Adaptive Honeypot Allocation in Multi-Attacker Networks via Bayesian Stackelberg Games

Dongyoung Park, Gaby G. Dagher

TL;DR

This work models defense against multiple concurrent attackers as a Bayesian Stackelberg game, where a defender pre-commits to honeypot placements and adversaries observe and respond on layered attack graphs. A MILP-based framework computes defender strategies while anticipating heterogeneous attacker types and dynamic belief updates from IDS observations, enabling adaptive reallocation of decoys over multiple rounds. The approach captures non-zero-sum interactions, exploit-aware path costs, and Bayesian updating to distill attacker intents, achieving rapid reductions in attack success and scalability to networks with hundreds of nodes. Empirical results demonstrate near-zero attack success within a few rounds and favorable scalability up to 500 nodes and 1,500+ edges, highlighting practical impact for real-world network defense.

Abstract

Defending against sophisticated cyber threats demands strategic allocation of limited security resources across complex network infrastructures. When the defender has limited defensive resources, the complexity of coordinating honeypot placements across hundreds of nodes grows exponentially. In this paper, we present a multi-attacker Bayesian Stackelberg framework modeling concurrent adversaries attempting to breach a directed network of system components. Our approach uniquely characterizes each adversary through distinct target preferences, exploit capabilities, and associated costs, while enabling defenders to strategically deploy honeypots at critical network positions. By integrating a multi-follower Stackelberg formulation with dynamic Bayesian belief updates, our framework allows defenders to continuously refine their understanding of attacker intentions based on actions detected through Intrusion Detection Systems (IDS). Experimental results show that the proposed method prevents attack success within a few rounds and scales well up to networks of 500 nodes with more than 1,500 edges, maintaining tractable run times.

Paper Structure

This paper contains 37 sections, 15 equations, 6 figures, 2 tables, 1 algorithm.

Figures (6)

  • Figure 1: Network Structure
  • Figure 2: Attack Success Rate Across Rounds
  • Figure 3: Impact of the discount factor
  • Figure 4: Impact of the honeypot cost
  • Figure 5: Defender's Expected Utility versus the number of honeypots
  • ...and 1 more figure