Proactive Population-Risk Based Defense Against Denial of Cyber-Physical Service Attacks

While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, DDoS attacks work by overflowing the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch a “physical” denial-ofservice attack (PDoS) in which IoT devices overflow the “physical bandwidth” of a CPS. In this paper, we quantify the populationbased risk to a group of IoT devices targeted by malware for a PDoS attack. To model the recruitment of bots, we extend a traditional game-theoretic concept and create a “Poisson signaling game.” Then we analyze two different mechanisms (legal and economic) to deter botnet recruitment. We find that 1) defenders can bound botnet activity and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for designing proactive defense against PDoS attacks.