Abstract

Cyber deception has great potential in thwarting cyberattacks [1, 4, 8]. A defender (e.g., a network administrator) can use deceptive cyber artifacts such as honeypots and fake services to confuse attackers (e.g., hackers) and thus reduce the success rate and effectiveness of attacks. However, attackers are often diverse, and some of them may be aware of the deception and adapt to the defender's strategy. Therefore, when the defender designs the deception strategy, he needs to take into account the attacker's strategic response. Game theory is well suited to such strategic interaction between the defender and the attacker. Building upon our previous work on security games [2, 3], we developed a series of game-theoretic models for cyber deception, as well as algorithms to compute the equilibrium or the optimal defender strategy in these games. The first model we proposed is the Cyber Deception Game, a zero-sum Stackelberg game between the defender and an adversary. In this game, the defender is tasked with protecting a set of targets, where each target corresponds to a system or a node in a network. Each target has a true configuration, which consists of a set of attributes, e.g., an operating system, the services hosted, etc. The defender can choose an observed configuration for each target when responding to probes and scans that may be launched by the attacker. The observed configuration can differ from the true configuration, and this difference is the deception. The attacker, after collecting information about the observed configurations, chooses which target to attack. We showed that finding the defender's optimal strategy is NP-hard and provided mixed-integer linear programming (MILP)-based algorithms to compute the optimal deception scheme, as well as several heuristic algorithms. In a follow-up work [7], we extended this game model to a general-sum one, which captures the fact that the cost to the defender need not equal the gain of the attacker.
The general-sum nature of this new game model leads to new computational challenges. We provided a Fully Polynomial Time Approximation Scheme (FPTAS) for solving the game and designed a MILP-based algorithm together with several techniques to speed up the computation. In a recent work [5], we proposed a new attack graph-based Stackelberg security game model and analyzed the optimal deception strategy the defender can use. In contrast to the previous models, the attacker in this game can take sequential actions to reach the targets, modeled as taking a path on the attack graph. The defender can strategically manipulate the attack graph through deceptive actions in addition to allocating defensive resources to protect important targets from attackers. We provided a MILP-based solution for a special class of attack graphs and a neural architecture search-based method for general directed acyclic attack graphs. We empirically demonstrated the benefit of deception in all these game models and the scalability of the algorithms. This talk features an introduction to these models and algorithms, together with a discussion of future research directions for game theory-based cyber deception.
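To make the first model concrete, the following is an added toy instance of the zero-sum Cyber Deception Game; it is not code from the talk or the cited papers. It assumes a simplified version of the model: every system has a true configuration (TC) whose value to the attacker is the defender's loss; the defender assigns one observed configuration (OC) to each system, subject to a constructed feasibility table and a masking budget; the attacker (the Stackelberg follower) sees only the OCs, picks one OC to attack, and lands on one of the systems showing that OC uniformly at random. The defender's optimal scheme is found by brute force over all feasible assignments, which stands in for the MILP the papers use and only works for instances this small. The systems, utilities, feasibility table and costs are all constructed values.

```python
"""Toy zero-sum Cyber Deception Game (added illustration, not the papers' code)."""
from collections import defaultdict
from itertools import product

# Constructed instance: system name -> true configuration (TC).
SYSTEMS = {"web-1": "linux-http", "db-1": "windows-sql", "kiosk-1": "linux-http"}
# Attacker's payoff for compromising a system with a given TC (zero-sum: defender loses the same).
UTILITY = {"linux-http": 2.0, "windows-sql": 10.0}
# Feasibility: which observed configurations (OCs) each TC can be made to present.
FEASIBLE = {
    "linux-http": ("linux-http", "windows-sql"),
    "windows-sql": ("windows-sql", "linux-http"),
}
# Cost of masking a TC as a different OC (showing the truth is free).
COST = {("linux-http", "windows-sql"): 1, ("windows-sql", "linux-http"): 2}


def scheme_cost(assignment):
    """Total masking cost of a deception scheme (system -> OC)."""
    return sum(COST.get((SYSTEMS[s], oc), 0) for s, oc in assignment.items())


def attacker_expected_utility(assignment):
    """Expected payoff of attacking each OC, assuming the attacker hits one of the
    systems presenting that OC uniformly at random (model assumption)."""
    groups = defaultdict(list)
    for system, oc in assignment.items():
        groups[oc].append(UTILITY[SYSTEMS[system]])
    return {oc: sum(vals) / len(vals) for oc, vals in groups.items()}


def attacker_best_response(assignment):
    """Stackelberg follower: observe the OCs and attack the most valuable one."""
    eu = attacker_expected_utility(assignment)
    oc = max(eu, key=eu.get)
    return oc, eu[oc]


def optimal_deception(budget):
    """Stackelberg leader: choose the feasible, affordable scheme that minimises
    the attacker's best-response payoff. Brute force over all assignments;
    the papers solve this with a MILP because the problem is NP-hard."""
    names = list(SYSTEMS)
    best = None
    for choice in product(*(FEASIBLE[SYSTEMS[s]] for s in names)):
        assignment = dict(zip(names, choice))
        if scheme_cost(assignment) > budget:
            continue
        _, value = attacker_best_response(assignment)
        if best is None or value < best[1]:
            best = (assignment, value)
    return best


if __name__ == "__main__":
    print("truthful:", attacker_best_response(SYSTEMS))
    for budget in (0, 1, 2):
        scheme, value = optimal_deception(budget)
        print(f"budget {budget}: attacker gets {value:.3f} under {scheme}")
```

With no budget the defender must show the true configurations and the attacker takes the database for 10; with a budget of 2 the defender can either hide the database among the web hosts or make the web hosts look like databases, and either way the attacker's expected payoff drops to 14/3. Spending more than that does not help here, which mirrors the abstract's point that the optimal scheme is a constrained optimisation rather than "deceive as much as possible".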
