Design of security protection and management systems based on game theory

Serhii Toliupa 1,*,†, Serhii Buchyk 1,†, Volodymyr Nakonechnyi 1,†, Mykola Brailovskyi 1,† and Serhii Shtanenko 2,†

1 Taras Shevchenko National University of Kyiv, 60 Volodymyrska str., 01601 Kyiv, Ukraine
2 Military Institute of Telecommunication and Information Technologies named after the Heroes of Kruty, 45/1 Knyaziv Ostrozkyh str., 01011 Kyiv, Ukraine

CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
∗ Corresponding author. † These authors contributed equally.
tolupa@i.ua (S. Toliupa); buchyk@knu.ua (S. Buchyk); nvc2006@i.ua (V. Nakonechnyi); bk1972@ukr.net (M. Brailovskyi); shsergei@ukr.net (S. Shtanenko)
ORCID: 0000-0002-1919-9174 (S. Toliupa); 0000-0003-0892-3494 (S. Buchyk); 0000-0002-0247-5400 (V. Nakonechnyi); 0000-0002-3148-1148 (M. Brailovskyi); 0000-0001-9776-4653 (S. Shtanenko)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings, ceur-ws.org, ISSN 1613-0073

Abstract

Currently, much attention is paid to the issues of information security. Telecommunication systems, which have been actively developing recently, are the arteries of modern global information systems. The information circulating in such systems is of significant value and is therefore vulnerable to various violations and abuses. The development of network technologies is accompanied by increased requirements for information security and the choice of the optimal level of protection systems. Many researchers propose to use the game theory framework as a mathematical basis for designing, building, and analyzing information security systems. Game theory is a formal approach designed to analyze the interaction between several participants in a process that have different interests and make decisions. The use of game theory in modeling decision-making processes has various approaches that are currently not systematic and sometimes contradict each other. Therefore, there is a need to develop methods of rapid (adaptive) information security management, depending on the availability of a priori information about the possibility of attacks by an attacker and the strategy implemented by him to create unauthorized access to an information resource. Game theory allows us to offer recommendations for creating a strategy for managing the operation of security and intrusion prevention systems.

Keywords

information security, game theory, optimal strategy, system security, offender system, decision-making, intrusion detection system, attack

1. Introduction

In this paper, we will consider two approaches to the application of game theory: the use of game theory methods to optimize the choice of information security and security management. In many situations, while designing information security systems, there can be a need for the development and implementation of decisions in conditions of uncertainty. Uncertainty may have a different nature. So, uncertain are the planned actions of the hackers which aim to decrease the efficiency of protection systems; uncertainty can refer to situations of risk in which the information management system, which makes decisions on the implementation of the protection system, can establish not only all possible outcomes of decisions but the probability of possible conditions of their appearance. Design conditions affect the decision-making subconsciously, regardless of the actions of the subject that makes a decision. When aware of all the consequences of possible solutions, but without knowing their accuracy, it is clear that decisions are made in conditions of uncertainty.

The basic perspective of the analysis theory of the decision-making processes at the design stage of information protection systems is game theory. The application of game theory in modeling the decision-making processes has different approaches, which currently are not systematic and sometimes collide between themselves. Therefore, the study of this subject is an actual scientific issue.

2. The main part

Despite significant advances in information security, there are still difficulties in preventing intrusions into the network information system. An analysis of network attacks shows that protection actions are most often taken after the service performance has already been affected. This is due to the difficulty of assessing the future scale of the attack and applying the appropriate defense measure [1, 2].

To increase the accuracy of attack prediction and detection, an intrusion detection system must collect heterogeneous information about the protected system, as well as store and process a large amount of data. Using a filtering system in the absence of an attack results in a decrease in server performance and possible false filter triggering. Quite often, the creation of an effective protection system is faced with insufficient computing power. Thus, the task of optimizing the resources spent on maintaining the performance of the system of protection against network attacks at a high level arises [3, 4].

One of the solutions to this problem is to minimize the resources spent on maintaining information security at times when the activity of the attacker is insignificant. To this end, an intrusion detection system should use dynamic methods that allow for prompt detection and prevention of security breaches, i.e., the information security system should use a mathematical model that allows for the selection of the necessary set of security tools at any given time, providing reliable protection and at the same time requiring a minimum amount of resources.

In recent years, domestic and foreign works have shown a tendency to expand the existing mathematical approaches to the selection of information security system parameters. For example, various authors propose the following mathematical methods for analyzing and optimizing an information security system [5, 6]: methods of mathematical statistics; methods based on the use of Petri nets; mathematical apparatus of the theory of random processes; methods based on the theory of automata; methods based on the theory of fuzzy sets; methods based on the use of neural networks; methods of expert systems; mathematical apparatus of game theory [7, 8].

Statistical intrusion detection methods apply a well-proven mathematical statistics apparatus to the behavior of the subjects of the analyzed system. First, statistical profiles are formed for all subjects. The components of such a profile may include various parameters, such as total traffic per unit of time, the number of denials of service, the ratio of incoming traffic to outgoing traffic, the number of unique requests to the system, etc. Any deviation from the reference profile is considered a security breach. The main disadvantages of this approach are the following. First, intrusion detection systems based on statistical methods are not sensitive to the order of events in the protected system: in some situations, the same events, depending on the order of their occurrence, may be characteristic of abnormal or normal activity. Secondly, in some cases, it can be difficult to set thresholds for the monitored characteristics to identify anomalous activity. Underestimating the threshold leads to false positives, and overestimating it leads to missed intrusions. In addition, the attacker often uses individual approaches for each defense system, which makes the use of statistical methods less effective [9].

2.1. Design of security protection

Any information processing system consisting of various hardware and software tools can be viewed as a unique complex with its characteristics. The complexity of the effective dynamic formation of observation parameters lies in the fact that the size of the search area exponentially depends on the power of the initial set of observed parameters.

Various intelligent methods can be used in intrusion detection systems to generate a set of observed parameters.

Many researchers propose to use the game theory framework as a mathematical basis for designing, building, and analyzing information security systems. Game theory is a formal approach designed to analyze the interaction between several participants in a process that have different interests and make decisions.

Any information security system involves two parties: the attacking party and the defending party (information security system), which have opposing interests. In [5], it is proposed to use the mathematical apparatus of game theory to solve the problem of choosing means of protection against unauthorized access to information in an automated system. The mathematical formulation of the problem in the form of a linear programming problem with Boolean variables is also performed there. In the mathematical formulation, the cost of protection means is introduced. The constraints of the task take into account the requirements of the classes of protection against unauthorized access in automated systems.

In [8], an overview of theoretical game methods used in solving information security problems is given. The paper considers an approach to designing intrusion detection systems using the mathematical apparatus of matrix games for two players. The proposed model takes into account the cost of system resources for organizing protection.

Paper [6] considers the possibilities of using multi-step games with incomplete information in building systems of protection against DoS attacks. It is proposed to present the problem in the form of a game of two parties: the defending party (A) and the attacking party (B). The task of the defending party is to minimize its losses due to the actions of the attacking party. The task of party B is to maximize profit. The paper points out that the main feature of such a game is that functions describing the behavior of the parties in the short term are used as strategies. It is proposed to select a variety of functions for each task individually, based on statistical data, external constraints, and common sense.

When analyzing the issues of protection against various security threats, it is advisable to consider the actions of two parties: the defense (information system) and the offender. The entirety of security threats can be considered as an intruder: the actions of individuals with different goals, large-scale planned attacks, and accidental impacts on the system. Such models, where there are two or more opposing parties, are typical of game theory [10]. If the options of actions (strategies) of each party are known, as well as the gain (or loss) from each of the options, it is possible to formulate a mathematical model of the situation in the form of a model of a non-coalition antagonistic game (for example, a matrix game). Based on the formulated task, it is possible to obtain optimal strategies for the attacking and defending parties that require a minimum of resources [11].

Consider the interaction between an intrusion detection system and an attacker as a non-coalition endgame. Suppose that the defense party A and the attacker B have a finite number of strategies $n_A$ and $n_B$, which corresponds to reality, since the defense party always has a limitation on the number of possible response options, and the attacker has a limitation on the number of options for organizing an attack.

For example, in [6], it is proposed to use strategies for defense (“ignore suspicious activity”, “increase monitoring”); and for the attacker, many strategies can be considered (“complete the attack”, “continue without pause”, “pause the attack”). A set of player strategies $s = (s_A, s_B)$, where $s_A \in S_A$, $s_B \in S_B$, is a situation from the set of situations. The functions $\omega_A$ and $\omega_B$ of the players' winnings are defined on the set of situations $S = S_A \times S_B$.

The solution to a non-coalition game is an equilibrium situation, but not necessarily in pure strategies. It is known that every finite antagonistic game has at least one equilibrium situation in mixed strategies. When analyzing information security systems, it makes sense to consider mixed strategies under the assumption that the system’s operation lasts for a considerable time, i.e., attack and defense iterations are repeated many times [12]. In this case, the strategies are used by the parties with some non-deterministic regularity and the costs/income accumulate over time. The mixed strategy of players A and B is the full set of probabilities of using their pure strategies:

𝑃 = 𝑝 ,𝑝 ,…,𝑝 ,
𝑃 = 𝑝 ,𝑝 ,…,𝑝 .

In a non-coalition game, each player uses his or her pure strategies independently of the other, so in a mixed situation $p = (P_A, P_B)$ the probability $p(s)$ of the emergence of a situation $s = (s_A, s_B)$ is equal to the product of the probabilities of both players using their pure strategies, i.e. $p(s) = p(s_A, s_B)$.

Let’s find the average win (loss) of players. The mathematical expectation of the win of player A in a mixed situation $p = (P_A, P_B)$ is defined as follows:

$$W_A(p) = w_A(P_A, P_B) = \sum_{s \in S} w_A(s)\, p(s) = \sum_{s_1 \in S_A} \sum_{s_2 \in S_B} w_A(s_1, s_2)\, p_A(s_A)\, p_B(s_B),$$

where $S_A$ and $S_B$ are many possible situations of players A and B, respectively, $w_A$ is the function of the information security system’s gain (or, in fact, loss or cost) if the information security system has chosen a strategy $s_1$, and the offender has chosen the strategy $s_2$.

The player’s (information security system violator’s) winnings are generally determined in the same way.

How can you determine the winnings of players in this case? The intrusion detection system provides a lot of parameters at any given time using sensors [13]. Each attack can be represented as a sequence of iterations. After each step, the intrusion detection system tries to “predict” the next steps of the intruder. Each step of the intruder generates a certain type of activity that can be detected by the system’s sensors. If the analysis unit recognizes the activity as suspicious, the set of basic observed parameters must be expanded. Let the set of additional monitoring parameters be $M = \{x_1, x_2, \ldots, x_n\}$, and the cost of additional resources spent on monitoring them over time $t$ be $C_A(t)$. Let’s assume that the cost of observation is directly proportional to the time of observation. If the monitoring of an extended set of parameters is carried out during the time $t_m$, then the additional observation costs will be

$$C_A(t) = \sum_{i=1}^{n} c_i t_m,$$

where $n$ is the number of additional monitoring parameters, $c_i$ is the cost of monitoring the $i$th parameter. When making a decision to ignore a possible attack, the information security system does not incur the cost of additional monitoring.

Let’s estimate the costs of the information security system violator. If the decision is made to terminate the attack, the attacker does not incur additional costs, and if the decision is made to continue the attack, the attacker’s costs depend on the number $k$ of generated requests to the protected system, $C_B = gk$, where $g$ is the cost of generating one request.

In case of a successful attack, the information security system suffers losses $c_A^*$, and the offender wins $c_B^*$. The costs of the protection system when implementing each of the possible strategies consist of the costs of organizing protection $C_A(t) = \sum_{i=1}^{n} c_i t_m$ and losses from possible security breaches $c_A^*$. Similarly, the gain of the infringer consists of the gain from the breach of the information security system $c_B^*$ and the cost of conducting attacks $C_B$.

For the analyzed intrusion detection system, it is assumed that with the increase of additional monitoring parameters, the probability of detecting an attack increases. However, determining the exact dependence of successful attack detection on the number and set of monitoring parameters, as well as on the monitoring time, requires an experimental study for each type of information security system.

As noted, every finite non-coalition game has at least one equilibrium situation in mixed strategies. The equilibrium situation can be found by standard game theory methods described in [8].

It should also be borne in mind that the peculiarity of the information conflict between the information security operational management system and the offender trying to carry out unauthorized access (UA) is that the opposing parties, who have several ways of acting, can apply them repeatedly, choosing the best way [14, 15] based on information about the actions of the opposing party.

The result at each step of the conflict is not a final state but some payment function. The traditional game approach to the analysis of the violator’s actions fails to take into account multiple steps of conflict and does not reflect the dependence of the modes of action of the parties from the opposite direction, and the known conflict approach based on the calculation of the final probability of system stay in a state of winning to a given point in time does not reflect the multiplicity of actions of the parties and unqualified finality of the conflict at each step [16, 17].

2.2. Information security management

Therefore, there is a need to develop methods for rapid (adaptive) management of information security depending on the availability of a priori information about the possibility of attacks from the intruder and the strategy of creating the UA implemented by him.

To describe the current status of the conflict let’s use the indicator of the security of the system $a_{ij} = P_{sec}$ while implementing in it the $i$th, $i \in I = \{1, 2, \ldots, n\}$, strategy (way) of protection and the application of the $j$th, $j \in J = \{1, 2, \ldots, m\}$, strategy (way) of creating a safety contour; m and n are the number of security strategies and creation of security measure implemented in the SS (security system) and the system of the intruder (SoI) accordingly.

Let’s name the subsystem of operational management of the information protection as Party A and the system to counteract this protection as Party B, and let $a_{ij}$ be the win of Party A (the loss of Party B) in a situation $(i, j)$. The traditional gaming approach to the analysis of security systems assumes that the parties are aware of the matrix of the game and the finite set of strategies of the violator, but it is unknown which strategy is implemented in a particular situation. In this case, a matrix game can be formalized in the situation of a choice of protection strategies under conditions of uncertainty. However, this approach does not reflect the dynamics of conflict and the possibility of a purposeful selection of protection strategies at each step depending on information about the system action of the offender [18]. Therefore, it is proposed to describe the conflict using the model of a stepper matrix game with lag and errors in the awareness of the parties about the actions of the offender (matrix-game process).

Let us denote: $T_{PS}$ ($T_{SoI}$) is the time of a single implementation of its pure strategy by the party A (B); $t_{PS}$ ($t_{SoI}$) is the reaction time of the party A (B), which is equal to the time interval from the start of implementation of the strategy by the party B (A) to the moment of implementation of the appropriate strategy by the party A (B).

We assume that the parties are aware of the game matrix $A = (a_{ij})_{n \times m}$, the sets of active strategies $I$, $J$, and the assessment of the values of $T_{PS}$ ($T_{SoI}$) and $t_{PS}$ ($t_{SoI}$); the matrix of game A is average new and has the solution value of the game $v$ and the optimal vectors of mixed strategies of the parties

A: $P^* = (P_1^*, P_2^*, \ldots, P_i^*, \ldots, P_n^*)$ and
B: $Q^* = (Q_1^*, Q_2^*, \ldots, Q_j^*, \ldots, Q_m^*)$;

during the time of the game $T$ there is no aftereffect, and the sets $I$, $J$ are unchanged.

The method was designed for adaptive changes of parameters and operating modes of the SS according to the game algorithm, depending on the availability of a priori information about the system settings of the offender and strategies for the creation of its attacks on information system (IS) [19].

The essence of the game control algorithm is to compare a large number of possible in these conditions qualitatively different solutions, determining the optimal or best with all the limitations solution and the formation of the corresponding team.

To improve the efficiency in solving the dynamic games the forecasting method is used. One of the possible solutions for games in mixed strategies is, as noted above, the increase in the reaction rate (rate of adaptation) of one of the parties, which improves the efficiency of the strategies.

A common method of solving a matrix game in mixed strategies, i.e., methods of linear programming, becomes much more complicated for matrixes of large dimension. The usage of decomposition methods is not always possible, and iterative solution methods, such as the method of Brown-Robinson, often have a high enough rate of convergence. As an alternative, one can use the method of dynamic programming using the results of short-term and long-term forecasting [20].

Let’s take a look at the algorithm for solving matrix games using dynamic programming. In respect of cases examined long-term forecasting allows with a fairly high degree of reliability to limit the number of possible strategies for the system of the offender and reduce the game matrix. The solution of matrix games in keeping with the principle of forecasting based on the Markov approach is to optimize the conditional strategy of SS for N cycles forward through the predictable strategy of the intruder’s system. It is obvious that with increasing N, the accuracy of the prediction decreases. In this regard, consider the case when N = 1. It is possible to allocate three stages of the algorithm for forming the optimal strategy of the SS.

The system diagram of the game management of the security system is shown in Fig. 1.

[Figure 1: The system of game management (diagram)]

The method of security system management based on the methods of game theory, a block diagram of the algorithm and implementation consist of the following stages (Fig. 2).

The initial data input. You enter the parameters of security measures and channel decision-making  = {i}, and the value of the permissible probability of incorrect decision Per per.

Obtaining information about the actions of the offender’s system. Using one of the methods of monitoring the status of the security system we can determine the strategy or recognize the fact of the system exposure by the intruder.

Determining the version number of the current strategy of the SS. Based on the parameters obtained in the design phase of SS, the initial strategy of the SS according to the characteristics of the remedies is determined.

Determination of the optimal strategy of SS. The problem of optimization of functioning algorithms of the SS is to determine an optimal strategy $a^* \in A^*$, which provides the maximum efficiency of functioning of SS within the required time functioning. To improve the efficiency in solving dynamic games the forecasting method is used.

One of the possible solutions for games in mixed strategies is, as noted above, the increase in the reaction rate (rate of adaptation) of one of the parties, which improves the efficiency of the strategies.

The adoption rate of the SS depends on the ratio $T_{SS} / T_{SoI}$, and the values $T_{SS}$, $T_{SoI}$ depend on the durations of time regulation and of changing the operating modes of protection, which depend on their position at the previous cycle. The duration of the transition of SS from the state of $H_n$ to the state of $H_m$ on regulation stages ($H_n$ and $H_m$ are the vectors of state remedies) is known in advance by a square transit time matrix of any possible (taken from the definition field) state to another possible one:

R( reg ) nm, $N \times M$, $n = \overline{1, N}$, $m = \overline{1, M}$.

The elements of a matrix will be $T_{SS\,reg\,nm}$ included in the $T_{SS\,H}$ at the stage of regulation parameters, changing modes of operation of the system. Then the process of transition from $H_n$ to $H_m$, taking into account possible intermediate states, can be described by a unit of homogeneous Markov chains with discrete states in discrete time. The transition from $H_n(t)$ to $H_m(t+1)$ is an appropriate strategy $a_i \in S_{SS}$. The same offender’s system status in the transition is defined as $H_{PS\,n}(t)$ and $H_{PS\,m}(t+1)$.

Therefore, the task of conditional optimization of time of adaptation on the phase of adjustment consists of choosing such a strategy $a^*$ at cycle $(t+1)$, in which:

$$T_{SS}((t+1), a^*) = \min_{a_i \in S_{SS}} T_{SS}(H_n(t), H_m(t+1), a_i);$$
$$T_{SS}((t+2), a^*) = \max_{a_i \in S_{SS}} T_{SS}(H_{SS\,n}(t+1), H_{SS\,m}(t+2), a_i),$$

considering that TSS  TPS this happens in the process of making the game solving through the introduction of $k^a$ in the calculation of the matrix elements.

The numerical accuracy of the intended value of a win function is set to some ratio of the prediction error

$$k_{pr}(t+1/t) = \frac{\hat{\Phi}(t+1)}{\Phi_{RL}(t+1)},$$

where $\Phi_{RL}(t+1)$ is calculated when reaching $(t+1)$ as a result of monitoring. So, in the case of an unchanged SoI strategy with $\Phi(t)$ for several cycles, the correction is $\Phi(t+1)$ due to $k_{pr}(t+1/t)$ that is a part of the coefficient $\beta_m(t+1)$. This eliminates a systematic error in the calculation of the values of $\Phi(t)$ and somehow influences the choice of $a^*(t+1)$ while solving matrix games.

Since the coefficient prediction error is inverse to the factor of awareness $k^a_{inf}$, the function is $f(k^a_{inf}) = k_{pr}(t+1/t)^{-1}$. In this case, we have the following problem of conditional optimization: $k^a_{inf} \to \max$, where $a \in S$, with the limitation:

max kinf  kinf
k pr (t + 1/t) = 1   er ,

where  er is some centered random variable with zero mathematical expectation and variance δ², which defines some limit value of the error.

[Figure 2: The block diagram of the algorithm of the methods to control security based on the model of game management. Flowchart blocks: START; 1 Input of initial data ( = {i}); 2 Testing of the security system; 3 Assessment of protective equipment; 4 Determining the number of the initial strategy a(t); 5 Changing the strategy of SS? (Yes/No); 6 Correction k_pr(t+1/t); 7 Formation of optimal conditional strategy a*(t + N/t); 8 Prediction b*(t + N/t); 9 N = N + 1; 10 Formation of optimal strategy a*(t + N); 11 Changing the output data; 12 check of Per against Per per (Yes/No); 13 Management decision; END.]

Consider the algorithm for solving matrix games using dynamic programming. In respect of cases examined long-term forecasting allows with a fairly high degree of reliability to limit the number of possible strategies for the system of the offender in the next management cycles up to 2...4 and to reduce the game matrix. The solution of the matrix game in keeping with the principle of forecasting based on the Markov approach is to optimize the conditional strategy of the SS for N cycles forward through the predictable strategy of the system of the intruder. It is obvious that with increasing N, the accuracy of the prediction decreases. In this regard, consider the case when N = 1. It is possible to allocate three stages of the algorithm for forming the SS optimal strategy.

In the first phase, based on information about the current state of protection, the assumed value of the transition probabilities of SS, which applies to the management cycle t of the strategy system of the intruder $b(t)$, and taking into account previous SS policies, an optimal conditional strategy $a^*(t+1/t)$ is provided:

$$a^*(t+1/t) = \arg\Big[\max_{a \in S_{SS}} P\big(a(t), b(t), H(t)\big)\Big].$$

The second stage solves the problem of prediction strategy that is used at the management cycle t+1 of the SoI and which will ensure the minimization of the functional

$$b^*(t+1/t) = \arg\Big[\min_{b \in S_{REP}} P\big(a^*(t+1), b(t+1)\big)\Big].$$

In the third stage, the optimal strategy of SS management is formed, taking into account the projected system strategy of the offender and the current status of protection measures:

$$a^*(t+1/t) = \arg\Big[\max_{a \in S_{SS}} P\big(a(t+1),\, b^*(t+1/t),\, H(t+1),\, \beta_m(t+1),\, k^a(H(t+1)/H(t))\big)\Big].$$

To improve the reliability of the result the algorithm may be repeated a limited number of times if there is a certain dispersion of the probability distribution of the use of strategies $a_1^*(t+1/t), \ldots, a_n^*(t+1/t)$ and their subsequent evaluation based on the criteria of the benefits that are introduced. In case of impossibility of definition of such a strategy $a^*(t+1)$, in which the losses do not exceed the allowable values, the problem of expanding the set of the admissible SS strategies is solved, then again, $a^*(t+1)$ is defined. Similarly, the SS strategy through conditional optimization of the management strategy of the SS for N steps predicted strategy of SoI is formed. The third stage of the algorithm in this case will look like this:

$$a^{*(N)}(t+N) = \arg\Big[\max_{a \in S_{SS}} P\big(a(t+N),\, b^*(t+N/t+N-1),\, H(t+N),\, \beta_m(t+N),\, k^a(H(t+N)/H(t+N-1))\big)\Big], \quad N = 2, 3, \ldots$$

The Markov chains are used at the second and third stages, which allows calculating the probability of a particular strategy for the next cycle of management and choosing the optimal strategy.

Let’s assume that in the management cycle t the strategy of violator $b_2$ is used. Let’s say the criterion

$$\max_{a_i} P_{i,2}(t) = P_{3,2}$$

selects the strategy $a_3$ (see Table 1).

Simultaneously, the prediction algorithm is implemented. Table 1 shows a simplified example of the predicted transition of the system from the state at cycle t to the state (t+1) based on inhomogeneous Markov chains.

According to the principle of optimality, when finding the optimal solution in a multistage problem, optimizing the choice of management strategy $a(t)$ at each step, regardless of the initial state, should be aimed at optimizing not only this but also all subsequent steps. Considering the prediction for (t+N) steps forward (in this case, no more than three steps), the mechanism of choosing the optimal strategy $a^*(t)$ at cycle t will also be defined by calculating the inverse function of Bellman of the last predicted $N - t + 1$ management cycles. So, for t = N:

$$B_N(H(N-1)) = \max_{a(N) \in I_N(H(N-1))} P_N\big(H(N-1), a(N)\big),$$

where $H(N-1)$ is the SS condition at the $(N-1)$-th management cycle; $a(N)$ is the management strategy at a cycle of N; $I_N(H(N-1))$ is a finite set of admissible strategies at cycle $(N-1)$.

The method of Bellman is used to improve forecast accuracy, the validity of the choice of current strategies, and decision-making support by the management device of the security system.

Table 1
The algorithm of SS predicted state transition

t The process of prediction t+1 1-st stage 2-nd stage 3-rd stage Decision on Probability of transition min (1  P3 j (t  1)) Probability of transition max Pi 2 (t  1) cycle P3 j  1  k N  3 j bj Pi 4  k N  i 4 a1 P31 b1 P14 а1 P32 b2 P24 а2 а3 P33 b3 b4 P34 а3 а12 P34 b4 P44 а4 … … … … P3j аj Pi4 аi4 а3; b2 а2; b4

3. Conclusions

Thus, it is worth noting some peculiarities of using this methodology, which is based on game theory about information security systems.

First of all, the winnings of the players in the mixed situation were determined to be equal to the mathematical expectation of their winnings. This assumes that the players are risk-neutral when the game situation is repeated many times. However, this is not entirely justified when considering defense systems. If an attacker can be considered a risk-neutral player, then the side of the defense is likely irrelevant. Even a one-time breach of the security of a protected system can be critical for it, putting it out of commission for a long time.

Second, the model can use certain data as input parameters. In this case, the possibilities of obtaining different data may be tasks of varying degrees of complexity. For example, if the model uses characteristics of threats, defenses, vulnerabilities, barriers, etc. as input parameters, it is quite difficult to evaluate all these characteristics and determine the relationships between them, which will complicate the practical application of the model in an intrusion detection system.

Furthermore, it is known that a large number of evaluation parameters play a very important role in detecting network intrusions. Therefore, in anomaly detection, one of the main tasks is to select the optimal set of evaluation parameters, which cannot be done using game theory methods. Therefore, it is advisable to use various mathematical methods when building security systems, in particular, intrusion detection systems.

In general, the mathematical apparatus of game theory allows for the analysis of tasks with an antagonistic, repetitive nature, which is typical for information security tasks. The proposed methods make it possible to choose at the initial stage the strategy of actions in the process of operation of the intrusion detection system and reduce the computational costs of data processing in the information security system.

Thus, in the process of constrained optimization with the current game matrix, the conventionally optimal strategy will be formed, defining the phase trajectory of the SS, starting from the final cycle of forecasting t = N to the current value of t.

The main problems with the use of game theory arise in the definition of the function of gain for a particular situation. For tasks that are solved by the security system, the feature of win, first and foremost, needs to reflect the change in the security system.

If this situation is not satisfied with the SS, we should implement measures to increase winnings with certain combinations of modes.

If the attacker deviates from its optimal strategy, the SS has the opportunity to increase its winnings by deviating from the optimal strategy as well.

The results of simulation modeling of the SS functioning process on the proposed game algorithm showed that the additional use of forecasting strategies at N cycles ahead allows improving the efficiency by 5–8%.

the operation of the protection systems. And, at least for certain types of conflicts and matrixes of winnings, these recommendations allow SS to win and improve their technical characteristics.

Analysis of winning, which gets SS in different situations, showed that game theory not only allows us to generate an optimal strategy that can guarantee a certain win but also allows you to issue recommendations for its switching to increase the winnings if the system of the violator deviates from his optimal strategy. When the system of the offender follows his optimal strategy, game theory allows evaluating the situation. If evaluation results are not satisfied, it is necessary to implement measures to change the situation.

References

[1] P. Anakhov, et al., Protecting Objects of Critical Information Infrastructure from Wartime Cyber Attacks by Decentralizing the Telecommunications Network, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3050 (2023) 240–245.
[2] V. Zhebka, et al., Optimization of Machine Learning Method to Improve the Management Efficiency of Heterogeneous Telecommunication Network, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3288 (2022) 149–155.
[3] S. Toliupa, et al., An Approach to Restore the Proper Functioning of Embedded Systems Due to Cyber Threats, in: Information Technology and Implementation (IT&I-2023), vol. 3624 (2023) 301–316.
[4] V. Kazimko, Application of Game Theory for Modeling Information Security Problems, Telecommun. Inf. Technol. 1(74) (2022) 123–134. doi: 10.31673/2412-4338.2022.011524.
[5] C. T. Do, et al., Game Theory for Cyber Security and Privacy, ACM Computing Surveys (CSUR), 50(2) (2017).
[6] R. Hryshchuk, Theoretical Foundations of Modeling of Information Attack Processes using the Methods of Theories of Differential Games and Differential Transformations: Monograph (2010).
[7] D. Bauso, Game Theory: Models, Numerical Methods and Applications, Foundations and Trends in Systems and Control, 1(4) (2014) 379–522.
[8] T. Nguyen, et al., Multistage Attack Graph Security Games: Heuristic Strategies, with Empirical Game-Theoretic Analysis, Security and Communication Networks (2018). doi: 10.1155/2018/2864873.
[9] S. Roy, et al., A Survey of Game Theory as Applied to Network Security, in: 43rd Hawaii International Conference on System Sciences (2010) 1–10.
[10] R. Sankardas, et al., A Survey of Game Theory as Applied to Network Security, Hawaii International Conference on System Sciences (2010).
[11] V. Kazimko, Application of Game Theory for Modeling Information Security Problems, Telecommun. Inf. Technol. 1(74) (2022).
doi: Thus, the theory of games allows us to offer 10.31673/2412-4338.2022.011524. recommendations for creating the management strategy for 340 [12] D. Akinwumi, et al., A Review of Game Theory Approach to Cyber Security Risk Management, Nigerian J. Technol. 36(4) (2017). doi: 10.4314/njt.v36i4.38. [13] E. Borel, La théorie du jeu les équations integrales á yau symétrique. Comptes Rendus de l'Académie, 173 (1921) 1304–1308. [14] S. Shevchenko, et al., Protection of Information in Telecommunication Medical Systems based on a Risk- Oriented Approach, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 158–167. [15] S. Shevchenko, et al., Conflict Analysis in the “Subject-to-Subject” Security System, Cybersecurity Providing in Information and Telecommunication Systems Vol. 3421 (2023) 56–66. [16] S. Shevchenko, et al., Conflicting Subsystems in the Information Space: A Study at the Software and Hardware Levels, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 333–342. [17] V. Astapenya, et al., Conflict Model of Radio Engineering Systems under the Threat of Electronic Warfare, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 290–300. [18] S. Toliupa, T. Babenko, A. Trush, The Building of a Security Strategy based on the Model of Game Management, in: 4th International Scientific-Practical Conference Problems of Infocommunications Science and Technology, PIC S and T 2017 – Proceedings (2017) 57–60. [19] S. Huang, et al., Markov Differential Game for Network Defense Decision-Making Method, IEEE Access, 6 (2018) 39621–39634. [20] T. Nguyen, et al., Multistage Attack Graph Security Games: Heuristic Strategies, with Empirical GameTheoretic Analysis, Security and Communication Networks (2018). doi: 10.1155/2018/2864873. 341
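The three-stage prediction of Table 1 and the backward Bellman recursion over at most three management cycles from the main part, including the step of expanding the admissible SS strategy set, are shown here as an added Python example that is not the authors' code. The gain matrix, the SoI transition probabilities, the switching cost, the `reach` rule that defines the admissible set, the additive recursion used for t < N and the `min_gain` floor (standing in for the allowable-loss limit) are all constructed assumptions.

```python
# Constructed sample data, not taken from the paper.
# GAIN[a][b]: SS gain for one management cycle when SS plays a and the SoI plays b.
GAIN = [[4, 1, 0],
        [2, 3, 1],
        [1, 2, 5]]
# TRANS[b][b2]: assumed probability that the SoI moves from strategy b to b2.
TRANS = [[0.2, 0.7, 0.1],
         [0.1, 0.3, 0.6],
         [0.5, 0.3, 0.2]]
SWITCH_COST = 1  # assumed cost for the SS of changing its own strategy

def predict_soi(b_prev):
    """Stages 1-2: predicted SoI strategy is the one with min(1 - P) in the transition row."""
    row = TRANS[b_prev]
    return min(range(len(row)), key=lambda b: 1 - row[b])

def admissible(state, reach):
    """Finite admissible set for state H = (last SS strategy, last SoI strategy)."""
    a_prev, _ = state
    return [a for a in range(len(GAIN)) if abs(a - a_prev) <= reach]

def bellman(state, t, horizon, reach):
    """Stage 3: return (B_t(H(t-1)), plan a*(t..N)) by backward recursion."""
    a_prev, b_prev = state
    b_next = predict_soi(b_prev)
    best_value, best_plan = None, []
    for a in admissible(state, reach):
        value = GAIN[a][b_next] - (SWITCH_COST if a != a_prev else 0)
        plan = [a]
        if t < horizon:  # at t = N the recursion stops: B_N = max P_N
            future, tail = bellman((a, b_next), t + 1, horizon, reach)
            value, plan = value + future, plan + tail
        if best_value is None or value > best_value:
            best_value, best_plan = value, plan
    return best_value, best_plan

def choose_strategy(state, horizon=3, min_gain=6, reach=1):
    """Pick a*(t); widen the admissible set while the predicted gain is below min_gain."""
    while reach < len(GAIN):
        value, plan = bellman(state, 1, horizon, reach)
        if value >= min_gain:
            return plan[0], value, reach
        reach += 1
    return None  # no admissible strategy keeps the gain above the floor

if __name__ == "__main__":
    print(choose_strategy((0, 0), min_gain=6))  # admissible set as given
    print(choose_strategy((0, 0), min_gain=8))  # forces one expansion of the set
```

`choose_strategy` returns the strategy to apply now, the predicted gain over the horizon and the `reach` that was needed, or `None` when even the widest admissible set stays below the floor.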