A Game-Theoretic Taxonomy and Survey of Defensive Deception for Cybersecurity and Privacy
Jeffrey Pawlick, Edward Colbert, and Quanyan Zhu

TL;DR
This paper surveys game-theoretic models of defensive deception in cybersecurity and privacy, proposing a taxonomy of six deception types to clarify their roles and guide future research.
Contribution
It introduces a rigorous taxonomy of six types of defensive deception based on game theory, clarifying their distinctions and applications in cybersecurity and privacy.
Findings
Identified six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, attacker engagement.
Provided a systematic framework for understanding defensive deception strategies.
Surveyed 24 relevant articles from 2008-2018 to map the current landscape.
Abstract
Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this paper, we survey 24 articles from 2008-2018 that use game theory to model defensive deception for cybersecurity and privacy. Then we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define…
Taxonomy
Topics: Information and Cyber Security · Cybercrime and Law Enforcement Studies · Advanced Malware Detection Techniques
