Modeling secrecy and deception in a multiple-period attacker–defender signaling game


Upload: ralph

Post on 24-Feb-2016


DESCRIPTION

Modeling secrecy and deception in a multiple-period attacker–defender signaling game. Advisor: Yeong-Sung Lin. Presented by I-Ju Shih. Agenda: Introduction; Signaling game; Model formulation for repeated game; Attacker observes defensive investment from the previous period

TRANSCRIPT

Defending simple series and parallel systems with imperfect false targets R. Peng, G. Levitin, M. Xie, S.H. Ng

Advisor: Yeong-Sung Lin
Presented by I-Ju Shih

2011/9/13
Modeling secrecy and deception in a multiple-period attacker–defender signaling game

Agenda

Introduction
Signaling game
Model formulation for repeated game
Attacker observes defensive investment from the previous period
Attacker does not observe defensive investment
Conclusions and future research

Introduction

Most applications of game theory to homeland-security resource allocation so far have involved only one-period games.
Dresher (1961) was among the first researchers to apply game theory to military strategic interactions. However, he did not explicitly model deception and secrecy.
Recent game-theoretic research has also indicated that publicizing defensive information instead of keeping it secret may help to deter attacks.

In practice, however, security-related information such as defensive resource allocations is often kept secret.
There is a long tradition of deception in the military arena, as well as in business and capital ventures.
Few of these studies have focused specifically on disclosure of resource allocations.
Defenders might also have incentives to deceive by either overstating or understating their defenses, to deter or disinterest potential attackers, respectively.

Zhuang and Bier (2007) indicate that truthful disclosure should always be preferred to secrecy, which is not surprising, since their model is a game of complete information.
Attacker uncertainty about defender private information can create opportunities for either defender secrecy or deception.
Zhuang and Bier (2011) found that defender secrecy and/or deception could be strictly preferred in a one-period game in which the defender has private information (i.e., the attacker is uncertain about the defender type).

Secrecy has sometimes been modeled as simultaneous play in game theory, since in a simultaneous game, each player moves without knowing the moves chosen by the other players.
Some researchers have modeled deception as sending noisy or imperfect signals to mislead one's opponents.
Hespanha et al. (2000) and Brown et al. (2005) defined deception in a zero-sum attacker-defender game as occurring when the defender discloses only a subset of the defenses, in an attempt to route attacks to heavily-defended locations.

By contrast, this paper defines deception as disclosing a signal (in the domain of the action space) that differs from the chosen (hidden) action.
This paper applies game theory to model strategies of secrecy and deception in a multiple-period attacker-defender resource-allocation and signaling game with incomplete information.

Games are classified into two major classes: cooperative games and non-cooperative games.
In traditional non-cooperative games it is assumed that:
1. The players are rational.
2. There are no enforceable agreements between players.
3. The players know all the data of the game.
However, real-game situations may involve other types of uncertainty.

In this paper they focus on the case where the defender does have private information, while the attacker does not.
In this case, they allow two types of updates about the defender type: the attacker updates his knowledge about the defender type after observing the defender's signals, and also after observing the result of a contest (if one occurs in any given time period).

Signaling game

Games are classified into four major classes.

A signaling game is a dynamic game of incomplete information involving two players, a Sender and a Receiver.
It involves two players (one with private information, the other without) and two moves:
first, the informed player (Sender, she) makes a decision: she "sends a signal";
then the uninformed player (Receiver, he), having observed the informed player's decision but not her private information, makes a decision: he "reacts to the signal".

The timing of the game is as follows:
Nature selects a type ti for Sender from a set of feasible types T = {t1,..., tI} according to a commonly-known probability distribution p(.), where p(ti) > 0 (prior belief) for every i in {1,...,I} and the p(ti) sum to 1.
Sender observes ti and, on the basis of ti, chooses a message mj from a set of feasible messages M = {m1,...,mJ}.
Receiver observes mj and, on the basis of mj, selects an action ak from a set of feasible actions A = {a1,...,aK}.
Payoffs are realised: if nature has drawn type ti, S has chosen message mj and R has selected action ak, then payoffs for S and R are uS(ti, mj, ak) and uR(ti, mj, ak).

Spence's (1973) job market signalling model:
Sender: a worker in search of a job.
Receiver: a (potential) employer (or the market of prospective employers).
Type: the worker's productivity.
Message: the worker's education choice.
Action: the wage paid to the worker.

In a signaling game, there can be any or all of the following Perfect Bayesian Equilibria (PBE):
Pooling equilibrium: In a pooling PBE, both types of Sender choose the same message, so that they cannot be distinguished on the basis of their behavior. (pure strategy)
Separating equilibrium: In a separating PBE, each Sender type chooses a different message, so that the message perfectly identifies the player type. (pure strategy)
Semi-separating equilibrium: In a semi-separating PBE, one type of Sender plays a pure strategy while the other plays a mixed strategy. As a result, Receiver is able to imperfectly update his prior beliefs about Sender's type. (mixed strategy)

Model formulation for repeated game

This paper's game has two players: an attacker (he, signal receiver, A); and a defender (she, signal sender, D).
This paper's model involves an N-period game with private defender information.

For simplicity, this paper considers only a two-type model; i.e., the defender type equals 1 with probability p1 and 2 with probability 1-p1.
This paper assumes that p1, the attacker's prior probability at the beginning of period 1, is common knowledge to both the attacker and the defender.

First, a defender of type chooses a strategy dt() and a signal st() for = 1, 2.
dt() = 0: The defender invests in short-term expenses (such as police patrol) in period t.
dt() = 1: The defender invests in capital defenses in period t.
Let st() in {0, 1, S} be the signal sent by a defender of type about its defensive choice.

The attacker observes the signal st(), updates his belief from the prior pt to the posterior p't, and chooses an attacker response at(st).
at(st) = 0 is the decision to do nothing during period t.
at(st) = 1 represents the decision to launch an attack.

If both defender types send the same signal at equilibrium, st(1) = st(2), then p't (posterior belief) = pt (prior belief). (Pooling equilibrium)
If different defender types send different signals at equilibrium, st(1) ≠ st(2), then the attacker is able to recognize the defender type with certainty, in which case p't = 1 with probability pt, and 0 with probability 1-pt. (Separating equilibrium)
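The attacker's belief update stated above for pooling and separating equilibria, as an added example that is not from the paper or the presentation. It generalizes to mixed strategies through Bayes' rule, which covers the semi-separating case. The dictionary representation of a signaling strategy and the 50/50 mixed strategy are assumptions made for illustration; the prior 0.9 is the baseline p1 used in the slides.

```python
from fractions import Fraction

SIGNALS = (0, 1, "S")  # signal space from the slides; "S" denotes secrecy


def posterior(prior, strategy, signal):
    """Attacker's belief that the defender is type 1 after observing `signal`.

    strategy[type][signal] is the probability that a defender of that type
    sends the signal (hypothetical representation; allows mixed strategies).
    Returns None for a signal that no type sends, because Bayes' rule does
    not pin down the belief off the equilibrium path.
    """
    like1 = strategy[1].get(signal, 0)
    like2 = strategy[2].get(signal, 0)
    evidence = prior * like1 + (1 - prior) * like2
    if evidence == 0:
        return None
    return prior * like1 / evidence


def posterior_distribution(prior, strategy):
    """Map each reachable posterior p't to the probability of ending up there."""
    dist = {}
    for s in SIGNALS:
        weight = prior * strategy[1].get(s, 0) + (1 - prior) * strategy[2].get(s, 0)
        if weight > 0:
            p = posterior(prior, strategy, s)
            dist[p] = dist.get(p, 0) + weight
    return dist


P1 = Fraction(9, 10)  # baseline prior p1 = 0.9 from the slides
ONE = Fraction(1)

POOLING = {1: {"S": ONE}, 2: {"S": ONE}}   # both types stay secret
SEPARATING = {1: {1: ONE}, 2: {0: ONE}}    # each type sends its own signal
# Constructed semi-separating profile: type 2 mimics type 1 half of the time.
SEMI = {1: {1: ONE}, 2: {1: Fraction(1, 2), 0: Fraction(1, 2)}}

if __name__ == "__main__":
    for name, strat in (("pooling", POOLING), ("separating", SEPARATING),
                        ("semi-separating", SEMI)):
        print(name, posterior_distribution(P1, strat))
```

In every profile the expected posterior equals the prior, so a signaling strategy can only redistribute the attacker's belief across signals; it cannot shift it on average.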

This paper assumes for simplicity that the actual level of damage to the target is either 100% or zero.

Attacker: conditional probability that an attack would succeed; attacker's target valuations; attack cost.
Defender: defender's target valuations; conditional probability that an attack would succeed; defense cost.

This contest success function is assumed to be of the form.

where > 1 is the effectiveness of defender short-term expenses relative to defender capital investment in security; t-k is the fraction of defensive capital from period k that is still effective in period t.

the effective defense

short-term capital investment

Let A and D be the attacker and defender discount factors, respectively.

(the current payoff, plus the discounted expected future equilibrium payoff)

attacker, defender

Definition 1. We call the collection {a*(s), d*(), s*(), p*, p'*} an equilibrium if the following four conditions are satisfied:


Definition 2. In an equilibrium {a*(s), d*(), s*(), p*, p'*}, we say that in period t, a defender of type chooses:

The cost of implementing truthful disclosure is lower than the costs of implementing secrecy and deception, respectively.

Attacker observes defensive investment from the previous period

The model is under the assumption that the attacker can observe the previous period's defensive choice, dt-1, at the beginning of period t.
They still allow the defender's private information to remain secret throughout the entire game, if not revealed by the defender's choices.
However, with this assumption, the defender cannot choose deception or secrecy at optimality for more than one time period.

For computational convenience, they assume that capital can be carried over only to the immediate next period. (k = 0 for k 2, and 1 = )

Case A (pt = 0 or pt = 1): In this case, at the beginning of period t, the attacker already knows whether the defender is of type = 2 or = 1.

For all 48 cases, we calculate et using Eq. (11), and let p't (posterior belief) = pt+1 (prior belief) = pt (prior belief). The attacker and defender total expected payoffs are calculated as the sum of the current payoff plus the discounted future equilibrium payoff:

Case B (0 < pt < 1): In this case, at the beginning of period t, the attacker is uncertain about the defender type, and we have a three-player, 8*6*6 game.
For all 288 cases, we calculate et() using Eq. (11), and then determine p't stochastically as a function of st(), st(2), and pt, using condition 3 of Definition 1.

the attacker payoff is given by:

the payoff to a defender of type h is given by:

In the examples in the following sections, we use the following baseline parameter values: N = 2; p1 = 0.9; A = 0.9; D(1) = D(2) = 0.9; (1) = (2) = 0.5; (1) = (2) = 2; vA(1) = vA(2) = 20; vD(1) = vD(2) = 20.
Moreover, we use the following baseline costs:

1. Effectiveness of expenses as defender private information
Here, we let (1) = 2 and (2) = 4 be the defender private information.

[Table: Defender's strategy; Defender's signal]

2. Target valuation as private information
We consider (1) = (2) = 1.5; vA(1) = vD(1) = 10 and vA(1) = vD(2) = 20.

[Table: Defender's strategy; Defender's signal]

3. Defender costs as private information
We consider (1) = (2) = 2 and the defender of type 2 has higher costs for all signals than the defender of type 1 when the defenses are given by d = 0.

[Table: Defender's strategy; Defender's signal]

4. Other parameters as defender private information
In cases where the defender's private information is associated only with future payoffs (such as the carry-over coefficients k and the discount rate D), they have not found deception or secrecy in their numerical model, despite an extensive computer search.

Attacker does not observe defensive investment

For simplicity, this paper also assumes that the attacker does not observe the result of the contest from the previous period.
Therefore, we need to solve a three-player 8N*6N*6N game, where N is the number of periods.
We let the cost be the defender's private information.

Conclusions and future research

This work uses game theory and dynamic programming to model a multiple-period, attacker–defender, resource-allocation and signaling game with incomplete information.
This paper's numerical examples show that defenders can sometimes achieve more cost-effective security through secrecy and deception in a multiple-period game.
One limitation to this paper is that their algorithm does not automatically identify mixed strategies.

Although they found secrecy and deception as equilibrium strategies, which is somewhat unusual in the literature, such equilibria were relatively rare and difficult to obtain in our model, compared to the frequency with which secrecy and deception are observed in practice.
They suspect that this may be at least in part because of some of the more unrealistic assumptions of game theory (e.g., common knowledge, full rationality).

Thanks for listening.