A Stackelberg game based deception defense strategy against APT under resource constraints

The advanced persistent threat (APT) has become a major challenge in cybersecurity due to its concealment, persistence, and complexity. Traditional passive defense methods, owing to their static and reactive characteristics, struggle to provide sufficient protection against APT attacks. By contrast, active defense solutions have gained increasing attention due to their ability to shift the defender from passivity to taking the initiative. Deception defense is a widely used active defense method to prevent threats in advance by deploying deception resources. Despite its development, existing deception methods often assume that the defender and the APT attacker take actions simultaneously. In practice, due to his advanced nature, the APT attacker can first observe the defender's strategy through reconnaissance and then make his best responses to the defender's strategy. In this paper, we develop a game model to accurately characterize this worst-case scenario from the defender's perspective. Specifically, we establish a Stackelberg game, called cyber deception Stackelberg game (CDSG), where the defender first announces the allocation strategy of limited deception resources to a set of services with the anticipation that the APT attacker will best respond to her strategy, and the attacker determines his action after observing the defender's strategy. In the game model, we also consider that different types of deception resources have varied probabilities of successfully capturing the APT attacker. Given the game model, we then devise a gradient descent based algorithm to solve CDSG for the equilibrium, which offers the defender a robust deception resource allocation strategy. Finally, experiments are conducted to verify the effectiveness of the deception defense strategy in defending against APT attackers and its superiority over several baselines.