Overview on MTD technology based on game theory

Mobile target defense (MTD) is a research hotspot in the field of network security. Network defense decision-making based on game theory (GT-MTD) is an important technique for guiding MTD toward the optimal defense behavior in different network environments, and a large body of related work has been published in this field. In this paper, we focus on the scope and field of GT-MTD, systematically introduce the application scenarios of MTD in combination with four game theory models, namely classical games (static games, signal games), Markov games, differential games and evolutionary games, and put forward future development directions. We also offer some new views and explanations on GT-MTD research.


Introduction
In recent years, the number of global cybersecurity incidents has increased year by year, and their impact has become increasingly serious. In 2011, the RSA data breach and the CSDN password breach occurred. In June 2013, Snowden disclosed the "PRISM" program, revealing that the United States used its technical advantages to conduct large-scale Internet surveillance. In December 2015, Ukrainian electronics company equipment was hacked, resulting in a massive power outage and causing great public panic.
Researchers have carried out a lot of work in the field of traditional network defense, improving it through firewalls, intrusion detection, identity authentication, anti-virus software, vulnerability repair, and other measures. However, existing systems struggle to deal effectively with constantly developing means of network attack, in three respects: static defense is difficult to sustain against high-intensity network attacks; passive security strategies are difficult to adapt to new attack methods; and software and hardware design vulnerabilities cannot be avoided. As a result, cyberspace confrontation has long been in an asymmetric situation of "small attack, big defense, and one attack, global defense" [1]. The National Science and Technology Council of the United States (NITRD) issued "Trusted networks: federal strategic planning for cybersecurity research and development" [2], proposing the development of a series of "game-changing" revolutionary cybersecurity defense technologies. MTD aims to change this extreme asymmetry between attack and defense by building a dynamic, random and polymorphic active defense mechanism that limits the exposure of network vulnerabilities and increases the complexity and cost of a network attack, thereby reducing the attack success rate.
In MTD technology, using game theory to guide MTD decision-making can maximize the effect of MTD and minimize its cost. The paper is organized as follows. The second part discusses background knowledge about GT-MTD. The third part introduces representative recent progress in GT-MTD under the classical game model, the Markov game model, the differential game model, and the evolutionary game model. The fourth part summarizes the whole text, puts forward prospects for future directions, and concludes.

Background
For MTD technology, traditional network defense decision-making methods are seriously deficient in scientific rigor and accuracy. Game theory [3] studies how to make decisions when the behaviors of the decision-making subjects interact directly with each other. An MTD game is the process in which network defenders have different defense strategies and network attackers have different attack strategies. Attackers attack the information system by selecting corresponding attack measures, and the defender takes a series of defensive actions against the attack on the network system to minimize the possible loss from the attacker. The process of network attack and defense confrontation has the following characteristics: the objectives are opposed; the strategies are interdependent; and the relationship is non-cooperative. According to this analysis, game theory and MTD have very similar characteristics. Therefore, the exploration of network security analysis methods and defense technology systems based on game theory has important practical significance and has become a focus of research in recent years.

Taxonomy of MTD technology based on game theory and overview of typical studies
According to the existing literature on game theory that has contributed to MTD, we divide it into four categories according to different game theory models: classical game model (static game, signal game), Markov game model, differential game model and evolutionary game model.

Classical game model
Liu et al. [4] studied the existence of Bayesian Nash equilibrium by using Bayesian game theory to analyze intrusion detection in mobile ad-hoc networks. Otrok et al. [5] also proposed a cooperative game model to analyze the interaction behavior of inspectors and reduce the false alarm rate for intrusion detection failures of mobile ad-hoc network nodes. Taking worm design and data transmission as examples, Gueye et al. [6] described in detail the game relationship between worm designer, data tamperer and defender. Sallhammar et al. [7] used game theory to model and calculate attack probability in a stochastic model for quantifying security. Shi J et al. [8] proposed DIRBGT, a dynamic intrusion response model based on game theory, which effectively improved the accuracy and effect of alarm response.
LIN et al. [9] introduced a dynamic game model and transformed the network attack and defense graph into a network game tree through "virtual nodes", which was used to study strategy selection in active defense. BURKE D et al. [10] used a repeated game with incomplete information to model the behavior of participants in information warfare. LIU Y L [11] applied the static game model with incomplete information to the performance evaluation of worm attack and defense strategies. GAO X et al. [12] used the signal game model to analyze the defense mechanism against DDoS attacks and gave principles for defense strategy selection. From the standpoint of information confidentiality, LIN J Q et al. [13] used the signal game model to model attack and defense scenarios, analyzed the factors that affect the benefits of the attack and defense parties, and gave defense suggestions. ZHANG H W et al. [14] studied offensive and defensive behaviors from the perspective of dynamic confrontation and limited information, and designed an optimal defense strategy selection algorithm based on signal game equilibrium analysis. JIANG L [15] defined defense strategies from the angle of attack surface conversion and detection surface extension, providing a moving target defense model that improves efficiency under the limited information available during dynamic defense. ZHANG [16] put forward a signaling game model for APT attacks, abstracting the antagonistic behavior of the attacking and defending sides in an APT as a dynamic game process with incomplete information in which information is transmitted.

Markov game model
Chowdhary A et al. [17], considering the heterogeneity of interacting network devices and applications in the cloud network, proposed a zero-sum Markov game that provides an intelligent strategy for placing detection mechanisms so as to maximize the detection of vulnerabilities while accounting for the impact on cloud network performance. Zhou Y et al. [18] used a multi-target Markov decision process to model the interaction between attacker and defender, and designed an effective DDoS defense scheme based on moving target transformation. Maleki et al. [19] proposed an MTD game model based on the Markov decision process. The Markov game model is used to compare single-target IP jump with multi-target IP jump, and the results show that multi-element selection can effectively improve the efficiency of jump defense.
Zhang et al. [20] analyzed the influence of vulnerability relationships and player strategies on network system security based on the Markov game model. Their approach improves defense efficiency by searching for the node or path with the greatest threat in the target network. Lei et al. [21] proposed an optimal strategy selection method based on the complete Markov game model, in which the exploitation of network vulnerabilities is abstracted as changes of the attack surface and the detection surface to ensure the universality of the model. On the basis of reference [21], Lei et al. proposed an incomplete-information Markov game method, IIMG-MTD [22]. The Markov decision process was used to describe the transitions between network states during the realization of MTD, and the development of network resources was transformed into a mobile attack surface and a mobile detection surface.

Differential game model
HUANG et al. [23] analyzed the continuous-time process of network attack and defense and, to meet the need for threat warning, put forward a qualitative differential game model of network attack and defense. They constructed a defense grid partitioning the space into a capture area and an avoidance area, introduced Euclidean distance in multidimensional space to evaluate the threat level, determined the threat warning level of the security state, and put forward targeted network defense suggestions according to the warning level. ZHANG et al. [24] analyzed network attack and defense behavior as a continuous process, constructed a differential game model of attack and defense, and on this basis proposed a method for solving the saddle point strategy and an algorithm for selecting the optimal defense strategy. On the basis of references [23] and [24], ZHANG et al. [25] combined, for the first time, differential game theory with the Markov decision-making method: they transformed the network attack-defense confrontation over a certain period of time into a multi-stage continuous attack-defense process with a short duration in each stage, and constructed a Markov attack-defense differential game model for its study. Guo R et al. [26] advocate that defenders should take active actions to prevent DDoS attacks and propose a new model based on differential game theory. The model has four main roles: attacker, defender, victim, and botnet. It indicates the minimum number of bots that should be blocked by the defender, and a differential game model is used to determine how a defender combats an attacker and protects the servers.
CSCNS2019, MATEC Web of Conferences 309, 02012 (2020). https://doi.org/10.1051/matecconf/202030902012
Yang L X et al. [27] discussed the problem of APT repair, that is, how to reasonably allocate available repair resources to potentially insecure hosts to mitigate the potential losses of the organization. Based on a new expected state evolution model, the APT response problem is modeled as a differential Nash game (the APT repair game), and an algorithm is proposed for finding a potential Nash equilibrium of the APT repair game. Li et al. [28] discussed how to find an effective dynamic recovery (DR) strategy to mitigate the total loss of cloud defenders in APT campaigns, which they call the dynamic cloud storage recovery (DCSR) problem. Based on the expected state evolution model, the net gain of APT attackers and the total loss of cloud defenders are measured.

Evolutionary game
Sun Wei et al. [29] applied evolutionary game theory to network information security, established an information security attack and defense game model based on the evolutionary game, and studied the dynamic evolution of network attack and defense confrontation using replication dynamics. Zhu Jianming et al. [30] built a network information security evaluation model based on game theory and studied the optimal configuration of information security. In addition, reference [31] took the actual situation of network attack and defense into account, proposed an evolutionary game model of network attack and defense with a learning mechanism, and used system dynamics to build the model for simulation analysis. D. Cheng [32] applied evolutionary game theory to the study of offensive and defensive costs, and analyzed the replication dynamics and evolutionarily stable strategies of both the offensive and defensive parties. Steven Tadelis [33] proposed an optimal control method for network performance based on the evolutionary game, which can help network agents change their behaviors according to strategy information and strategy benefits, so as to achieve optimal overall network performance. WANG et al. [34] proposed a system and method to evaluate network group behavior and the random evolution process. SHEN [35] analyzed the evolution trend of trust relationships between network nodes by applying the principle of replication dynamics.
Lye Kong Wei [36] combined the randomness of state change in the offensive and defensive system with the Markov decision-making process to form a multi-state, multi-agent Markov stochastic evolutionary game model. ZHANG et al. [37] analyzed the influence of various random interference factors on the selection and evolution of attack and defense strategies by establishing a stochastic attack-defense evolutionary game model based on the Ito stochastic differential equation, drawing on the concept of Gaussian white noise. On the basis of reference [37], HUANG et al. [38] improved the traditional replication dynamic equation by introducing an incentive coefficient, indicating that strategies between consenting groups are interdependent and can promote or inhibit the convergence speed of game evolution. Alabdel et al. [39] used the evolutionary game to capture the long-term continuous behavior of APTs on cloud storage devices and studied the dynamic stability of defense and attack strategy pairs according to the replicator dynamics criterion, so as to characterize the locally asymptotically stable equilibrium strategies. Qiu Y et al. [40] proposed an active defense model for wireless sensor networks, based on evolutionary game theory, in which evolving nodes have limited learning ability. A node can adjust its defense strategy actively and dynamically according to the attacker's different strategies to achieve the most effective defense.
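The replication dynamics (replicator equations) that several of the studies above rely on can be run on a two-strategy attack-defense game. The following is an added example, not code from this paper or from any cited work; the payoff matrices, the strategy labels (MTD hop / static, attack / idle) and all function names are constructed assumptions.

```python
from fractions import Fraction

# Constructed payoffs. Rows: defender (0 = MTD hop, 1 = static);
# columns: attacker (0 = attack, 1 = idle). "D"/"A" = defender/attacker payoff.
# COSTLY: attacking a hopping target loses money; CHEAP: it still pays.
COSTLY_ATTACK = {"D": [[-3, -2], [-10, 0]], "A": [[-2, 0], [7, 0]]}
CHEAP_ATTACK = {"D": [[-6, -2], [-10, 0]], "A": [[1, 0], [7, 0]]}

def advantages(game):
    """Payoff edge of 'MTD' over 'static' and of 'attack' over 'idle'."""
    D, A = game["D"], game["A"]
    d_att, d_idle = D[0][0] - D[1][0], D[0][1] - D[1][1]
    a_mtd, a_static = A[0][0] - A[0][1], A[1][0] - A[1][1]
    return d_att, d_idle, a_mtd, a_static

def strict_pure_equilibria(game):
    """Strict Nash pairs; in a two-population game these are the
    evolutionarily stable strategies."""
    D, A = game["D"], game["A"]
    return [(i, j) for i in (0, 1) for j in (0, 1)
            if D[i][j] > D[1 - i][j] and A[i][j] > A[i][1 - j]]

def interior_equilibrium(game):
    """Mixed point (x*, y*) where both populations are indifferent, or None."""
    d_att, d_idle, a_mtd, a_static = advantages(game)
    if a_static == a_mtd or d_idle == d_att:
        return None
    x = Fraction(a_static, a_static - a_mtd)  # share of defenders hopping
    y = Fraction(d_idle, d_idle - d_att)      # share of attackers attacking
    return (x, y) if 0 < x < 1 and 0 < y < 1 else None

def replicate(game, x, y, dt=0.01, steps=5000):
    """Euler-integrate the replicator equations from the state (x, y)."""
    d_att, d_idle, a_mtd, a_static = advantages(game)
    for _ in range(steps):
        dx = x * (1 - x) * (y * d_att + (1 - y) * d_idle)
        dy = y * (1 - y) * (x * a_mtd + (1 - x) * a_static)
        x, y = x + dt * dx, y + dt * dy
    return x, y

if __name__ == "__main__":
    for name, g in (("costly", COSTLY_ATTACK), ("cheap", CHEAP_ATTACK)):
        print(name, strict_pure_equilibria(g), interior_equilibrium(g),
              replicate(g, 0.1, 0.1))
```

With the cheap-attack payoffs both populations converge to the strict equilibrium (MTD hop, attack); with the costly-attack payoffs no pure pair is stable and the populations cycle around the interior point (7/9, 2/9).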

Conclusion
Given the above analysis, the question is how to choose an appropriate model. The classical game model is suitable for simple attack and defense processes of short duration. The Markov game is suitable for repeated attack and defense, where the influence of past behavior on the present and the future must be considered. The differential game is suitable for high-frequency, real-time attack and defense behavior. The evolutionary game is suitable for situations where neither the attacker nor the defender is perfectly rational and both search for the optimal behavior through trial and error.

Summary
Mobile target defense based on game theory has always been a hot topic in the field of cyberspace security. So far, the game-theoretic techniques used as cyber defense strategies have been developing rapidly, but some of them are too complex to be used on a large scale in real life. Therefore, it is necessary to improve defense performance while reducing the burden the algorithms place on hardware and software, and to meet the normal performance requirements of users while fully guaranteeing security.
We provide an overview in this article. First, we discuss the background of MTD and GT-MTD. Then we systematically introduce the recent progress in the field of GT-MTD including four aspects: classical game model, Markov game model, differential game model and evolutionary game model. Finally, the research direction of this field is pointed out. We hope that this review will contribute to the further research on defense in the field of mobile target networks.
This research was financially supported by the National Science Foundation.