Modeling and study of defense outsourcing against advanced persistent threat through impulsive differential game approach
Cited by: 1
Authors:
Qin, Yang [1]
Yang, Xiaofan [1]
Yang, Lu-Xing [2]
Huang, Kaifan [1]
Affiliations:
[1] Chongqing Univ, Sch Big Data & Software Engn, Chongqing 400044, Peoples R China
[2] Deakin Univ, Sch Informat Technol, Melbourne, Vic 3125, Australia
Advanced persistent threat (APT) poses a serious threat to organizations with rich digital assets. APT detection programs designed for quickly finding possibly hijacked hosts are now commercially available. This greatly reduces the workload of APT defense. In practice, the identification and repair of APT-hijacked hosts are beyond a system administrator's capability and have to be outsourced to an established cybersecurity firm. Owing to the limited security budget, the APT defense can be outsourced only in a small number of maintenance periods. We refer to the sequence of outsourcing costs paid in these maintenance periods as an impulsive defense (ID) strategy. On the other hand, APT is time-continuous. We refer to the growth rate function of the attack cost over time as a continuous attack (CA) strategy. In the context that the APT actor is strategic and pursues a cost-effective CA strategy, the organization faces the problem of finding a cost-effective ID strategy (the single-impulsive defense (SID) problem). This paper addresses the SID problem through game-theoretic modeling. Based on an impulsive state evolutionary model, the SID problem is boiled down to a single-impulsive differential game model (the SID model). By applying single-impulsive differential game theory, an iterative algorithm for solving the SID problem is presented. The ID strategy obtained by running the algorithm is corroborated to be cost-effective under the Nash equilibrium solution concept. Therefore, we recommend the ID strategy. This work takes the first step toward the theoretic study of APT defense outsourcing in the presence of a strategic attacker.