Simulation of Attacker Defender Interaction in a Noisy Security Game
Erick Galinkin, Emmanouil Pountourakis, John Carter, Spiros Mancoridis

TL;DR
This paper introduces a security game model simulating attacker-defender interactions in noisy environments, highlighting how assumptions about attacker knowledge impact outcomes and revealing a trade-off between false positives and true positives.
Contribution
It presents a novel framework for modeling attacker-defender dynamics under various knowledge conditions in noisy cybersecurity environments.
Findings
Assumptions about attacker knowledge significantly affect outcomes.
Environments with high false-positive rates can be acceptable if true-positive rates are also high.
Different knowledge scenarios lead to distinct strategic behaviors.
Abstract
In the cybersecurity setting, defenders are often at the mercy of their detection technologies and subject to the information and experiences that individual analysts have. In order to give defenders an advantage, it is important to understand an attacker's motivation and their likely next best action. As a first step in modeling this behavior, we introduce a security game framework that simulates interplay between attackers and defenders in a noisy environment, focusing on the factors that drive decision making for attackers and defenders in the variants of the game with full knowledge and observability, knowledge of the parameters but no observability of the state ("partial knowledge"), and zero knowledge or observability ("zero knowledge"). We demonstrate the importance of making the right assumptions about attackers, given significant differences in outcomes. Furthermore, there…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Smart Grid Security and Resilience
