Game-Theoretic Modeling of Stealthy Intrusion Defense against MDP-Based Attackers

TL;DR

This paper models the strategic interaction between attackers and defenders in cyber networks using game theory, analyzing different information scenarios to develop optimal defense strategies against stealthy APT attacks.

Contribution

It introduces a game-theoretic framework for modeling APT evolution with asymmetric information and derives optimal defense strategies for various informational regimes.

Findings

Optimal defense strategies vary with attacker knowledge levels.

The model captures asymmetric temporal dynamics of attack and defense.

Strategies are derived for Stackelberg, blind, and belief-based regimes.

Abstract

The rapid expansion of Internet use has increased system exposure to cyber threats, with advanced persistent threats (APTs) being especially challenging due to their stealth, prolonged duration, and multi-stage attacks targeting high-value assets. In this study, we model APT evolution as a strategic interaction between an attacker and a defender on an attack graph. With limited information about the attacker's position and progress, the defender acts at random intervals by deploying intrusion detection sensors across the network. Once a compromise is detected, affected components are immediately secured through measures such as backdoor removal, patching, or system reconfiguration. Meanwhile, the attacker begins with reconnaissance and then proceeds through the network, exploiting vulnerabilities and installing backdoors to maintain persistent access and adaptive movement. Furthermore, the attacker may take several steps between consecutive defensive operations, resulting in an asymmetric temporal dynamic. The defender's goal is to reduce the likelihood that the attacker will gain access to a critical asset, whereas the attacker's purpose is to increase this likelihood. We investigate this interaction under three informational regimes, reflecting varying levels of attacker knowledge prior to action: (i) a Stackelberg scenario, in which the attacker has full knowledge of the defender's strategy and can optimize accordingly; (ii) a blind regime, where the attacker has no information and assumes uniform beliefs about defensive deployments; and (iii) a belief-based framework, where the attacker holds accurate probabilistic beliefs about the defender's actions. For each regime, we derive optimal defensive strategies by solving the corresponding optimization problems.