Article
Game-Theoretic Decision Support for Cyber Forensic Investigations
Antonia Nisioti 1, George Loukas 1, Stefan Rass 2 and Emmanouil Panaousis 1,*
Citation: Nisioti, A.; Loukas, G.; Rass, S.; Panaousis, E. Game-Theoretic Decision Support for Cyber Forensic Investigations. Sensors 2021, 21, 5300. https://doi.org/10.3390/s21165300
Academic Editor: Ahmed Bouridane
Received: 30 June 2021
Accepted: 1 August 2021
Published: 5 August 2021
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
1 Department of Computing and Mathematical Sciences, University of Greenwich, London SE10 9BD, UK; a.nisioti@greenwich.ac.uk (A.N.); g.loukas@greenwich.ac.uk (G.L.)
2 Institute of Artificial Intelligence and Cybersecurity, Universitaet Klagenfurt, Universitatsstrasse 65-67, 9020 Klagenfurt, Austria; stefan.rass@aau.at
* Correspondence: e.panaousis@greenwich.ac.uk
Abstract: The use of anti-forensic techniques is a very common practice that stealthy adversaries may deploy to minimise their traces and make the investigation of an incident harder by evading detection and attribution. In this paper, we study the interaction between a cyber forensic Investigator and a strategic Attacker using a game-theoretic framework. This is based on a Bayesian game of incomplete information played on a multi-host cyber forensics investigation graph of actions traversed by both players. The edges of the graph represent players’ actions across different hosts in a network. In alignment with the concept of Bayesian games, we define two Attacker types to represent their ability to deploy anti-forensic techniques to conceal their activities. In this way, our model allows the Investigator to identify the optimal investigating policy taking into consideration the cost and impact of the available actions, while coping with the uncertainty of the Attacker’s type and strategic decisions. To evaluate our model, we construct a realistic case study based on threat reports and data extracted from the MITRE ATT&CK STIX repository, the Common Vulnerability Scoring System (CVSS), and interviews with cyber-security practitioners. We use the case study to compare the performance of the proposed method against two other investigative methods and three different types of Attackers.
Keywords: cyber forensics; digital forensics; game theory; Bayesian game; multi-stage attacks; decision support; optimisation
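The abstract describes the Investigator choosing actions under uncertainty about the Attacker's type (anti-forensic or not), weighing the cost and impact of each action. The following added example, which is not code from the paper and does not reproduce its game or case study, shows the core of that idea in a deliberately reduced form: a single host, a handful of hypothetical investigative actions with constructed costs and evidence probabilities per Attacker type, and a Bayesian belief update when an observation (here, timestomped files) points towards an anti-forensic Attacker. The Attacker's behaviour per type is held fixed, so this is the Investigator's best response to a belief rather than the full equilibrium analysis of the paper. All names and numbers are assumptions.

```python
# Constructed toy model (hypothetical values, not from the paper): the Investigator
# must pick one inspection action on a compromised host without knowing whether
# the Attacker is of the "anti_forensic" type (deploys anti-forensic TTPs such as
# log wiping) or the "plain" type (leaves traces behind).
TYPES = ("anti_forensic", "plain")

# Cost of each investigative action (normalised analyst effort; constructed).
COST = {"inspect_logs": 1.0, "memory_dump": 3.0, "disk_image": 5.0}

# Probability that an action yields usable evidence, conditioned on Attacker type.
# Log inspection is nearly worthless against an Attacker who wipes logs.
DETECT = {
    "anti_forensic": {"inspect_logs": 0.1, "memory_dump": 0.7, "disk_image": 0.6},
    "plain":         {"inspect_logs": 0.8, "memory_dump": 0.75, "disk_image": 0.9},
}

# Value to the Investigator of obtaining conclusive evidence (the impact term).
IMPACT = 10.0

# Likelihood of an observation given each Attacker type, used for belief updates.
LIKELIHOOD = {
    "anti_forensic": {"timestomped_files": 0.6, "intact_logs": 0.1},
    "plain":         {"timestomped_files": 0.05, "intact_logs": 0.8},
}


def expected_utility(action, belief):
    """Type-weighted utility of an action: evidence value minus action cost."""
    return sum(
        belief[t] * (DETECT[t][action] * IMPACT - COST[action]) for t in TYPES
    )


def best_action(belief):
    """Investigator's best response to the current belief over Attacker types."""
    return max(COST, key=lambda a: expected_utility(a, belief))


def update_belief(belief, observation):
    """Bayes' rule: posterior over Attacker types after seeing an observation."""
    joint = {t: belief[t] * LIKELIHOOD[t][observation] for t in TYPES}
    evidence = sum(joint.values())
    if evidence == 0:
        raise ValueError(f"observation {observation!r} is impossible under every type")
    return {t: joint[t] / evidence for t in TYPES}


if __name__ == "__main__":
    prior = {"anti_forensic": 0.3, "plain": 0.7}
    print("prior best action:", best_action(prior))
    posterior = update_belief(prior, "timestomped_files")
    print("posterior belief:", {t: round(p, 3) for t, p in posterior.items()})
    print("posterior best action:", best_action(posterior))
```

With the constructed prior, cheap log inspection is the best first step; once timestomped files shift the belief towards the anti-forensic type, the same calculation favours a memory dump, which that type cannot cheaply sanitise. The paper's model extends this single decision to a policy over a multi-host investigation graph and lets the Attacker choose strategically as well.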
1. Introduction
As adversaries evolve their techniques, both in sophistication and variety, cyber forensics investigations are becoming more complex and time consuming [1]. Modern threats such as Advanced Persistent Threats (APTs) consist of a large number of steps and include a wide variety of Tactics, Techniques, and Procedures (TTPs), which allow adversaries to achieve their goals and avoid detection at the same time.
To address these problems and increase the efficiency of cyber investigations, we previously proposed DISCLOSE, a data-driven decision support framework, which utilises Tactics, Techniques, and Procedures (TTPs) to offer optimal inspection choices to the investigator [2]. To do so, DISCLOSE combines extracted threat intelligence information regarding TTPs with an attack life-cycle model and the progress of the investigation. In this way, it optimises the choices of the investigator taking into consideration the sophistication and diversity of the TTPs used by adversaries.
However, in most cases, such sophisticated and determined attackers will not choose their actions only based on the immediate benefit they may collect, but rather consider the stealthiness of their actions even if this results in the use of extra resources. Specifically, adversaries will additionally deploy anti-forensic TTPs to either conceal part of their trail or to increase the complexity and difficulty of the investigative process, which in turn incurs delays in the investigation [3] and can significantly increase the financial, reputational or
Sensors 2021, 21, 5300. https://doi.org/10.3390/s21165300 https://www.mdpi.com/journal/sensors