Network Attack and Defense Game Theory Based on Bayes-Nash Equilibrium

Abstract

In the process of constructing the traditional offensive and defensive game theory model, these are some shortages for considering the dynamic change of security risk problem. By analysing the critical indicators of the incomplete information game theory model, incomplete information attack and defense game theory model and the mathematical engineering method for solving Bayes-Nash equilibrium, the risk-averse income function for information assets is summarized as the problem of maximising the return of the equilibrium point. To obtain the functional relationship between the optimal strategy combination of the offense and defense and the information asset security probability and risk probability. At the same time, the offensive and defensive examples are used to visually analyse and demonstrate the incomplete information game and the Harsanyi conversion method. First, the incomplete information game and the Harsanyi conversion problem is discussed through the attack and defense examples and using the game tree. Then the strategy expression of incomplete information static game and the engineering mathematics method of Bayes-Nash equilibrium are given. After that, it focuses on the offensive and defensive game problem of unsafe information network based on risk aversion. The problem of attack and defense is obtained by the issue of maximizing utility, and then the Bayes-Nash equilibrium of offense and defense game is carried out around the security risk of assets. Finally, the application model in network security penetration and defense is analyzed by designing a simulation example of attack and defense penetration. The analysis results show that the constructed income function model is feasible and practical.

1. INTRODUCTION

 With the rapid development and popularisation of Internet technology, the cybersecurity has developed from a series of technical problems to a strategic concept [1-2]. Globalization and the Internet give individuals, organizations, and countries amazing new capabilities based on the continuous development of network technologies. Meanwhile, information collection, communications, fundraising, and public relations have all gone digital. As a result, all political, economic and military conflicts now have a cyber dimension whose scope and impact are hard to predict. Battles in cyberspace may be more important than any other on the ground. For this reason, cyber-attacks capabilities and cyber defense levels will determine the outcome of a cyber war game. All in all, the Internet makes the distance of world grow short, and cyber confrontation has become a serious strategic issue for all countries in the world.

 Both the network attack and defense are carried out around the information assets of the target network. The result is related to the utility (revenue) function of both parties, and the utility (revenue) function is not only a function of the security risk probability of the target network system but also a function of the strategic combination of both attacking and defending parties [3-5]. Therefore, when constructing the network attack and defense game model, the change of the security risk probability of the target network system should be considered. At the same time, we should also consider the impact of the strategic combination of both offensive and defensive sides on the overall performance of the system.

 This paper is going to present the function between the optimal strategic combination (Bayes-Nash equilibrium point) of the two parties, the security probability and risk probability of information assets based on incomplete information game model and engineering mathematics method to solve Bayes-Nash equilibrium. In this paper, we mainly study how to construct the risk-averse utility (revenue) function for information assets, and reduce the solution of equilibrium point to the problem of maximizing utility (revenue).

 Information imperfection game model is common in cyber warfare, and most policymakers are risk-averse. If both the attacking and defending parties have accurate knowledge of the game situation and the game benefits, it is called the complete information attacking and defending game. If the above requirements are not met, it is incomplete information attacking and defending game [6-8]. Also, if both the offensive and defensive parties have observed and remembered the behaviour schemes chosen by both parties before, it is called the perfect information game [9-10]. Otherwise, it is called imperfect information game. Harsanyi proposed a way to handle the incomplete information game between 1967 and 1968, which is widely introduced in other research [11-14]. His method translates incomplete information into imperfect information by introducing virtual player zero, which is “nature”. This transformation is called the Harsanyi conversion, which is very important for studying the problem of the uncertain game model [15-21].

 At present, research on network security based on the information game has made some progress, but most of the models applied in the cybersecurity are based on the complete information game theory. Wei J and his team [22] uses privileged state to construct the complete information game model. LYE [23] analyzes the strategic interaction between attackers and defenders through complete information game. WEI L [24] proposes a complete information stochastic game method to protect the power grid from the attacks. LEI [25] studies the incomplete model but does not address the applicability of benefit functions. In our paper, by the above research, we build the incomplete information game model and Bayesian-Nash equilibrium solution. We also propose the revenue function model under different scenarios, so as to obtain the relationship between the optimal strategic combination and the risk probability. More importantly, different from the laboratory environment simulation of many researches, this paper makes the game analysis with actual cases.

 Our innovations are as follows:

 (1) The incomplete information game and the transformation of Harsanyi are discussed intuitively through an attack and defense example.

 (2) The strategy formulation of incomplete information static game and the engineering mathematics method are proposed to solve Bayes-Nash equilibrium.

 (3) The problem of incomplete information network attack and defense game based on risk aversion is mainly discussed.

 The remainder of this paper is organized as follows: Section 2 discussed the incomplete information game and Harsanyi conversion. The strategy formulation and Bayes-Nash equilibrium are explained in Section 3. This is followed by incomplete information attack and defense game model based on risk aversion in Section 4. Finally, application examples and simulation analysis in Section 5.

 

2. INCOMPLETE INFORMATION GAME AND HARSANYI CONVERSION

 The main research method of this paper is to discuss and deduce the incomplete information game and several core issues in the complex attack and defense environment. This paper studies from the perspective of decision making, including attackers, defenders and network points. By deducing the strategy choices of different decision makers in the incomplete information game, the game problem is discussed in depth.

 The example assumes that the target network system has a defender and a potential attacker. The defending party decides to adopt two strategies that are defensive or non-defensive, and the attacking party decides whether to launch an attack against the target network. We know that cyber defense is costly, including high and low costs. Suppose the attacker does not know whether the defense cost is high or low, but the defender knows it. The benefits of this game model are shown in Table 1. The benefits of attacking party depend on whether the defense adopts a defensive strategy, not directly on the cost of defense. It is profitable for an attacker to choose to attack if and only if the defender chooses not to defend. However, the choice of defense depends on the defense cost.

Table 1. An attack and defense game of incomplete information (strategic) Benefits when defense costs are high

 A common approach In this case, the attacker seems to be playing with two different defenders, one the high-cost and the other a low-cost defensive guard. Generally, if the defender has possible different cost functions, it means the attacker seems to be playing with different guards. Before 1967, game theorists argued that such problems were impossible to analyze because the rules of a game were not defined when a player did not know whom he was playing with. It was not to solve the problem until 1967-1968 that Harsanyi proposed his conversion.

 In order to simulate and handle the problem of incomplete information game, we introduce the virtual player “0”, namely “nature” according to Harsanyi’s method. “Nature” first chooses the type (defense cost) of the defender. In this transition game, the attacker’s incomplete information about the defender’s defense costs becomes imperfect information about “natural” action, so that the transition game can be analysed using standard techniques.

 The conversion from incomplete information game to imperfect information game is shown in Figure 1. In the figure, “0” stands for “nature”, “1” for defender, “2” for attacker, the numbers in brackets for the probability of “nature” action, and the numbers in parentheses for the benefits of game (the numbers on the left represent the benefits of the defense side, and the numbers on the right represent the benefits of the attack side). Also, the figure contains an implicit standard assumption that the attacking and defending parties have a consistent judgment of the probability distribution of “natural” action (although this is a standard assumption. It makes more sense for a “natural” action to represent a public event, such as cybersecurity than the action to describe a personal feature, such as the benefits of person). Once this hypothesis is adopted, the problem will convert a standard game model. Thus the standard game model can be handled with the concept of Nash equilibrium. The Bayes equilibrium (or Bayes-Nash equilibrium) of Harsanyi refers to the equilibrium of the imperfect information game.

Fig. 1. The transformation of incomplete information game to imperfect information game (game tree)

 In Table 1, x  represent the probability that defenders choose to defense the attack when the defense cost is low (it is irrational for the guards to select protection when the defense cost is high).  y represent the probability that the attacker decides to launch an attack. The optimal strategy of the attacker is, if \(x=\frac{1}{2\left(1-p_{1}\right)}\) , then \(y =1 (attack)\)  (attack). If \(x>\frac{1}{2\left(1-p_{1}\right)}\) , then y=0(non-attack). If \(y<\frac{1}{2}\) , then  \(y<\frac{1}{2}\) . Similarly, the defense’s optimal response at low defense costs is, if \(y \in[0,1]\) , then \(y<\frac{1}{2}\)  (defense). If  \(y>\frac{1}{2}\) , then x=0   (non-defense). If \(y=\frac{1}{2}\), then \(x \in[0,1]\) . To solve the Bayes-Nash equilibrium, we need to find a group of   \((x, y)\) that make x is the optimal strategy of the defender when the defense cost is low. Meanwhile, the optimal strategy of the attacker is given in the case of the attacker’s judgment  p₁ about the defense situation and the strategy of the defense party. For example, for any p₁ , the policy portfolio (x=0, y=1)  is a balance (that is the defender is not defending, and the attacker is attacking). If and only if \(p_{1} \leq \frac{1}{2}\) , the strategic combination (x=1, y=0)  constitutes a balance ( that is, when the defense cost is low, the defender chooses to defense and the attacker abandons the attack).

 From the above example, the basic approach to the Harsanyi conversion can be summarized as follows:

 (1) Introduce a virtual person, namely “nature” or “god”, he does not have to think about his gains and losses. His only role is to give players the type vector \(\theta=\left(\theta_{1}, \theta_{2}, \ldots, \theta_{n}\right)\)in the game. Where \(\theta_{i} \in \Theta_{i} \)  \( \Theta_{i}\) is called available type space. It is a complete description of the characteristics of person i  .

 (2) The virtual person “nature” tells the true type \(\theta_{i}\)   of person i  to himself, but does not let other persons know. However, “nature” will tell each person the probability distribution  \(p\left(\theta_{1}, \theta_{2}, \ldots, \theta_{n}\right)\)  on  \(\theta=\left(\theta_{1}, \theta_{2}, \ldots, \theta_{n}\right)\).

 (3) All roles make choices at the same time. The strategy  s_i is selected from the strategy space s_i  by the players, where the strategy space of player i  is related to the type space  \(\theta_{i}\) of player i , generally denoted as \(S_{i}\left(\theta_{i}\right)\)  .

 (4) The payment (revenue) function for all players except “nature” is:

\(u_{i}=u_{i}\left(S_{1}, S_{2}, \ldots, S_{n} ; \theta_{i}\right), i=1,2, \ldots, n\)

 According to the “nature” action, the static game of incomplete information is converted into a complete but imperfect information game. The game consists of two stages, the first is the preparatory stage. In this stage, the “nature” takes action, and it determines the probability vector \(p\left(\theta_{1}, \theta_{2}, \ldots, \theta_{n}\right)\). The second stage is the actual game stage. Players n  will move simultaneously. Although they know the type that “nature” had chosen for themselves, they did not know the type that “nature” had chosen for other people (at least one other person). So at least one player in the bureau has an imperfect message about “natural” action. However, the type space of each person and its probability distribution are common knowledge. In this way, we can analyse the problem of incomplete information game by the probability theory (especially “Bayes’ rule”).

 With the Harsanyi conversion, in example 1, “nature” determines that the defender has two types that are \(\theta_{1}=\left(\theta_{11}, \theta_{12}\right)\) . In this formula, \(\theta_{11}\)  stands for high defense cost and \(\theta_{12}\)  stands for low cost. “Nature” determines that attackers have a type that is \(\theta_{2}=\left(\theta_{21}\right)\) . If the defender belongs to type \(\theta_{11}\)  (high defense cost) and the attacker has only one type \(\theta_{21}\) , it constitutes a static complete information game on the left side of Table 1. In contrast, if the defender belongs to type  \(\theta_{12}\)  (low defense cost), and the attacker has only one type \(\theta_{21}\) , it constitutes a static complete information game on the right side of Table 1.

 The defense knows its type, and the attacker does not know the type of defense. However, in our research, both the offense and defense have consistent judgments about the probability distribution of the defense type determined by “nature”.

 

3. STRATEGY FORMULATION AND BAYES-NASH EQUILIBRIUM

 In the previous chapter, we introduced the standard solution to incomplete information, which is the Harsanyi conversion. In this solution, the incomplete information game is transformed into the game under different players. Thus the game results can be solved. However, the effect depends on the type of player in the situation. We give the following definitions in the paper:

 Definition 3.1 The type set of players is the set of information about their own decision-making characteristics in the game. All the elements of this set of information types are called the types of player in the bureau. Each player does not hope that other players know exactly which type the player is.

 Definition 3.2 Incomplete information static game includes the following four elements:

 The set of players  \(\underline{N}=\{1,2, \ldots, n\}\)

 Each player’s type space \(\mathbf{\Theta}_{i}=\left\{\theta_{i}\right\}, i \in \underline{N}\) . Moreover, probability distribution \(p\left(\theta_{1}, \theta_{2}, \ldots, \theta_{n}\right)\)  in the total type space  \(\mathbf{\Theta}_{i}=\left\{\theta_{i}\right\}, i \in \underline{N}\) .

 Each player has a policy set \(S_{t}=\left\{s_{t}\right\}, i \in \underline{N}\)  associated with its type  \({\theta}_{i}\) . Moreover, the policy set S_i  is independent of the other players’ type \({\theta}_{i}\) .

 Each player has its revenue function \(u_{i}\left(s_{1}, s_{2}, \dots, s_{n} ; \theta_{i}\right)\) , which depends not only on the strategy combination \(\left(s_{1}, s_{2}, \dots, s_{n}\right)\)  but also on its type.

 All four elements are common knowledge. In the situation, each participate chooses strategies to maximize their benefits.

 This game is called incomplete information static game, also known as Bayes static game [7]. The game model can be expressed by the following formula:

\(G=\left[\underline{N},\left\{\Theta_{i}\right\}, p,\left\{S_{i}\left(\theta_{i}\right)\right\},\left\{u_{i}\right\}\right]\)       (1)

 In the formula,  \(\underline{N}\{1,2, \ldots, n\}\) is the set of players.  \({\Theta}_{i}\) is the type set of player   i and \(\forall i \in \underline{N}\) .  \({\Theta}_{i}\)  is  the probability distribution function on all type space p . \(S_{i}\left(\theta_{i}\right)\)  is the strategy set of player i . When the type \({\theta}_{i}\)  of  i  changes, so does  S_i  and similarly \(\forall i \in \underline{N}\) . u_i  is the revenue function of player i  . It depends on the strategy and type of all the players. We introduce the notation as follows:

\(\theta_{-i}\left(\theta_{1}, \ldots, \theta_{i-1}, \theta_{i+1}, \ldots, \theta_{n}\right)\)

 It represents the type combination of all players except for n-1. It is also \(\theta=\left(\theta_{1}, \theta_{2}, \ldots, \theta_{n}\right)=\left(\theta_{t}, \theta_{t}\right), i=1,2, \ldots, n\) . Any game player i , although knows oneself type \({\theta}_{i}\) , do not knows the type of other players \({\theta}_{-i}\) . But  i is not totally don’t know about \({\theta}_{-i}\) , at least understand \(p\left(\theta_{1}, \ldots, \theta_{n}\right)\) . At the same time, it is assumed that they have a knowledge of conditional probability \(p_{i}\left(\theta_{-i} | \theta_{i}\right)\), that is, player i  see the distribution probability of each type \({\theta}_{-i}\)  of the other n-1 players when the player’s type is \({\theta}_{i}\) .

Definition 3.3 The conditional probability  \(p_{i}\left(\theta_{-i} | \theta_{i}\right)\)  of player’s type is called the belief of the type for the other players’ type. According to the Bayes rule:

\(p_{i}\left(\theta_{-i} | \theta_{i}\right)=\frac{p\left(\theta_{i}, \theta_{-i}\right)}{p\left(\theta_{i}\right)}=\frac{p\left(\theta_{i}, \theta_{-i}\right)}{\sum_{\theta_{i} \in \Theta_{-i}} p\left(\theta_{i}, \theta_{-i}\right)}\)       (2)

 In the formula,

\(\Theta_{-i} \triangleq \prod_{j=1 \atop j \neq i}^{n} \Theta_{j}, \quad i=1,2, \ldots, n\)

 When players have common knowledge of the rules, they will know the distribution of other players.

 When the type of player i   is  \(\boldsymbol{\theta}_{i}\) , the expected benefit of strategy s_i  is:

\(\sum_{\theta_{-i} \in \Theta_{-i}} p\left(\theta_{-i} | \theta_{i}\right) u_{i}\left(s_{-i}\left(\theta_{-i}\right), s_{i}, \theta_{i}\right)\)       (3)

 Through the expectation criterion, the concept of Nash equilibrium has a natural extension of Bayes-Nash equilibrium in the incomplete information static game.

 Definition 3.4 A game formula is given as follows:

\(G=\left[\underline{N},\left(\Theta_{i}\right),\left(p_{i}\right),\left(S_{i}\right),\left(u_{i}\right)\right]\)       (4)

 If the strategic combination satisfies the condition, that is for every  i  and any  \(s_{i} \in S_{i}, \theta_{i} \in \Theta_{i}\), there is

\(\sum_{\theta_{-i} \in \Theta_{-i}} p\left(\theta_{-i} | \theta_{i}\right) u_{i}\left(s_{-i}^{*}\left(\theta_{-i}\right), s_{i}^{*}, \theta_{i}\right) \geq\sum_{\theta_{-i} \in \Theta_{-i}} p\left(\theta_{-i} | \theta_{i}\right) u_{i}\left(s_{-i}^{*}\left(\theta_{-i}\right), s_{i}, \theta_{i}\right)\)       (5)

 The strategic combination  \(\left(s_{1}^{*}\left(\theta_{1}\right), \ldots, s_{i}^{*}\left(\theta_{i}\right), \ldots, s_{n}^{*}\left(\theta_{n}\right)\right)\)  is a Bayes-Nash equilibrium.

 Bayes-Nash equilibrium is obtained by Bayes formula. It considers its excepted returns through the probability distribution. The expected revenue in Bayes static game is the expected return under different types of other players, rather than the expected return under its type. Bayes-Nash equilibrium studies the strategic choices of players in a situation, and this strategic choice depends on their type. Thus when the type is different, the strategy they choose is different.

 

4. INCOMPLETE INFORMATION ATTACK AND DEFENSE GAME BASED ON RISK AVERSION

 The target network can be divided into lots of attack and defense points N, where the assets included in the point  k  are denoted as A_k . The probability that A_k  will be at risk due to attack is q_k , so its security probability can be expressed as:

\(p_{k}=1-q_{k}\)       (6)

 The attacking and defending parties carry out the game against the points  k(that is an asset A ). Among the game, the defensive side has a defensive strategy set as follows:

\(S_{1}\left(\theta_{1}\right)=\left(s_{11}\left(\theta_{1}\right), s_{12}\left(\theta_{1}\right), \ldots, s_{1 m}\left(\theta_{1}\right)\right)\)

 Meanwhile, the attacker has their attack strategy set as follows:

\(S_{2}\left(\theta_{2}\right)=\left(\mathrm{s}_{21}\left(\theta_{2}\right), \mathrm{s}_{22}\left(\theta_{2}\right), \ldots, \mathrm{s}_{2 n}\left(\theta_{2}\right)\right)\)

 When the defensive party choose a strategy \(s_{1 i}\left(\theta_{1}\right) \in S_{1}\left(\theta_{1}\right), 1 \leq i \leq m\), and the attacking party choose a strategy \(s_{2 j}\left(\theta_{2}\right) \in S_{2}\left(\theta_{2}\right), 1 \leq j \leq n\left\{\mathbf{s}_{1 i}\left(\theta_{1}\right), \mathbf{s}_{2 j}\left(\theta_{2}\right)\right\}\) , constitutes a strategic combination. For each strategic combination \(\left\{\mathbf{s}_{1 i}\left(\theta_{1}\right), s_{2 j}\left(\theta_{2}\right)\right\}\), the security probability of asset  A_k is \(p_{k}\left(\mathbf{s}_{1 i}\left(\theta_{1}\right), s_{2 j}\left(\theta_{2}\right)\right)\), then the risk probability is:

\(q_{k}\left(\mathrm{s}_{1 i}\left(\theta_{1}\right), s_{2 j}\left(\theta_{2}\right)\right)=1-p_{k}\left(s_{1 i}\left(\theta_{1}\right), s_{2 j}\left(\theta_{2}\right)\right)\)       (7)

 In the formula,  \({\theta}_{1}\)  is the type set of the defending party and  \({\theta}_{2}\)  is the type set of the attacking party. In the practice of cyber-attacks, there is much evidence that a majority of decision-makers will avoid the risk. They are called risk-averse decision-makers. We assume that both attacking and defending sides are risk-averse. Also, the defenders have only one type, that is  \(\theta_{1}=\left\{\theta_{11}\right\}\) , and the attackers have two types  \(\theta_{2}=\left\{\theta_{21}, \theta_{22}\right\}\) , that indicates the level of risk aversion of the attacker. In the formula, \(\boldsymbol{\theta}_{21}\)  is the risk aversion Ι and   \(\boldsymbol{\theta}_{22}\) is the risk aversion ΙΙ. In the cyber-attack situation, the attackers usually will make a decision first so that the defender can make a decision according to the strategy of the attacker. By the Harsanyi conversion for incomplete information game. It can be considered that “nature” determines the types of attackers and defenders and informs them which types they are. If the probability distribution in the type space given by “nature” is

\(\mathrm{p}(\text { risk aversion } \mathrm{I})=\mu, \quad \mathrm{p}(\text { risk aversion } \mathrm{II})=1-\mu\)

\(\mu\)  is a constant and  \(\mu=\frac{1}{3}\) in the example, then  

\(\begin{aligned}&\mathrm{p}\left(\theta_{21} | \theta_{11}\right)=\frac{1}{3}\\&\mathrm{p}\left(\theta_{22} | \theta_{11}\right)=\frac{2}{3}\\&\mathrm{p}\left(\theta_{11} | \theta_{21}\right)=p\left(\theta_{11} | \theta_{22}\right)=1\end{aligned}\)

 By increasing or decreasing the risk probability q_k   (security probability p_k ) of  A_k, we can obtain the attack and defense benefits of asset  A_k . The defenders hope that p_k  is big enough (so q_k  is as small as possible), while the attackers want the opposite. Therefore, the benefit function of attack and defense is not only the function of strategic combination \(\left\{\mathrm{s}_{1 i}\left(\theta_{1}\right), \mathrm{s}_{2 j}\left(\theta_{2}\right)\right\}\), but also the function of security risk probability \(\left\{p_{k}, q_{k}\right\}\).

 Due to different levels of risk aversion (different types) of attackers, their revenue functions should also be different. u'₂   represent the revenue of risk aversion I and  u^H₂ represent the revenue of risk aversion II. Both functions are concave functions [6]. According to the features of offensive and defensive confrontation and the strategy dependence of both parties, u'₂  、u^H₂    can be described as follows:

\(\left.u_{2}^{I}=p_{k}-q_{k}\left[\mathrm{s}_{2 j}\left(\theta_{21}\right)-s_{1 i}\left(\theta_{11}\right)\right]\right\} \cdot s_{2 j}\left(\theta_{21}\right)\)       (8)

\(\left.u_{2}^{II}=q_{k}-p_{k}\left[{\text s}_{2 j}\left(\theta_{22}\right)-s_{1 i}\left(\theta_{11}\right)\right]\right\} \cdot s_{2 j}\left(\theta_{22}\right)\)       (9)

 The defender has only one type compared to two types of attacker. From the formula (3) the expected revenue obtained by the defense party when defender select strategy  \(s_{u}\left(\theta_{11}\right)\)  is:

\(\begin{aligned}&u_{1}=\frac{1}{3}\left\{\mathrm{p}_{k}-q_{k}\left[\mathrm{s}_{2 j}\left(\theta_{21}\right)-s_{1 i}\left(\theta_{11}\right)\right]-K\right\}\\&\cdot\left(-s_{1 i}\left(\theta_{11}\right)\right)+\\&\frac{2}{3}\left\{q_{k}-p_{k}\left[\text{s}_{2 j}\left(\theta_{22}\right)-s_{1 i}\left(\theta_{11}\right)\right]\right\} \cdot\left(-s_{1 i}\left(\theta_{11}\right)\right)\end{aligned}\)       (10)

Kw   is the “risk premium” [6] that the defense is willing to pay for reducing the defense risk.

 For the attacker, the question of revenue maximization arises the function as follows:

\(\begin{array}{l}\frac{\partial u_{2}^{\prime}}{\partial s_{2 j}\left(\theta_{21}\right)}=p_{k}-2 q_{k} s_{2 j}\left(\theta_{21}\right)+q_{k} s_{1 i}\left(\theta_{11}\right)=0 \\\frac{\partial u_{2}^{H}}{\partial s_{2 j}\left(\theta_{22}\right)}=q_{k}-2 p_{k} s_{2 j}\left(\theta_{22}\right)+p_{k} s_{1 i}\left(\theta_{11}\right)=0\end{array}\)

 Thus the response function of the attacker is:

\(s_{2 j}\left(\theta_{21}\right)=\frac{1}{2} \frac{p_{k}}{q_{k}}+\frac{1}{2} s_{1 i}\left(\theta_{11}\right)\)       (11)

\(s_{2 j}\left(\theta_{22}\right)=\frac{1}{2} \frac{q_{k}}{p_{k}}+\frac{1}{2} s_{1i }\left(\theta_{11}\right)\)       (12)

 For the defender, the question of revenue maximization arises the function as follows:

\(\begin{aligned}&\left.\frac{\partial u_{1}}{\partial s_{1 i}\left(\theta_{11}\right)}=\frac{1}{3}\left\{\mathrm{p}_{k}-k-q_{k}{s_{2 j}} \theta_{21}\right)+2 q_{k}s_{1i}\left(\theta_{11}\right)\right\}\\&+\frac{2}{3}\left\{q_{k}-k-p_{k} s_{2 j}\left(\theta_{22}\right)+2 p_{k} s_{1 i}\left(\theta_{11}\right)\right\}\\&=0\end{aligned}\)

 Thus the response function of the defender is:

\(\begin{aligned}&s_{1 i}\left(\theta_{11}\right)=\frac{1}{2} \frac{3 K-p_{k}-2 q_{k}}{2 p_{k}+q_{k}}+\frac{1}{2} \frac{q_{k}}{2 p_{k}+q_{k}} s_{2 j}\left(\theta_{21}\right)\\&+\frac{p_{k}}{2 p_{k}+q_{k}} s_{2 j}\left(\theta_{22}\right)\end{aligned}\)       (13)

 Bayes-Nash equilibrium  \(\left\{\mathbf{s}_{1 i}^{*}\left(\theta_{11}\right), \mathbf{s}_{2 j}^{*}\left(\theta_{21}\right), \mathbf{s}_{2 j}^{*}\left(\theta_{22}\right)\right\}\)  can be obtained by equation (11-13), which is related to the attack and defense game of asset    security risk. The equilibrium is:

\(\left\{\begin{array}{c}s_{1 i}^{*}\left(\theta_{11}\right)=\frac{1}{3} \frac{6 K-p_{k}-2 q_{k}}{2 p_{k}+q_{k}} \\s_{2 j}^{*}\left(\theta_{21}\right)=\frac{1}{2} \frac{p_{k}}{q_{k}}+\frac{1}{6} \frac{6 K-p_{k}-2 q_{k}}{2 p_{k}+q_{k}} \\s_{2 j}^{*}\left(\theta_{22}\right)=\frac{1}{2} \frac{q_{k}}{p_{k}}+\frac{1}{6} \frac{6 K-p_{k}-2 q_{k}}{2 p_{k}+q_{k}}\end{array}\right.\)       (14)

 

5. CASE AND SIMULATION ANALYSIS

 The case is an essential cyber penetration. In the process of network boundary intrusion, the attackers obtain relevant information, which is the target company has several servers on the network boundary for the customers. Different web applications and database systems are respectively running in the hosts, in which a service system is written using Tomcat middleware and JSP framework, and the database is SQL server.

 The system topology of the service is shown in Fig. 2.

Fig. 2. Topology diagram of a company's network service system

 After investigation analysis of service system, it is found that the system has three critical points for penetration. The priority of attack and defense should be determined by game theory.

 (1) Point of password brute. Because this application has a management background, the password of management account can be exploded. By comparing the application user password leaked by the company and the password dictionary used in the penetration process, it is found that the password coverage of dictionary is only 20%, so the probability of the attack point being attacked is q₁=0.2. Thus the security probability   can be calculated from formula (6).

 (2) Point of database SQL injection. SQL injection is a common type of vulnerability in Web applications. According to the evaluation of the target framework in the process of penetration, the probability of the risk of SQL injection point being attacked is q₂=0.6 , so p₂=0.4 .

 (3) Point of upload vulnerability. Penetration testers can upload special files to attack the server by the server file parsing vulnerabilities. The success of an attack depends on the system’s code logic and the parsing vulnerability of the server. Compared with other Web server middleware, Tomcat has less vulnerability in parsing files, so the success rate of file upload attack is only 0.5. So we know q₃=p₃=0.5 .

 First, the point of password burst is discussed. According to the company’s emphasis on the security of cyberspace and the security protection requirements for enterprises, it can be known that the company has two types. The two types are high defense cost and low defense cos, \(\theta_{1}=\left\{\theta_{11}, \theta_{12}\right\}\) . In this case, \(p\left(\theta_{11}\right)=0.3\)  represent the probability distribution of high defense cost and \(p\left(\theta_{12}\right)=0.7\)  describe the probability distribution of low defense cost. The company has a defensive strategy set, which is  \(S_{1}\left(\theta_{1}\right)=\left(s_{11}\left(\theta_{1}\right), s_{12}\left(\theta_{1}\right), \quad s_{13}\left(\theta_{1}\right), \ldots, s_{11}\left(\theta_{1}\right)\right)\). The attacker has only one type, so he can choose the attack strategy set, which is  \(S_{2}\left(\theta_{2}\right)=\left(s_{21}\left(\theta_{2}\right), s_{22}\left(\theta_{2}\right), \ldots, s_{2 j}\left(\theta_{2}\right)\right)\).

 At this time there are

\(\begin{array}{l}p\left(\theta_{11} | \theta_{21}\right)=0.3 \\p\left(\theta_{12} | \theta_{21}\right)=0.7 \\p\left(\theta_{21} | \theta_{11}\right)=p\left(\theta_{21} | \theta_{12}\right)=1\end{array}\)

 By referring to the function of the strategy dependence of the stacking and defending parties in equation (8) and (9), it can be seen that the expected revenue of the defending party is:

\(u_{1}^{I}=\left\{p_{1}-q_{1}\left[s_{1 i}\left(\theta_{11}\right)-s_{2 j}\left(\theta_{21}\right)\right]\right\} \cdot\left(s_{1 i}\left(\theta_{11}\right)\right)\)

which represent the expected revenue under high defense cost. The formula

\(u_{1}^{II}=\left\{q_{1}-p_{1}\left[s_{1 i}\left(\theta_{12}\right)-s_{2 j}\left(\theta_{21}\right)\right]\right\} \cdot\left(s_{1 i}\left(\theta_{12}\right)\right)\)

represent the expected revenue under low defense cost.

 About equation (10), the expected revenue of strategy   selected by two defense types for the attacker is

\(\begin{array}{l}u_{2}=0.3\left\{p_{1}-q_{1}\left[s_{1 i}\left(\theta_{11}\right)-s_{2 j}\left(\theta_{21}\right)\right]-K\right\} \cdot\left(-s_{2 j}\left(\theta_{21}\right)\right) \\+0.7\left\{q_{1}-p_{1}\left[s_{1 i}\left(\theta_{12}\right)-s_{2 j}\left(\theta_{21}\right)\right]\right\} \cdot\left(-s_{2 j}\left(\theta_{21}\right)\right)\end{array}\)       (14)

In this equation,    is the “risk premium” paid by the attacker to reduce the attack risk. According to the revenue maximization principle, the response function of the attacking party and the defending party can be calculated respectively. The response function of the attacker is calculated as follows:

\(\begin{aligned}\frac{\partial u_{2}}{\partial s_{2 j}\left(\theta_{21}\right)} &=0.3\left\{p_{1}+2 q_{1} s_{2 j}\left(\theta_{21}\right)-q_{1} s_{1 i}\left(\theta_{11}\right)-K\right\} \\&+0.7\left\{q_{1}+2 p_{1} s_{2 j}\left(\theta_{21}\right)-p_{1} s_{1 i}\left(\theta_{12}\right)\right\}=0 \\s_{2 j}\left(\theta_{21}\right) &=\frac{3 K-3 p_{1}-7 q_{1}}{14 p_{1}+6 q_{1}}+\frac{7 p_{1} s_{1 i}\left(\theta_{m}\right)}{14 p_{1}+6 q_{1}}+\frac{3 q_{1} s_{1 i}\left(\theta_{11}\right)}{14 p_{1}+6 q_{1}}\end{aligned}\)       (15)

The response function of the defender is calculated as follows:

\(\begin{array}{c}\frac{\partial u_{1}^{I}}{\partial s_{1 i}\left(\theta_{11}\right)}=p_{1}+q_{1} s_{2 j}\left(\theta_{21}\right)-2 q_{1} s_{1 i}\left(\theta_{11}\right)=0 \\\frac{\partial u_{1}^{II}}{\partial s_{1 i}\left(\theta_{12}\right)}=q_{1}+p_{1} s_{2 j}\left(\theta_{21}\right)-2 p_{1} s_{1 i}\left(\theta_{12}\right)=0 \\s_{1 i}\left(\theta_{11}\right)=\frac{p_{1}+q_{1} s_{2 j}\left(\theta_{21}\right)}{2 q_{1}} \\s_{1 i}\left(\theta_{12}\right)=\frac{q_{1}+p_{1} s_{2 j}\left(\theta_{21}\right)}{2 p_{1}}\end{array}\)       (16)

 Combined with the response function of both attack and defense, the Bayes-Nash equilibrium   of the game for the point of password brute is:

\(\left\{\begin{array}{l}s_{1 i}^{*}\left(\theta_{11}\right)=\frac{1}{2} \frac{p_{1}}{q_{1}}+\frac{6 K-3 p_{1}-7 q_{1}}{42 p_{1}+18 q_{1}} \\s_{1 i}^{*}\left(\theta_{12}\right)=\frac{1}{2} \frac{q_{1}}{p_{1}}+\frac{6 K-3 p_{1}-7 q_{1}}{42 p_{1}+18 q_{1}} \\s_{2 j}^{*}\left(\theta_{21}\right)=\frac{6 K-3 p_{1}-7 q_{1}}{9 q_{1}+21 p_{1}}\end{array}\right.\)       (17)

 In this formula, “risk premium” should satisfy  \(K>\frac{7 q_{1}+3 p_{1}}{6}\). After we think about all of the possible risks, we get k=10 . By using the probability distribution \(\left(p_{1}, q_{1}\right):(0.8,0.2)\)  of point of password brute, the optimal strategic combination is

\(\left\{s_{1 i}^{*}\left(\theta_{11}\right), s_{1 i}^{*}\left(\theta_{12}\right), s_{2 j}^{*}\left(\theta_{21}\right)\right\}=\left(\frac{653}{186}, \frac{1217}{744}, \frac{281}{93}\right)\)

 Further use the revenue function of attack and defense, the revenue of both sides at the point of password explosion is:

\(\begin{aligned}&u_{1}^{I}\left(\frac{653}{186}, \frac{281}{93}\right)=\frac{426409}{172980}\\&u_{1}^{II}\left(\frac{1217}{744}, \frac{281}{93}\right)=\frac{1481089}{691920}\\&u_{2}\left(\frac{653}{186}, \frac{1217}{744}, \frac{281}{93}\right)=\frac{78961}{13950}\end{aligned}\)

 Similarly, the revenue of point SQL injection and upload attack can be calculated respectively. The optimal strategic combination of SQL injection is

\(\left\{s_{1 i}^{*}\left(\theta_{11}\right), s_{1 i}^{*}\left(\theta_{12}\right), s_{2 j}^{*}\left(\theta_{21}\right)\right\}=\left(\frac{319}{138}, \frac{251}{92}, \frac{91}{23}\right)\)

 The revenue of both sides is

\(\begin{array}{l}u_{1}^{I}\left(\frac{653}{186}, \frac{281}{93}\right)=\frac{426409}{172980} \\u_{1}^{I}\left(\frac{319}{138}, \frac{91}{23}\right)=\frac{101761}{31740} \\u_{1}^{I}\left(\frac{653}{186}, \frac{281}{93}\right)=\frac{426409}{172980}\end{array}\)

According to the calculation, the revenue of different offense and defense points are compared as shown in Table 2.

Table 2. Byes-Nash balanced income statement for three offensive and defensive points

 According to comparing the Bayes-Nash equilibrium revenue generated by different penetration points, the Bayes-Nash equilibrium revenue of SQL injection point is higher than other attack points. Therefore, considering the time cost and the risk of penetration, the attacker first launches the attack to the point of SQL injection and successfully obtains the database data. Fig. 3  shows the desensitised system information obtained using the point of SQL injection.

Fig. 3. SQL injection attack data after desensitization

 Through the analysis of real case, we can find the Bayesian-Nash equilibrium is real in the security attack and defense. This game decision model can be used to deduce the attack behavior and predict the attack intention in advance. The game model of network attack and defense based on Bayesian-Nash equilibrium proposed in this paper not only derive the mathematical relationship of the model theoretically but also verifies the effectiveness of the model in the penetration environment.