On a Generic Security Game Model

To protect the systems exposed to the Internet against attacks, a security system with the capability to engage with the attacker is needed. There have been attempts to model the engagement/interactions between users, both benign and malicious, and network administrators as games. Building on such works, we present a game model which is generic enough to capture various modes of such interactions. The model facilitates stochastic games with imperfect information. The information is imperfect due to erroneous sensors leading to incorrect perception of the current state by the players. To model this error in perception distributed over other multiple states, we use Euclidean distances between the outputs of the sensors. We build a 5-state game to represent the interaction of the administrator with the user. The states correspond to 1) the user being out of the system in the Internet, and after logging in to the system; 2) having low privileges; 3) having high privileges; 4) when he successfully attacks and 5) gets trapped in a honeypot by the administrator. Each state has its own action set. We present the game with a distinct perceived action set corresponding to each distinct information set of these states. The model facilitates stochastic games with imperfect information. The imperfect information is due to erroneous sensors leading to incorrect perception of the current state by the players. To model this error in perception distributed over the states, we use Euclidean distances between outputs of the sensors. A numerical simulation of an example game is presented to show the evaluation of rewards to the players and the preferred strategies. We also present the conditions for formulating the strategies when dealing with more than one attacker and making collaborations.

💡 Research Summary

The paper introduces a generic security‑game framework designed to capture the dynamic interaction between a system administrator and a user (who may be benign or malicious) in an Internet‑exposed environment. Building on earlier works that modeled specific attacks with stochastic games, the authors propose a five‑state stochastic game with imperfect information. The five states represent (1) the user being outside the system on the Internet, (2) the user logged in with low privileges, (3) the user with high privileges, (4) a successful attack, and (5) the user trapped in a honeypot. Each state has its own distinct action set for both players.

A key contribution is the treatment of sensor errors that cause players to misperceive the current state. Instead of assuming a single erroneous transition, the authors distribute the error over the four alternative states using Euclidean distances between the sensor outputs associated with each state. The smaller the distance between the true state’s sensor vector and that of another state, the higher the probability that the player will mistakenly believe they are in that other state. This distance‑based error model is incorporated into the transition probabilities, yielding information sets that are larger than a single state and thus creating a genuine imperfect‑information game.

The administrator’s sensor is assumed to be noisy, whereas the user’s sensor is error‑free except when the game reaches the honeypot (Trap) state. In the honeypot, the administrator deliberately obscures the user’s perception, expanding the user’s perceived action set and making the user’s decision problem more ambiguous. This mechanism is intended to lure suspicious users into a controlled environment where their behavior can be observed and classified.

The reward structure is a general‑sum formulation: the administrator gains when attacks are thwarted or when the user is safely isolated, while the attacker gains when a successful intrusion occurs. By solving the stochastic game (using a C‑based numerical simulation), the authors compute expected payoffs for each information set and identify Nash equilibria and best‑response strategies. The simulation shows that higher sensor error increases the likelihood of the attacker being diverted to the honeypot, thereby reducing the attacker’s expected payoff and increasing the administrator’s defensive advantage.

The paper also extends the model to multiple attackers. Each attacker initially has an independent information set, but the authors define “collaboration incentives” and “separation incentives” that can encourage or discourage attackers from sharing information and coordinating actions. The conditions for forming such coalitions are expressed analytically, and the impact on the overall game dynamics is explored through additional simulation runs.

Beyond the core game, the authors describe a broader architecture called the Game‑Inspired Defense Architecture (GIDA). GIDA consists of a target system, Internet interface, sensors & actuators, a Knowledge Management System (KMS), a Control Unit (GCU), and a honeypot. Anomalous events detected by sensors are reported to the GCU, which queries the KMS for up‑to‑date attack knowledge, selects an appropriate game model, and issues control commands to actuators. This architecture positions the game model as a decision‑making engine within a real‑time security platform.

In summary, the paper contributes: (1) a generic five‑state security game that can be instantiated for various attack scenarios; (2) a novel distance‑based sensor‑error model that yields realistic imperfect‑information dynamics; (3) analytical expressions for the “Imperfect Information Factor” and for coalition formation among multiple attackers; (4) a C‑implemented simulation that validates the theoretical findings; and (5) a systems‑level architecture (GIDA) that integrates the game model into an operational security infrastructure. The work lays a foundation for future research on adaptive, game‑theoretic cyber‑defense mechanisms, including extensions to bidirectional sensor errors, reinforcement‑learning based strategy synthesis, and deployment in IoT or critical‑infrastructure contexts.