Table of Contents
Fetching ...

Coordinated Multi-Domain Deception: A Stackelberg Game Approach

Md Abu Sayed, Asif Rahman, Ahmed Hemida, Christopher Kiekintveld, Charles Kamhoua

TL;DR

The paper tackles cross-domain deception in cyber-physical systems by modeling attacker–defender interactions as a Stackelberg game, with the defender as the leader deploying cyber and physical replicas to mislead reconnaissance. It introduces a CVE-based utility framework using CVSS v2/v3 scores derived from NVD data and solves for the Stackelberg equilibrium via a Mixed-Integer Quadratic Program (MIQP), enabling identification of the most strategically critical vulnerabilities. The defender and attacker utilities are formulated as $U^d = A_d^T R_d A_a$ and $U^a = A_d^T R_a A_a$, with vulnerability exploitation probabilities computed from $Pr(i)$ and $Pr(j)$, respectively. Results show that coordinated multilayer deception significantly improves defender utility over single-layer strategies and baseline policies, and the method can pinpoint high-impact CVEs (e.g., $a_1$ under CVSS v2 and $a_5$ under CVSS v3) for targeted mitigation, offering a scalable approach to strengthening CPS resilience under cross-domain threats.

Abstract

This paper explores coordinated deception strategies by synchronizing defenses across coupled cyber and physical systems to mislead attackers and strengthen defense mechanisms. We introduce a Stackelberg game framework to model the strategic interaction between defenders and attackers, where the defender leverages CVSS-based exploit probabilities and real-world vulnerability data from the National Vulnerability Database (NVD) to guide the deployment of deception. Cyber and physical replicas are used to disrupt attacker reconnaissance and enhance defensive effectiveness. We propose a CVE-based utility function to identify the most critical vulnerabilities and demonstrate that coordinated multilayer deception outperforms single-layer and baseline strategies in improving defender utility across both CVSS versions.

Coordinated Multi-Domain Deception: A Stackelberg Game Approach

TL;DR

The paper tackles cross-domain deception in cyber-physical systems by modeling attacker–defender interactions as a Stackelberg game, with the defender as the leader deploying cyber and physical replicas to mislead reconnaissance. It introduces a CVE-based utility framework using CVSS v2/v3 scores derived from NVD data and solves for the Stackelberg equilibrium via a Mixed-Integer Quadratic Program (MIQP), enabling identification of the most strategically critical vulnerabilities. The defender and attacker utilities are formulated as and , with vulnerability exploitation probabilities computed from and , respectively. Results show that coordinated multilayer deception significantly improves defender utility over single-layer strategies and baseline policies, and the method can pinpoint high-impact CVEs (e.g., under CVSS v2 and under CVSS v3) for targeted mitigation, offering a scalable approach to strengthening CPS resilience under cross-domain threats.

Abstract

This paper explores coordinated deception strategies by synchronizing defenses across coupled cyber and physical systems to mislead attackers and strengthen defense mechanisms. We introduce a Stackelberg game framework to model the strategic interaction between defenders and attackers, where the defender leverages CVSS-based exploit probabilities and real-world vulnerability data from the National Vulnerability Database (NVD) to guide the deployment of deception. Cyber and physical replicas are used to disrupt attacker reconnaissance and enhance defensive effectiveness. We propose a CVE-based utility function to identify the most critical vulnerabilities and demonstrate that coordinated multilayer deception outperforms single-layer and baseline strategies in improving defender utility across both CVSS versions.
Paper Structure (11 sections, 11 equations, 4 figures, 3 tables, 1 algorithm)

This paper contains 11 sections, 11 equations, 4 figures, 3 tables, 1 algorithm.

Figures (4)

  • Figure 1: Multi-layer setting: The blue dashed lines represent the replication of nodes across the cyber and physical layers.
  • Figure 2: Defender reward over different Cap and Esc values for CVSS v2.
  • Figure 3: Defender reward over different Cap and Esc values for CVSS v3.
  • Figure 4: Single vs Coordinated Deception