My Research

During my PhD studies I focus on applying game-theoretic approaches in the network security domain. The aim is to create a system that optimally recommends network hardening actions to the administrator.


I model the problem as a two-player extensive-form game, where the defender (administrator) can harden his network (e.g., by deploying honeypots, IDS, etc.) and the attacker attacks the network. The core problem is to model the attacker's behavior reliably and precisely. I model the attacker based on attack graphs, a compact representation of all known ways in which the computer network can be compromised. Here is an example of a dependency attack graph:

Green rectangles represent initially true facts and violet diamonds represent initially false facts. Facts have rewards for the attacker when they are achieved (e.g., for Net Access the attacker obtains +100). The rounded rectangles are actions that the attacker can perform. Every action has a set of preconditions (facts connected to the action) and effects (facts connected from the action). Every action is probabilistic, with a probability of being successful if performed, a cost that the attacker pays for performing the action (regardless of whether the action succeeds or not), and a set of hosts that the action touches in the computer network.

Here is the optimal attack policy for the attack graph above:
It is a recommendation of an action at every stage of the attack, depending on whether the previous actions succeeded or failed. It is optimal in the sense that the expected reward is maximal for this attack strategy/policy. Action T means that the attacker is recommended to terminate the attack, since otherwise his expected reward is negative. If the previous action succeeds, follow the subpolicy after the solid line; otherwise follow the dashed line.

The whole game is then modeled as follows:
The defender chooses the honeypots that are introduced into the network (red hosts). This creates various networks, and for each of them I compute the optimal attack policy. The defender chooses the option that maximizes his expected utility.
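As an added worked example (not code from this page or the author's system), here is a small Python implementation of the computation described above on a constructed toy attack graph: the attacker's expected-reward maximization with a terminate action, and the defender's enumeration of honeypot placements. It assumes that each action is attempted at most once, that an action touching a honeypot host is detected and ends the attack, and that the game is zero-sum; the action names, hosts, rewards and probabilities are constructed.

```python
from functools import lru_cache
from itertools import combinations

# Constructed toy dependency attack graph (not the figure from the page).
INITIAL = frozenset({"internet"})              # initially true fact
REWARD = {"net_access": 100, "db_access": 200}  # attacker's reward per achieved fact
# action -> (preconditions, effects, success probability, cost, hosts touched)
ACTIONS = {
    "exploit_web": (frozenset({"internet"}), frozenset({"net_access"}), 0.6, 20, frozenset({"web"})),
    "exploit_ftp": (frozenset({"internet"}), frozenset({"net_access"}), 0.4, 10, frozenset({"ftp"})),
    "exploit_db": (frozenset({"net_access"}), frozenset({"db_access"}), 0.5, 60, frozenset({"db"})),
}

def optimal_policy(actions, honeypots=frozenset()):
    """Attacker's optimal expected reward and policy (state -> recommended action, "T" = terminate).
    Assumptions not stated on the page: each action is tried at most once, and an action
    touching a honeypot host is detected and ends the attack (its cost is still paid)."""
    policy = {}

    @lru_cache(maxsize=None)
    def value(facts, tried):
        best, choice = 0.0, "T"  # terminating yields 0, so negative-value branches are never taken
        for name, (pre, eff, p, cost, hosts) in actions.items():
            if name in tried or not pre <= facts or eff <= facts:
                continue  # already tried, preconditions unmet, or nothing new to gain
            if hosts & honeypots:
                v = -cost
            else:
                gained = sum(REWARD.get(f, 0) for f in eff - facts)
                v = (-cost + p * (gained + value(facts | eff, tried | {name}))   # solid line: success
                     + (1 - p) * value(facts, tried | {name}))                  # dashed line: failure
            if v > best:
                best, choice = v, name
        policy[(facts, tried)] = choice
        return best

    return value(INITIAL, frozenset()), policy

def best_hardening(actions, candidate_hosts, budget):
    """Defender evaluates each honeypot placement of up to `budget` hosts and keeps the one
    minimising the attacker's optimal expected reward (zero-sum assumed)."""
    best = None
    for k in range(budget + 1):
        for hosts in combinations(sorted(candidate_hosts), k):
            val, _ = optimal_policy(actions, frozenset(hosts))
            if best is None or val < best[0]:
                best = (val, frozenset(hosts))
    return best
```

On this toy graph the cheaper but less reliable `exploit_ftp` is the attacker's first recommended action, and a single honeypot on the web host lowers the attacker's expected reward the most.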



Future work: In the future I want to extend the model to introduce imperfect information, bounded rationality of the attacker, etc.