Simulation of Attacker Defender Interaction in a Noisy Security Game
This work addresses cybersecurity defense strategies by providing a simulation framework to understand attacker behavior, but it appears incremental as it builds on existing game theory concepts.
The paper tackles the problem of modeling attacker-defender interactions in cybersecurity by introducing a security game framework that simulates interplay in noisy environments, showing significant outcome differences based on assumptions about attackers and a measurable trade-off between false-positives and true-positives.
In the cybersecurity setting, defenders are often at the mercy of their detection technologies and subject to the information and experiences that individual analysts have. In order to give defenders an advantage, it is important to understand an attacker's motivation and their likely next best action. As a first step in modeling this behavior, we introduce a security game framework that simulates interplay between attackers and defenders in a noisy environment, focusing on the factors that drive decision making for attackers and defenders in the variants of the game with full knowledge and observability, knowledge of the parameters but no observability of the state (``partial knowledge''), and zero knowledge or observability (``zero knowledge''). We demonstrate the importance of making the right assumptions about attackers, given significant differences in outcomes. Furthermore, there is a measurable trade-off between false-positives and true-positives in terms of attacker outcomes, suggesting that a more false-positive prone environment may be acceptable under conditions where true-positives are also higher.