The document discusses duplicity games and mechanism design for cyber deception to mitigate insider threats. It proposes a game theoretic model where a defender designs a feature generator to manipulate a user's beliefs and incentivize secure actions. The generator includes components for belief manipulation and incentive modulation. The design ensures the user has no incentive to deviate from the recommended security policy. Principles are discussed for jointly designing the generator, belief manipulator, and incentive modulator to manage incentives and achieve deterrence.

1. Duplicity Games for Deception Design With an
Application to Insider Threat Mitigation
Linan Huang and Quanyan Zhu
2022 INFORMS Annual Conference
October 17, 2022

6. Source: https://www.secureworld.io/industry-news/tesla-hacker-charges-arrested

7. Failure of Boundary Defense
Insider Threats

8. Challenge 1: Perimeter defense does not work.
Challenges of Insider Threats
Solution: Zero-Trust architecture

9. Challenge 2: Asymmetric information
Challenges of Insider Threats
Solution: Cyber deception

10. Challenge 3: False positive from negligent legitimate users
Challenges of Insider Threats
Solution: Compliance and mechanism design

11. Game between a defender and an unknown user

12. State 𝑥 ∈ 𝑋
Feature pattern 𝑠 ∈ 𝑆
• Protocols
• Ports
• Response time
• Error response
𝜋1 1 − 𝜋1 1 − 𝜋2
𝜋2
𝑏 1 − 𝑏
Feature
Generator 𝜋
𝑠1 𝑠2 𝑠1 𝑠2
Incorporating Cyber Deception into the Game Model

13. 𝜋1 1 − 𝜋1 1 − 𝜋2
𝜋2
𝑏 1 − 𝑏
User’s
posterior
belief 𝑏𝑝(𝑠1) 1 − 𝑏𝑝(𝑠1) 𝑏𝑝
(𝑠2) 1 − 𝑏𝑝(𝑠2)

14. User’s
posterior
belief 𝑏𝑝
(𝑠1) 1 − 𝑏𝑝(𝑠1)
User’s action
𝑎 ∈ 𝐴
User’s utility
𝑣𝑈(𝑡𝑦𝑝𝑒, 𝑠𝑡𝑎𝑡𝑒, 𝑎𝑐𝑡𝑖𝑜𝑛)
User’s type
𝜃 ∈ Θ
−$$ $$
−$ $$$

15. 𝜋1 1 − 𝜋1 1 − 𝜋2
𝜋2
𝑏 1 − 𝑏
𝑏𝑝(𝑠1) 1 − 𝑏𝑝(𝑠1) 𝑏𝑝(𝑠2) 1 − 𝑏𝑝
(𝑠2)
−$$ $$
−$ $$$
…
Feature Generator
𝜋
Belief Manipulator
𝑏, 𝑏𝑈
Incentive Modulator
𝑐

16. There is a need for a theory for Cyber Deception Mechanism Design.
Theory can go beyond the design of generator.
• Belief/Trust Manipulator: e.g., changing honeypot percentage
• Feature Generator: e.g., configuring honeypots and normal servers
• Incentive Modulator: e.g., using multi-step authentication
How to Design the Generator?

17. Duplicity Game for Mechanism Design

18. Cyber deception (with focus on honeypots):
Evasion risk [Spitzner 2003], Intelligence [Wagener et al. 2009, 2011], Engagement [Pawlick et
al.19’], Detection risk [Dowling et al. 2019], Resource consumption [Akiyama et al. 2012], False
positives [Qassrawi & Zhang 2010] , Strategic design [Pawlick et al. 2021], etc.
Compliance and mechanism design:
Insider Threat Mitigation Guide [CISA 2020]; The Critical Role of Positive Incentives for Reducing
Insider Threats [CERT/CMU 2016]
Mitigating inadvertent insider threats with incentives [Liu et al. 2009]; Compliance control [Casey, et
al. 2015], ZETAR [Huang and Zhu 2022]; etc.
Literature

19. Generator Design Problem: Defender’s Problem
The defender designs a utility-maximizing generator so that the user has no
incentive to deviate from the recommendation.

20. Dual Formulation: User’s Problem
The user minimizes his expected effort to satisfy the defender’s security objective.

21. User’s action
𝑎 ∈ 𝐴
User’s type
𝜃 ∈ Θ
K actions and M types 𝐾𝑀 possible security policies
Only 𝜒(𝐾, 𝑀, 𝑁) are enforceable.
−$$ $$
−$ $$$
Always exists one optimal generator that only relies on 𝑁 security policies.
Feasibility of Generators: Enforceable Policies

22. • Incentive Threshold (IT): Uncontrollable if the majority of insiders are adversarial.
• Deterrence Threshold (DT): Uncontrollable if there is an insufficient number of honeypots.
Incentive
Threshold
Deterrence
Threshold
How does the percentage or probability of honeypots and (negligent) insiders
affect defender’s utility?

23. If < IT && <DT, then the design of the generator is insufficient to deter an insider.
Zero Trust Margin → Cannot be incentivized
Deterrence Capacity

24. Defender’s utility structure = user’s utility structure
Defender’s utility structure = -user’s utility structure
No deception needed: Reveal full information
Maximum deception needed: Reveal zero information
Manageability of Incentive Modulator: Designing the Reward

25. No deception needed: Reveal full information
Maximum deception needed: Reveal zero information
Defender’s utility structure = 𝜌𝑠 user’s utility structure + 𝜌𝑑
Only the sign of 𝜌𝑠 matters.
𝜌𝑠 > 0
𝜌𝑠 < 0
Manageability under Linearly dependent utility structure

26. Principles for Joint Design of GMM
Extension to Multi-Dimensional Mechanism Designs
The defender can design reward independently.
Separation Principle
Design Information + Trust = Design Trust
Equivalence Principle

27. Fast Learning for Finite-Step Mitigation

28. • Duplicity game for designing cognitive honeypots
• Strategic and incentive-compatible Insider threat mitigation
• Enforceability, manageability, and deterrence
• Online and learning-based implementation
Conclusions
Huang, L. and Zhu, Q., 2021. Duplicity games for deception design with an application to insider threat
mitigation. IEEE Transactions on Information Forensics and Security, 16, pp.4843-4856.

29. Five Generations of Security Paradigms
1G-SP: Laissez-Faire Security
2G-SP: Perimeter Security
3G-SP: Reactive Security
4G-SP: Proactive Security
5G-SP: Federated Security
Five Generations of Security Paradigms (SPs)

30. 4G-SP: Proactive Security 5G-SP: Federated Security
Emergence of AI-Powered Attacks
Incorporate AI and system science to develop cognitive honeypots for 5G-SP
Consolidation of Strategic, Proactive,
and Autonomous Defense

31. Contact: Quanyan Zhu
Email: qz494@nyu.edu