TY  - JOUR
AU  - Liu, Guangjie
AB  - Introduction

In today’s increasingly interconnected world, the security of IoT networks has become a significant challenge, particularly at the node level, where individual devices are vulnerable to advanced and evolving cyber threats [1,2]. The complexity of protecting billions of IoT devices from attribution attacks—where attackers conceal their identity and origin—has exposed critical vulnerabilities in traditional defense mechanisms. This paper focuses on the novel challenge of defending IoT nodes from attribution attacks in an asymmetric information environment, where defenders have limited knowledge of attackers’ strategies [3]. Addressing these vulnerabilities is crucial for maintaining the integrity of IoT networks, as compromised nodes can lead to severe consequences, including data theft, privacy violations, and large-scale network disruptions.

Traditional defense mechanisms, though effective in many areas, struggle to keep pace with the rapid development of attribution attack methods [4,5]. These methods, which often involve obfuscating attack sources and exploiting gaps in network defenses, present a serious challenge, especially in environments where defenders lack full knowledge of the attackers’ strategies. Attackers can exploit this information asymmetry to their advantage, launching sophisticated attacks while remaining undetected. Therefore, it is imperative to develop defense mechanisms that can anticipate such threats, even with incomplete information. Cyber adversaries frequently target IoT nodes, seeking to steal sensitive information such as financial data, personal records, or proprietary business information. In addition, attackers may compromise IoT components such as edge nodes to orchestrate larger, more coordinated attacks.
These threats highlight the necessity of defense strategies that go beyond reacting to attacks and proactively mitigate risks in environments where defenders are at an information disadvantage [6,7]. Furthermore, traditional defenses that rely on predefined rules or signature-based detection are often insufficient against zero-day attacks and advanced persistent threats. The ever-growing complexity of modern network environments makes it even more challenging to maintain up-to-date and comprehensive security measures.

To address these challenges, this paper introduces a Node-Based Attribution Attack-Defense Bayesian Game (NAADBG) model, which incorporates a game-theoretic approach to model the interactions between attackers and defenders in an asymmetric information setting. The NAADBG model enables defenders to anticipate attacker moves, assess the risks, and strategically allocate limited resources to enhance the defense of IoT nodes. The model not only considers the behaviors and strategies of both attackers and defenders but also accounts for the uncertainties present in real-world network scenarios.

The main contributions are as follows:
(1) We propose a novel game-theoretic model tailored to IoT networks that addresses the problem of attribution attacks in asymmetric information environments. The NAADBG model incorporates both attacker and defender profiles to enhance its applicability to real-world security scenarios.
(2) We refine the quantification of payoffs for both attackers and defenders by assessing the impact of node-level attack-defense actions.
(3) We analyze the existence of a Mixed Strategy Bayesian Nash Equilibrium (MSBNE) and derive an optimal defense strategy selection method.
(4) Through simulation experiments, we evaluate the performance of the proposed model. The results demonstrate that the NAADBG model significantly improves network defense by optimizing resource allocation and preemptively mitigating threats.
The remainder of this paper is organized as follows. Sect 2 introduces the network attack-defense game model. Sect 3 specifies the payoff in attack-defense dynamics. Sect 4 derives the optimal defense strategy, and Sect 4.3 gives the algorithm in which the defender’s strategy selection is determined by solving for the mixed strategy Bayesian Nash equilibrium. Simulations are conducted and then analyzed in Sect 5. Finally, Sect 6 briefly concludes the paper.

1 Related work

While traditional mechanisms offer considerable protection, they often falter against novel and sophisticated cyberattacks that exploit previously unrecognized vulnerabilities. This limitation has driven the urgent need for defense mechanisms that are not only reactive but also predictive and proactive, capable of preempting threats before they manifest and optimizing defense strategies within the limited resources of network environments [8,9]. However, traditional defense mechanisms are often limited by their reliance on predefined rules and signature-based detection, which can be insufficient against zero-day attacks and advanced persistent threats. Additionally, the increasing complexity and scale of modern network environments make it challenging to maintain up-to-date and comprehensive security measures.

Moreover, existing literature often overlooks the perspective of attribution in cyberattacks, which can provide valuable insights into the strategic interactions between attackers and defenders. Attribution involves analyzing and tracking the source, path, and methods of cyberattacks to identify the attacker and their intentions. This process includes log analysis, traffic monitoring, and anomaly detection techniques. The goal of attribution is to find the attack source, understand the attacker’s motives, and gather sufficient evidence for legal action or to develop more effective defense strategies.
On the other hand, anti-attribution is a tactic used by attackers to conceal their true identity and attack path to avoid detection and attribution. Techniques for anti-attribution include using proxy servers, virtual private networks (VPNs), anonymous networks (such as Tor), and obfuscating and encrypting attack traffic. Attackers may also employ stepping-stone attacks, spoofing IP addresses, and utilizing botnets to further obscure their activities [10,11]. Therefore, understanding these strategic interactions between attackers and defenders is crucial for developing a comprehensive approach to network security.

Game theory plays an essential role in cybersecurity by conceptualizing conflicts and collaborations between attackers and defenders as strategic interactions [12,13]. Each participant aims to optimize their outcomes while minimizing risks and losses. Utilizing game-theoretic approaches, researchers and cybersecurity experts can forecast and scrutinize potential adversary actions, enabling the formulation of more robust defense strategies. The models typically abstract the nuanced dynamics of attacker-defender interactions into more manageable forms and often produce solutions that are probabilistic in nature. This abstraction and the inherent uncertainty of the results often hinder their direct application in real-world scenarios.

The literature reveals several insights into the potential and challenges of employing game theory in network security [14–18]. Do et al. [14] review game-theoretic approaches for cybersecurity and privacy, categorizing their application into security and privacy aspects. The paper discusses the use of game theory in various scenarios such as cyber-physical security, communication security, and privacy, detailing the advantages and limitations from design to implementation of defense mechanisms.
Liang and Xiao [15] discuss the application of cooperative and non-cooperative game models to handle network attacks, highlighting the relevance of such models in enhancing network defenses against sophisticated threats. Their review underscores the utility of game-theoretic approaches in understanding and mitigating complex network security challenges, which aligns with and could potentially enhance the Bayesian game framework proposed in this paper. Additionally, Manshaei et al. [16] provide a structured overview of game theory applications across various network security and privacy issues, suggesting the necessity for strategic decision-making to combat evolving cyber threats. Iqbal et al. [17] identify key challenges in game-theoretical modeling of network/cybersecurity, such as balancing complexity with practical applicability. These insights emphasize the growing importance of strategic frameworks like game theory in enhancing cyber defenses, enabling organizations to better prepare and respond to the dynamic nature of cyber threats and the strategic interactions that define modern cybersecurity landscapes. By leveraging game-theoretic principles, cyber defense strategies can evolve from reactive to proactive, anticipating attacker moves and optimizing defensive tactics to maintain security integrity and user privacy in an increasingly interconnected world.

At the node level, by considering uncertainty, the research in [19] strives to develop optimal security strategies that mitigate the potential for unexpected network disruptions stemming from malicious attacks. Vijayalakshmi et al. [20] present a novel approach utilizing game theory to address the challenge of malicious packet dropping attacks in ad hoc networks. By designing an Intrusion Detection System (IDS) tailored to the unique characteristics of ad hoc networks, the proposed system effectively enhances network security by monitoring neighbor node behavior.
A strategic defense resource allocation method is developed in [21] using an evolutionary game model to safeguard smart grids against potential cyber-attacks. However, these discussions primarily focus on network defense strategies and attack models, without delving deeply into the implementation of attribution attack techniques. This limitation indicates a need for future research to pay more attention to effectively countering attackers’ anti-attribution efforts in order to build a more comprehensive and robust node-level network security defense system.

Moreover, these studies are conducted from the perspective of information symmetry, assuming that both attackers and defenders have equal access to information. This assumption overlooks the real-world scenario where information asymmetry often exists, putting defenders at a disadvantage. As a result, there is a significant gap in understanding how to develop effective defense mechanisms that account for this imbalance.

The Bayesian game is a classic incomplete information game, where at least one participant’s information is unknown to other participants, but the participants can have an initial judgment on the probability of other participants’ types. This scenario aligns well with the realistic situation of network node attack-defense operations. Nevertheless, introducing Bayesian games with information asymmetry complicates the modeling process, making strategy optimization more challenging (Table 1).

Table 1. Comparison of related work in game-theoretic cybersecurity. https://doi.org/10.1371/journal.pone.0313772.t001

2 NAADBG model design

In the realm of industrial IoT security, the interaction between attackers and defenders hinges on their mutual drive to maximize individual gains. Strategic decisions made by both parties are paramount, as they must weigh potential gains against the costs of their actions.
Due to the network’s complexity and the sensitive nature of its data, neither side can accurately ascertain the payoff of the opponent’s strategy during confrontations. Nevertheless, by analyzing historical data, attackers and defenders can probabilistically infer their adversary’s type. Employing the Harsanyi transformation, the uncertainty surrounding strategy payoffs can be translated into uncertainty about types, enabling each participant to be assigned a unique type reflecting their strategy and anticipated payoff. The ultimate aim for both parties is to safeguard their node network system, with the effectiveness of their attack or defense measured by the network system’s value.

2.1 Basic assumptions

Rational Assumption: Both attackers and defenders are considered rational entities that aim to maximize their payoff without engaging in actions that result in a net loss. Their payoffs are directly influenced by the strategies they adopt. (1) where Ui is the utility function of player i, Si is the chosen strategy of player i, and S−i is the strategy of the opponent.

Type Assumption: The strategy payoff’s uncertainty is converted into type uncertainty using the Harsanyi transformation, facilitating a probabilistic analysis of opponent types. (2) where Ti is the type of player i, is the probability distribution of types and the opponent’s strategy S−i.

Payoff Assumption: The payoffs for both attackers and defenders are quantifiable through the security value of the network system, emphasizing the tangible impact of attack and defense strategies on the system’s integrity and functionality. (3) where Ui represents the payoff for player i, either attacker (A) or defender (D), quantified through the security value of the network.

2.2 Game model

The industrial internet’s security dynamics, characterized by a continuous attacker-defender interaction, are modeled through an incomplete information stochastic game.
This model simplifies to a two-player scenario, encapsulated in a 5-tuple representation NAADBG = (N, T, S, P, U):

Players: (4) NA represents the node attacker, and ND represents the network defender.

Types: (5) where for the attacker, e.g., advanced attacker, regular attacker, and for the defender, e.g., advanced defender, regular defender.

Strategies: (6) represents the set of attack strategies, e.g., phishing attack, DDoS attack, and represents the set of defense strategies, e.g., intrusion detection system, firewall rule update.

Beliefs: (7) represents the prior beliefs of the attacker and defender about each other’s types.

Payoff Functions: and represent the payoffs for the attacker and defender, respectively. Their own types are for the attacker and for the defender, and their chosen strategies are for the attacker and for the defender.

3 Payoffs in node-level attribution attack-defense

In node-level cyber conflict, the choices made by both attackers and defenders pivot on the calculus of payoffs. Thus, the effectiveness of any optimal cyber defense strategy hinges on the precise valuation of these payoffs, rooted in the tangible impacts of attack-defense strategies.

3.1 Foundations for payoff valuation

The essence of deriving an optimal defense strategy lies in accurately valuing the node-level attack-defense payoff. We introduce several definitions to describe the quantitative framework for this valuation.

Definition 1. Value of Network Systems. This denotes the worth of network resources, mirrored in the security attributes of network devices, namely confidentiality, integrity, and availability. The value of a network device R is delineated as , , and , corresponding to these attributes respectively.

Definition 2. Impact of Attacks.
This metric quantifies the effect of attacks on an IoT network system’s value. The impact, denoted by W, is divided into , , and , reflecting the influence on the confidentiality, integrity, and availability of network devices.

Definition 3. Probability of Attack Success. This metric captures the likelihood of an attack breaching defenses to exploit information resources. It considers the detection probability λ and the defense success rate β, with the failure of an attack contingent upon both detection and successful defense, leading to β.

Definition 4. Attack Payoff. This represents the gains an attacker secures from a successful assault. An unsuccessful attack yields defense insights, albeit at the cost of leaving traces within the defense system. Such traces prompt the defender to adjust defenses, concentrating on exposed vulnerabilities. Consequently, attackers reap benefits solely from successful attacks, with payoffs calculated based on inflicted damage to network value.

Definition 5. Defense Payoff. This quantifies the gains from defensive actions, aimed at safeguarding network system value. The payoff is ascertainable regardless of the defense action’s outcome. Successful defense actions directly protect network value, yielding immediate payoffs based on the preserved system value. Unsuccessful defenses, while not directly safeguarding system value, enable defenders to gather attack intelligence, potentially enhancing future defense success rates and generating indirect benefits. Such indirect payoffs derive from both the defense’s improved efficacy and the value of potentially safeguarded network systems.

3.2 Valuation of model payoffs

The attacker node type and strategy target the defense. Conversely, the defender node type and strategy aim to protect the network. The expected value for the attacker in security attribute Cx, given a successful attack, is expressed as: (8) where the detection probability by the defender is λh, and βq signifies the defense success rate. If the attack fails, the expected value of the attacker can be given as (9)

Accordingly, the attacker’s payoff, upon executing action , is formulated as: (10) Here, denotes the attack node’s impact on network device security attributes Cx, represents the value of the targeted device, and indicates the cost of the attack action . This includes the expenses related to developing and deploying attack tools, the time and effort spent, and the resources consumed in bypassing defense mechanisms. For instance, in the case of a Distributed Denial of Service (DDoS) attack, may encompass the cost of purchasing or renting botnet devices, the fees for controlling these devices, and the bandwidth expenses incurred during the attack.

For the defender node, the expected value following a successful defense action in security attribute x is given by: (11) The defender node’s payoff from action is determined as: (12) where μq is the discount factor for a failed defense and denotes the defense action cost. This includes the expenses for implementing and maintaining defense mechanisms, the time and effort required for continuous monitoring, and the resources allocated for updating and patching systems. Deploying an Intrusion Detection System (IDS) might include costs related to purchasing the IDS software and hardware, ongoing maintenance and updates, and the manpower needed for monitoring and responding to detected threats. When diverse defense actions impact an attack strategy, the attacker node’s payoff is the lowest of the payoffs, while the defender node’s is the highest.
The strategic confrontation payoffs, when both parties opt for strategies , are articulated as: (13) where, in this framework, denotes the probability that the attacker node will select action when adopting attack strategy . Similarly, represents the probability that the defender node will opt for defense action under the chosen defense strategy .

4 Optimal defense strategy selection

To ensure the methodology aligns with the proposed optimal defense strategy algorithm based on the attack-defense game, we have validated the algorithm’s core structure and performance. The NAADBG model integrates both attack and defense actions into a Bayesian game framework, enabling the optimal strategy selection for defenders facing node-level attacks in IoT environments. The algorithm computes the mixed strategy Bayesian Nash equilibrium and ranks defense strategies based on their effectiveness in response to varying attacker profiles. Below, we outline the specific aspects of the validation.
4.1 Nash equilibrium analysis

Within the Node-Level Attack-Defense Game (NAADBG), both the attacker and defender node aim to maximize their respective payoffs, which are influenced by their types and prior beliefs. Achieving a balance, or Nash equilibrium, under pure strategy is not always possible, thus mixed strategies often serve as a practical approach to analyze equilibrium scenarios.

Definition 6. Mixed strategy. The attacker selects a pure attack strategy with the probability . Upon selecting the attack strategy, the constraints need to be considered. is a mixed strategy of the attacker node under the type . Similarly, is also a mixed strategy of the defender node under type .

Definition 7. Mixed strategy Bayesian Nash equilibrium. denotes the mixed strategy of the attacker node, and is the mixed strategy of the defender node. If the mixed strategy meets the constraints, i.e., (14) and (15) then the Bayesian Nash equilibrium can be achieved. In the game, the mixed strategy is adopted when both parties achieve a state of equilibrium. The method for calculating the mixed strategy Bayesian Nash equilibrium can be mathematically delineated as follows: (16)

Theorem 1: The mixed strategy Bayesian Nash equilibrium of the NAADBG exists.

Proof: First, the NAADBG consists of several independent and similar Bayesian games. Since each independent Bayesian game is a finite game, the basic theorem of Bayesian games [22] indicates that a mixed strategy Nash equilibrium exists. Furthermore, according to the definition of the network attack-defense game, its payoff function is a convex function based on transition probabilities and payoff functions. According to the existence theorem of equilibrium strategies in finite stochastic games, we can prove that the mixed strategy Bayesian Nash equilibrium of NAADBG exists. Chatterjee [22], Cheng et al. [23], and Wang et al. [12] have reported that the solution to the mixed strategy Bayesian Nash equilibrium can be formulated as a standard nonlinear programming problem. According to game theory, the mixed strategy can be selected when both sides reach an equilibrium state. Therefore, the equilibrium strategy solution for NAADBG can be equivalently transformed into the problem of finding the optimal value of a nonlinear programming problem. By forming a quadratic programming problem that combines the objective functions, we satisfy the constraints of the objective functions. ■

4.2 Optimal defense strategy selection method

Selecting the optimal defense strategy in a network security game is a complex process, especially when dealing with incomplete information. In realistic node security defense scenarios, defender nodes must choose strategies based on limited resources and incomplete knowledge about attacker nodes’ strategies. Traditional game-theoretic methods typically yield mixed strategies as optimal solutions. However, for practical applications where network managers may prefer to implement pure strategies, a new approach is necessary. We introduce the concept of defense effectiveness as a criterion that balances the payoff of a defense strategy against an attack strategy when both parties have reached a Nash Equilibrium. To measure the effectiveness of a defense in each security state, we define a utility function based on the payoff matrix and prior probabilities of defender strategies. In the context of node-level attack-defense games, we consider to be the probability that a defender of type selects a defense strategy, and is the prior belief of the defender about the attacker type. The payoff for a chosen defense strategy is .
The defense effectiveness of strategy can be quantified as follows: (17)

Upon calculating the effectiveness of all defense strategies, the effect of these strategies against the possible attack actions at equilibrium can be ascertained through defense effectiveness. The defense strategies can then be ranked, and the most effective strategy can be selected given the network resources at hand.

4.3 Algorithm description

Algorithm 1 Optimal defense strategy selection algorithm based on attack-defense game.
Require: Network attack-defense game model NAADBG
Ensure: Optimal defense strategy
1: Initialize the model parameter NAADBG = {N, T, S, P, U}
2: Construct attack and defense type sets and
3: Construct attack and defense strategy sets and
4: Obtain attack and defense prior belief sets PA and PD
5: while do
6:   Calculate the payoffs of attack-defense strategies
7:   Calculate the payoff of attack strategy ;
8:   Calculate the payoff of defense strategy ;
9: end while
10: The mixed strategy can be obtained;
11: Return ; // output the optimal defense strategies of each security state

Based on the quantification of attack-defense payoffs, the defender’s strategy selection is determined by solving for the mixed strategy Bayesian Nash equilibrium. The defense effectiveness is quantified considering the defender’s prior beliefs and the payoff matrix. The optimal defense strategy is then selected based on the criterion of maximum defense effectiveness, differentiating this approach from classical algorithms that rely on mixed strategies. Our model advocates for the selection of a pure strategy, which enhances practical operability. By selecting the optimal strategy beforehand, the network is proactively defended against potential security threats.
The key steps of this novel defense strategy include: (1) quantifying payoffs for each potential defense strategy; (2) solving for the Bayesian Nash equilibrium to ascertain feasible strategies; (3) evaluating the effectiveness of each strategy based on the equilibrium analysis; and (4) implementing the defense strategy with the highest effectiveness to activate the network’s defenses prior to the occurrence of security threats.

The time complexity of the proposed algorithm is dominated by two aspects: game payoff quantification and the Nash equilibrium solution process. During game payoff quantification, if the attacker’s type is , then the attack strategy is selected against the target. This process has a known complexity of order . The number of attacker types is , and the number of attack strategies for each type is . Therefore, the time complexity of the game payoff quantification can be expressed as . In the Nash equilibrium solution process, the game model used by this algorithm is a non-zero-sum static game. It has been demonstrated that finding a Nash equilibrium is a PPAD-complete problem. In a practical network environment, it is unnecessary to find all Nash equilibrium solutions; the algorithm can be terminated once an appropriate Nash equilibrium is found, which improves efficiency. In a realistic network attack-defense scenario, both the numbers of attacker and defender types are small constants. Thus, the complexity of the proposed algorithm can satisfy the requirements of network attack and defense.

Note that in scenarios where attackers fail to achieve their optimal outcomes, particularly under asymmetric information, the NAADBG model dynamically adjusts the defender’s strategies by leveraging Bayesian updating. As the attacker deviates from optimal behavior, the defender revises their prior beliefs about the attacker’s strategy, enabling more accurate predictions of future actions.
4.1 Nash equilibrium analysis

Within the Node-Level Attack-Defense Game (NAADBG), both the attacker node and the defender node aim to maximize their respective payoffs, which are influenced by their types and prior beliefs. A Nash equilibrium in pure strategies does not always exist, so mixed strategies are the practical means of analyzing equilibrium scenarios.

Definition 6. Mixed strategy. The attacker selects a pure attack strategy with the probability . Upon selecting the attack strategy, the constraints need to be considered. is a mixed strategy of the attacker node under the type . Similarly, is also a mixed strategy of the defender node under type .

Definition 7. Mixed strategy Bayesian Nash equilibrium. denotes the mixed strategy of the attacker node, and is the mixed strategy of the defender node. If the mixed strategy meets the constraints, i.e., (14) and (15), then the Bayesian Nash equilibrium is achieved. In the game, the mixed strategy is adopted when both parties reach a state of equilibrium. The method for calculating the mixed strategy Bayesian Nash equilibrium can be stated mathematically as follows: (16)

Theorem 1: The mixed strategy Bayesian Nash equilibrium of the NAADBG exists.

Proof: First, the NAADBG consists of several independent and similar Bayesian games. Since each independent Bayesian game is a finite game, the basic theorem of Bayesian games [22] indicates that a mixed strategy Nash equilibrium exists. Furthermore, according to the definition of the network attack-defense game, its payoff function is a convex function based on transition probabilities and payoff functions.
According to the existence theorem of equilibrium strategies in finite stochastic games, the mixed strategy Bayesian Nash equilibrium of NAADBG therefore exists. Chatterjee [22], Cheng et al. [23] and Wang et al. [12] have reported that solving for the mixed strategy Bayesian Nash equilibrium can be formulated as a standard nonlinear programming problem. According to game theory, the mixed strategy is the one selected when both sides reach the equilibrium state. Therefore, solving for the equilibrium strategy of NAADBG can be equivalently transformed into finding the optimal value of a nonlinear programming problem: a quadratic programming problem that combines the objective functions is formed, subject to the constraints of those objective functions. ■

4.2 Optimal defense strategy selection method

Selecting the optimal defense strategy in a network security game is a complex process, especially under incomplete information. In realistic node security defense scenarios, defender nodes must choose strategies based on limited resources and incomplete knowledge of the attacker nodes’ strategies. Traditional game-theoretic methods typically yield mixed strategies as optimal solutions. However, in practical applications network managers may prefer to implement pure strategies, so a new approach is necessary. We introduce the concept of defense effectiveness as a criterion that weighs the payoff of a defense strategy against an attack strategy when both parties have reached a Nash equilibrium. To measure the effectiveness of a defense in each security state, we define a utility function based on the payoff matrix and the prior probabilities of defender strategies. In the context of node-level attack-defense games, we take to be the probability that a defender of type selects a defense strategy, and is the prior belief of the defender about the attacker type. The payoff for a chosen defense strategy is .
The defense effectiveness of strategy can be quantified as follows: (17)

Upon calculating the effectiveness of all defense strategies, their effect against the possible attack actions at equilibrium can be read off from the defense effectiveness. The defense strategies can then be ranked, and the most effective strategy selected given the network resources at hand.

4.3 Algorithm description

Algorithm 1 Optimal defense strategy selection algorithm based on attack defense game.
Require: Network attack-defense game model NAADBG
Ensure: Optimal defense strategy
1: Initialize the model parameter NAADBG = { N , T , S , P , U }
2: Construct attack and defense type set and
3: Construct attack and defense strategy set and
4: Obtain attack and defense prior belief set PA and PD
5: while do
6: Calculate the payoffs of attack-defense strategies
7: Calculate the payoff of attack strategy ;
8: Calculate the payoff of defense strategy ;
9: end while
10: The mixed strategy can be obtained;
11: Return ; //output the optimal defense strategies of each security state

Based on the quantification of attack-defense payoffs, the defender’s strategy selection is determined by solving for the mixed strategy Bayesian Nash equilibrium. The defense effectiveness is quantified from the defender’s prior beliefs and the payoff matrix. The optimal defense strategy is then selected by the criterion of maximum defense effectiveness, which distinguishes this approach from classical algorithms that rely on mixed strategies. Our model advocates the selection of a pure strategy, which enhances practical operability. By selecting the optimal strategy beforehand, the network is proactively defended against potential security threats.
The key steps of this defense strategy are: (1) quantifying payoffs for each potential defense strategy; (2) solving for the Bayesian Nash equilibrium to ascertain feasible strategies; (3) evaluating the effectiveness of each strategy based on the equilibrium analysis; and (4) implementing the defense strategy with the highest effectiveness, so that the network’s defenses are activated before security threats occur.

The time complexity of the proposed algorithm is dominated by two parts: game payoff quantification and the Nash equilibrium solution process. During game payoff quantification, if the attacker’s type is , then the attack strategy is selected to target. This process has a known complexity of the order of . The number of attacker types is , and the number of attack strategies for each type is . Therefore, the time complexity of the game payoff quantification can be expressed as . In the Nash equilibrium solution process, the game model used by this algorithm is a non-zero-sum static game. It has been shown that finding a Nash equilibrium is a PPAD-complete problem. In a practical network environment, it is unnecessary to find all Nash equilibria: the algorithm can be terminated once an appropriate Nash equilibrium is found, which improves efficiency. In a realistic network attack-defense scenario, the numbers of attacker and defender types are small constants. Thus, the complexity of the proposed algorithm satisfies the requirements of network attack and defense.

Note that in scenarios where attackers fail to achieve their optimal outcomes, particularly under asymmetric information, the NAADBG model dynamically adjusts the defender’s strategies by Bayesian updating. As the attacker deviates from optimal behavior, the defender revises their prior beliefs about the attacker’s strategy, enabling more accurate predictions of future actions.
This adaptability ensures that even in cases of suboptimal attacker actions, the model remains effective at selecting defense strategies that maximize network protection.

5 Simulation experiment and analysis

To assess the effectiveness of the proposed method for selecting optimal defense strategies against node-level attacks, an experimental network system was configured following standard experimental network environments. The network’s structure separates an internal network, safeguarded by a firewall, from potential external threats. The firewall configuration restricts external hosts to interacting solely with designated mail and web servers. Within the internal network, specific servers and administrators retain the capability to access and manage the database server, ensuring operational control.

Reflecting on historical attack patterns, we categorize attackers into two distinct profiles: attribution depth and attribution efficiency.

Attribution Depth: This attacker profile is defined by a cautious approach that aims to infiltrate systems deeply at the node level while remaining undetected. The focus is on stealth and sustained access rather than quick results, with effort concentrated on erasing any traces that could lead back to the attacker. Specific measures can be: 1) Advanced Persistent Threats (APTs), i.e., using sophisticated malware that remains hidden for long periods. 2) Data Exfiltration Techniques, i.e., stealthily transferring data in small amounts to avoid triggering alarms.

Attribution Efficiency: This profile describes an attacker who aims for quick and impactful results using minimal resources. The focus is on achieving goals swiftly and possibly openly, with less concern for hiding their tracks or establishing long-term access. Specific measures include: 1) DDoS Attacks: Quickly overwhelming network nodes to disrupt service.
2) Exploiting Zero-Day Vulnerabilities: Using newly discovered vulnerabilities to launch attacks before patches are available.

Defenders can be classified into two distinct groups based on the effectiveness and expenditure of their defense strategies: "senior defenders" and "primary defenders." Senior defenders are identified by their readiness to engage in more expensive defense measures to attain a robust level of protection at critical nodes. In contrast, a primary defender tends to implement more cost-effective defense tactics, focusing on achieving their defensive objectives within their budgetary constraints; for instance, redundancy and failover systems that keep a service running when a node fails. Defenders typically choose a combination of various defensive measures, with different types of defenders selecting different actions. To determine the appropriate defensive actions from the defensive behavior library, factors such as costs, impacts, and expert advice are considered.

The simulation environment replicates a standard network system with predefined configurations for internal and external network structures, focusing on node-level security. We incorporate historical attack patterns targeting individual nodes to realistically categorize attacker profiles and accordingly define defender categories as ‘senior defenders’ and ‘primary defenders’. The model parameters were initialized following the constructs of the NAADBG (Table 2).

Table 2. Descriptions of formula variables in the NAADBG model. https://doi.org/10.1371/journal.pone.0313772.t002

Fig 1. The impact of N on payoffs in NAADBG.
https://doi.org/10.1371/journal.pone.0316091.g001

The network attack and defense strategies are defined as follows. The attacker types are traditional attacks, denoted M1, and deep infiltration attacks, denoted M2. The probability that an attacker launches a traditional attack is p, and that of a deep infiltration attack is 1 − p. Regarding strategy selection, the options are launching an attack or not launching an attack; the probability of not launching an attack is ω, and the probability of launching an attack is 1 − ω. On the defense side, we have primary defenders, denoted N1, and senior defenders, denoted N2. The probability that a primary defender responds to an attack is q, while for a senior defender it is 1 − q. The strategies are defending or not defending; the probability of not defending is ϖ, and the probability of defending is 1 − ϖ. Since the players know the opponent’s strategy, Bayesian rules are applied to obtain the payoffs of the players in the game, allowing us to calculate the expected maximum payoffs for all participants.

Therefore, the set of attack strategies can be divided into four cases: . Here, represents the strategy where the attacker does not launch an attack regardless of the type of attack. indicates that the attacker does not launch a traditional attack but launches a deep infiltration attack. is the opposite of , and is the opposite of . Similarly, the set of defense strategies can be divided into four cases: , . represents the strategy where the defender takes no defensive action regardless of the defender type. indicates that the primary defender does not defend, but the senior defender does. is the opposite of , and is the opposite of .

Fig 1 demonstrates the effect of N (the number of defense resources) on the payoffs of defenders and attackers.
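The two-type instance just described, run through Algorithm 1 of Section 4.3, as an added example that is not the paper's code. It assumes constructed payoff numbers (attack impact and cost per attacker type, defense success rate β and defense cost per defender type, a fixed detection penalty), solves the mixed strategy Bayesian Nash equilibrium by support enumeration on the ex-ante 4x4 bimatrix game rather than the paper's nonlinear programme, and, because equation (17) is not reproduced on the page, uses the expected defender payoff of each pure defense strategy against the attacker's equilibrium mix as a stand-in for defense effectiveness.

```python
"""Added example (not the paper's code): two-type NAADBG solved by support enumeration."""
from fractions import Fraction as F
from itertools import combinations, product

P_A = {"M1": F(3, 5), "M2": F(2, 5)}      # attacker type priors p, 1-p (constructed)
P_D = {"N1": F(1, 2), "N2": F(1, 2)}      # defender type priors q, 1-q (constructed)
IMPACT, ATK_COST = {"M1": 40, "M2": 100}, {"M1": 10, "M2": 30}  # per attacker type
BETA, DEF_COST = {"N1": F(1, 2), "N2": F(4, 5)}, {"N1": 15, "N2": 40}  # per defender type
DETECT_PENALTY = 20                       # attacker loss for hitting a defended node
S_A = list(product(("NA", "A"), repeat=2))  # (M1 action, M2 action): 4 attack strategies
S_D = list(product(("ND", "D"), repeat=2))  # (N1 action, N2 action): 4 defense strategies

def payoff(ta, td, a, d):
    """(attacker, defender) payoff for one type pair and action pair (constructed)."""
    if a == "NA":
        return F(0), F(-DEF_COST[td] if d == "D" else 0)
    if d == "ND":
        return F(IMPACT[ta] - ATK_COST[ta]), F(-IMPACT[ta])
    leak = IMPACT[ta] * (1 - BETA[td])    # damage that gets past the defense
    return leak - ATK_COST[ta] - DETECT_PENALTY, -leak - DEF_COST[td]

def exante_matrices():
    """Harsanyi transform: prior-weighted payoff of each (attack, defense) strategy pair."""
    def cell(sa, sd, who):
        return sum(P_A[ta] * P_D[td] * payoff(ta, td, sa[ka], sd[kd])[who]
                   for (ka, ta), (kd, td) in product(enumerate(P_A), enumerate(P_D)))
    return ([[cell(sa, sd, 0) for sd in S_D] for sa in S_A],
            [[cell(sa, sd, 1) for sd in S_D] for sa in S_A])

def solve(a, b):
    """Gauss-Jordan over Fractions; returns None when the system is singular."""
    n, m = len(a), [row[:] + [bi] for row, bi in zip(a, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None: return None
        m[c], m[piv] = m[piv], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(n):
            if r != c: m[r] = [rv - m[r][c] * cv for rv, cv in zip(m[r], m[c])]
    return [row[n] for row in m]

def indifference_mix(U, own, opp, n):
    """Opponent mix on support `opp` making every own strategy in `own` earn the same
    value v under U (rows = own, cols = opponent); returns (mix over n, v) or None."""
    k = len(own)
    rows = [[U[i][j] for j in opp] + [F(-1)] for i in own] + [[F(1)] * k + [F(0)]]
    sol = solve(rows, [F(0)] * k + [F(1)])
    if sol is None or min(sol[:k]) < 0: return None
    mix = dict(zip(opp, sol))
    return [mix.get(j, F(0)) for j in range(n)], sol[k]

def support_enumeration(UA, UD):
    """First Nash equilibrium (x over S_A, y over S_D) found with equal-size supports."""
    m, n = len(UA), len(UA[0])
    UDt = [[UD[i][j] for i in range(m)] for j in range(n)]   # defender as row player
    for k in range(1, min(m, n) + 1):
        for I, J in product(combinations(range(m), k), combinations(range(n), k)):
            ry, rx = indifference_mix(UA, I, J, n), indifference_mix(UDt, J, I, m)
            if ry is None or rx is None: continue
            (y, va), (x, vd) = ry, rx
            if (all(sum(UA[i][j] * y[j] for j in range(n)) <= va for i in range(m))
                    and all(sum(UD[i][j] * x[i] for i in range(m)) <= vd for j in range(n))):
                return x, y
    return None

def select_defense():
    """Algorithm 1, steps 5-11: solve the MSBNE, then rank pure defense strategies by the
    assumed effectiveness measure (expected payoff against the attacker's equilibrium mix).
    Returns (alpha, delta, ranked): per-type Pr[attack], Pr[defend], [(strategy, value), ...]."""
    UA, UD = exante_matrices()
    x, y = support_enumeration(UA, UD)
    alpha = {t: sum(x[i] for i, s in enumerate(S_A) if s[k] == "A") for k, t in enumerate(P_A)}
    delta = {t: sum(y[j] for j, s in enumerate(S_D) if s[k] == "D") for k, t in enumerate(P_D)}
    eff = [sum(x[i] * UD[i][j] for i in range(len(S_A))) for j in range(len(S_D))]
    # A defender type that mixes at equilibrium is indifferent, so its two actions tie here.
    return alpha, delta, sorted(zip(S_D, eff), key=lambda t: t[1], reverse=True)
```

With these constructed numbers the deep-infiltration type always attacks while the traditional type attacks with probability 5/12, the primary defender always defends while the senior defender defends with probability 5/13, and both defense strategies in which the primary defender defends tie at the top of the ranking.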
As N increases, the payoffs for defenders, particularly senior defenders (SD), rise steadily. This indicates that increasing the quantity of defense resources significantly enhances defense capabilities. In a real-world network context, this suggests that deploying more resources, such as additional firewalls or intrusion detection systems, can noticeably strengthen network defenses. Conversely, the payoffs for attackers, especially Attribution Depth Attackers (ADA), decrease as N increases. This suggests that as the defense capabilities grow stronger with more resources, the attackers’ potential gains diminish, particularly for sophisticated, stealthy attacks. This demonstrates the effectiveness of scaling defense resources to mitigate advanced cyber threats.

Fig 2 illustrates the effect of the defense success rate, β, on the payoffs in the Node-Level Attribution Attack-Defense Bayesian Game (NAADBG). As β increases, senior defenders (SD) who do not employ active defense (ND) maintain high payoffs, reflecting the robustness of their defensive measures. In contrast, primary defenders (PD) with active defense (D) experience a moderate decrease in payoffs, suggesting diminishing returns on lower-level defense actions. For attackers, the payoffs, particularly for Attribution Depth Attackers (ADA) without active attacks (NA), show a sharp decline as β increases, dropping from near zero to significantly negative values. This result shows that as the defense success rate improves, attackers face increasingly severe losses. The trend supports the model’s predictive capability: higher defense efficiency drastically reduces the potential benefits for attackers, even when they attempt to evade detection.

Fig 2. The impact of β on payoffs in NAADBG. https://doi.org/10.1371/journal.pone.0316091.g002

Fig 3.
The impact of λ on payoffs in NAADBG. https://doi.org/10.1371/journal.pone.0316091.g003

Fig 3 explores how varying the detection probability, λ, affects the payoffs in NAADBG. Senior defenders (SD) without active defense (ND) retain a high, stable payoff, highlighting the importance of detection in reinforcing strong defenses. Primary defenders (PD) with active defense (D) see relatively stable payoffs around 200 units. On the other hand, attackers experience significant declines in payoffs as λ increases. ADA without active attacks (NA) sees a drastic drop from zero to negative values, while other strategies also exhibit declining returns. This underscores the critical role of detection probability in cyber defense: as detection capabilities improve, attackers are forced into negative payoffs, making it more difficult to sustain successful attacks.

Fig 4. The impact of on payoffs in NAADBG. https://doi.org/10.1371/journal.pone.0316091.g004

Fig 5. The impact of on payoffs in NAADBG. https://doi.org/10.1371/journal.pone.0316091.g005

Fig 6. The impact of on payoffs in NAADBG. https://doi.org/10.1371/journal.pone.0316091.g006

Fig 7. Comparison of defense payoff vs. success rate. https://doi.org/10.1371/journal.pone.0316091.g007

Fig 4 illustrates that increasing the network system’s value, , impacts strategic payoffs in the NAADBG model. Senior defenders (SD) without defense (ND) show a slight decrease in payoff, while primary defenders (PD) with defense (D) experience a more pronounced decline. Attackers, both ADA without active attack (NA) and AEA regardless of attack (A), also face reduced payoffs, with ADA remaining stable and AEA showing a steep decline.
Average payoff differences highlight that ADA+A and AEA+A strategies have a consistent difference of 10, AEA+NA has 11.27, and PD+ND shows 14.09. These results indicate that higher reduces defense payoffs, likely due to higher protection costs, while significantly diminishing attack payoffs, reflecting increased difficulty in successful exploitation.

Fig 5 explores how the cost of attack strategies, , influences payoffs. As increases, primary defenders (PD) with defense (D) see a decrease in payoffs, dropping from 1100 to 800, while PD without defense (ND) remain relatively stable around zero. Interestingly, the payoffs for attackers remain stable as increases, especially for ADA and AEA strategies without active attacks (NA), maintaining consistent values. This suggests that while the cost of executing attacks increases, it does not significantly impact the attackers’ immediate payoffs, highlighting the importance of balancing defense resource allocation against different attack costs.

Fig 6 examines how the attack impact, , affects the payoffs in NAADBG. As increases, the payoffs for senior defenders (SD) rise steadily from negative values to over 1100, indicating that defense becomes more effective as the potential attack impact increases. Senior defenders who do not employ active defense (ND) maintain consistent payoffs, suggesting that sophisticated defense strategies can still mitigate attack impacts without active intervention. On the other hand, both ADA and AEA strategies see rising payoffs as grows, reflecting the increasing potential rewards for successful attacks. This highlights the need for defenders to adjust their strategies based on the potential impact of attacks, ensuring that high-value targets receive more robust protection to counter attackers’ increased motivations.

We compare with three baseline methods:
Traditional Game Theory [14]: Assumes complete information and static strategies, limiting its adaptability to advanced threats.
Cooperative Game Theory [15]: Focuses on resource sharing among defenders, which enhances defense but relies on cooperation.
Hybrid Game Model [20]: Combines cooperative and non-cooperative approaches, offering flexibility but struggling with complex, asymmetric information scenarios.

Based on the baseline comparison shown in Fig 7, the NAADBG model consistently outperforms the other methods, namely Traditional Game Theory, Cooperative Game Theory, and the Hybrid Game Model. The NAADBG model shows a sharp increase in defense payoffs as the defense success rate (β) rises, indicating its superior efficiency in resource allocation and adaptability to evolving threats in IoT environments. In contrast, the other models show a more gradual, linear increase in payoffs, suggesting that they are less effective at handling complex node-level attribution attacks. The NAADBG’s ability to anticipate and counteract sophisticated attacks with limited information makes it the most robust model for optimizing defense strategies.

6 Conclusion

This paper introduces a Node-based Attribution Attack-Defense Bayesian Game (NAADBG) model to address attribution attacks in IoT environments under information asymmetry. By incorporating diverse attacker and defender profiles, the model closely aligns with real-world network security challenges. We enhance payoff quantification, analyze the existence of the mixed strategy Bayesian Nash equilibrium, and derive an optimal defense strategy selection method. Simulation results demonstrate the model’s effectiveness in improving defense performance, particularly in resource-constrained environments. However, integrating the NAADBG model into existing security infrastructures may pose challenges, such as computational overhead and compatibility with current systems, which require further research before practical deployment.
TI - A Bayesian game approach for node-based attribution defense against asymmetric information attacks in IoT networks
JF - PLoS ONE
DO - 10.1371/journal.pone.0316091
DA - 2025-03-27
UR - https://www.deepdyve.com/lp/public-library-of-science-plos-journal/a-bayesian-game-approach-for-node-based-attribution-defense-against-VmZY7c0qLr
SP - e0316091
VL - 20
IS - 3
DP - DeepDyve
ER -