\subsection{Solving the game}
To solve ... Double oracle \todo{add definition}
Each attacker action is a vector $f \in \mathbb{R}^n$ which constists of $n$
features. Each feature is some property of DNS request, but the selection of
features heavily affect the final result. Initially I'm using only 2 features so
the results might be smoothly visualised: entropy and length of the request.
Utility function used in game $G$ depends on the chosen features. In my case
the attacker wants to maximize both of my features, that's why I've used such
\REQUIRE request
\STATE $e \leftarrow 0$
\STATE $occurrence \leftarrow emptyMap$, initival value 0
\FORALL{char in request}
\STATE $occurrence$[char]$ \leftarrow occurrence$[char]$+1$
\FORALL{key, value in $occurrence$}
\STATE $p \leftarrow \dfrac{value}{length(request)}$
\STATE $ e \leftarrow e - (p \cdot \log_2 p)$
Other features of dns request to consider for future development might be bigrams, trigrams, occurrence of unusual letters or number of digits.
\subsection{Solving the game}
To find Nash Equilibrium of the game I use double oracle algorithm \cite{doubleoraclepaper}. Double oracle basicly works in these steps:
\caption{Double oracle}
\STATE $a_{p1} \leftarrow$ \text{array with 1 random player1 action}
\STATE $a_{p2} \leftarrow$ \text{array with neural network classifying all
requests as benign}
\STATE $probs_{p1}, probs_{p2} \leftarrow$ \text{ solve\_game($a_{p1}, a_{p2}$)}
\STATE $best\_response_{p1} \leftarrow$ \text{ best response of player1}
\STATE $best\_response_{p2} \leftarrow$ \text{ best response of player2}
\IF{$best\_response_{p1} \in a_{p1} \textbf{ AND } best\_response_{p2} \in a_{p2}$}
\RETURN $probs_{p1}, probs_{p2}$
\STATE $a_{p1}$\text{.add($best\_response_{p1}$)}
\STATE $a_{p2}$\text{.add($best\_response_{p2}$)}
The algorithm rises next questions - more precisely how to search for best responses,
how to solve the game given the set of possible actions and how to compare 2 neural
networks for equaility.
Given the utility function $u$ and 2 neural networks $nn_1$ and $nn_2$ I say
that these neural networks are similar enough to be seen as equal if and only if
\mid u(a_i, nn_1) - u(a_i, nn_2) \mid < \varepsilon \qquad \forall a_i \in a_{p1}
\qquad \varepsilon \in \mathbb{R}^+
\todo{TODO} talk linear solver and about searching bestresponse (a little data talk)
Speaking about dataset \todo{dataset}
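Review bot: The network-equality criterion near the end of this hunk ("\mid u(a_i, nn_1) - u(a_i, nn_2) \mid < \varepsilon") quantifies only over a_i in a_{p1}, the attacker actions collected so far, and leaves \varepsilon as an arbitrary element of \mathbb{R}^+, so the termination test "best\_response_{p2} \in a_{p2}" in the double oracle listing depends on a tolerance that is never fixed. State that \varepsilon is a constant chosen in advance, give the value used, and explain why comparing the networks on the restricted action set is sufficient. Typeset the absolute value with \lvert ... \rvert rather than \mid, which is spaced as a relation symbol. In the lines shown here the \IF and both \FORALL blocks have no closing \ENDIF or \ENDFOR, and the double oracle steps have no enclosing loop, so the two ".add" steps read as running once; check that the listing repeats from solve\_game until the \IF condition holds. \subsection{Solving the game} also appears twice, the first time above the placeholder sentence "To solve ... Double oracle" and ahead of the feature description; remove or rename the first one. Spelling: "constists", "initival", "basicly", "equaility", and "rises next questions" (raises the following questions).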
......@@ -230,7 +290,7 @@ school gitlab repository for bachelor thesis in \textit{research\_project} branc
See \url{}.
todo todo{todo}
Other result using for example syntetic data might be found in my reference
implementation in \textit{results} directory.
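Review bot: The \url{} on the first line of this hunk is empty, so the sentence renders as "See ." and the reader has no way to reach the repository mentioned just before it; fill in the address or drop the sentence. The following line, "todo todo{todo}", lacks the backslash of the \todo macro used elsewhere in the file, so it will be typeset as literal text instead of a margin note. "syntetic" should be "synthetic".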
......@@ -240,8 +300,9 @@ implementation in \textit{results} directory.
\item What needs to be done moree...
\item Cons of my solution (false positives)
\item Reference test \cite{testreference}
\item Reference test
\item use more features
\item find way to find attacker's actions
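Review bot: The two "\item Reference test" lines in this list are placeholders, one carrying \cite{testreference} and one not; if the uncited one is the version being kept, check whether the testreference bibliography entry is still cited anywhere, and replace the item with real text before this section is merged. "What needs to be done moree..." has a typo ("more"), and both it and "find way to find attacker's actions" should be worded as concrete tasks. The item "Cons of my solution (false positives)" would be more useful with a note on how the false positive rate will be measured.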
