A fictitious play-based response strategy for multistage intrusion defense systems



The recent developments of advanced intrusion detection systems in the cyber security field provide opportunities to proactively protect the computer network systems and minimize the impacts of attackers on network operations. This paper is intended to assist the network defender find its best actions to defend against multistage attacks. The possible sequences of interactions between the attackers and the network defender are modeled as a two-player non-zero-sum non-cooperative dynamic multistage game with incomplete information. The players are assumed to be rational. They take turns in making decisions by considering previous and possible future interactions with the opponent and use Bayesian analysis after each interaction to update their knowledge about the opponents. We propose a Dynamic game tree-based Fictitious Play (DFP) approach to describe the repeated interactive decisions of the players. Each player finds its best moves at its decision nodes of the game tree by using multi-objective analysis. All possibilities are considered with their uncertain future interactions, which are based on learning of the opponent's decision process (including risk attitude and objectives). Instead of searching the entire game tree, appropriate future time horizons are dynamically determined for both players. In the DFP approach, the defender keeps tracking the opponent's actions, predicts the probabilities of future possible attacks, and then chooses its best moves. Thus, a new defense algorithm, called Response by DFP (RDFP), is developed. Numerical experiments show that this approach significantly reduces the damage caused by multistage attacks and it is also more efficient than other related algorithms. Copyright © 2013 John Wiley & Sons, Ltd.