Keeping Your Enemies Closer: Shedding Light on the Attacker's Optimal Strategy

Realistically simulating a human attacker can effectively help the defender identify security weaknesses in the network. One important factor that affects the attacker's strategy is the various human characteristics. In this paper, we develop an attack engine, dubbed Attacker-Patience-Experience-Curiosity or APEC for short, to model the attacker's strategy under uncertainty. The proposed model is based on the Partially Observable Markov Decision Process (POMDP) model, taking three familiar characteristics of the attacker into consideration, including: (i) patience towards the target network; (ii) experience with attack tools; (iii) curiosity to develop new attack tools. These characteristics are modeled into the state space, action space, transition function, and reward function in the POMDP model. We further propose the betrayal principle, sunk cost, and "silence speaks volumes" to demonstrate how the attacker's characteristics affect its strategy, and why the attacker's strategy is changed at some specific points. We evaluate the effectiveness of the proposed model over two realistic network scenarios and draw several useful insights.