8.5. Tuning the Game Parameters

The stochastic game model presented in the previous section is based on a reward and cost concept. As discussed in Section 8.3, these values will represent the attacker’s motivation when deciding on attack actions. Whenever an attacker performs an attack action, he or she immediately receives a reward. Furthermore, if the action succeeds, additional rewards may be gained. We use negative rewards (i.e., costs) to make room for the possibility that attackers may be risk averse. The cost of a detected action will be an important demotivating factor when modeling, for example, insiders: legitimate users who override their current privileges. Similarly, commercial adversaries would lose reputation and market share if it were exposed that they had used illegal means.

Since we have chosen to model the interactions between an attacker and the system as a zero-sum game rather than a general-sum one, an increasing cost value will play a deterrent role for an attacker. However, due to the inherent properties of the minimax solution in Eq. 8.19, an increasing reward value will indirectly play a deterrent role for an attacker. One must, therefore, vary the cost parameters rather than the reward parameters in order to get an intuitive corresponding attack strategy. This process will be further illustrated in the upcoming examples in this section. The purpose of this relatively simple analysis is to give the reader a better understanding of the case study in Section 8.6.

In Eq. 8.17, we set rkl = 1 and pij(ak,dl) = 0, ∀j,k,l, and then let the cost value vary between –10 ≤ ckl ≤ 1. This provides us with the possibility of analyzing, for example, how the cost of a detected attack versus the reward of an undetected one will affect the expected attacker behavior for a particular system state i.

8.5.1. One Possible Attack Action

As a first example, assume that a system is vulnerable to a single attack action in state i. An attacker can choose either to perform the attack (action a) or to resign (action Φ). The system’s response actions are then to either set an alarm (action d) or no reaction (action Φ). Hence, Ai = {a,Φ} and Di = {Φ,d}. To model this scenario we use the 2 × 2 game element:

Equation 8.21


where the cost value cad represents an attacker’s cost of a detected action and cΦΦ is the cost of resigning even though an attempted attack would have been undetected. By varying cad and cΦΦ, we can now demonstrate how the relation γadaΦ (i.e., the cost of a detected attack versus the reward of an undetected attack) and γΦΦaΦ (i.e., the cost associated with resigning versus the reward of an undetected attack) will affect the expected attacker behavior, in terms of the attack probability . To compute ,, we solve Eq. 8.19, as previously discussed.

Reducing cad

If cad = –2 and cΦΦ = –3 in Eq. 8.21, then the expected probability of attacking will be . However, if the cost of a detected action is increased to cad = –10, then . Hence, an increasing cost of a detected action will decrease the attacker’s motivation.

Reducing cΦΦ

Again, if cad = –2 and cΦΦ = –3 in Eq. 8.21, then . However, if cΦΦ = –10, then . As the cost of resigning increases, the attacker’s motivation will increase.

Figure 8.8 depicts a more complete graph of a risk-averse attacker’s expected behavior, according to Eq. 8.21. In the graph, we let –10 ≤ cad, cΦΦ ≤ 1. One can see that the expected probability of attacking is highest, = 1.0, when cad = 1. This is intuitive since an attacker who receives the same reward whether he or she is detected or not will always choose to attack. On the other hand, the expected probability of attacking is lowest, , when cΦΦ > 0 and cad < 0. This can be interpreted as if the reward of an attack is small enough, so that it is not significantly greater than the cost of resigning, an attacker may not even bother to try (of course this is an ideal situation unlikely to occur in real life). In general, as the examples indicate and the graph illustrates, as the cost values increase, we can expect the attacker to act more carefully.

Figure 8.8. The expected attacker behavior with respect to cad and cΦΦ.


It is interesting to note that even though measures are taken to increase the cost of detected actions, legal proceedings for instance, a rapidly decreasing cad will only have marginal effect on the behavior of an attacker who has a strong reluctance to resign. This is shown in Figure 8.8 as a slowly decreasing along the “cΦΦ = –10” axis. In fact, the parameter that has the strongest influence on the expected attacker behavior with respect to Eq. 8.21 is cΦΦ. Unfortunately, since cΦΦ represents a mental factor in this game (the attacker’s reluctance to resign), it will be difficult for a system administrator to take preventive measures influencing cΦΦ in a way that will reduce .
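
As an added example (not from the book), the following Python code solves a 2 × 2 zero-sum game element exactly and returns the attacker's probability of choosing action a. It assumes the element has rows (a, Φ), columns (Φ, d) and attacker payoffs [[1, cad], [cΦΦ, 0]], in line with rkl = 1 above; this layout and all function names are assumptions, since Eq. 8.21 is not reproduced on this page.

```python
from fractions import Fraction

def solve_2x2(matrix):
    """Maximin solution of a 2x2 zero-sum game given the row player's payoffs.

    Returns (p, value): p is the probability that the row player (the attacker)
    plays row 0, value is the game value.
    """
    (a, b), (c, d) = [[Fraction(x) for x in row] for row in matrix]
    maximin = max(min(a, b), min(c, d))   # best worst case for the attacker
    minimax = min(max(a, c), max(b, d))   # best worst case for the defender
    if maximin == minimax:
        # Saddle point: a pure strategy is optimal.
        p = Fraction(1) if min(a, b) >= min(c, d) else Fraction(0)
        return p, maximin
    # No saddle point: mix so the defender is indifferent between columns.
    denom = a - b - c + d
    return (d - c) / denom, (a * d - b * c) / denom

def attack_probability(c_ad, c_res):
    """Probability of action a for the assumed element [[1, c_ad], [c_res, 0]].

    Rows are attacker actions (a, resign); columns are system actions
    (no reaction, alarm). The layout is an assumption, not the page's Eq. 8.21.
    """
    p, _ = solve_2x2([[1, c_ad], [c_res, 0]])
    return p

def sweep(costs):
    """Attack probability over a grid of (c_ad, c_res) pairs."""
    return {(x, y): attack_probability(x, y) for x in costs for y in costs}

if __name__ == "__main__":
    for c_ad, c_res in [(-2, -3), (-10, -3), (-2, -10), (1, -3)]:
        print(c_ad, c_res, float(attack_probability(c_ad, c_res)))
    grid = sweep(range(-10, 2))
    # Attack probability along c_res = -10 as c_ad decreases.
    print([round(float(grid[(x, -10)]), 2) for x in (-1, -4, -7, -10)])
```
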

8.5.2. Two Possible Attack Actions

Assume that there are two possible attack actions available in system state i. This scenario can be represented by the 3 × 3 game element:

Equation 8.22


where Ai = {a1,a2,Φ} and Di = {Φ,d1,d2}. Now the expected attack probability will depend on ca1d1, ca2d2, and cΦΦ. Figures 8.9–8.11 depict how will vary for –10 ≤ ca1d1, cΦΦ ≤ 1, –10 ≤ ca2d2, cΦΦ ≤ 1, and –10 ≤ ca1d1, ca2d2 ≤ 1 when ca2d2 = –3, ca1d1 = –3, and cΦΦ = –2, respectively.

Some interesting observations are:

  • The general trend of the expected attacker behavior in Figures 8.9 and 8.10 is that → 0 when cΦΦ → 0 (i.e., the attack probability decreases as the cost of resigning decreases). However, does not decrease as cΦΦ decreases when ca1d1 > 0 (Figure 8.9). Since there is no negative cost value associated with action a1, regardless of the system’s response, the cost associated with resigning will not affect the probability of attack a1.

    Figure 8.9. The attack probability with respect to cΦΦ and ca1d1 when ca2d2 = –3.

  • Naturally, decreases as ca1d1 increases (Figure 8.9). On the contrary, increases as ca2d2 increases (Figure 8.10). A higher cost of a detected action a2 will increase the probability of action a1, rather than a2.

    Figure 8.10. The attack probability with respect to cΦΦ and ca2d2 when ca1d1 = –3.

  • In Figure 8.11, one can see that will be close to 1 only when ca1d1 > 0 and ca2d2 < 0. As soon as there is a cost of a detected action a1 (i.e., ca1d1 < 0), the attack probability vector will become more evenly distributed.

    Figure 8.11. The attack probability with respect to ca2d2 and ca1d1 when cΦΦ = –2.

There are corresponding results for . These graphs are therefore not included in this chapter.

The same methodology can also be used to compute the expected attacker behavior for states where a system is vulnerable to a large number of attack actions. This has been demonstrated in Sallhammar et al. [18], which shows that, also for larger games, an increasing cost of a detected action will lead to a smaller probability of an attacker choosing that particular action.

8.5.3. Attacker Profiling

To distinguish between different types of attackers, it is common practice to make use of attacker profiles. A number of fine-granular classifications of attackers exist in the literature. In [32], Rogers summarizes earlier research on attacker categorization and provides a new taxonomy based on a two-dimensional circumplex classification model. Skill and motivation are identified as the primary classification criteria, which fit well into our mathematical framework where attacker skill is represented by attack intensities, as discussed in Section 8.2.2, and the motivation by the reward and cost concept. The advantage of Rogers’ circumplex approach is that it does not rely on any hard categorization model, but can rather serve as a basis when defining attacker profiles that share similar characteristics. Hence, to comply with the model in CERIAS [32], we suggest tuning the cost values of the game elements, as well as the attack intensities in the stochastic model, to characterize the motivation and skill of the particular kind of attackers that are considered in the system’s threat environment. The influence of the outcome values in the game model on the attack probabilities was demonstrated in this section.

In this chapter, we have implicitly assumed that all attackers are of the same type (i.e., share the same skills and motivation). It may, however, be more realistic to regard several types, for instance, skilled, risk-averse internal attackers and less skilled and risk-averse external attackers. This may be introduced in the model by replacing the intruder transition rates introduced in Section 8.2.2 (see Eq. 8.3) by:

Equation 8.23


where k denotes the type of attacker. The strategies for each attacker, , may be obtained by the procedure presented in this section, with the exception that we must take into account the coupling between attacks. For instance, the transition probability in Eq. 8.15 must be replaced by

Equation 8.24


when modeling more than one type of attacker. This also requires an iteration over the types of attackers, in addition to the iterations to find the strategies, which increases the computational effort.
