The Internet of Things (IoT) will impact a diverse set of consumer, public sector, and industrial systems. Smart homes and buildings, autonomous vehicles and transportation, and the interaction between wearable fitness devices and social networks provide a few examples of application areas which will be particularly impacted by the IoT. One definition of the IoT is a “dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols where physical and virtual ‘things’ have identities, physical attributes, and virtual personalities” . This definition envisions a decentralized, heterogeneous network with plug-and-play capabilities. The related concept of cyber-physical systems (CPS) refers to “smart networked systems with embedded sensors, processors, and actuators” .  provides a detailed introduction to CPS and reports on its development status. The term CPS emphasizes the “systems” nature of these networks. In both IoT and CPS, “the joint behavior of the ‘cyber’ and physical elements of the system is critical—computing, control, sensing, and networking can be integrated into every component” . The importance of sensing, actuation, and control to devices in the IoT has given rise to the term “Internet of controlled things,” or IoCT. Hereafter, we refer to the IoCT as a way to address challenges of both CPS and IoT.
The IoCT requires an interface between heterogeneous components. Local clouds (or fogs or cloudlets) offer promising solutions. In these networks, a cloud provides services for data aggregation, data storage, and computation. In addition, the cloud provides a market for the services of software developers and computational intelligence experts . Figure 1 depicts a cloud-enabled IoCT. In this network, sensors push environment data to the cloud, where it is aggregated and sent to devices (or “things”), which use the data for feedback control. These devices modify the environment, and the cycle continues. Note that the control design of the IoCT is distributed, since each device can determine which cloud services to use for feedback control.
I-A Advanced Persistent Threats in the Cloud-Enabled IoCT
Unfortunately, cyberattacks on the cloud are increasing as more businesses utilize cloud services . To provide reliable support for IoCT applications, sensitive data provided by cloud services needs to be well protected . In this paper we focus on the attack model of advanced persistent threats (APTs): “cyber attacks executed by sophisticated and well-resourced adversaries targeting specific information in high-profile companies and governments, usually in a long term campaign involving different steps” . In the initial stage of an APT, an attacker penetrates the network through techniques such as social engineering, malicious hardware injection, theft of cryptographic keys, or zero-day exploits . For example, the Naikon APT, which targeted governments around the South China Sea in 2010-2015, used a bait document that appeared to be a Microsoft Word file but was actually a malicious executable that installed spyware . The cloud is particularly vulnerable to initial penetration through application-layer attacks, because many applications are required for developers and clients to interface with the cloud, and each of them widens the attack surface. Cross-site scripting (XSS) and SQL injection are two common application-layer attacks. In SQL injection, attackers supply input containing string-literal escape characters (such as a single quote) to fields whose contents are concatenated into a query without proper escaping or parameterization; the injected SQL executes on the server, where it can be used to read or modify data or to bypass authentication. By contrast, XSS targets code execution in the browser on the client side. Such attacks give attackers an initial entry point into a system, from which they can work toward more complete, insider-level control. iSTRICT applies to many such scenarios because it abstracts away the specific intrusion mechanism and models its outcome: control of a cloud service, which can be used to transmit malicious signals to a CPS and cause physical damage.
I-B Strategic Trust
Given the threat of insider attacks on the cloud, each IoCT device must decide which signals to trust from cloud services. Trust refers to positive beliefs about the perceived reliability of, dependability of, and confidence in another entity . These entities may be agents in an IoCT with misaligned incentives. Many specific processes in the IoCT require trust, such as data collection, aggregation and processing, privacy protection, and user-device trust in human-in-the-loop interactions . While many factors influence trust, including subjective beliefs, we focus on objective properties of trust. These include 1) reputation, 2) promises, and 3) interaction context. Many trust management systems are based on tracking reputation over multiple interactions. Unfortunately, agents in the IoCT may interact only once, making reputation difficult to accrue . This property of IoCT also limits the effectiveness of promises such as contracts or policies. Promises may not be enforceable for entities that interact only once. Therefore we focus on strategic trust that is predictive rather than reactive. We use game-theoretic utility functions to capture the motivations for entities to be trustworthy. These utility functions change based on the particular context of the interaction. In this sense, our model of strategic trust is incentive-compatible, i.e., consistent with each agent acting in its own self-interest.
I-C Game-Theoretic iSTRICT Model
We propose a framework called iSTRICT, which is composed of three interacting layers: a cloud layer, a communication layer, and a physical layer. In the first layer, the cloud-services are threatened by attackers capable of APTs and defended by network administrators (or “defenders”). The interaction at each cloud-service is modeled using the FlipIt game recently proposed by Bowers et al.  and van Dijk et al. . iSTRICT uses one FlipIt game per cloud-service. In the communication layer, the cloud-services—which may be controlled by the attacker or defender according to the outcome of the FlipIt game—transmit information to a device which decides whether to trust the cloud-services. This interaction is captured using a signaling game. At the physical layer, the utility parameters for the signaling game are determined using optimal control. The cloud, communication, and physical layers are interdependent. This motivates an overall equilibrium concept called Gestalt Nash equilibrium (GNE). GNE requires each game to be solved optimally given the results of the other games. Because this is a similar idea to best-response in Nash equilibrium, we call the multi-game framework a game-of-games.
In summary, we present the following contributions:
Trust Model: We develop a multi-layer framework (iSTRICT) and associated equilibrium concept (GNE) to capture interdependent strategic trust in the cloud-enabled IoCT. iSTRICT combines analysis at the cloud, communication, and physical layers.
GNE Analysis: We prove the existence of GNE, and we show that strategic trust in the communication layer guarantees a worst-case probability of compromise regardless of attack costs in the cyber layer.
Adaptive Algorithm: We present an adaptive algorithm using best-response dynamics to compute a GNE.
Autonomous Vehicle Application: We simulate the control of a pair of autonomous vehicles using iSTRICT, and show improvement over the performance under naive policies.
The rest of the paper proceeds as follows. In Section II, we give a broad outline of the iSTRICT model. Section III presents the details of the FlipIt game, signaling game, physical layer control system, and equilibrium concept. Then, in Section IV, we study the equilibrium analytically using an adaptive algorithm. Finally, we apply the framework to the control of autonomous vehicles in Section V.
I-E Related Work
Designing trustworthy cloud service systems has been investigated extensively in the literature. Various methods, including a feedback evaluation component, Bayesian game, and domain partition have been proposed [16, 17, 18]. Trust models to predict the cloud trust values (or reputation) can be mainly divided into objective and subjective classes. The first are based on the quality of service parameters, and the second are based on feedback from cloud service users [16, 19].
In the IoCT, however, agents may not have a sufficient number of interactions, which makes reputation challenging to obtain . In addition, trust value-based cloud trust management systems can be compromised by reputation attacks through fake feedback, which can severely degrade system performance [16, 20]. Therefore, in this work, we aim to design a strategic trust mechanism that is predictive rather than reactive, through an integrative game-theoretic framework. Rather than using trust values [21, 20], IoCT devices in our iSTRICT model make decisions based on the strategies of players at the cloud layer as well as on the physical system performance. This multi-layer design provides resilience to reputation attacks.
Cyber-physical systems security has become a critical concern due to the prevailing threats to both the cyber and physical components of the system [22, 23, 24]. To facilitate secure system design, game theory has been widely adopted to model and capture the strategic interactions between attackers and defenders [25, 26, 27]. Our iSTRICT framework builds on two existing game models. One is the signaling game, which has been used in intrusion detection systems  and network defense . The other is the FlipIt game [10, 15], which has been applied to the security of a single cloud service [25, 30] as well as to AND/OR combinations of cloud services . In contrast to previous works, in this paper we propose a three-layer interdependent model to enable devices to decide whether to trust cloud services that may be compromised. Specifically, trust management decisions are coupled by the dynamics of cloud-enabled devices, because data provided by the cloud services is used for feedback control. Devices must balance the need for as many data sources as possible (in order to increase the quality of the feedback control) with the imperative to reject data sources that are compromised by attackers.
In terms of the technical framework, iSTRICT builds on existing achievements in IoCT architecture design [6, 32, 33, 34], which describe the roles of different layers of the IoCT at which data is collected, processed, and accessed by devices . Each layer of the IoCT consists of different enabling technologies such as wireless sensor networks and data management systems . Our perspective, however, is distinct from this literature because we emphasize an integrated mathematical framework. iSTRICT leverages game theory to obtain optimal defense strategies for IoCT components, and it uses control theory to quantify the performance of devices.
II iSTRICT Overview
We consider a cyber-physical attack in which an adversary penetrates a cloud service in order to transmit malicious signals to a physical device and cause improper operation. This type of cross-layer attack is increasingly relevant in IoCT settings. Perhaps the most famous cross-layer attack is the Stuxnet attack that damaged Iran’s nuclear program. But even more recently, an attacker allegedly penetrated the supervisory control and data acquisition (SCADA) system that controls the Bowman Dam, located less than miles north of Manhattan. The attacker gained control of a sluice gate which manages water level. (The sluice gate happened to be disconnected for manual repair at the time, however, so the attacker could not actually change water levels.) Cyber-physical systems ranging from the smart grid to public transportation need to be protected from similar attacks.
The iSTRICT framework offers a defense-in-depth approach to IoCT security. In this section, we introduce each of the three layers of iSTRICT very briefly, in order to focus on the interaction between the layers. We describe an equilibrium concept for the simultaneous steady-state of all three layers. Later, Section III describes each layer in detail. Table I lists the notation for the paper.
|Cloud services (CSs)|
|Attackers, defenders, device|
|Values of CSs for|
|Values of CSs for|
|Probabilities that controls CSs|
|Probabilities that controls CSs|
|FlipIt mapping for CS|
|Signaling game mapping|
|’s utility in FlipIt game|
|’s utility in FlipIt game|
|Types of CSs|
|Type spaces of CSs|
|Messages from CSs|
|Low or high risk message|
|Actions for CSs|
|Trust or not trust action|
|Signaling game utility of and|
|Signaling game utility for|
|Signaling game mixed strategies of|
|Signaling game mixed strategies of|
|Signaling game mixed strategy for|
|Beliefs of about CSs|
|Signaling game utility for|
|Signaling game utility for|
|State, estimated state, control|
|bias terms of and|
|cloud type matrix|
|Measurements without and with biases|
|Covariance matrices of noises|
|Innovation, innovation thresholds|
|Ratios of CSs’ value for and|
|Spaces of and in a GNE|
|Redefined FlipIt mapping for CS|
|Redefined signaling game mapping|
|Composition of and|
|Fixed-point requirement for a GNE|
II-A Cloud Layer
Consider a cloud-enabled IoCT composed of sensors that push data to a cloud, which aggregates the data and sends it to devices. For example, in a cloud-enabled smart home, sensors could include lighting sensors, temperature sensors, and blood pressure or heart rate sensors that may be placed on the skin or embedded within the body. Data from these sensors is processed by a set of cloud services which make data available for control.
For each cloud service let denote an attacker who attempts to penetrate the service using zero-day exploits, social engineering, or the other techniques described in Section I. Similarly, let denote a defender or network administrator attempting to maintain the security of the cloud service. and attempt to claim or reclaim control of each cloud service at periodic intervals. We model the interactions at all of the services using FlipIt games, one for each of the services.
In the FlipIt game [10, 15], an attacker and a defender gain utility proportional to the amount of time that they control a resource (here a cloud service), and pay attack costs proportional to the number of times that they attempt to claim or reclaim the resource. We consider a version of the game in which the attacker and defender are restricted to attacking at fixed frequencies. The equilibrium of the game is a Nash equilibrium.
Let and denote the values of each cloud service to and respectively. These quantities represent the inputs of the FlipIt game. The outputs of the FlipIt game are the proportions of time for which and control the cloud service. Denote these proportions by and respectively. To summarize each of the FlipIt games, define a set of mappings such that
maps the values of cloud service for and to the proportion of time for which the service will be compromised in equilibrium. We will study this mapping further in Section III-A.
II-B Communication Layer
In the communication layer, the cloud services, each of which may be controlled by or , send data to a device which decides whether to trust the signals. This interaction is modeled by a signaling game. The signaling game sender is the cloud service, whose two possible types are attacker and defender. The signaling game receiver is the device . While we used FlipIt games to describe the cloud layer, we use only one signaling game to describe the communication layer, because must decide which services to trust all at once.
The prior probabilities in the communication layer are the equilibrium proportions and from the equilibrium of the cloud layer. Denote the vectors of the prior probabilities for each service by . These prior probabilities are the inputs of the signaling game.
The outputs of the signaling game are the equilibrium utilities received by the senders. Denote these utilities by and . Importantly, these are the same quantities that describe the incentives of and to control each cloud service in the FlipIt game, because the party which controls each service is awarded the opportunity to be the sender in the signaling game. Define vectors to represent each of these utilities by
Finally, let be a mapping that summarizes the signaling game, where is the power set of . According to this mapping, the set of vectors of signaling game equilibrium utility ratios and that result from the vector of prior probabilities is given by
This mapping summarizes the signaling game. We study the mapping in detail in Section III-B.
II-C Physical Layer
Many IoCT devices such as pacemakers, cleaning robots, appliances, and electric vehicles are dynamic systems that operate using feedback mechanisms. The physical-layer control of these devices requires remote sensing of the environment and the data stored or processed in the cloud. The security of the cloud and communication layers is intertwined with the performance of the controlled devices at the physical layer. Therefore the trustworthiness of the data has a direct impact on the control performance of the devices. This control performance determines the utility of the device as well as the utility of each of the attackers and defenders . The control performance is quantified using a cost criterion for observer-based optimal feedback control. The observer uses data from the cloud services that elects to trust, and ignores those that it decides not to trust. We study the physical layer control in Section III-C.
II-D Coupling of the Cloud and Communication Layers
Clearly, the cloud and communication layers are coupled through Eq. (1) and Eq. (2). The security of the cloud layer serves as an input to the communication layer, and the resulting utilities of the signaling game at the communication layer in turn become inputs to the FlipIt games at the cloud layer. In addition, the physical layer performance quantifies the utilities for the signaling game. Fig. 2 depicts this concept. In order to predict the behavior of the whole cloud-enabled IoCT, iSTRICT considers an equilibrium concept which we call Gestalt Nash equilibrium (GNE). Informally, a triple is a GNE if it simultaneously satisfies Eq. (1) and Eq. (2).
GNE is useful for three reasons. First, cloud-enabled IoCT networks are dynamic. The modular structure of GNE requires the FlipIt games and the signaling game to be at equilibrium given the parameters that they receive from the other type of game. This imposes the requirement of perfection, in the sense that each game must be optimal given the other game. In GNE, perfection applies in both directions, because there is no clear chronological order or directional flow of information between the two games. Actions in each sub-game must be chosen by prior-commitment relative to the results of the other sub-game.
Second, GNE draws upon established results from FlipIt games and signaling games instead of attempting to analyze one large game. IoCT networks promise plug-and-play capabilities, in which devices and users are easily able to enter and leave the network. This also motivates plug-and-play availability of solution concepts. The solution to one sub-game should not need to be totally recomputed if an actor enters or leaves another subgame. GNE follows this approach.
Finally, GNE serves as an example of a solution approach which could be called game-of-games. The equilibrium solutions to the FlipIt games and signaling game must be rational “best responses” to the solution of the other type of game.
III Detailed iSTRICT Model
In this section, we define more precisely the three layers of the iSTRICT framework.
III-A Cloud Layer: FlipIt Game
We use a FlipIt game to model the interactions between the attacker and the defender over each cloud service.
III-A1 FlipIt Actions
For each service, and choose and , the frequencies with which they claim or reclaim control of the service. These frequencies are chosen by prior commitment: neither player knows the other player’s action when she makes her choice. Figure 3 depicts the FlipIt game. The green boxes above the horizontal axis represent control of the service by , and the red boxes below the axis represent control of the service by .
From and , it is easy to compute the expected proportions of the time that and control service [10, 15]. Let denote the set of non-negative real numbers. Define the function such that gives the proportion of the time that will control the cloud service if attacks with frequency and renews control of the service (by changing cryptographic keys or passwords, or by installing new hardware) with frequency . We have
Notice that when , i.e., the attacking frequency of is greater than the renewal frequency of , the proportion of time that service is insecure is , and when , we obtain .
III-A2 FlipIt Utility Functions
Recall that and denote the value of controlling service for and , respectively. These quantities define the heights of the red and green boxes in Fig. 3. Denote the costs of renewing control of the cloud service for the two players by and . Finally, let and be the expected utility functions for each FlipIt game. The utilities of each player are given in Eq. (4) and Eq. (5) by the values and of controlling the service multiplied by the proportions and with which the service is controlled, minus the costs and of attempting to renew control of the service.
Therefore, given the attacker’s action , the defender strategically chooses to maximize the proportion of time for which it controls the cloud service, , while minimizing the cost of choosing .
Note that in the game, the attacker knows and , and the defender knows and . Furthermore, is public information, and hence both players know the frequencies of control of the cloud through (3). Therefore, no communication between the two players at the cloud layer is necessary when determining their strategies.
III-A3 FlipIt Equilibrium Concept
The equilibrium concept for the FlipIt game is Nash equilibrium, since it is a complete information game in which strategies are chosen by prior commitment.
From the equilibrium frequencies and , let the equilibrium proportion of time that controls cloud service be given by according to Eq. (3). The Nash equilibrium solution then determines the mapping in Eq. (1) from the cloud service values and to the equilibrium attacker control proportion , where . The mappings constitute the top layer of Fig. 2.
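As an added example that is not part of the original paper, the following Python implements the cloud-layer mapping of Eq. (1) for one service: the control proportion of Eq. (3) under periodic strategies with uniformly random phase (the piecewise form is the van Dijk et al. result and is assumed here because the equation itself is not reproduced on this page), the utilities of Eq. (4) and Eq. (5), a Nash-equilibrium check over a discrete frequency grid, and closed-form equilibrium frequencies obtained from the first-order conditions of those utilities. The parameter values and function names are assumptions made for the example.

```python
from typing import Iterable, Tuple


def attacker_fraction(f_a: float, f_d: float) -> float:
    """Expected fraction of time the attacker holds the service when both players
    move periodically at rates f_a (attack) and f_d (renew) with random phase.
    Assumed closed form (van Dijk et al.): the slower player's every move buys
    control until the faster player's next move, half a period on average."""
    if f_a <= 0.0:
        return 0.0
    if f_d <= 0.0:
        return 1.0
    if f_a <= f_d:
        return f_a / (2.0 * f_d)
    return 1.0 - f_d / (2.0 * f_a)


def flipit_utilities(f_a, f_d, v_a, v_d, c_a, c_d) -> Tuple[float, float]:
    """Eq. (4)/(5): value of control times the share of time held, minus the
    per-move cost times the move frequency, for attacker and defender."""
    p_a = attacker_fraction(f_a, f_d)
    return v_a * p_a - c_a * f_a, v_d * (1.0 - p_a) - c_d * f_d


def is_nash(f_a, f_d, v_a, v_d, c_a, c_d, grid: Iterable[float], tol: float = 1e-9) -> bool:
    """True if neither player has a profitable unilateral deviation on the grid."""
    grid = list(grid)
    u_a, u_d = flipit_utilities(f_a, f_d, v_a, v_d, c_a, c_d)
    best_a = max(flipit_utilities(g, f_d, v_a, v_d, c_a, c_d)[0] for g in grid)
    best_d = max(flipit_utilities(f_a, g, v_a, v_d, c_a, c_d)[1] for g in grid)
    return best_a <= u_a + tol and best_d <= u_d + tol


def flipit_mapping(v_a, v_d, c_a, c_d) -> Tuple[float, float, float]:
    """The mapping of Eq. (1): service values (v_a, v_d) to (f_a*, f_d*, p_a*).
    From the first-order conditions: the player with the lower cost-to-value
    ratio moves at the rate that makes the opponent indifferent, and the
    opponent's rate is then fixed by the first player's own optimality condition."""
    if c_d / v_d <= c_a / v_a:
        f_d = v_a / (2.0 * c_a)              # attacker indifferent on [0, f_d]
        f_a = 2.0 * c_d * f_d ** 2 / v_d      # defender's FOC: f_d = sqrt(v_d f_a / 2 c_d)
    else:
        f_a = v_d / (2.0 * c_d)              # defender indifferent on [0, f_a]
        f_d = 2.0 * c_a * f_a ** 2 / v_a      # attacker's FOC, mirrored
    return f_a, f_d, attacker_fraction(f_a, f_d)


if __name__ == "__main__":
    grid = [i / 20.0 for i in range(61)]          # frequencies 0, 0.05, ..., 3
    for v_a, v_d, c_a, c_d in ((1.0, 1.0, 0.5, 0.25), (1.0, 1.0, 0.25, 0.5)):
        f_a, f_d, p_a = flipit_mapping(v_a, v_d, c_a, c_d)
        print(f"v_a={v_a} v_d={v_d} c_a={c_a} c_d={c_d}: f_a*={f_a} f_d*={f_d} "
              f"compromised {p_a:.2%} of the time, NE on grid: "
              f"{is_nash(f_a, f_d, v_a, v_d, c_a, c_d, grid)}")
```

In the first worked case the defender's cost-to-value ratio is lower, so it renews at f_d* = 1, which makes every attack rate in [0, 1] yield the attacker zero net utility; the defender's own optimality condition then pins f_a* = 0.5 and the service is compromised a quarter of the time. Swapping the costs mirrors the roles and the compromise proportion rises to three quarters, which is the value-to-proportion relationship that the signaling layer receives as its prior.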
III-B Communication Layer: Signaling Game
Because the cloud services are vulnerable, devices which depend on data from the services should rationally decide whether to trust them. This is captured using a signaling game. In this model, the device updates a belief about the state of each cloud service and decides whether to trust it. Figure 4 depicts the actions that correspond to one service of the signaling game. Compared to trust value-based cloud trust management systems, in which a reputation attack can significantly influence the trust decision [16, 20], in iSTRICT ’s decision is based on the strategies of each and at the cloud layer as well as on the physical layer performance; hence it does not depend on user feedback about cloud services, which could be manipulated by attacks. We next present the detailed model of the signaling game.
III-B1 Signaling Game Types
The types of each cloud service are where indicates that the service is compromised by , and indicates that the service is controlled by . Denote the vector of all the service types by
III-B2 Signaling Game Messages
Denote the risk level of the data from each service by where and indicate low-risk and high-risk messages, respectively. (We define this risk level in Section III-C.) Further, define the vector of all of the risk levels by
Next, define mixed strategies for and . Let and be functions such that and give the proportions with which and send messages with risk levels and , respectively, from each cloud service that they control. Note that only observes or , depending on who controls the service . Let
denote risk level of the message that actually observes. Finally, define the vector of observed risk levels by
III-B3 Signaling Game Beliefs and Actions
Based on the risk levels that observes, it updates its vector of prior beliefs . Define such that gives the belief of that service is of type given that observes risk level . Also write the vector of beliefs as . As a direction for future work, we note that evidence-based signaling game approaches could be used to update belief in a manner robust to reputation attacks [29, 36, 37].
Based on these beliefs, chooses which cloud services to trust. For each service , chooses , where denotes trusting the service (i.e., using it for observer-based optimal feedback control) and denotes not trusting the service. Assume that , aware of the system dynamics, chooses actions for all services simultaneously, i.e.,
Next, define such that gives the mixed strategy probability with which plays the vector of actions given the vector of risk levels
III-B4 Signaling Game Utility Functions
Let ’s utility function be denoted by such that gives the utility that receives when is the vector of cloud service types, is the vector of risk levels, and chooses the vector of actions
For define the functions and such that and give the utility that and receive for service when the risk levels are given by the vector and plays the vector of actions
Next, consider expected utilities based on the strategies of each player. Let denote the expected utility function for such that gives ’s expected utility when he plays mixed strategy given that he observes risk levels and has belief . We have
In order to compute the expected utility functions for and , define and , the sets of the strategies of all of the senders except the sender on cloud service . Then define such that gives the expected utility to when he plays mixed strategy and the attackers and defenders on the other services play and . Define the expected utility to by in a similar manner.
Let denote the player that controls service and denote the set of players that control each service. Then the expected utilities are computed by
III-B5 Perfect Bayesian Nash Equilibrium Conditions
Finally, we can state the requirements for a perfect Bayesian Nash equilibrium (PBNE) for the signaling game .
(PBNE) For the device, let be formulated according to Eq. (8). For each service let be given by Eq. (9) and be given by Eq. (10). Finally, let vector give the prior probabilities of each service being compromised. Then, a perfect Bayesian Nash equilibrium of the signaling game is a strategy profile and a vector of beliefs such that the following hold:
if and if Additionally, in both cases.
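As an added example that is not part of the original paper, the following Python carries out the receiver side of the signaling game for one service: the Bayes update of the device's belief that the service is attacker-controlled, given the FlipIt prior and the two senders' mixed strategies over the risk levels {L, H}, followed by the trust decision by expected utility. It assumes that the device's utility is additive across services (so the vector decision of Eq. (8) decomposes service by service), that an off-path message leaves the prior unchanged (a choice the PBNE conditions leave free), and illustrative utility values; none of these are from the paper.

```python
from typing import Dict, List, Sequence, Tuple

# A sender strategy: probability of emitting a low-risk ("L") or high-risk ("H") message.
Strategy = Dict[str, float]


def posterior_compromised(prior: float, sigma_a: Strategy, sigma_d: Strategy, message: str) -> float:
    """Bayes update of the belief that the service is attacker-controlled, given the
    observed risk level and both types' strategies. If neither type ever sends the
    message, the update is undefined and the prior is kept (assumed convention)."""
    num = prior * sigma_a[message]
    den = num + (1.0 - prior) * sigma_d[message]
    return prior if den == 0.0 else num / den


def trust_threshold(u_trust_compromised: float, u_trust_honest: float, u_reject: float) -> float:
    """Largest belief of compromise at which trusting is still weakly optimal:
    solves belief*u_tc + (1 - belief)*u_th = u_reject for belief.
    Assumes u_tc < u_reject < u_th (trusting a compromised service hurts, an honest one helps)."""
    return (u_trust_honest - u_reject) / (u_trust_honest - u_trust_compromised)


def device_action(belief: float, u_trust_compromised: float, u_trust_honest: float,
                  u_reject: float) -> Tuple[str, float]:
    """Expected-utility choice between trusting ("T") and rejecting ("N") one service;
    returns the action and the device's expected utility under it."""
    eu_trust = belief * u_trust_compromised + (1.0 - belief) * u_trust_honest
    return ("T" if eu_trust >= u_reject else "N"), max(eu_trust, u_reject)


def decide_all(priors: Sequence[float], sigma_a: Sequence[Strategy], sigma_d: Sequence[Strategy],
               messages: Sequence[str], utils: Tuple[float, float, float]) -> List[str]:
    """One action per service, valid when the device's utility is additive across services."""
    return [device_action(posterior_compromised(p, sa, sd, m), *utils)[0]
            for p, sa, sd, m in zip(priors, sigma_a, sigma_d, messages)]


if __name__ == "__main__":
    utils = (-10.0, 2.0, 0.0)                     # u_tc, u_th, u_reject (assumed)
    pool_low = {"L": 1.0, "H": 0.0}               # both types send low-risk messages
    separating_attacker = {"L": 0.0, "H": 1.0}    # attacker reveals itself with high risk
    print("trust threshold on belief:", trust_threshold(*utils))
    for prior in (0.125, 0.25):
        belief = posterior_compromised(prior, pool_low, pool_low, "L")
        print(f"pooling, prior {prior}: belief {belief}, action {device_action(belief, *utils)[0]}")
    belief_h = posterior_compromised(0.25, separating_attacker, pool_low, "H")
    belief_l = posterior_compromised(0.25, separating_attacker, pool_low, "L")
    print(f"separating: belief after H {belief_h}, after L {belief_l}")
    print(decide_all([0.125, 0.25], [pool_low] * 2, [pool_low] * 2, ["L", "L"], utils))
```

Under the low-risk pooling profile both types send L, so the observed message carries no information and the belief equals the FlipIt prior; the device then trusts a service exactly when that prior is at most the value returned by trust_threshold. That is the mechanism by which the communication layer caps the probability of compromise the device will tolerate, independent of the attack costs that produced the prior.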
III-C Physical Layer: Optimal Control
The utility function is determined by the performance of the device controller as shown in Fig. 2. A block illustration of the control system is shown in Fig. 5. Note that the physical system in the diagram refers to the IoCT devices.
III-C1 Device Dynamics
Each device in the IoCT is governed by dynamics. We can capture the dynamics of the things by the linear system model
where , , is the system state, is the control input, denotes the system white noise, and is given. Let represent the data from the cloud services, which suffers from white, additive Gaussian sensor noise given by the vector . We have , where is the output matrix. Let the system and sensor noise processes have known covariance matrices , where and are symmetric positive semi-definite matrices, and and denote the transposes of the noise vectors.
In addition, for each cloud service the attacker and defender in the signaling game choose whether to add bias terms to the measurement . Let denote these bias terms. The actual noise levels that observes depend on who controls the service in the FlipIt game. Recall that the vector of types of each service is given by . Let represent the indicator function, which takes the value if its argument is true and otherwise. Then, define the matrix
Including the bias term, the measurements are given by
where is the -dimensional identity matrix.
III-C2 Observer-Based Optimal Feedback Control
Let and be positive-definite matrices of dimensions and respectively. The device chooses the control that minimizes the operational cost given by
subject to the dynamics of Eq. (17).
In this context, the term is the innovation, which we label by . This term is used to update the estimate of the state. We treat the components of the innovation as the signaling-game messages that the device decides whether to trust, labelling each component as low-risk or high-risk. For each , we classify the innovation as
where is a vector of thresholds. Since is strategic, it chooses whether to incorporate the innovations using the signaling game strategy , given the vector of messages .
Define a strategic innovation filter such that, given innovation , the components of the gated innovation are given by
for . Now we incorporate the function into the estimator by
III-C4 Feedback Controller
The optimal controller is given by the feedback law with gain
where is obtained by the backward Riccati difference equation
III-C5 Control Criterion to Utility Mapping
The control cost determines the signaling game utility of the device . This utility should be monotonically decreasing in . We consider a mapping defined by , where and denote the maximum and minimum values of the utility, and represents the sensitivity of the utility to the control cost.
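As an added example that is not part of the original paper, the following Python instantiates the physical layer of Sections III-C1 to III-C5 for a scalar plant (n = m = 1) observed by two cloud services: the backward Riccati recursion for the feedback gain, the classification of each innovation component against its threshold, the strategic innovation filter, a Kalman-style estimator driven only by the gated innovation, and a cost-to-utility mapping. The device policy used here (trust low-risk components, reject high-risk ones), the constant bias injected by the compromised service, the noise levels, and the exponential form of the utility mapping are assumptions for the example, not the paper's equilibrium strategies.

```python
import math
import random
from typing import List, Sequence


def lqr_gain(a: float, b: float, q: float, r: float, horizon: int = 200) -> float:
    """Scalar backward Riccati difference equation iterated to steady state;
    returns the feedback gain K in u_k = -K * x_hat_k."""
    p, k = q, 0.0
    for _ in range(horizon):
        k = b * p * a / (r + b * p * b)
        p = q + a * p * a - a * p * b * k
    return k


def classify(innovation: Sequence[float], thresholds: Sequence[float]) -> List[str]:
    """Risk level of each innovation component: 'L' if |nu_i| <= eta_i, otherwise 'H'."""
    return ["L" if abs(v) <= eta else "H" for v, eta in zip(innovation, thresholds)]


def gate(innovation: Sequence[float], actions: Sequence[str]) -> List[float]:
    """Strategic innovation filter: keep nu_i where the device trusts service i ('T'),
    zero it where the device rejects the service ('N')."""
    return [v if act == "T" else 0.0 for v, act in zip(innovation, actions)]


def trust_low_risk(risks: Sequence[str]) -> List[str]:
    # Illustrative device policy (assumed; not the equilibrium strategy of the paper).
    return ["T" if r_ == "L" else "N" for r_ in risks]


def trust_all(risks: Sequence[str]) -> List[str]:
    # Naive baseline: incorporate every service regardless of its risk level.
    return ["T"] * len(risks)


def simulate(a, b, q, r, proc_std, sensor_std, biases, thresholds, policy, steps=300, seed=7):
    """Closed loop of plant, gated estimator and LQ feedback. Returns the average
    per-step operational cost q*x^2 + r*u^2. biases[i] is the constant the attacker
    adds to service i's report (0 for a service held by the defender)."""
    rng = random.Random(seed)
    k = lqr_gain(a, b, q, r)
    x, x_hat, p_est, cost = 0.0, 0.0, 1.0, 0.0
    for _ in range(steps):
        u = -k * x_hat
        cost += q * x * x + r * u * u
        x = a * x + b * u + rng.gauss(0.0, proc_std)        # true plant with process noise
        x_hat = a * x_hat + b * u                             # state prediction
        p_est = a * a * p_est + proc_std ** 2                 # prediction variance
        # each service reports y_i = x + v_i, plus the attacker's bias where it holds the service
        y = [x + rng.gauss(0.0, s) + bias for s, bias in zip(sensor_std, biases)]
        innovation = [yi - x_hat for yi in y]
        actions = policy(classify(innovation, thresholds))
        gated = gate(innovation, actions)
        # information-form Kalman update over the trusted scalar sensors: the gated
        # innovation drives the correction, rejected services contribute no precision
        precision, weighted = 1.0 / p_est, 0.0
        for v, act, s in zip(gated, actions, sensor_std):
            if act == "T":
                precision += 1.0 / (s * s)
                weighted += v / (s * s)
        p_est = 1.0 / precision
        x_hat += p_est * weighted
    return cost / steps


def control_cost_to_utility(cost: float, u_max: float, u_min: float, gamma: float) -> float:
    """Assumed monotone decreasing map from control cost to device utility, equal to
    u_max at zero cost and approaching u_min as the cost grows; gamma sets the sensitivity."""
    return u_min + (u_max - u_min) * math.exp(-gamma * cost)


if __name__ == "__main__":
    # constructed scenario: service 0 honest, service 1 compromised and biased by +5
    plant = (1.0, 1.0, 1.0, 1.0, 0.1, [0.1, 0.1], [0.0, 5.0], [1.0, 1.0])
    for name, policy in (("trust all", trust_all), ("gate high-risk", trust_low_risk)):
        j = simulate(*plant, policy)
        print(f"{name:15s} cost {j:7.3f}  utility {control_cost_to_utility(j, 10.0, 0.0, 0.5):.3f}")
```

With both services trusted, the biased report pulls the estimate roughly halfway toward the injected offset, the controller steers the true state to cancel an error that does not exist, and the quadratic cost settles near the square of that offset. With the filter in place the compromised component's innovation exceeds its threshold on every step and is zeroed, so the estimator runs on the honest service alone and the cost stays at the noise floor; the utility mapping then turns that gap into the signaling-game payoff difference between trusting and rejecting.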
III-D Definition of Gestalt Nash Equilibrium
We now define the equilibrium concept for the overall game, which is called Gestalt Nash equilibrium (GNE). To distinguish it from the equilibria of the FlipIt games and the signaling game, we use notation with a superscript to denote the solution at GNE.
According to Definition 3, the overall game is at equilibrium when, simultaneously, each of the FlipIt games is at equilibrium and the one signaling game is at equilibrium.
IV Equilibrium Analysis
In this section, we give conditions under which a GNE exists. We start with a set of natural assumptions. Then we narrow the search for feasible equilibria. We show that the signaling game only supports pooling equilibria, and that only low-risk pooling equilibria survive selection criteria. Finally, we create a mapping that composes the signaling and FlipIt game models. We show that this mapping has a closed graph, and we use Kakutani’s fixed-point theorem to prove the existence of a GNE. In order to avoid obstructing the flow of the paper, we briefly summarize the proofs of each lemma, and we refer readers to the GNE derivations for a single cloud service in  and .