Security defense against long-term and stealthy cyberattacks
Decision Support Systems (IF 7.5), Pub Date: 2022-12-15, DOI: 10.1016/j.dss.2022.113912
Kookyoung Han, Jin Hyuk Choi, Yunsik Choi, Gene Moo Lee, Andrew B. Whinston

Modern cyberattacks such as advanced persistent threats have become sophisticated. Hackers can stay undetected for an extended time, and defenders do not have sufficient countermeasures to prevent advanced cyberattacks. Reflecting on this phenomenon, we propose a game-theoretic model to analyze strategic decisions made by a hacker and a defender in equilibrium. In our game model, the hacker launches stealthy cyberattacks for a long time and the defender decides when to disable a suspicious user based on noisy observations of the user’s activities. Damages caused by the hacker can be enormous if the defender does not immediately ban a suspicious user under certain circumstances, which can explain the emerging sophisticated cyberattacks with detrimental consequences. Our model also predicts that the hacker may opt to be behavioral to avoid worst cases. This is because behavioral cyberattacks are less threatening and the defender decides not to immediately block a suspicious user to reduce the cost of false detection.




Updated: 2022-12-15