself, but rather the strategy pattern of experimenting to find a way to compromise a system.
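A defender-side illustration of pulling this persistence pattern out of logs, added here as an example and not part of the page or the Netresec analysis it refers to: it parses a few constructed firewall lines (the IPs, ports and timestamps are made up) and flags any source that tries many distinct ports within a short window. The detection keys on the breadth and persistence of the probing, not on which ports or payloads were involved.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines for the example: time, source, destination port, verdict.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=203.0.113.5 dport=21 action=DROP
2024-03-01T10:00:02 src=203.0.113.5 dport=22 action=DROP
2024-03-01T10:00:02 src=198.51.100.7 dport=443 action=ACCEPT
2024-03-01T10:00:03 src=203.0.113.5 dport=23 action=DROP
2024-03-01T10:00:04 src=203.0.113.5 dport=80 action=ACCEPT
2024-03-01T10:00:05 src=198.51.100.7 dport=443 action=ACCEPT
2024-03-01T10:00:06 src=203.0.113.5 dport=443 action=ACCEPT
2024-03-01T10:00:07 src=203.0.113.5 dport=3306 action=DROP
2024-03-01T10:00:09 src=203.0.113.5 dport=8080 action=DROP
2024-03-01T10:00:10 src=198.51.100.7 dport=443 action=ACCEPT
"""

def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a parsed time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(stamp)
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records

def find_persistent_probers(records, window_seconds=60, min_ports=5):
    """Return sources that touched at least min_ports distinct ports inside any
    window_seconds span, with the ports seen and how many attempts were dropped.
    A visitor that only ever hits one service (198.51.100.7 above) is not flagged;
    the source that walks through port after port (203.0.113.5) is."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)
    probers = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:]
                      if (r["time"] - first["time"]).total_seconds() <= window_seconds]
            ports = {r["dport"] for r in window}
            if len(ports) >= min_ports:
                probers[src] = {"ports": sorted(ports),
                                "dropped": sum(r["action"] == "DROP" for r in window)}
                break  # first qualifying window is enough to flag this source
    return probers
```

Raising `min_ports` or shrinking `window_seconds` trades sensitivity for fewer false positives; the point is that a legitimate client repeating one port many times never qualifies, however many lines it produces.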