Optimizing Preventive and Reactive Defense Resource Allocation with Uncertain Sensor Signals
Faezeh Shojaeighadikolaei, Shouhuai Xu, Keith Paarporn

TL;DR
This paper explores how to optimally allocate resources between preventive and reactive cyber defenses under uncertain sensor signals, showing that better sensors lead to more preventive investment and improved security, especially against low-success attacks.
Contribution
It introduces a new resource allocation framework considering sensor uncertainty, revealing how sensor quality influences strategic defense investments and overall security.
Findings
Higher sensor quality increases preventive investment.
Reactive investment decreases with better sensors.
Performance gains are greatest against low-success attack scenarios.
Abstract
Cyber attacks continue to be a cause of concern despite advances in cyber defense techniques. Although cyber attacks cannot be fully prevented, standard decision-making frameworks typically focus on how to prevent them from succeeding, without considering the cost of cleaning up the damages incurred by successful attacks. This motivates us to investigate a new resource allocation problem formulated in this paper: The defender must decide how to split its investment between preventive defenses, which aim to harden nodes from attacks, and reactive defenses, which aim to quickly clean up the compromised nodes. This encounters a challenge imposed by the uncertainty associated with the observation, or sensor signal, whether a node is truly compromised or not; this uncertainty is real because attack detectors are not perfect. We investigate how the quality of sensor signals impacts the…
