Title of invention: Scheduling of defensive security actions in information processing systems
Abstract: A processing device is configured to identify a plurality of defensive security actions to be taken to address a persistent security threat to a system comprising information technology infrastructure, and to determine a schedule for performance of the defensive security actions based at least in part on a selected distribution derived from a game-theoretic model, such as a delayed exponential distribution or other type of modified exponential distribution. The system subject to the persistent security threat is configured to perform the defensive security actions in accordance with the schedule in order to deter the persistent security threat. The distribution may be selected so as to optimize defender benefit in the context of the game-theoretic model, where the game-theoretic model may comprise a stealthy takeover game in which attacker and defender entities can take actions at any time but cannot determine current game state without taking an action.
Publication number: US9471777(B1) Publication date: 2016.10.18
Application number: US201213404839 Filing date: 2012.02.24
Applicant: EMC Corporation Inventors: Juels Ari;van Dijk Marten Erik;Oprea Alina M.;Rivest Ronald L.
Classification: H04L29/06;G06F21/55 Main classification: H04L29/06
Agency: Ryan, Mason & Lewis, LLP Agent: Ryan, Mason & Lewis, LLP
Main claim: 1. A method comprising the steps of: identifying a plurality of defensive security actions to be taken to address a persistent security threat; and determining a schedule for performance of the defensive security actions based at least in part on a selected distribution derived from a game-theoretic model; wherein a system comprising information technology infrastructure subject to the persistent security threat is configured to perform the defensive security actions in accordance with the schedule in order to deter the persistent security threat; wherein the selected distribution comprises a modified exponential distribution given by a combination of an exponential distribution and at least one other distribution; and wherein the steps are performed by a processing device comprising a processor coupled to a memory.
Address: Hopkinton MA US