is exactly what is done in traditional honeypot techniques — simulation of high-value targets that actually have very low value. In this game, the true payoffs have not changed and are still 1/–1 as in our
original game model. The attacker has analyzed the
game and chosen (what they believe to be) the new
Nash equilibrium strategy. The attacker’s new probability of attacking is now fixed at p = 1/4. This is good
for the defender. Fewer attacks are occurring, but the
defender is free to defend with the original strategy of
1/3 instead of 1/2. The defender now has an advantage due to the decrease in attack frequency. Furthermore, the attacker believes they are playing the Nash
strategy and that they can do no better.

It is important to note that falling back on the
original strategy is a safe strategy for the defender to
take. Even if the attacker becomes aware of the
deceptive payoffs, the defender cannot do worse
than the original game. However, if the defender is
confident in their deception, they might also adjust
their strategy, potentially decreasing their rate of
defense to better take advantage of the decrease in
attack frequency. We leave computation of the new
optimal defender strategy, given the fixed attacker
strategy, as an exercise for the reader.
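
The safe fallback and the adjusted defender strategy described above, worked through as an added example (not code from the article). The article's payoff matrices are not shown in this section, so both matrices below are constructed assumptions: a zero-sum 2x2 game chosen so that it reproduces the quoted figures (defender 1/3 in the original game; defender 1/2 and attacker 1/4 in the perceived game).

```python
from fractions import Fraction as F

# Constructed attacker payoffs (zero-sum: the defender receives the negative).
# Rows: attacker attacks / waits. Columns: defender defends / does not defend.
TRUE_GAME = [[F(-1), F(1)], [F(1), F(0)]]
# Assumed deception: a decoy makes an undefended attack look worth 2, not 1.
PERCEIVED_GAME = [[F(-1), F(2)], [F(1), F(0)]]


def mixed_equilibrium(m):
    """Return (p_attack, q_defend) for a 2x2 zero-sum game without a saddle point."""
    (a, b), (c, d) = m
    if max(min(a, b), min(c, d)) == min(max(a, c), max(b, d)):
        raise ValueError("saddle point: the equilibrium is in pure strategies")
    denom = a - b - c + d
    return (d - c) / denom, (d - b) / denom


def attacker_payoff(m, p, q):
    """Expected attacker payoff for attack probability p and defence probability q."""
    (a, b), (c, d) = m
    return p * (q * a + (1 - q) * b) + (1 - p) * (q * c + (1 - q) * d)


def defender_best_response(m, p):
    """Defence probability that minimises the attacker's payoff against a fixed p.
    The payoff is linear in q, so an optimum always lies at q = 0 or q = 1."""
    return min((F(0), F(1)), key=lambda q: attacker_payoff(m, p, q))


def analyse():
    p_orig, q_orig = mixed_equilibrium(TRUE_GAME)
    p_deceived, q_perceived = mixed_equilibrium(PERCEIVED_GAME)
    q_best = defender_best_response(TRUE_GAME, p_deceived)
    return {
        "q_original": q_orig,
        "p_deceived": p_deceived,
        "q_perceived": q_perceived,
        "value_original": attacker_payoff(TRUE_GAME, p_orig, q_orig),
        "fallback": attacker_payoff(TRUE_GAME, p_deceived, q_orig),
        "q_best": q_best,
        "exploit": attacker_payoff(TRUE_GAME, p_deceived, q_best),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

In this constructed model, holding the original 1/3 defense rate keeps the attacker's true expected payoff at the original game value of 1/3, while best-responding to the fixed p = 1/4 (never defending) lowers it to 1/4.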

A common practical example of where this analysis is important is when a network is completely
secured against known threats. The attacker will seek
novel defects or misconfigurations, which will often
be unknown and undetectable to the defender. However, if the defender presents a suboptimal strategy,
one that presents service ports and versions that are
vulnerable, the attacker will take the lower-cost strategy of attacking the known vulnerability. The suboptimal play by the defender lures the attacker into
making a false payoff prediction and making a decision to commit to using a greedy strategy. Assuming
the attacker has taken the bait, the defender can use
deception to continue the ruse while performing
adjustments to the network or to the behavior of systems with which the attacker is interacting. Cyber
deception techniques can make the initial suboptimal
play (having a vulnerable service, for example) just an
illusion, and thus as safe as any other type of defense.

Hypergame theory is an extension of game theory
that is particularly applicable to games of cyber
deception. A hypergame is a complex game in which
at least one player has a misperception about the
model of the game being played. In a hypergame,
players might (a) be unaware that they are playing
the game, and (b) be unaware of the possible moves
in the game (Kovach, Gibson, and Lamont 2015).
The attacker might not even know a cyber deception
game is being played, and even if made aware of the
certainty of deception, would not know what types
of deceptive moves were available to the defender. In
a cyber deception game, the defender’s game tree
might look very different from that of the attacker,
and the hypergame model can encompass all of the
subgame trees as they are played out for each individual
player’s perception of the game. Further discussion,
game tree examples, and formal notation for
modeling cyber deception as hypergames are presented
in a paper by Ferguson-Walter et al. (2018).

Manipulating the Gameboard

Cyber deception is a powerful tool for defenders
because it allows them to manipulate the gameboard,
which has traditionally been a possibility only for
attackers. We believe that the use of deception itself
is a primary cause of the current asymmetry of cyber
warfare. However, as the owners of the network,
cyber defenders should be able to control the information the network distributes and potentially
change the way the network behaves. Such control
would be akin to the defender changing the gameboard in the midst of a game of conflict with the
attacker. In our estimation, this type of game manipulation is able to give the defender an asymmetric
advantage over an attacker. The gameboard can be
manipulated in several ways, which can have various
effects on the attacker.

By changing the gameboard that the attacker sees,
the defender is able to limit the strategies available.
If the attacker has the wrong information about a system, the strategies they think are applicable to attack
will likely fail. Additionally, as noted, the hypergame
model can encompass both the manipulations of the
gameboard and the nonrational strategy policy used
by the defender.

One major advantage that cyber deception provides to a defender is the ability to change the perceived payoff to the attacker. Each player is selecting
actions and trying to maximize a long-term payoff.
The payoff is an estimation of how good or bad the
outcome is for that player. Recall that many game
theory games are structured as zero-sum games,
where the payoffs for each outcome add up to zero
across the players.

Since the defender can control the information the
attacker uses to make their decisions (and form their
game tree), the defender can manipulate the payoffs
that the attacker associates with certain paths. For
example, a defender can make a system look more
vulnerable or more interesting. This distortion will
cause the attacker’s perceived payoff for that
machine to be much higher than the true payoff.
Furthermore, if the defender is using decoys or honeypots, the attacker’s perceived payoff might be very
high, while the true payoff is instead very high for
the defender. This negative true payoff for the attacker is due to the time and energy wasted on a fake system, which is evident in human subjects studies on
the effects of cyber deception (Ferguson-Walter,
LaFon, and Shade 2017).