SHARE: A Stackelberg honey-based adversarial reasoning engine

Sushil Jajodia, Noseong Park, Edoardo Serra, V. S. Subrahmanian

Research output: Contribution to journal › Article › peer-review

15 Scopus citations


A "noisy-rich" (NR) cyber-attacker (Lippmann et al. 2012) is one who tries all available vulnerabilities until he or she successfully compromises the targeted network. We develop an adversarial foundation, based on Stackelberg games, for how NR-attackers will explore an enterprise network and how they will attack it, based on the concept of a system vulnerability dependency graph. We develop a mechanism by which the network can be modified by the defender to induce deception by placing honey nodes and apparent vulnerabilities into the network to minimize the expected impact of the NR-attacker's attacks (according to multiple measures of impact). We also consider the case where the adversary learns from blocked attacks using reinforcement learning. We run detailed experiments with real network data (but with simulated attack data) and show that the Stackelberg Honey-based Adversarial Reasoning Engine (SHARE) performs very well, even when the adversary deviates from the initial assumptions made about his or her behavior. We also develop a method for the attacker to use reinforcement learning when his or her activities are stopped by the defender. We propose two stopping policies for the defender: Stop Upon Detection allows the attacker to learn about the defender's strategy and (according to our experiments) leads to significant damage in the long run, whereas Stop After Delay allows the defender to introduce greater uncertainty for the attacker, leading to better defendability in the long run.

Original language: English (US)
Article number: 30
Journal: ACM Transactions on Internet Technology
Issue number: 3
State: Published - Mar 7 2018
Externally published: Yes


  • Adversarial models
  • Computer security
  • Enterprise systems

ASJC Scopus subject areas

  • Computer Networks and Communications

