CyGATE: Game-Theoretic Cyber Attack-Defense Engine for Patch Strategy Optimization
The paper addresses cybersecurity defenders' need for adaptable strategies against multi-stage attacks, though it appears incremental, as it builds on existing game-theoretic models by adding LLM integration.
The paper tackles the problem of dynamic patch prioritization in cyber defense under uncertainty by presenting CyGATE, a game-theoretic framework that models attacker-defender interactions using LLMs with RAG, resulting in effective prioritization of high-risk vulnerabilities in a dynamic patch scheduling scenario.
Modern cyber attacks unfold through multiple stages, requiring defenders to dynamically prioritize mitigations under uncertainty. While game-theoretic models capture attacker-defender interactions, existing approaches often rely on static assumptions and lack integration with real-time threat intelligence, limiting their adaptability. This paper presents CyGATE, a game-theoretic framework modeling attacker-defender interactions, using large language models (LLMs) with retrieval-augmented generation (RAG) to enhance tactic selection and patch prioritization. Applied to a two-agent scenario, CyGATE frames cyber conflicts as a partially observable stochastic game (POSG) across Cyber Kill Chain stages. Both agents use belief states to navigate uncertainty, with the attacker adapting tactics and the defender re-prioritizing patches based on evolving risks and observed adversary behavior. The framework's flexible architecture enables extension to multi-agent scenarios involving coordinated attackers, collaborative defenders, or complex enterprise environments with multiple stakeholders. Evaluated in a dynamic patch scheduling scenario, CyGATE effectively prioritizes high-risk vulnerabilities, enhancing adaptability through dynamic threat integration, strategic foresight by anticipating attacker moves under uncertainty, and efficiency by optimizing resource use.
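To make the abstract's core mechanism concrete, here is an added toy illustration of the defender's side of a POSG-style loop: a belief state over the attacker's current Cyber Kill Chain stage is updated from observed alerts (predict, then correct), and patches are re-prioritized by expected risk per unit cost under a budget. This is example code written for this page, not CyGATE's own implementation; the stage list, the attacker advance probability, the alert likelihood table, the vulnerability inventory with placeholder identifiers, and the scoring rule are all constructed assumptions.

```python
"""Toy belief-state patch prioritization across Cyber Kill Chain stages.

Added illustration, not CyGATE's code: the transition model, observation
model, vulnerability inventory and scoring rule are constructed assumptions.
"""
from dataclasses import dataclass

STAGES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]

# Assumed attacker dynamics: each step the attacker advances one stage with
# probability ADVANCE and otherwise stays; the final stage is absorbing.
ADVANCE = 0.4

# Assumed observation model: P(alert | attacker stage). Stages not listed for
# an alert get a small floor so a single alert never rules a stage out entirely.
OBS_LIKELIHOOD = {
    "port_scan":           {"recon": 0.7, "weaponize": 0.1},
    "phishing_email":      {"deliver": 0.7, "weaponize": 0.2},
    "macro_spawned_shell": {"exploit": 0.6, "install": 0.3},
    "periodic_beacon":     {"c2": 0.7, "install": 0.2, "actions": 0.3},
}
FLOOR = 0.02


def initial_belief():
    """Defender starts certain the attacker is in reconnaissance."""
    belief = {s: 0.0 for s in STAGES}
    belief["recon"] = 1.0
    return belief


def predict(belief):
    """Propagate the belief one step through the assumed attacker dynamics."""
    nxt = {s: 0.0 for s in STAGES}
    for i, s in enumerate(STAGES):
        p = belief[s]
        if i + 1 < len(STAGES):
            nxt[STAGES[i + 1]] += p * ADVANCE
            nxt[s] += p * (1 - ADVANCE)
        else:
            nxt[s] += p
    return nxt


def update(belief, alert):
    """One belief update: predict, then correct with the alert's likelihood."""
    pred = predict(belief)
    lik = OBS_LIKELIHOOD.get(alert)
    if lik is None:  # unknown alert type carries no information about the stage
        return pred
    post = {s: pred[s] * lik.get(s, FLOOR) for s in STAGES}
    z = sum(post.values())
    return {s: v / z for s, v in post.items()}


@dataclass(frozen=True)
class Vuln:
    vid: str         # placeholder identifier, not a real CVE
    severity: float  # CVSS-like base score in [0, 10]
    stage: str       # kill-chain stage at which the flaw becomes useful to the attacker
    cost: float      # patch effort in arbitrary units


def urgency(belief, v):
    """Probability the attacker can use v within one step: mass already at v's
    stage plus the share expected to advance into it from the previous stage."""
    i = STAGES.index(v.stage)
    mass = belief[v.stage]
    if i > 0:
        mass += belief[STAGES[i - 1]] * ADVANCE
    return mass


def prioritize(belief, vulns, budget):
    """Rank by expected risk per unit cost, then greedily patch within budget."""
    ranked = sorted(vulns, key=lambda v: -(v.severity * urgency(belief, v)) / v.cost)
    chosen, spent = [], 0.0
    for v in ranked:
        if spent + v.cost <= budget:
            chosen.append(v.vid)
            spent += v.cost
    return [v.vid for v in ranked], chosen


# Constructed sample inventory (placeholder IDs, not real advisories).
VULNS = [
    Vuln("VULN-WEB-RCE", 9.8, "exploit", 3.0),
    Vuln("VULN-LOCAL-PRIVESC", 7.8, "install", 2.0),
    Vuln("VULN-PROXY-EGRESS", 6.5, "c2", 1.0),
    Vuln("VULN-MAIL-FILTER", 5.3, "deliver", 1.0),
]


def run(alerts, budget=4.0):
    """Feed a sequence of observed alerts, then re-prioritize under the budget."""
    belief = initial_belief()
    for alert in alerts:
        belief = update(belief, alert)
    return belief, prioritize(belief, VULNS, budget)


if __name__ == "__main__":
    for seq in (["port_scan"], ["port_scan", "phishing_email", "macro_spawned_shell"]):
        belief, (ranking, patched) = run(seq)
        top = max(belief, key=belief.get)
        print(seq, "-> likely stage:", top, "| order:", ranking, "| patched:", patched)
```

With only a port scan observed, the mail-filter fix is the most urgent item because delivery is the next reachable stage; after a phishing email and a macro-spawned shell, belief mass shifts to the exploitation stage and the web RCE and local privilege-escalation fixes move to the front, while the budget forces the cheaper mail-filter patch in ahead of the privilege-escalation one. The point is the re-ranking driven by the belief state, which is what the abstract describes at a high level; a real system would learn the transition and observation models rather than hand-code them.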