[The] cyber threat is one of the most serious economic and national security challenges we face as a nation. —President Barack Obama, 29 May 2009

1 Introduction

Revolutionary advances in information and communication technologies (ICT) have brought many changes to the nature of war. Cyberspace has become both a crucial enabler and a critical vulnerability for military forces. It has become a new battlefield, on a par with air, land, and sea, but with its own set of complex and challenging problems. Cyber weapons include social engineering, upgraded viruses, Trojan horses, worms, flooding denial-of-service (DoS), distributed denial-of-service (DDoS) or botnets, and advanced persistent threats (APTs) (Bernier et al. 2012; Aslanoglu and Tekir 2012).

In a social engineering attack, an attacker pieces together enough information to infiltrate an organization’s network. The attacker can, for example, claim to be a new employee, repair person, or researcher and ask different sources questions about an organization or its computer systems. A virus is a computer program designed to deliberately damage files or spread to other computers. A Trojan horse is a computer program with an apparently legitimate purpose that hides a program performing a malicious action. A worm is a virus that can spread from one computer to another without human interaction. It takes up memory, exhausts network bandwidth, and causes a computer to stop responding. It can also allow attackers to gain remote access to computers. Most of these threats arrive as attachments or links contained in email messages.

A DoS attack occurs when an attacker prevents legitimate users from accessing information or services such as email and online banking accounts. In this attack, an attacker overloads a network or server with information or requests. In a DDoS attack, an attacker takes advantage of security weaknesses to control multiple computers. These computers are used afterward to launch a DoS attack (McDowell 2009). These attacks can cause public or private institutions to lose important data, money, or their reputations (Liang and Xiao 2013). APTs use sophisticated techniques to monitor and extract sensitive data from a specific target over a long period of time while remaining undetected.

These cyber weapons are shaped by knowledge of the target’s vulnerabilities. The National Institute of Standards and Technology (NIST) defines a vulnerability as a weakness in system security procedures, design, internal controls, or implementation that could be exploited by a threat source (NIST 2002). A vulnerability is exploitable when an attacker has knowledge of it and the skills to exploit it.

Vulnerabilities are characterized by their dynamic nature. When a vulnerability is detected by the defender, the attacker’s weapon exploiting it becomes useless and the target’s defense is upgraded. This gives rise to the two paradoxes of cyber weapons. The first paradox states that cyber weapons are subject to time decay. The second states that using a cyber weapon may soon enhance the target’s defense (Podins and Czosseck 2012).

Without being directly lethal, cyberattacks can cause loss of data confidentiality (e.g., unauthorized disclosure of information), integrity (e.g., unauthorized modification of information), or availability (e.g., disruption of access) (Bowen et al. 2006). They can also cause damage to or destruction of equipment (Ziolkowski 2010; Podins and Czosseck 2012). The extent and severity of cyberattacks vary from local (loss of email confidentiality) to nation-wide (Ottis 2008). Without exploitable vulnerabilities, however, cyberattacks would be limited to DoS, DDoS, and social engineering attacks (Moore et al. 2010; Podins and Czosseck 2012).

In 2007, Estonia was the subject of the first massive nation-wide cyberattack in the world. A campaign of cyberattacks was conducted over 3 weeks against government websites, banks, critical national infrastructure, newspapers, and broadcasters. Attacks included massive DDoS, phishing, email spam, and website defacement (Aslanoglu and Tekir 2012; van Vuuren et al. 2012; Podins and Czosseck 2012).

In 2009, an APT exploited a previously unknown vulnerability in Internet Explorer to compromise systems at Google, Adobe, and more than 30 large companies. The main objective was to steal intellectual property from these security and defense contractor companies (Aslanoglu and Tekir 2012).

In 2010, the Stuxnet worm against the Iranian nuclear program was considered the real start of cyber warfare (Adams et al. 2012). This unprecedented and highly sophisticated attack infected more than 30,000 computers in Iran. The worm continued to spread via the Internet and infected about the same number of computers in other countries, including the USA, the UK, China, and Germany.

This attack changed the face of the battlefield and broke down the common belief that control systems are protected if (1) no computer is connected to the Internet, (2) new memory sticks are used for data exchange, and (3) viruses can be detected from the unusual behavior of computers (Miyachi et al. 2011; Aslanoglu and Tekir 2012; Podins and Czosseck 2012).

In 2013, Target Corporation came under an APT that resulted in unauthorized access to the credit card numbers and personal information of 40 million customers (Acquaviva 2017). Since then, there has been growing discussion about the best ways to protect potential target areas against offensive cyberattacks (Bier et al. 2009). To overcome these problems, a variety of protective and reactive measures have been employed. As shown in Table 1, traditional network security techniques include (1) tamperproof techniques, (2) cryptography, (3) detection and prevention techniques, (4) honeypots, and (5) technical attribution.

Table 1 Traditional protective and reactive measures in cyberspace

Although these techniques are crucial mechanisms for cybersecurity, they are not a panacea (Roy et al. 2010). They may be sufficient against casual attackers using well-known techniques, but the complex cybersecurity problem is still far from being completely solved. There is a continuous race between attackers and security specialists: when a smart security solution is proposed, a smarter way to circumvent it is found. There will be an ongoing and challenging need to design tools that protect our systems and networks against sophisticated and well-organized adversaries (Roy et al. 2010).

Many researchers, including Roy et al. (2010), Zakrzewska and Ferragut (2011), Kiekintveld et al. (2015), and Tambe (2011), have argued that game-theoretic reasoning is well-suited to many problems in network security and cyber warfare. This mathematical approach examines how agents or players might act when trying to optimize a utility function (Acquaviva 2017). The United States Department of Defense (DoD), for example, states that applying game theory techniques in cyberspace may assist in analyzing an adversary’s preferred tactics (DoD 2011). Game theory can also guide resource allocations to defend against intelligent antagonists by explicitly taking into account the intelligent and adaptive nature of the threat (Bier et al. 2009). The arguments put forward to justify this approach are numerous. They include in particular (but are not limited to) its ability to model the non-cooperative and cooperative strategic interactions between multiple decision-makers with conflicting goals. The analytical setting may be static or dynamic, discrete or continuous, deterministic or stochastic, and linear or non-linear.

A cooperative game model examines how players might work together to optimize a collective utility function (Acquaviva 2017). Cooperative games describe at a high level the structure, strategies, and payoffs of subsets of players, or coalitions. They are generally characterized by a characteristic function describing the outcome of each coalition.

A typical cooperative game in cyber domain may include a number of organizations or countries exchanging vulnerability information and attack detection procedures. By exchanging information on vulnerabilities, each member of the coalition will build new weapons using the newly learned vulnerabilities (Podins and Czosseck 2012). The UK government, for example, has initiated a cybersecurity hub that enables the exchange of information on cybersecurity threats between the public and private sectors (van Vuuren et al. 2012).

In a non-cooperative game, players seek to optimize their individual utility functions regardless of the utilities of the other players involved (Acquaviva 2017). Non-cooperative games are more general than cooperative games. They describe in detail the individual strategies and payoffs of each player. They focus on analyzing the Nash equilibrium, from which no player can do better by unilaterally deviating (Breton et al. 2008; Bachrach et al. 2013; Brandenburger 2007).

Interactions in cyberspace are generally adversarial and inherently selfish. A game between a system administrator and an attacker trying to compromise or destroy the system is a typical non-cooperative game in this domain. In this case, the time spent controlling the system or the reward for destroying it may be the utility function for the attacker. The reward for controlling the system may be the utility function for the defender (Acquaviva 2017).

The aim of this chapter is to discuss the suitability of game theory to adversarial interaction between attackers and defenders in cyberspace. The chapter also sheds light on the main challenging issues surrounding its applicability in this domain. A new game formulation combining simulation and game-theoretic approaches is proposed to solve the problem of uncertain observability in the payoff matrix.

This chapter is organized into six sections. Following the introduction, Sect. 2 provides a comprehensive review of literature on the application of game theory in the cyber domain. Section 3 presents a resource allocation problem to show how the new approach can be used in cyberspace. In Sect. 4, a case study is presented to illustrate the suggested approach. The main challenges associated with the applicability of game-theoretic methods in cyberspace are discussed in Sect. 5. Concluding remarks as well as future research directions are indicated in Sect. 6.

2 Literature Review

Game theory is a common formalized way to inspire the development of defense algorithms in the physical world (Moisan and Gonzalez 2017; Coniglio 2013; Tambe 2011; Roy et al. 2010). A growing body of literature recognizes game theory as a sound theoretical foundation for modeling the strategic interactions between selfish agents in the cyber world. This literature can be divided into three main categories: resource allocation, network security, and cooperation models.

2.1 Resource Allocation

Game theory can guide resource allocations to defend against intelligent attacks by explicitly taking into account the adaptive nature of the threat. In this game, the defender seeks to find the optimal resource allocation that maximizes his payoffs. The attacker seeks to minimize the risk of being traced back and punished (Acquaviva 2017). This problem is known in the game-theoretic literature as the allocation game (Bier et al. 2009).

Fielder et al. (2014), for example, proposed a game-theoretic model to optimally allocate cybersecurity resources such as administrators’ time across different tasks. In this game, the defender’s solution is optimal independently of the attacker’s strategy. The authors also found that a particular Nash equilibrium provides the most effective defense strategy and used real-life statistics to validate their result. More recently, Sokri (2018) used an allocation game to analyze the problem of common knowledge in cyberspace. The author incorporated uncertainty on each imprecise variable by changing its static value to a range of values.

Game theory is also used to determine the optimal investment in critical infrastructures such as networked systems. In this case, defensive investment is used to increase the effort needed by an attacker to achieve a certain probability of success. It can also be used to reduce the success probability of an attack, rather than increasing its effort. The game-theoretic framework determines the optimal allocation of the total defensive budget over the various components of the system in order to minimize the success probability of a potential attack or to maximize its expected cost (Azaiez and Bier 2007).

Game theory can also be used to investigate the optimal strategies for managing a sensitive security resource in response to APTs. Depending on the setting being modeled, the resource may be a password or an entire infrastructure. FlipIt, for example, is a two-player dynamic game where players may take control of the resource at any time by executing a stealthy move (i.e., not immediately detected). This idea implies that each player is allowed to move at arbitrary points in time, and the timing of the moves may be kept hidden from the other player. The objective is to maximize the fraction of time the player controls the resource while minimizing the cumulative move cost. FlipIt is characterized by the idea of stealthy moves or stealthy takeover (Rasouli et al. 2014; Hobbs 2015).

2.2 Network Security

Game theory has also been proposed by several studies to understand defense strategies in network security. It offers a sound theoretical foundation for managing information security, modeling the strategic interactions in intrusion detection, and analyzing network defense mechanism design. It is useful for generalizing problems, formalizing existing ad hoc schemes, and guiding future research (Alpcan and Basar 2004).

Bloem et al. (2006), for example, developed a stochastic and dynamic game to examine intrusion detection in access control systems. The authors used a game-theoretic approach to model the interaction between an attacker and a distributed IDS. They introduced the sensor network as a third player with a fixed probability distribution representing the output of the sensor network during the attack. The authors discussed the properties of the resulting system analytically and numerically.

Roy et al. (2010) presented a taxonomy for classifying the existing game-theoretic solutions designed to enhance network security. The authors provided a systematic description of how games can be played and what the outcomes might be. This information is used to define games with relevant concepts for network security problems.

Jafarian et al. (2013) combined game theory and constraint satisfaction optimization to proactively defend against denial-of-service attacks. In this static game, the Nash equilibrium is determined by the players’ strategies and the costs associated with them. The optimal strategy for attack deterrence is determined while satisfying the security and performance requirements of the network. Results showed that the method improves the protection of flow packets against persistent attackers without causing any disruption to flows.

More recently, Musman and Turner (2018) described a game-oriented approach to minimizing cybersecurity risks for a given investment level. The game formulation uses the defender strategies to minimize the maximum cyber risk. The interested reader is referred to Information Resources Management Association (2018) for further information on this topic.

Game theory has also been used to study the effects of deception on the interactions between an attacker and a defender of a computer network (Baston and Bostock 1988). In this literature, the defender can employ camouflage by disguising, for example, a honeypot as a normal system. Deception increases the attacker’s uncertainty and effort (e.g., time and money) to determine whether a system is real or fake. Even long before computers existed, deception was widely used for information protection (Cohen 1998; Rowe et al. 2007; Carroll and Grosu 2011). Rowe et al. (2007), for example, summarized some game-theoretic aspects of introducing honeypots. The authors developed a mathematical model of deception and counterdeception to see at what point people could detect deception. Results show that attacks on honeypots decreased over time.

Carroll and Grosu (2011) performed a game-theoretic investigation of deception in network security. The authors used a dynamic game of incomplete information to examine a scenario where a defender can disguise normal systems as honeypots or honeypots as normal systems. The attacker observes the system and decides whether or not to proceed with compromising it. The authors determined and characterized the perfect Bayesian equilibria of the game. At an equilibrium, the players have no incentive to unilaterally deviate by changing their strategies.

2.3 Agent Cooperation

Cooperative game theory can determine how the collective reward can be shared between selfish agents. It can also provide a mechanism to sustain the cooperative solution, which is not a self-enforcing contract (Breton et al. 2008). A typical cooperative game in the existing literature may include a number of selfish agents and a principal controlling a computer network. To allow reliable connectivity between a certain set of critical servers, the principal can incentivize the agents to cooperate by offering them a certain reward (Bachrach et al. 2013). It can also consist of a multi-mode attack combining different types of warfare that are more effective in tandem than when employed alone (Browne 2000).

Liu et al. (2005), for example, developed a preliminary game-theoretic formalization to capture the interdependency between attacker and defender objectives and strategies. The authors showed that the concept of incentives and utilities can be used to model attacker objectives. Bachrach et al. (2013) modeled a communication network where a failure of one node may disturb communication between other nodes as a simple coalitional game. The authors showed how various game-theoretic solution concepts can be used to characterize the fair share of the revenues an agent is entitled to.

Shamshirband et al. (2014) combined a game-theoretic approach and a fuzzy Q-learning algorithm in Wireless Sensor Networks. The authors implemented cooperative defense counter-attack scenarios for the victim node and the base station to operate as rational decision-maker players through a game theory strategy. The proposed model’s attack detection and defense accuracy yield a greater improvement than the existing machine learning methods.

A recent survey of the existing game-theoretic approaches for cybersecurity can be found in Do et al. (2017).

3 Resource Allocation Game

In this section, we will show how a game-theoretic model can be used to optimally allocate resources in the cyber domain. The main challenges and open research questions associated with this formulation will be presented and discussed in Sect. 5.

Consider a security game between an attacker a and a defender d in a cyberinfrastructure system. Following Korzhyk et al. (2011), let \( A=\{t_1,t_2,\dots,t_n\} \) be a set of n targets that the attacker may choose to attack. The defender seeks to prevent attacks by covering targets using cybersecurity resources from the set \( R=\{r_1,r_2,\dots,r_m\} \). In the physical world, targets may be flights and resources may be air marshals. In the cyber world, targets may be software vulnerabilities and resources may be protective devices such as firewalls (Gueye 2011).

The set A corresponds to the pure strategies of the attacker, where each pure strategy refers to a single target to attack. Let D be the set of all possible resource allocations over the set of targets. If at most one resource is assigned to a target, there are \( \binom{n}{m} \) ways to allocate m resources to n targets (Jain et al. 2010). The defender’s pure strategies are represented by these resource allocations. The two players are allowed to play mixed strategies by assigning a probability distribution over the set of pure strategies (Coniglio 2013; Jain et al. 2010). If a player adopts a mixed strategy, the outcome of the game is expressed as an expected value.

Let δ be the leader’s (the defender’s) mixed strategy, a probability vector over the defender’s pure strategies. Denote by \( \delta_i \) the proportion of times assigned to pure strategy i when the defender plays the mixed strategy δ.

Similarly, we denote by ρ a mixed strategy of the attacker (the follower) and by \( \rho_j \) the probability of pure strategy j when he plays the mixed strategy ρ. Let \( E\left(U_d(i,j)\right) \) be the expected utility of the defender and \( E\left(U_a(i,j)\right) \) the expected utility of the attacker when the defender plays pure strategy i and the attacker plays pure strategy j.

One of the main challenging issues in security games is the common knowledge assumption. It is generally assumed in these games that the players are able to evaluate exactly their own payoffs and the payoffs of their opponents. In most real-world cybersecurity problems, this assumption does not hold. Using deterministic payoff values may make the committed strategies ineffective (Coniglio 2013; Sokri 2018). In this chapter, utilities are seen as random variables generated by a stochastic simulation. Uncertainty is incorporated into the theoretical framework through their expected values.

Fixing the policy of the defender to some mixed strategy δ, the first problem to solve is to find the attacker’s best response to δ. This optimization problem can be formulated as a linear program in which the follower maximizes his expected utility given δ.

$$ {\mathit{\operatorname{Max}}}_{\rho }{\sum}_{i\in D}{\sum}_{j\in A}{\delta}_i{\rho}_jE\left({U}_a\left(i,j\right)\right) $$
(1)
$$ \mathrm{s}.\mathrm{t}.{\sum}_{j\in A}{\rho}_j=1 $$
(2)
$$ {\rho}_j\ge 0,\forall j. $$
(3)

While the constraints define the feasible set of ρ as the probability distributions over the set of targets A, it is straightforward to see that the optimal strategy for the follower is a pure strategy, \( \rho_j=1 \) for a j that maximizes \( \sum_{i\in D}\delta_i E\left(U_a(i,j)\right) \). This result can also be obtained from the corresponding dual problem, which has the same optimal objective value:

$$ {\mathit{\operatorname{Min}}}_v\ v $$
(4)
$$ \mathrm{s}.\mathrm{t}.v\ge {\sum}_{i\in D}{\delta}_iE\left({U}_a\left(i,j\right)\right),\kern0.75em j\in A. $$
(5)

The corresponding complementary slackness condition is given by

$$ {\rho}_j\left(v-{\sum}_{i\in D}{\delta}_iE\left({U}_a\left(i,j\right)\right)\right)=0,\kern0.75em j\in A. $$
(6)

This condition implies that the follower’s expected reward is maximal for any pure strategy with \( \rho_j>0 \).

Denoting by ρ(δ) the follower’s best response to δ, the leader seeks to solve the following problem:

$$ {\mathit{\operatorname{Max}}}_{\delta }{\sum}_{i\in D}{\sum}_{j\in A}{\delta}_i\rho {\left(\delta \right)}_jE\left({U}_d\left(i,j\right)\right) $$
(7)
$$ \mathrm{s}.\mathrm{t}.{\sum}_{i\in D}{\delta}_i=1 $$
(8)
$$ {\delta}_i\in \left[0,1\right],\kern1em \forall i\in D. $$
(9)

The two constraints enforce the leader’s mixed strategy to be feasible.

If we complete the leader’s problem by including the follower’s optimality conditions, the two programs can be formulated as a single mixed-integer quadratic problem (MIQP).

$$ {\mathit{\operatorname{Max}}}_{\delta, \rho, v}{\sum}_{i\in D}{\sum}_{j\in A}{\delta}_i{\rho}_jE\left({U}_d\left(i,j\right)\right) $$
(10)
$$ \mathrm{s}.\mathrm{t}.{\sum}_{i\in D}{\delta}_i=1 $$
(11)
$$ {\sum}_{j\in A}{\rho}_j=1 $$
(12)
$$ 0\le \left(v-{\sum}_{i\in D}{\delta}_iE\left({U}_a\left(i,j\right)\right)\right)\le \left(1-{\rho}_j\right)M,\kern1em \forall j\in A $$
(13)
$$ {\delta}_i\in \left[0,1\right],\kern1em \forall i\in D $$
(14)
$$ {\rho}_j\in \left\{0,1\right\},\kern0.75em \forall j\in A $$
(15)
$$ v\in R $$
(16)

The attacker is restricted to pure strategies, which simplifies the complementary slackness condition represented by the rightmost inequality in Eq. (13). Equations (12) and (15) characterize a feasible pure strategy for this player. In this formulation, v is the follower’s maximum payoff value and M is a large number.

4 Illustration

To illustrate the approach suggested in Sect. 3, consider the game in compact form in Table 2 (Sokri 2018; Jain et al. 2010; An et al. 2011). In this example, there are three targets and two defender resources. Each of the defender’s resources can cover only one target at a time. For each target, there are two payoffs: the payoff of the attacker and the payoff of the defender. Each payoff consists of two parts: one when the attacked target is covered and one when it is uncovered.

Table 2 Payoff table

Let \( {U}_d^c(t) \) be the defender’s payoff if the attacked target t is covered and \( {U}_d^u(t) \) his payoff if the target is uncovered. Similarly, denote by \( {U}_a^u(t) \) the attacker’s payoff if the attacked target t is uncovered and by \( {U}_a^c(t) \) the attacker’s payoff if the attacked target t is covered. For each target t, the expected utilities of the defender and the attacker are respectively given by

$$ {U}_d(t)={\rho}_t\left({\delta}_t{U}_d^c(t)+\left(1-{\delta}_t\right){U}_d^u(t)\right) $$
(17)
$$ {U}_a(t)={\rho}_t\left(\left(1-{\delta}_t\right){U}_a^u(t)+{\delta}_t{U}_a^c(t)\right) $$
(18)

The expected utilities in Eqs. (17) and (18) depend simply on the attacked targets and their coverage. Uncertainty can furthermore be placed on each payoff using three-point estimates instead of single values.

This game has multiple equilibria of the form

$$ \left\langle \delta =\left({\delta}_1,{\delta}_2, 1\right),\kern0.5em \rho =\left(0,0,1\right)\right\rangle . $$
(19)

This standard solution indicates that the attacker would aim at the most valuable target no matter how well defended it might be (Sokri 2018; Jain et al. 2010; An et al. 2011). A solution for the defender–attacker Stackelberg game that satisfies the constraints and the numerical convergence criterion is given by

$$ \left\langle \delta =\left(0.75, 0.25, 1\right),\kern0.5em \rho =\left(0,0,1\right)\right\rangle . $$
(20)

To find a robust solution, further refinement is needed. The equilibrium refinement may be based on some utility dominance criteria such as Pareto dominance (An et al. 2011).
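The compact-form game of Sect. 4 and the best-response and leader problems of Sect. 3, worked through as an added Python example (this is not the chapter's code). Assumptions: the payoff numbers are constructed for the example (the chapter's Table 2 is not reproduced), the leader's problem (7)–(9) is solved by enumerating coverage vectors on a grid rather than by the MIQP (10)–(16), and three-point payoff estimates are sampled from a triangular distribution.

```python
"""Stackelberg security game in compact form: three targets, two defender
resources, each covering one target (the setting of Sect. 4). Payoffs are
constructed for this example; the leader's problem is solved by enumeration."""
import itertools
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetPayoffs:
    """Expected payoffs for one target: defender/attacker, covered/uncovered."""
    d_cov: float   # U_d^c(t)
    d_unc: float   # U_d^u(t)
    a_cov: float   # U_a^c(t)
    a_unc: float   # U_a^u(t)


# Constructed example: target 3 is so valuable that even full coverage
# leaves the attacker a positive payoff there (a_cov = 4).
PAYOFFS = (
    TargetPayoffs(d_cov=5, d_unc=-10, a_cov=-5, a_unc=10),
    TargetPayoffs(d_cov=3, d_unc=-6, a_cov=-3, a_unc=6),
    TargetPayoffs(d_cov=10, d_unc=-20, a_cov=4, a_unc=20),
)


def defender_utility(p, cov):
    """Eq. (17) with rho_t = 1: defender's expected payoff when target t,
    covered with probability cov (delta_t), is attacked."""
    return cov * p.d_cov + (1 - cov) * p.d_unc


def attacker_utility(p, cov):
    """Eq. (18) with rho_t = 1: attacker's expected payoff on the same target."""
    return (1 - cov) * p.a_unc + cov * p.a_cov


def attacker_best_response(payoffs, delta, eps=1e-9):
    """Eqs. (4)-(6): v is the follower's maximum expected reward for the fixed
    leader strategy delta; complementary slackness allows rho_j > 0 only on
    targets whose reward equals v, so those targets form the best-response set."""
    rewards = [attacker_utility(p, c) for p, c in zip(payoffs, delta)]
    v = max(rewards)
    best = [j for j, r in enumerate(rewards) if r >= v - eps]
    return v, best


def coverage_grid(n_targets, n_resources, step):
    """Feasible marginal coverage vectors on a grid: each delta_t in [0, 1]
    and sum(delta) <= m, since each of the m resources covers one target."""
    levels = [round(k * step, 10) for k in range(int(round(1 / step)) + 1)]
    for delta in itertools.product(levels, repeat=n_targets):
        if sum(delta) <= n_resources + 1e-9:
            yield delta


def solve_stackelberg(payoffs, n_resources, step=0.25):
    """Leader's problem (7)-(9) by enumeration. For every feasible coverage the
    attacker best-responds; ties are broken in the defender's favour (the usual
    strong Stackelberg convention). Returns (defender utility, delta, attacked
    target index, attacker value v) for the first optimal coverage found."""
    best = None
    for delta in coverage_grid(len(payoffs), n_resources, step):
        v, br = attacker_best_response(payoffs, delta)
        j = max(br, key=lambda t: defender_utility(payoffs[t], delta[t]))
        u_d = defender_utility(payoffs[j], delta[j])
        if best is None or u_d > best[0] + 1e-9:
            best = (u_d, delta, j, v)
    return best


def all_optimal_coverages(payoffs, n_resources, step=0.25):
    """All grid coverages reaching the optimum: the game has several
    equilibria of the form (delta_1, delta_2, 1), as in Eq. (19)."""
    opt = solve_stackelberg(payoffs, n_resources, step)[0]
    out = []
    for delta in coverage_grid(len(payoffs), n_resources, step):
        v, br = attacker_best_response(payoffs, delta)
        j = max(br, key=lambda t: defender_utility(payoffs[t], delta[t]))
        if abs(defender_utility(payoffs[j], delta[j]) - opt) < 1e-9:
            out.append(delta)
    return out


def expected_payoff(low, mode, high, rng, samples=20000):
    """Turn a three-point estimate (low, most likely, high) into the expected
    value the model uses, by Monte Carlo sampling. A triangular distribution is
    assumed here; the chapter only says utilities come from a simulation."""
    total = sum(rng.triangular(low, high, mode) for _ in range(samples))
    return total / samples


if __name__ == "__main__":
    u_d, delta, j, v = solve_stackelberg(PAYOFFS, n_resources=2)
    print(f"coverage {delta}: attacker hits target {j + 1}, "
          f"defender utility {u_d:.2f}, attacker value {v:.2f}")
    print("all optimal coverages:", all_optimal_coverages(PAYOFFS, 2))
    # Uncertain uncovered payoff on target 3, estimated as (-30, -20, -10):
    print("E[U_d^u(t3)] ~", round(expected_payoff(-30, -20, -10, random.Random(1)), 2))
```

With these payoffs every optimal coverage has target 3 fully covered and still attacked, the same pattern as Eq. (19), while the split of the remaining resource between targets 1 and 2 is not unique.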

5 Application of the Game in Cyberspace: Challenges and Opportunities

Game theory has already produced several notable successes in numerous physical security domains. It was applied, for example, to randomize checkpoints at the Los Angeles International Airport (LAX) and to assign federal air marshals to protect flights (Jain et al. 2010; Kiekintveld et al. 2015; Acquaviva 2017). Researchers have also used game theory to understand security and defense strategies in the cyber world. The application of game theory to this domain presents at least three main challenges: (1) the complexity of the cyber domain, (2) the dynamic nature of the analyzed games, and (3) the validity of the adopted assumptions.

5.1 Complexity of the Cyber Domain

Cybersecurity is more complex than physical security. In the cyber domain, digital attacks are often sophisticated and imperceptible to the human senses. They are highly dynamic, overstepping all geographic and political boundaries (Moisan and Gonzalez 2017). To interact appropriately in the cyber domain under dynamically changing real-world scenarios, it is important to understand the entire cyberinfrastructure system. To this end, the holistic game-inspired defense architecture suggested by Shiva et al. (2012) would be a good starting point.

Shiva et al. (2012) proposed a four-layer decision-making framework inspired by game theory. As illustrated in Fig. 1, the security scheme is organized into four layers. The first and innermost layer in the framework contains self-checking hardware and software components. The second layer consists of secure built-in or bolt-on applications employing self-checking concepts and components. The third layer is the security infrastructure consisting of intrusion detection system (IDS), firewalls, and antivirus software. The fourth and outermost layer uses game-theoretic analysis to provide the best action strategies. It receives input from the inner three layers, evaluates the committed or probable attack information, and elects the optimal decision for defense.

Fig. 1 Game-inspired decision model (adapted from Shiva et al. 2012)

5.2 Static Versus Dynamic Perspectives

A static model is a model where the system state is independent of time. It is an interaction where each player makes a single decision in isolation and under imperfect information. The well-known prisoner’s dilemma falls under the category of static games. Decisions in static games can be seen as made simultaneously. Real-world security interactions are inherently dynamic, with recent attacks building upon previous ones. A dynamic model is a model where the system state changes with time, and players are able to observe the outcome of previous moves before responding. Stealthy move games are examples of dynamic games. The dynamic perspective can be introduced into the suggested framework by playing the game within a finite or infinite time horizon. Factors that determine the objective function, such as rewards and costs, should then be explicitly represented as functions of time. This addition can, however, result in a more complex and challenging problem.

5.3 Validity of Assumptions

The game-theoretic framework in Sect. 3 relies on two key assumptions. The game considers (1) two rational players with certain observability and (2) a limited number of homogeneous resources and targets with no explicit cost of moving. In the real world, the defender may face multiple rational or irrational attackers, and common knowledge of payoffs may be missing. The number of targets to be protected can be large, and the attacker may aim at more than a single target. The defender’s resources may also be numerous and carry an explicit cost of moving. Making the formalism more realistic in these ways would prevent the algorithm from finding an optimal solution in a reasonable time. It is, therefore, necessary to combine game theory with other potential tools and techniques to enhance cyber conflict analysis. Table 3, adapted from DoD (2011), presents the potential techniques, their definitions, and their potential use in cyberspace.

Table 3 Potential tools and techniques that may be combined in cyber conflict analysis

Combining game theory with other techniques in cyberspace is still at its beginnings, and many open issues are still to be tackled. The future combined frameworks should be able:

  • To be dynamic where recent attacks are built upon previous ones;

  • To model multiple self-interested agents (e.g., multiple unknown attackers from multiple locations);

  • To handle multiple uncertainties in adversary payoffs and observations;

  • To deal with bounded rationality of human adversaries by introducing stochastic actions.

6 Conclusion

The extensive use of ICT in the military sector has changed the face of the battlefield and made cybersecurity an increasingly important concern. Cyber weapons are malicious software that exploit unknown vulnerabilities in the target’s defense. The players in this new space can be individuals, devices, or software. Their interactions are generally non-cooperative and their objectives are inherently conflicting.

The game-theoretic reasoning has been recognized as well-suited to many problems in the cyber world.

The arguments put forward to justify its use are abundant. Game theory uses proven mathematics to investigate a large range of security decisions. It provides a sound theoretical foundation for understanding the strategic interactions between selfish agents and optimally allocating limited resources and sharing collective rewards.

Defense algorithms inspired by game theory have become very popular in the physical security world. Cyberinfrastructure systems are, however, more complex and the corresponding security threats are highly dynamic and sophisticated. Despite considerable effort from the research community, the application of game theory in cyber defense is still at its beginnings and needs further adaptation to deliver according to its potential.

Current cyber algorithms generally use static settings and rely on idealized assumptions such as common knowledge about the payoff matrix. They also assume that players are able to remember and process large amounts of information accurately. Applying game theory under these simplified conditions may make the resulting strategies ineffective. Scaling up the formalism to real-world-sized problems would make it very complex and intractable.

To make the formalism more realistic and obtain sound and effective solutions in a reasonable time, we recommend combining game theory with other techniques and tools. The suggested techniques include computer simulation, genetic algorithms, graph theory, reliability modeling, and cyber forensic analysis. Tools may consist of IDS, firewalls, and antivirus software. Using these techniques and tools within a solid game-theoretic setting has huge potential to solve many standard cybersecurity problems.