Proceedings of the 12th INDIACom; INDIACom-2018
2018 5th International Conference on “Computing for Sustainable Global Development”, 14th – 18th March, 2018
Bharati Vidyapeeth’s Institute of Computer Applications and Management (BVICAM), New Delhi (INDIA)

Game Theory based Attack Graph Analysis for Cyber War Strategy

Pallaw Kumar Mishra
Scientist ‘E’, ISSA, DRDO
Email Id: pkmishra@issa.drdo.in

Garima Tyagi
Student, Ashoka University
Email Id: garima.tyagi_ug18@ashoka.edu.in

Abstract – The threat of an impending cyber war entails an ever more pervasive network for military and governance, where attacks by nation-states are very sophisticated and persistent. Quantification of cyber threats is required in the cyber warfare domain so that a proper decision and assessment framework can be built for the attacker as well as the defender for analysis and planning.

This paper presents research towards building a decision support system (DSS) for an attacker when multiple options are available. The same model can be employed by a defender to do proactive analysis of the attacker's behavior so as to deploy resources effectively. In this paper, we show how attack graphs can be used to depict any possible multi-host, multi-stage cyber-attacks. Further, we present a game theoretic model to analyze, at each node of the graph, how the defender can strategize against the attacks to defend the cyber assets in the most efficient ways.

Keywords – Adjacency Matrix, Attack Graph, CVSS score, Game Theory, Nash Equilibrium, Lemke Howson algorithm, Mixed Strategy

I. INTRODUCTION

In today’s world, modernization of armed forces (more specifically command and control), digitization of governance and interconnection of SCADA have increased the usage of networked communications, which has made protecting cyber assets more indispensable than ever before. It also leads to a situation where, if an attacker gets hold of one machine, it is very likely that (s)he will try to compromise more machines by breaking through the target network. More so when a nation state is involved, as in cyber war, the attack becomes more persistent and the attack vector more sophisticated. For studying such multi-stage, multi-host attacks, Phillips and Swiler [1] proposed the concept of network attack graphs. An attack graph enumerates the target network, with its cyber and network entities as nodes and connections as edges. Its analysis can elucidate different approaches to reach and attack the target resources. These approaches are fundamentally vulnerability-exploit chains formed by a sequence of exploitation of multiple vulnerabilities of intermediary nodes. Different vulnerability-exploit chains may serve different objectives of the attacker and can pose serious threats to the target network. In real networks there are many interconnected nodes and hence there are multiple vulnerability-exploit chains, and when these chains are combined for analysis, they form an attack graph.

The security analyst may employ various attack graph generating tools to gain deep insight into the vulnerabilities of one's own system and network, beforehand knowledge of the different paths or ways in which her/his network can be attacked or the most probable attack route to penetrate the network, and statistical knowledge of which attack paths are mostly taken by any attacker. But the drawback here is that as we add nodes in a network, the possible attack paths increase exponentially, which renders this approach practically infeasible, at least for human capability.

At this stage, employing a game theoretic model [2] may provide numerous advantages. For one, game theory resolves the problem of examining exponentially numerous scenarios as it provides such capability. Next, it provides a framework for coming up with options for the next course of action with a quantitative measure for the outcome of each action. Hence, it provides a good quantitative analytical framework for a DSS. Third, it provides a platform for comparison of different policies or plans by comparative analysis of decision points, which can be employed in a real warfare scenario [3].

When an attacker is at node i and it is possible for him to reach, say, three different nodes from node i, then we investigate the application of game theory in analyzing the decision processes involved in the competitive scenario between the attacker and the defender for each of those three system nodes. We model this scenario at each node as a non-cooperative, non-zero-sum game between the two players, i.e. the defender and the attacker. We will demonstrate a matrix game between the 2 players in which the payoffs of the players will be assigned in accordance with the results of a vulnerability scoring engine (CVSS) [4], which assigns a severity score to each vulnerability scanned by a vulnerability scanner software called NESSUS [5]. We will compute the equilibrium strategies at each node of the matrix game using a program we developed in MATLAB [6]. With the help of our model, the
attacker can have a decision support system for choosing alternatives and the defender will try to deploy its major defence resources effectively in its network to provide maximum security when and where required.

We start with a brief introduction and the requirement for such research; in section II we delve into related research works. Section III explains the linkage of the attack graph to our present research and section IV explains the model we developed, including the game theoretic analysis of the attack graph. Section V explains the progress of the game and how the mixed strategy Nash Equilibrium is relevant to cyber war. In section VI we conclude the paper and touch upon how the research can be made more advanced in the near future.

II. RELATED WORK

Envisaging the attacker and the security analyst as two players, a lot of research has been done utilizing game theory models for network security, IDS tactics etc. In [7], the authors examined components of intrusion detection and information security involving balancing between speed and functioning vs security, and in order to justify it quantitatively came up with a game theoretic model. Some researchers have gone into making a security game exercise based on a game theoretic model to know the effect of deception and hardening [8], and the effect of financial motivation affecting the attacker (hacker) and the security analyst [9]. These experiments reiterated that certain situations lead network administrators to behave suboptimally in the presence of a motivated attacker. Some researchers have incorporated more realism into the attacker-defender game by incorporating uncertainty into the model. Some have dealt with the uncertainty using a Markovian model [10] [11], some researchers dealt with it using Q-learning [12], and some used a Bayesian model [13]. Also, [14] used the model as a two player stochastic game and came up with the optimal action for both attacker and defender for network security. Stackelberg game models have been used for analyzing the attacker’s adaptive behavior [15] and have also been used in conjunction with a multi-criteria decision process to predict the attacker’s next move by updating the learning based on the attacker’s current moves [16] [17]. In addition to game theory, [18] used singular value decomposition to come up with an optimal resource allocation support system for the security analyst. In [19] the authors gave a framework to deal with imperfect information to arrive at a Nash Equilibrium. For coming up with a strategy, the authors of [20] demonstrate the relation between strategy and effectiveness when an aggressive strategy leads to dominance and a mixed strategy leads to reduced dominance.

III. ATTACK GRAPH CONSTRUCTION

In network analysis, reachability or adjacency is the key concept. In graph theory, given two nodes, the concept of reachability tells us if it is possible to get from the first node to the second one [21]. It is one thing to have connectivity between nodes and entirely different to have reachability from one node to the other. For reachability we must have some vulnerability, e.g. open ports, and the exploitation capability to leverage those vulnerabilities.

Network connectivity can be determined by utilizing network enumeration tools like Zenmap. It gives a glimpse of the interconnectivity among nodes and can help build the adjacency matrix.

Fig. 1. Network Topology generated by Zenmap

To construct the attack graph, we make use of the concept of reachability to build the adjacency matrix for our network of assets (machine nodes). For a graph G with n vertices, namely N_0 to N_{n-1}, the adjacency matrix is the n x n matrix where

a_ij = 1 if there exists a path from n_i to n_j
a_ij = 0 otherwise

The adjacency matrix that we will be using for our research, involving a network system with 10 target nodes, is shown below (with the assumption that N0 is the attacker node):

TABLE I. REACHABILITY MATRIX OF SAMPLE NETWORK

      N0  N1  N2  N3  N4  N5  N6  N7  N8  N9  N10
N0     0   1   0   1   1   0   0   0   0   0   0
N1     0   0   0   0   0   0   0   1   0   0   0
N2     0   0   0   0   0   0   0   0   0   0   0
N3     0   0   0   0   0   1   0   0   0   0   0
N4     0   0   0   0   0   0   1   0   0   0   0
N5     0   0   0   0   0   0   0   1   0   0   0
N6     0   0   0   0   0   0   0   1   1   1   0
N7     0   0   0   0   0   0   0   0   0   1   0
N8     0   0   0   0   0   0   0   0   0   1   0
N9     0   0   1   0   0   0   0   0   0   0   1
N10    0   0   0   0   0   0   0   0   0   0   0
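The construction described above, applied to Table I, as an added example (not the authors' code): it parses the matrix, enumerates every attack path from N0 to a leaf, and lists the intermediate nodes that all paths share. Function names are illustrative, and each 1 is read as a one-step edge.

```python
# Added example, not the authors' code. Table I is read as direct edges:
# a 1 in row Ni, column Nj means Nj can be attacked from Ni in one step.

TABLE_I = """
N0  0 1 0 1 1 0 0 0 0 0 0
N1  0 0 0 0 0 0 0 1 0 0 0
N2  0 0 0 0 0 0 0 0 0 0 0
N3  0 0 0 0 0 1 0 0 0 0 0
N4  0 0 0 0 0 0 1 0 0 0 0
N5  0 0 0 0 0 0 0 1 0 0 0
N6  0 0 0 0 0 0 0 1 1 1 0
N7  0 0 0 0 0 0 0 0 0 1 0
N8  0 0 0 0 0 0 0 0 0 1 0
N9  0 0 1 0 0 0 0 0 0 0 1
N10 0 0 0 0 0 0 0 0 0 0 0
"""


def parse_matrix(text):
    """Return (labels, matrix) from rows of the form 'Ni a_i0 a_i1 ...'."""
    labels, matrix = [], []
    for line in text.strip().splitlines():
        label, *cells = line.split()
        if any(c not in ("0", "1") for c in cells):
            raise ValueError(f"{label}: entries must be 0 or 1")
        labels.append(label)
        matrix.append([int(c) for c in cells])
    if any(len(row) != len(labels) for row in matrix):
        raise ValueError("matrix must be square")
    return labels, matrix


def successors(matrix, i):
    """Nodes one step from node i: the non-zero entries of row i."""
    return [j for j, a in enumerate(matrix[i]) if a]


def leaf_nodes(matrix):
    """Nodes with an all-zero row, where the walk over the graph stops."""
    return [i for i in range(len(matrix)) if not successors(matrix, i)]


def attack_paths(matrix, start=0):
    """All simple paths from start to a node with no unvisited successor."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        nxt = [j for j in successors(matrix, path[-1]) if j not in path]  # no revisits
        if not nxt:
            paths.append(path)
        stack.extend(path + [j] for j in reversed(nxt))
    return paths


def choke_points(paths):
    """Intermediate nodes that every path crosses: candidates for defence resources."""
    interiors = [set(p[1:-1]) for p in paths]
    return sorted(set.intersection(*interiors)) if interiors else []


if __name__ == "__main__":
    labels, matrix = parse_matrix(TABLE_I)
    paths = attack_paths(matrix)
    for p in paths:
        print(" -> ".join(labels[i] for i in p))
    print("leaves:", [labels[i] for i in leaf_nodes(matrix)])
    print("on every path:", [labels[i] for i in choke_points(paths)])
```

For Table I this yields ten paths ending at N2 or N10, all of which cross N9.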

Vulnerability of a network system can be at the network level, host level or application level, which can provide different access levels to the system. NESSUS is a vulnerability scanner developed by Tenable Network Security used for identifying vulnerabilities, policy-violating configurations and malware [5]. The NESSUS scan provides information on individual hosts and open ports and associates each identified vulnerability with a Common Vulnerability Scoring System (CVSS) [4] score, which later helped us in the construction of our payoff matrices for the Game Theoretic Model.

We will generate the attack graph starting from the attacker source node (N0). The graph, consisting of nodes (one attacker node N0, and multiple target nodes from N1 to N10) and arrows, will be a representation of all the nodes in the network and how they are connected to each other.

The attack graph based on the aforementioned adjacency matrix is given below. Here, the arrows from one node to another indicate the major attacks possible on the scanned vulnerabilities of the target node.

Fig. 2. An attack graph based on the Table I adjacency matrix

IV. INTERACTION BETWEEN THE ATTACKER AND THE DEFENDER AS A GAME THEORETIC MODEL

Once we have enumerated the different approaches by which an attacker can reach the target network, with detailed analysis of vulnerability-exploit sequences and attack graph scores, the next step is to identify how the defender is expected to act to protect each of the network nodes targeted by the attacker at a particular stage of the attack.

When an attacker from the source node N0 or any other subsequent node in the graph during a multi stage attack decides to launch an attack, the target node for his attack is determined by the adjacency matrix given in the previous section. At any particular stage in the game, for each network node which the attacker can reach from the attack node, the interaction between the attacker and the defender can be modelled as a 2 player, non-zero-sum game with asymmetric information set (the attack graph is private information to the defender).

A. Model

We define a node as any computing machine (database server, web server, workstation, virtual machine, desktop or a personal device) and network entity (router, gateway, bridges, switches, hubs, etc.). We can model applications or services as nodes, but our present model does not consider this. We define a set of nodes or cyber entities, N = {n_0, n_1, n_2, n_3, …}, where n_0 corresponds to the attacker node.

There are three possible scenarios for n_0:

Case 1: n_0 is the direct attacker node. The attacker directly launches the attack from its system. This is a very naïve approach, as such an attack can easily be traced back to the attacker and a proper counterattack can be launched. So, in reality, this approach is employed by inexperienced hackers and not by nation states for waging cyber wars.

Fig. 3. Attacker directly attacking target network

Case 2: The attacker is routing its attack through some other node. This is done by using proxies such as TOR or using zombies created for such purpose. In this case, attribution becomes very difficult and hence traceability to the attacker and chances of counterattacks are minimized.

Fig. 4. Attacker using intermediary node to attack target system

Case 3: In DDoS attacks, a distributed set of nodes attacks the target system in a well synchronized manner. Here, mostly hired botnets are employed and nodes are located in physically diverse locations and, as in case 2, the attribution and chances of counterattacks are very minuscule.

Fig. 5. Attacker using distributed node to attack target system

In the present research work, we are considering the case 1 scenario; cases 2 and 3 can be taken up in future research.

Vulnerabilities of nodes: V = {v_0, v_1, v_2, v_3, …}
Vulnerabilities associated with each node n_i (i > 0): v_i = {v_p, v_q, v_r, …}

For node connectivity, there is an adjacency matrix

A_ij = 1 if there is a direct connection between node n_i and n_j
A_ij = 0 otherwise

For the sake of simplicity, we are considering a unidirectional graph.

Now, corresponding to each vulnerability v_j we have a number of exploits

E_j = {e_m, e_n, e_o, e_p, …}

Exploits consist of combinations of exploits and payloads. Each exploit has some gain for the attacker and loss for the defender in terms of loss of privacy (probe result), loss of confidentiality, loss of integrity and loss of availability. Each of these parameters can be modelled, e.g. Loss of Confidentiality (LoC) = K_0 + p(a_1, a_2, a_3, …), which is beyond the scope of this paper. For our purpose, we will use the CVSS score, which is a good proxy for the gain of the attacker or the loss of the defender, as it includes, among many others, confidentiality impact, integrity impact and availability impact. Hence, there is a mapping from each exploit to a real number, as follows.

Define f: E → R+ as a one-to-one function assigning a positive real number to each element of E. Hence, each exploit is associated with a payoff value for the attacker (negative for the defender).

Action Sets of the players: Let A be the action set of the attacker. Set A will be defined as the possible actions an attacker will take to exploit each of the vulnerabilities scanned by the NESSUS scanner, like crack_root_password_of_the_file_server, run_DOS_virus, etc. The defender’s action set, B, can be a set of the possible responses to the attacker’s action like set_an_alarm, install_sniffer_detector, etc. For the purpose of this paper, we confine the action set of the defender to only two actions: defend and no defence.

B. Defining payoffs for the Players

When the target machines are scanned using NESSUS, the NESSUS report consists of all the possible vulnerabilities for each node and each vulnerability is assigned a risk score, most commonly known as the CVSS score. This risk score assigned by the scoring engine to a vulnerability can be treated as the gain the attacker will get if (s)he attacks that particular vulnerability of that particular node. If the attacker is unsuccessful, either a) when the attack fails or b) when her/his action is detected, it will be a loss to the attacker, which needs to be modeled. In our present research, we are not considering this scenario and it is left for future scope.

The defender’s payoff is defined in a similar way to the attacker’s payoff, except there is an additional component, say C, that must be added to the CVSS score of each vulnerability. This additional component encapsulates several factors like the amount of resources it would take to recover the node data, how important the host machine is to the defender (this can be determined using how sensitive the data in the machine is), how difficult and costly it is to secure the specific host from any particular attack of the attacker and how much loss the exploit can cause to the workings of the networked system. In our MATLAB program, to build our matrix game, the user of the computer networks (or the defender) will enter the value of C for each of the actions corresponding to each vulnerability of the attacker.

C. Calculating equilibrium for each node

We investigate the equilibrium of each matrix (each representing the attacker-defender game at a unique graph node) using formal game theory methods. Once the payoff matrices are formed for both the row and the column players, the program calculates the Nash equilibrium strategy for each possible target node. We will use Mixed Strategy Nash Equilibrium to calculate the probability distribution with which the players will choose different actions in order to achieve the optimal output. On running our program, we obtain the results in the form of the probabilities associated with each action at each node. For a pure strategy Nash Equilibrium, the probability distribution will assign a probability of 1 to the dominant strategy.

D. Infinitely Repeated Game

We model our game as an infinitely repeated game. A game is said to be an infinitely repeated game if the players do not know how many times the base (stage) game will be repeated. In such games, multiple rounds are played with each player either winning or losing, and gaining his or her respective payoff. The above described network security game between the attacker and the defender is an infinitely repeated game since the defender doesn’t know how many times the attacker will try to attack the systems, as nation-state attacks are very persistent and consistent. The network security administrator cannot hope to successfully protect 100 percent of his/her information 100 percent of the time, and that’s why a mixed strategy Nash equilibrium can be used and each player must play those strategies which are expected to give the maximum average payoff in the long run when the game is a repeated game [22].

VI. IMPLEMENTATION

In order to provide a decision support system (DSS) for cyber warfare, we developed a simple Game Theoretic sample model for demonstrating how our research can help to determine the optimal strategy for the attacker and the defender. The pseudocode for the model is as follows:

    generate adjacency matrix a
    get the vulnerabilities and calculate the cvss score of each vulnerability of each node
    start with attacker node
    do
        read row of present node
        get the first non-zero entry
        get the cvss score of the node
        payoff of attacker = cvss score
        payoff of defender (no action) = -cvss score
        payoff of defender with action = cvss score + cost
        calculate nash equilibrium from this payoff matrix
        choose the best course
    while present node is not a leaf node

Firstly, we scanned 10 network nodes using NESSUS to get the vulnerabilities of each machine. Though it gives the defender’s perspective of the network, the attacker can employ network scanning tools to have a similar perspective. It may be possible that the attacker and the defender have different attack graphs, which entails altogether different game theory models and, at present, is left for future research. Here, we present a simplistic and realistic implementation of the model. A snapshot from the NESSUS output CSV file (abridged) is given below for a machine, addressed 127.0.0.1, in the local network.

Fig. 6. NESSUS output of CVSS of Nodes

The CVSS score given in the third column of the output file is used as the payoff the attacker gets for different attacks when the defender takes no action. When the defender takes action, the payoffs for the attacker are negative, indicating loss to the attacker. The amplitude of the loss is the sum of the CVSS score and the additional component (C) entered by the defender. Similarly, the defender’s payoff when the attacker attacks and the defender defends can be given by the sum of the CVSS score and C (defined earlier). When the defender takes no action, his/her payoff is defined as the negative (loss) of the CVSS score for each attack. All these payoff rows constitute the payoff matrices for the two players.

The MATLAB program uses these payoffs to construct payoff matrices for the network security game. The matrix is of 2 x n dimensions, where n = number of attack strategies an attacker can have, i.e. the number of elements in the action set A of the attacker. An example of the Defender’s payoff matrix used in our MATLAB model for a network node (addressed 127.0.0.1) is given below.

TABLE II. PAYOFF MATRIX FOR DEFENDER

              A1     A2     A3     A4    A5    A6    A7
Defend       12.8   12.5   11.4    10    10    10    10
No defence   -7.8   -7.5   -6.4    -5    -5    -5    -5

Here, A1 to A7 are possible actions that the attacker can use in order to exploit different vulnerabilities of the respective node. In the case of this node, A1 for example refers to the action an attacker will take to attack the system against the vulnerability “Network Time Protocol Daemon (ntpd) read_mru_list() Remote DoS” and A2 is the action used to exploit “Redis Server Unprotected by Password Authentication” and so on.

Next, in order to find the equilibrium strategies for the players, we have made use of a function which works on a variation of the Lemke Howson algorithm. Developed by Carlton E. Lemke [23] and J.T. Howson, the algorithm is considered to be one of the most efficient algorithms used for calculating Nash Equilibrium for a two player bi-matrix game. This function derives the mixed strategy Nash Equilibria for our cyber war game. The output of the function is a 2-dimensional array which stores the probabilities that the defender and the attacker should associate with each action [24]. If there is a
pure strategy Nash equilibrium, i.e. there is a particular row for the row player (defender) which dominates all the other rows of the payoff matrix of the defender or, similarly, a column for the column player (attacker) which dominates all the other columns of the attacker’s matrix, then the output of the function assigns a probability of 1 to that row or column [25].

For example, for a network with one node and three vulnerabilities, the output (1, 0); (0.6, 0.2, 0.2) means that the defender should always play its first action (should always defend) and the attacker should exploit the first vulnerability with a probability of 0.6 and the second and the third vulnerability with a probability of 0.2 each. In the next step, we scan the row of the adjacency matrix of the present node. It will give us the nodes that can be reached through the present node. Next, we repeat the same game theory model to obtain the optimum strategy for attacker and defender. We continue till we reach the leaf nodes of the attack graph.

VII. CONCLUSION AND FUTURE SCOPE

The increasing number of cyber-attacks on assets containing confidential data poses a great threat to the world we are living in. In order to reduce the risk to our machines from the ever-improving network savvy attackers, we need more and better development in the realm of cyber security. Our interdisciplinary model is one such step towards building an improvised network security application. The inclusion of game theory in the cyber security scenario can prove fruitful in the longer run as game theory is, so far, the best scientific domain which can assist in understanding competitive interactions between players. Our model assists the defender in deciding whether to take action or not and can easily be extended to incorporate more actions. As a natural extension to the present research, the game could be modelled as a Stochastic Markov Process. As, in the realm of cyber war, the interaction of the two players is consistent, the probabilities of attack and attacker/defender action could be modelled as a Bayesian belief network.

ACKNOWLEDGEMENT

We sincerely thank Director, ISSA for his constant support and able guidance to conduct such research and for permitting us to publish and present the paper at the conference.

REFERENCES

[1] Swiler L P, C Phillips, D Ellis and S Chakerian, "Computer Attack Graph Generation Tool," in DARPA Information Survivability Conference, 2001.
[2] S. Tadelis, Game Theory: An Introduction, Princeton and Oxford: Princeton University Press, 2013.
[3] Samuel N Hamilton, Wendy L Miller, Allen Ott, O. Sami Saydjari, "The Role of Game Theory in Information Warfare," in 4th Information Survivability Workshop (ISW-2001/2002), Vancouver, 2002.
[4] First.org, "CVSS Scoring Scheme: Specification Document," First.org, 2015.
[5] Tenable, "Nessus Vulnerability Scanner," [Online]. Available: https://www.tenable.com/products/nessus-vulnerability-scanner.
[6] Applied Game Theory and Strategic Behaviour, Taylor and Francis, 2010.
[7] Alpcan, Tansu and Tamer Basar, "A Game Theoretic Approach to Decision and Analysis in Network Intrusion Detection," in 42nd IEEE Conference on Decision and Control, Maui, 2003.
[8] Palvi Aggarwal, Cleotilde Gonzalez, Varun Dutt, "Cyber Security: Role of Deception in Cyber Attack Detection," in Advances in Intelligent System and Computing, 2016.
[9] Zahid Maqbool, Nidhi Makhijani, V S Chandrashekhar Pammi and Varun Dutt, "Effects of Motivation: Rewarding hackers for undetected attacks cause Analysts to Perform Poorly," Human Factors, pp. 1-12, 2016.
[10] Changchun Wang, Changhui Shi, Chong Wang, Ying Fu, "An Analyzing Method for Computer Network Security Based on Markov Game Model," pp. 454-458, 2016.
[11] Karel Durkota, Viliam Lisy, Branislav Bosansky, Christopher Kikintveld, "Optimal Network Security Hardening Using Attack Graph Games," in International Joint Conference on Artificial Intelligence (IJCAI 2015), 2015.
[12] Keywhan Chung, et al., "Game Theory with Learning for Cyber Security Monitoring," in International Symposium on High Assurance Systems Engineering, 2016.
[13] Yu Liu, Cristina Comaniciu, Hong Man, "A Bayesian Game Approach for Intrusion Detection in Wireless Ad-hoc networks," in GameNets '06 Proceeding from the 2006 workshop on Game theory for communications and networks, Pisa, Italy, 2006.
[14] Wing, Kong-wei Lye and Jeannette, "Game Strategies in Network Security," School of Computer Science Carnegie Mellon University, Pittsburgh, PA 15213, 2002.
[15] Karel Durkota, et al., "Case Studies of Network Defense with Attack Graph Games," IEEE Intelligent Systems, pp. 24-30, 2016.
[16] Yu Liu, Cristina Comaniciu, Hong Man, "A fictitious play-based response strategy for multistage intrusion defense system," Security and Communication Network, pp. 473-491, 2013.
[17] Yi Luo, Ferenc Szidarovszky, Youssif Al-Nashif, Salim Hariri, "Game Theory Based Network Security," Journal of Information Security, pp. 41-44, 2010.
[18] Andrew Fielder, et al., "Game Theory Meets Information Security Management," International Federation for Information Processing, pp. 15-29, 2014.
[19] Kien C. Nguyen, Tansu Alpcan and Tamer Basar, "Security Games with Incomplete Information," UIUC, 2008.
[20] Jorma Jormakkal and Jarmo V. E. Molsa, "Modelling Information Warfare as a Game," Journal of Information Warfare.
[21] P. K. Mishra, "Cyber Defence Response: An approach towards defending cyber assets," in National Conference on Cyber Security, Pune, 2012.
[22] You, Xia Zheng and Zhang Shiyong, "A Kind of network security behavior model Based on game theory," in Parallel and Distributed computing, application and Technologies, Chengdu, China, 2003.
[23] J. Lemke C. E. and J. T. Howson, "Equilibrium Points of Bimatrix Games," Journal of the Society for Industrial and Applied Mathematics, 1964.
[24] L. S. Shapley, "A note on the Lemke-Howson algorithm," Pivoting and Extension: Mathematical Programming Studies, pp. 175-189, 1974.
[25] Bruno Codenotti, Stefano De Rossi, Marino Pagan, "An experimental analysis of Lemke-Howson algorithm".
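
The payoff rules of Section VI applied to the Table II node, as an added example in Python rather than the authors' MATLAB program. It solves by best-response enumeration, not Lemke-Howson; the CVSS list and C = 5 are read back from Table II, and all function names are illustrative.

```python
# Added example, not the authors' MATLAB program. Payoff matrices are built as
# Section VI describes, then solved by best-response enumeration (not Lemke-Howson).

ROWS = ("Defend", "No defence")

# Read back from Table II: Defend = CVSS + C and No defence = -CVSS, so C = 5.
TABLE_II_CVSS = [7.8, 7.5, 6.4, 5.0, 5.0, 5.0, 5.0]
TABLE_II_C = 5.0  # same additional component for every action in Table II


def build_payoffs(cvss, cost):
    """Return (defender, attacker) 2 x n matrices; row 0 = Defend, row 1 = No defence."""
    defender = [[round(s + cost, 1) for s in cvss], [round(-s, 1) for s in cvss]]
    attacker = [[round(-(s + cost), 1) for s in cvss], [round(s, 1) for s in cvss]]
    return defender, attacker


def dominant_row(defender):
    """Index of a row strictly better than every other row in every column, else None."""
    for r, row in enumerate(defender):
        others = [o for i, o in enumerate(defender) if i != r]
        if all(row[j] > o[j] for o in others for j in range(len(row))):
            return r
    return None


def pure_nash(defender, attacker):
    """All (row, col) cells where neither player gains by deviating alone."""
    n_rows, n_cols = len(defender), len(defender[0])
    cells = []
    for r in range(n_rows):
        for c in range(n_cols):
            row_best = defender[r][c] >= max(defender[i][c] for i in range(n_rows))
            col_best = attacker[r][c] >= max(attacker[r])
            if row_best and col_best:
                cells.append((r, c))
    return cells


def equilibrium(defender, attacker):
    """(defender_probs, attacker_probs) when the defender has a dominant row.

    The defender plays that row with probability 1; every mix over the attacker's
    best-response columns is then an equilibrium, and the uniform one is returned.
    Returns None when no row dominates (a mixed solver such as Lemke-Howson is needed).
    """
    r = dominant_row(defender)
    if r is None:
        return None
    best = max(attacker[r])
    support = [c for c, v in enumerate(attacker[r]) if v == best]
    d_probs = [1.0 if i == r else 0.0 for i in range(len(defender))]
    a_probs = [1.0 / len(support) if c in support else 0.0
               for c in range(len(attacker[r]))]
    return d_probs, a_probs


if __name__ == "__main__":
    D, A = build_payoffs(TABLE_II_CVSS, TABLE_II_C)
    for name, row in zip(ROWS, D):
        print(f"{name:<11}", row)
    print("pure equilibria:", [(ROWS[r], f"A{c + 1}") for r, c in pure_nash(D, A)])
    print("strategy:", equilibrium(D, A))
```

For Table II the Defend row dominates, because CVSS + C exceeds -CVSS in every column, so the defender's probabilities are (1, 0) and the attacker mixes over A4 to A7.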
