Optimal Defense Policies for Partially Observable Spreading Processes on Bayesian Attack Graphs

2015 
The defense of computer networks from intruders is becoming a problem of great importance as networks and devices become increasingly connected. We develop an automated approach to defending a network against continuous attacks from intruders, using the notion of Bayesian attack graphs to describe how attackers combine and exploit system vulnerabilities in order to gain access and progress through a network. We assume that the attacker follows a probabilistic spreading process on the attack graph and that the defender can only partially observe the attacker's capabilities at any given time. This leads to the formulation of the defender's problem as a partially observable Markov decision process (POMDP). We define and compute optimal defender countermeasure policies, which describe the optimal countermeasure action to deploy given the current information.
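The setting the abstract sketches, as an added worked example that is not code from the paper: a three-host Bayesian attack graph on which the attacker spreads probabilistically each step, a defender who sees only noisy IDS alerts, an exact Bayesian belief over the set of compromised hosts, and a countermeasure chosen from that belief. The graph, exploit probabilities, alert rates, countermeasure cost and the one-step myopic policy are all assumptions made here for illustration; the paper computes full POMDP-optimal policies, which this greedy rule only approximates.

```python
"""Toy partially observable spreading process on a Bayesian attack graph.
Constructed example: graph, rates and the myopic policy are assumptions,
not the paper's model or solver."""
from itertools import product

# Assumed attack graph: node 0 is the attacker's foothold and is always
# compromised.  PARENTS[n] lists (parent, exploit success probability);
# a node is compromised once any compromised parent exploits it (OR-node).
PARENTS = {
    1: [(0, 0.6)],             # internet -> web server
    2: [(1, 0.5)],             # web server -> database
    3: [(1, 0.4), (2, 0.7)],   # web server or database -> file server
}
NODES = sorted(PARENTS)
TP, FP = 0.8, 0.1   # assumed IDS alert rates on compromised / clean hosts
COST = 0.3          # assumed cost of deploying one countermeasure


def transition(state, blocked=None):
    """P(next compromised set | current set `state`, node `blocked`).
    Blocking a node makes every exploit against it fail for one step;
    exploits originate only from nodes compromised at the step start."""
    probs = {}
    for n in NODES:
        if n in state:
            probs[n] = 1.0
        elif n == blocked:
            probs[n] = 0.0
        else:
            survive = 1.0
            for par, p in PARENTS[n]:
                if par == 0 or par in state:
                    survive *= 1.0 - p
            probs[n] = 1.0 - survive
    dist = {}
    for bits in product((0, 1), repeat=len(NODES)):
        pr, nxt = 1.0, set()
        for n, b in zip(NODES, bits):
            pr *= probs[n] if b else 1.0 - probs[n]
            if b:
                nxt.add(n)
        if pr > 0.0:
            dist[frozenset(nxt)] = dist.get(frozenset(nxt), 0.0) + pr
    return dist


def likelihood(state, alerts):
    """P(alerts | state); alerts maps node -> True if the IDS fired."""
    pr = 1.0
    for n in NODES:
        p_alert = TP if n in state else FP
        pr *= p_alert if alerts.get(n, False) else 1.0 - p_alert
    return pr


def predict(belief, blocked=None):
    """Push the belief through one attacker step (prediction half)."""
    out = {}
    for s, b in belief.items():
        for s2, p in transition(s, blocked).items():
            out[s2] = out.get(s2, 0.0) + b * p
    return out


def update(belief, alerts):
    """Bayes-correct the belief with this step's alerts."""
    post = {s: b * likelihood(s, alerts) for s, b in belief.items()}
    z = sum(post.values())
    return {s: b / z for s, b in post.items()}


def marginal(belief, node):
    """P(node compromised) under the belief."""
    return sum(b for s, b in belief.items() if node in s)


def expected_loss(belief, blocked):
    """Expected number of compromised hosts after one more attacker step,
    plus the countermeasure cost (myopic one-step criterion)."""
    nxt = predict(belief, blocked)
    cost = COST if blocked is not None else 0.0
    return sum(b * len(s) for s, b in nxt.items()) + cost


def choose_action(belief):
    """Myopic policy: block the node minimising one-step expected loss
    (a stand-in for the paper's POMDP-optimal policy)."""
    return min([None] + NODES, key=lambda a: expected_loss(belief, a))


def demo():
    belief = {frozenset(): 1.0}          # only node 0 compromised
    first = choose_action(belief)        # 1: pre-empt the web server
    belief = predict(belief)             # suppose no countermeasure was deployed
    belief = update(belief, {1: True})   # IDS alert on the web server only
    second = choose_action(belief)       # 2: now cut the web server -> database edge
    return first, marginal(belief, 1), second


if __name__ == "__main__":
    print(demo())
```

With nothing yet observed the cheapest move is to harden the entry host; after a single web-server alert the posterior that it is compromised rises to 12/13 and the same rule shifts to protecting the database behind it. The exact enumeration over 2^|NODES| states is fine for a toy graph but is exactly what forces the POMDP solvers the paper relies on for realistic ones.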