Decision model of optimal active response for network security using partial observable Markov game

He Hu, Changzhen Hu*, Shuping Yao

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-reviewed

4 Citations (Scopus)

Abstract

To address the problem that the traditional passive response model lags behind attacks, and that false alarms and missed alarms frequently lead to inappropriate responses, an active response decision-making model based on the partial observable Markov game (POMG) is proposed. The model generates the attack state transmission graph according to the invasion processes. During an invasion, the model determines the system's belief states from the observed events, taking into account the attacker and the uncertainty of system states, so that the attacks are mapped to the nodes of the attack state transmission graph. Sub-graphs of the attack state transmission graph are then created, in which the belief state value of each sub-graph's initial node is over the belief state threshold. The attack and defense strategy sets are determined according to the invasion process of the sub-graphs. Finally, the model generates the decision of the optimal active response policies according to the POMG algorithm. Experimental results show that the response speed of the active response model based on POMG is 67% faster than the map-based model, and the average response efficiency of the proposed model is 24.5% higher than the map-based model.

Original language: English
Pages (from-to): 18-24
Number of pages: 7
Journal: Hsi-An Chiao Tung Ta Hsueh/Journal of Xi'an Jiaotong University
Volume: 45
Issue number: 4
Publication status: Published - Apr 2011
