Alum Jeffrey Pawlick and Professor Quanyan Zhu team up to improve cybersecurity with game theory
Cyber deception: To the layperson it might seem like a frightening term, conjuring up images of shadowy black-hatted hackers out to do harm.
The reality can, in fact, be frightening. Consider the impact of such high-profile attacks as the ones that exposed Equifax data from almost 150 million consumers in 2017 or the 2020 incident that allowed the phone numbers of more than 170 million users of the Chinese social media platform Sina Weibo to be posted for sale on the dark web. And an attack doesn’t have to be major enough to make the news to be devastating — especially when we rely on online systems in every area of our lives, from our money to our medical records, and Internet-of-Things technology can be found in most of our homes.
“Hackers are very good at deception,” Jeffrey Pawlick explains. “If they gain access to the right passwords and credentials, they can remain in a system for months without being detected, using psychological manipulation known as social engineering, or previously unknown vulnerabilities called zero-day attacks.”
Pawlick, who earned a doctoral degree in Electrical and Computer Engineering from NYU Tandon in 2018, collaborated with Assistant Professor Quanyan Zhu to write the recently released Game Theory for Cyber Deception: From Theory to Applications, which introduces game theory as a means to conceptualize, analyze, and model cyber deception.
“Cyber defenders need to be just as good at deception as hackers,” Pawlick says. “We know that there are techniques that can be used, like setting up what’s called a ‘honeypot,’ which involves luring hackers into a system in the network that appears to be a database, for the sole purpose of collecting information on them. Another technique might call for moving the most important information around to different parts of the network, making it difficult for hackers to know exactly where to attack.”
Game theory — a mathematical way to study strategic interactions when the choices made by two or more decision-makers have an intertwined effect on one another — can be a good way to boost the effectiveness of those deceptive defensive techniques. It can, for example, help cybersecurity experts determine how best to deploy honeypots or plan a more efficient moving-target defense.
Pawlick, who worked in Zhu’s Laboratory for Agile and Resilient Complex Systems (LARX) as a doctoral candidate, learned in a very visceral way the real-world importance of their work. “I was lucky enough to do an internship in Washington D.C. at the U.S. Army Research Lab,” he recalls, “and seeing uniformed servicemen and women walking the halls there really brought home to me how vital it was that the systems keeping them safe be protected.”
The authors aim for the volume to be useful to two distinct audiences: cyber experts unfamiliar with game theory and game theorists seeking to apply their knowledge in a practical, socially beneficial way.
Zhu says, “Understanding the interactions between multiple complex systems is essential when working in cybersecurity, so we’re happy to have provided a game-theoretic roadmap that we think should be very helpful.”
For more information on the topic visit www.deception.games/home.