When to Deceive: A Cross-Layer Stackelberg Game Framework for Strategic Timing of Cyber Deception

TL;DR

This paper introduces a game-theoretic framework for strategically timing cyber deception techniques, balancing costs and effectiveness to improve defense against sophisticated attacks like APTs.

Contribution

It develops a cross-layer Stackelberg game model combining tactical and strategic layers for optimal deception timing and introduces a computational algorithm for practical implementation.

Findings

Strategically timed deception improves defender utility.

The framework effectively models attacker-defender dynamics.

Numerical results show reduced asset compromise risk.

Abstract

Cyber deception is an emerging proactive defense strategy to counter increasingly sophisticated attacks such as Advanced Persistent Threats (APTs) by misleading and distracting attackers from critical assets. However, since deception techniques incur costs and may lose effectiveness over time, defenders must strategically time and select them to adapt to the dynamic system and the attacker's responses. In this study, we propose a Stackelberg game-based framework to design strategic timing for cyber deception: the lower tactical layer (follower) captures the evolving attacker-defender dynamics under a given deception through a one-sided information Markov game, while the upper strategic layer (leader) employs a stopping-time decision process to optimize the timing and selection of deception techniques. We also introduce a computational algorithm that integrates dynamic programming and belief-state updates to account for the attacker's adaptive behavior and limited deception resources. Numerical experiments validate the framework, showing that strategically timed deceptions can enhance the defender's expected utility and reduce the risk of asset compromise compared to baseline strategies.