No Time to Lie - Bounds on the Learning Rate of a Defender for Inferring Attacker Target Preferences.

Prior work has explored the use of defensive cyber deception to manipulate the information available to attackers and to proactively misinform on behalf of both real and decoy systems. Such approaches can provide advantages to defenders by detecting inadvertent attacker interactions with decoy systems, by delaying attacker forward progress, by decreasing or eliminating attacker payoffs in multi-round interactions, and by predicting and interfering with (or incentivizing) likely attacker actions (probe, attack, and walk-away). In this work, we extend our prior model by examining the ability of a defender to learn an attacker’s preferences through observations of their interactions with targeted systems. Knowledge of an attacker’s preferences can be used to guide defensive systems, particularly those which present deceptive features to an attacker. Prior work did not distinguish between targets other than as real or decoy and only modeled an attacker’s behaviors as it related to their costs for probing or attacking defended systems. While this was able to predict an attacker’s likelihood of continuing their interactions or walking away from the game, it did not inform a defender as to an attacker’s likely future actions as expressed through preferences for various defended systems. In this paper, we first present a theoretical model in which lower and upper bounds on the number of observations needed for a defender to learn an attacker’s preferences is expressed. We then present empirical results in the form of simulated interactions between an attacker with fixed preferences and a learning defender. Lastly we discuss how these bounds can be used to inform an adaptive deceptive defense in which a defender can leverage their knowledge of attacker preferences to more optimally interfere with an attacker’s future actions.