Advanced Persistent Threats Detection Game with Expert System for Cloud
Cite this article: Hu Qing, Lü Shichao, Shi Zhiqiang, Sun Limin, Xiao Liang. Advanced Persistent Threats Detection Game with Expert System for Cloud[J]. Journal of Computer Research and Development, 2017, 54(10): 2344-2355. DOI: 10.7544/issn1000-1239.2017.20170433
Authors: Hu Qing, Lü Shichao, Shi Zhiqiang, Sun Limin, Xiao Liang
Affiliations: 1(School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049); 2(Beijing Key Laboratory of IoT Information Security Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093); 3(Department of Communication Engineering, Xiamen University, Xiamen, Fujian 361005) (huqing@iie.ac.cn)
Funding: National Key Research and Development Program of China (2016YFB0800202); National Defense Basic Scientific Research Program (JCKY2016602B001); National Natural Science Foundation of China (U1636120, 61671396); Beijing Municipal Science and Technology Commission Project (Z161100002616032); CCF-Venustech Hongyan Research Fund (2016-010)
Abstract: Cloud computing systems are prime targets of advanced persistent threats (APT). Automated APT detectors struggle to identify APT attacks accurately; double-checking suspicious behaviours with an expert system can reduce detection errors. However, the expert system needs extra time to complete its second check, which may delay the defensive response, and the expert system itself can also misjudge. Taking into account the false-alarm and miss-detection rates of both the APT detector and the expert system, this paper uses game theory to examine whether a second check by the expert system is necessary in APT detection and defense for cloud computing systems. An expert-system-based APT detection scheme is designed, an ES-APT detection game model is proposed, its Nash equilibrium is derived, and on that basis the improvement the expert system brings to the security performance of the cloud computing system is studied. Furthermore, for the case in which the APT attack model cannot be obtained, a scheme that uses a reinforcement learning algorithm to obtain the optimal defense strategy is proposed. Simulation results show that the dynamic ES-APT detection scheme based on the WoLF-PHC algorithm improves the defender's utility and the security of the cloud computing system compared with the other benchmark schemes.

Keywords: advanced persistent threats; cloud security; expert system; game theory; reinforcement learning

Advanced Persistent Threats Detection Game with Expert System for Cloud
Hu Qing, Lü Shichao, Shi Zhiqiang, Sun Limin, Xiao Liang. Advanced Persistent Threats Detection Game with Expert System for Cloud[J]. Journal of Computer Research and Development, 2017, 54(10): 2344-2355. DOI: 10.7544/issn1000-1239.2017.20170433
Authors:Hu Qing  Lü Shichao  Shi Zhiqiang  Sun Limin  Xiao Liang
Affiliation:1(School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049);2(Beijing Key Laboratory of IOT Information Security Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093);3(Department of Communication Engineering, Xiamen University, Xiamen, Fujian 361005)
Abstract: Cloud computing systems are under threat from advanced persistent threats (APT). It is hard for an autonomous detector to discover APT attacks accurately. The expert system (ES) can help to reduce detection errors by double-checking suspicious behaviors. However, it takes an extended period of time for the ES to recheck, which may lead to a defense delay. Besides, the ES makes mistakes too. In this paper, we discuss the necessity of the ES participating in APT detection and defense for a cloud computing system by game theory, taking into account the miss detection rates and false alarm rates of both the APT detector and the ES. The ES-based APT detection method is designed, and the ES-APT game between an APT attacker and a defender is formulated. We derive its Nash equilibrium and analyze how the ES enhances the security of the cloud computing system. The dynamic game is also studied, for the case in which the APT attack model is unknown. We present a reinforcement learning scheme for the cloud computing system with ES to obtain the optimal strategy. Simulation results show that, with the knowledge of the ES, both the defender's utility and the cloud computing system's security are improved compared with benchmark schemes.
Keywords:advanced persistent threats (APT)  cloud security  expert system (ES)  game theory  reinforcement learning
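The dynamic case described in the abstract, where the defender learns its strategy without knowing the attack model, can be illustrated with a WoLF-PHC learner. The block below is an added example, not the paper's code: the ES-APT game is reduced to a single-state game in which the defender either acts on the APT detector alone or sends the alert to the ES for double-checking, the attacker attacks or stays idle, and every error rate, delay cost and loss value is an assumed, constructed number.

```python
"""WoLF-PHC defender for a simplified ES-APT game (added illustration).

Constructed model, not the paper's: the defender either acts on the APT
detector alone (action 0) or sends the alert to the expert system (ES) for
double-checking (action 1); the attacker attacks (1) or stays idle (0).
All rates and costs below are assumed values, not results from the paper.
"""
import random

FAR_DET, MDR_DET = 0.30, 0.30     # detector false-alarm / miss-detection rate (assumed)
FAR_ES, MDR_ES = 0.05, 0.10       # ES false-alarm / miss-detection rate (assumed)
ES_DELAY_COST = 0.08              # utility lost while waiting for the ES verdict (assumed)
LOSS_MISS, LOSS_FALSE = 2.0, 1.0  # cost of a missed attack / of a false alarm (assumed)


def defender_utility(use_es: int, attack: int) -> float:
    """One-round expected defender utility. With the ES double-check, an
    error survives only if both the detector and the ES err (constructed
    simplification of the composed error rates)."""
    miss = MDR_DET * (MDR_ES if use_es else 1.0) if attack else 0.0
    false_alarm = FAR_DET * (FAR_ES if use_es else 1.0) if not attack else 0.0
    delay = ES_DELAY_COST if use_es else 0.0
    return -(LOSS_MISS * miss + LOSS_FALSE * false_alarm + delay)


def wolf_phc_defender(rounds=3000, p_attack=0.5, alpha=0.1,
                      delta_win=0.01, delta_lose=0.04, seed=7):
    """Learn the defender's mixed strategy with WoLF-PHC against a stationary
    attacker who attacks with probability p_attack. The learner never sees
    the attack model, only its own reward. Returns the final policy [P(detector
    only), P(use ES)]."""
    rng = random.Random(seed)
    q = [0.0, 0.0]          # action values (single-state repeated game)
    pi = [0.5, 0.5]         # current mixed strategy
    pi_avg = [0.5, 0.5]     # running average strategy, the WoLF reference point
    for t in range(1, rounds + 1):
        a = 1 if rng.random() < pi[1] else 0
        attack = 1 if rng.random() < p_attack else 0
        q[a] += alpha * (defender_utility(a, attack) - q[a])   # Q-learning step
        for i in range(2):                                     # average-policy update
            pi_avg[i] += (pi[i] - pi_avg[i]) / t
        # "Win or Learn Fast": small step while the current policy beats its average
        winning = sum(p * v for p, v in zip(pi, q)) > sum(p * v for p, v in zip(pi_avg, q))
        delta = delta_win if winning else delta_lose
        best = 0 if q[0] > q[1] else 1                         # policy hill climbing
        pi[best] = min(1.0, pi[best] + delta)
        pi[1 - best] = 1.0 - pi[best]
    return pi
```

With the assumed numbers the ES double-check dominates for both attacker behaviours, so the learned policy converges to always sending alerts to the ES; raising ES_DELAY_COST is the quickest way to see the opposite outcome.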