1. The document proposes using a simple game of hide-and-seek to abstractly model cybersecurity problems. 2. It explores strategies for hiders and seekers in this game, finding that hiders can favor some locations significantly before their behavior becomes exploitable. It also finds little benefit to seekers conducting a partial search based on probability information. 3. Further work is suggested to model more complex hider and seeker behaviors, topologies, and the ability of agents to change strategies dynamically.

1. PlayingHide-And-Seek: An Abstract Game for Cyber Security
1
Martin Chapman
Gareth Tyson
Simon Parsons
Michael Luck
Peter McBurney

2. 2

3. 3

4. Issue:The complexity of research at the
intersection of ABM and Cyber Security
3

5. 4

6. 4

7. 4

8. 5

9. 6

10. 6

11. ? ?
?
?
?
?
?
?
?
?
6

12. ? ?
?
?
?
?
?
?
?
?
6

13. 7

14. 8

15. 8

16. ? ?
?
?
?
?
?
?
?
?
8

17. Claim: A number of different Cyber Security problems
can be abstracted to a simple game of ‘Hide-And-Seek’
9

18. Claim: A number of different Cyber Security problems
can be abstracted to a simple game of ‘Hide-And-Seek’
. . . therefore . . .
We are motivated to explore strategies for seeking (and,
ultimately, hiding) in this game.
9

19. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
10
What is the structure of a H&S game?

20. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
10
What is the structure of a H&S game?

21. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Network
10

22. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Network
Hider
10

23. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Network
Hider Seeker
10

24. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Network
Hider Seeker
10

25. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Hider Seeker
10

26. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Hider Seeker
10

27. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Hider Seeker
10

28. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Hider Seeker
10

29. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Hider Seeker
10

30. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Seeker
10

31. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Hider Seeker
10

32. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
Assuming no knowledge of an opponent it is intuitive to conceal these objects randomly.
Hider Seeker
10

33. Parameters
1. Topology
2. Number of nodes
3. Number of hidden objects
“Nature”
“AgentProperties”
...
In this instance, the best a seeker can do is conduct a random walk.
Hider
Seeker
10

34. Sohowcanwestrategise?
11

35. Sohowcanwestrategise?
In reality, hiders (attackers) are either unable or unwillingto
express randomness [Rubinstein, 1999]
11

36. Sohowcanwestrategise?
In reality, hiders (attackers) are either unable or unwillingto
express randomness [Rubinstein, 1999]
- Bug’s in code
- Human fallibility
- Infrastructure constraints
- Perceived ‘secrecy’ of locations
11

37. Sohowcanwestrategise?
In reality, hiders (attackers) are either unable or unwillingto
express randomness [Rubinstein, 1999]
- Bug’s in code
- Human fallibility
- Infrastructure constraints
- Perceived ‘secrecy’ of locations
Repeatbehaviour
11

38. Hider Seeker
12

39. Hider Seeker
1
v1 v2 v3
2
v5v1 v4
3
v1 v6 v7
v1 v2 v3
v5v1 v4
v1 v6 v7
12

40. Hider Seeker
1
v1 v2 v3
2
v5v1 v4
3
v1 v6 v7
4 ?
v1 v2 v3
v5v1 v4
v1 v6 v7
12

41. Hider Seeker
1
v1 v2 v3
2
v5v1 v4
3
v1 v6 v7
4 ?
v1 v2 v3
v5v1 v4
v1 v6 v7
12

42. Hider Seeker
1
v1 v2 v3
2
v5v1 v4
3
v1 v6 v7
4 ?
v1 v2 v3
v5v1 v4
v1 v6 v7
v1 12

43. Seeker
13

44. Seeker
13

45. 1. How muchof this bias needs to be exhibited before a
hider’s repetitions become exploitable?
2. How many bias nodes need to be included a directed search
to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential
deceptionon the part of the hider?
14

46. 1. How muchof this bias needs to be exhibited before a
hider’s repetitions become exploitable?
2. How
to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential
deception
14

47. 15‘b’timesmorelikelytoselectanode
8
9
11
12
14
15
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95
Hider Bias (b)
Random Exploit (r = 1)
AverageCostofGames(log2)
Onlylookingforonehiddenobject

48. 15
Bias does not have an impact until ~ b = 45
‘b’timesmorelikelytoselectanode
8
9
11
12
14
15
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95
Hider Bias (b)
Random Exploit (r = 1)
AverageCostofGames(log2)
Onlylookingforonehiddenobject

49. 15
Bias does not have an impact until ~ b = 45
‘b’timesmorelikelytoselectanode
8
9
11
12
14
15
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95
Hider Bias (b)
Random Exploit (r = 1)
AverageCostofGames(log2)
Onlylookingforonehiddenobject
If it is costly for a Seeker to employ
a non-random strategy, does not need to do
so below this amount of bias

50. 15
Bias does not have an impact until ~ b = 45
‘b’timesmorelikelytoselectanode
8
9
11
12
14
15
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95
Hider Bias (b)
Random Exploit (r = 1)
AverageCostofGames(log2)
Onlylookingforonehiddenobject
Hider can afford to favour a node significantly
before his behaviour becomes exploitable by
the seeker
If it is costly for a Seeker to employ
a non-random strategy, does not need to do
so below this amount of bias

51. 1. How muchof this bias needs to be exhibited before a
hider’s repetitions become exploitable?
2. How
to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential
deception
16

52. 1. How
hider’s repetitions become exploitable?
2. How many bias nodes need to be included a directed search
to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential
deception
16

53. 17
Lookingformultiplehiddenobjects
12.0
12.5
13.0
13.5
14.0
14.5
15.0
15.5
16.0
16.5
17.0
0 5 10 15 20 25 30 35 40 45 50
Number of High Probability Nodes Included in Search (r)
Random Exploit (0 ≤ r < n)
AverageCostofGames(log2)
Assume‘perfect’informationonopponent
Totalnumberofhiddenobjects

54. 17
Lookingformultiplehiddenobjects
12.0
12.5
13.0
13.5
14.0
14.5
15.0
15.5
16.0
16.5
17.0
0 5 10 15 20 25 30 35 40 45 50
Number of High Probability Nodes Included in Search (r)
Random Exploit (0 ≤ r < n)
AverageCostofGames(log2)
Assume‘perfect’informationonopponent
Totalnumberofhiddenobjects
Probability information only becomes useful when
used to locate almost all hidden objects

55. 17
Little benefit to conducing a search with only partial
knowledge
Lookingformultiplehiddenobjects
12.0
12.5
13.0
13.5
14.0
14.5
15.0
15.5
16.0
16.5
17.0
0 5 10 15 20 25 30 35 40 45 50
Number of High Probability Nodes Included in Search (r)
Random Exploit (0 ≤ r < n)
AverageCostofGames(log2)
Assume‘perfect’informationonopponent
Totalnumberofhiddenobjects
Probability information only becomes useful when
used to locate almost all hidden objects

56. 17
Little benefit to conducing a search with only partial
knowledge
Good news for the hider again: the number of nodes he
can be biased towards, as well as the degree, is highLookingformultiplehiddenobjects
12.0
12.5
13.0
13.5
14.0
14.5
15.0
15.5
16.0
16.5
17.0
0 5 10 15 20 25 30 35 40 45 50
Number of High Probability Nodes Included in Search (r)
Random Exploit (0 ≤ r < n)
AverageCostofGames(log2)
Assume‘perfect’informationonopponent
Totalnumberofhiddenobjects
Probability information only becomes useful when
used to locate almost all hidden objects

57. 1. How
hider’s repetitions become exploitable?
2. How many bias nodes need to be included a directed search
to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential
deception
18

58. 1. How
hider’s repetitions become exploitable?
2. How
to yield maximum performance for the seeker?
3. How should a seeker operate in the face of potential
deceptionon the part of the hider?
18

59. 19
14
15
16
0 5 10 15 20 25 30 35 40 45 50
AverageCostofGames(log2)
Number of High Probability Nodes Included in Search (r)
Random Exploit

60. 19
14
15
16
0 5 10 15 20 25 30 35 40 45 50
AverageCostofGames(log2)
Number of High Probability Nodes Included in Search (r)
Random Exploit
When we don’t know the portion of objects
which are hidden with bias, difficult to strategise
against

61. 19
14
15
16
0 5 10 15 20 25 30 35 40 45 50
AverageCostofGames(log2)
Number of High Probability Nodes Included in Search (r)
Random Exploit
When we don’t know the portion of objects
which are hidden with bias, difficult to strategise
against
r is arbitrary; should be symmetrically random

62. 20

63. 1. Results as heuristics; importance of verification
20

64. 1. Results as heuristics; importance of verification
20
2. Impact of parameters

65. 1. Results as heuristics; importance of verification
20
2. Impact of parameters
3. Importance of data-driven simulation

66. 21

67. 1. The performance of both Hiders and Seekers when
there are a varying number of items to find.
21

68. 1. The performance of both Hiders and Seekers when
there are a varying number of items to find.
21
2. Performance of agents on different topologies (fully
connected, so movement not constrained).

69. 22

70. 1. Hiders who are also constrained by the topology.
22

71. 1. Hiders who are also constrained by the topology.
22
2. ‘Intelligent’ hiders who also track seeker’s
behaviour, if repetitions exist (i.e. start point).

72. 3. Edge by edge probability scores for boththe Seeker
and Hider.
1. Hiders who are also constrained by the topology.
22
2. ‘Intelligent’ hiders who also track seeker’s
behaviour, if repetitions exist (i.e. start point).

73. 23

74. 1. Agents with a ‘strategy portfolio’ who are able to
switch between these strategies on-the-fly.
23

75. 2. Agents with a self-analysis component, allowing
them to judge their own performance, and change
strategy as appropriate.
1. Agents with a ‘strategy portfolio’ who are able to
switch between these strategies on-the-fly.
23

76. PlayingHide-And-Seek: An Abstract Game for Cyber Security
24
martin.chapman@kcl.ac.uk
www.martin-chapman.com