A Game-Theoretic Framework for Network Security Vulnerability Assessment and Mitigation

  • Assane Gueye
  • Vladimir Marbukh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7638)


In this paper we propose and discuss a game-theoretic framework for (a) evaluating security vulnerability, (b) quantifying the corresponding Pareto optimal vulnerability/cost tradeoff, and (c) identifying the optimal operating point on this Pareto optimal frontier. We discuss our framework in the context of a flow-level model of Supply-Demand (S-D) network where we assume a sophisticated attacker attempting to disrupt the network flow. The vulnerability metric is determined by the Nash equilibrium payoff of the corresponding game. The vulnerability/cost tradeoff is derived by assuming that “the network” can reduce the security vulnerability at the cost of using more expensive flows and the optimal operating point is determined by “the network” preferences with respect to vulnerability and cost. We illustrate the proposed framework on examples through numerical investigations.


Nash Equilibrium Network Manager Maximum Cost Security Investment Security Vulnerability 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M.J.G., Levi, M., Moore, T., Savage, S.: Measuring the Cost of Cybercrime. In: 11th Workshop on the Economics of Information Security (June 2012)Google Scholar
  2. 2.
    Fulkerson, D.R., Weinberger, D.B.: Blocking Pairs of Polyhedra Arising from Network Flows. Journal of Combinatorial Theory, Series B 18(3), 265–283 (1975)MathSciNetzbMATHCrossRefGoogle Scholar
  3. 3.
    Gambit. Game theory analysis software and tools @ONLINE (2002),
  4. 4.
    Gordon, L.A., Loeb, M.P.: The Economics of Information Security Investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)CrossRefGoogle Scholar
  5. 5.
    Gueye, A.: A Game Theoretical Approach to Communication Security. PhD dissertation, University of California, Berkeley, Electrical Engineering and Computer Sciences (March 2011)Google Scholar
  6. 6.
    Gueye, A., Lazska, A., Walrand, J., Anantharam, V.: A Polyhedral-Based Analysis of Nash Equilibrium of Quasi-Zero-Sum Games and its Applications to Communication Network Security. Symmetry – Special Issue: Polyhedra (submitted)Google Scholar
  7. 7.
    Gueye, A., Marbukh, V., Walrand, J.C.: Towards a Quantification of Communication Network Vulnerability to Attacks: A Game Theoretic Approach. In: 3rd International ICST Conference on Game Theory for Networks, Vancouver, Canada (May 2012)Google Scholar
  8. 8.
    Gueye, A., Walrand, J.C., Anantharam, V.: Design of Network Topology in an Adversarial Environment. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 1–20. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Laszka, A., Szeszlér, D., Buttyán, L.: Game-theoretic Robustness of Many-to-one Networks. In: 3rd International ICST Conference on Game Theory for Networks, Vancouver, Canada (May 2012)Google Scholar
  10. 10.
    Mcneil, E.J.: Extreme Value Theory for Risk Managers, pp. 93–113. RISK Books (1999)Google Scholar
  11. 11.
    Mell, P., Scarfone, K., Romanosky, S.: A Complete Guide to the Common Vulnerability Scoring System. In: NIST CVSS. National Institute of Standards and Technology (June 2007)Google Scholar
  12. 12.
    Tiwari, R.K., Karlapalem, K.: Cost Tradeoffs for Information Security Assurance. In: 4th Annual Workshop on the Economics of Information Security, WEIS, June 1-3. Harvard University, Cambridge (2005)Google Scholar
  13. 13.
    Wolsey, L.A., Nemhauser, G.L.: Integer and Combinatorial Optimization. Wiley-Interscience (November 1999)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Assane Gueye
    • 1
  • Vladimir Marbukh
    • 1
  1. 1.National Institute of Standards and Technology (NIST)USA

Personalised recommendations