Security Modeling based on Game Theory and Generalized Stochastic Petri Nets

In this paper, we present a new approach to model the computer system security based on Generalized Stochastic Petri Nets (GSPN) and Game Theory. Attack against a system is dependent on attacker's malicious ehavior. An attack at least has two essential elements. First, the attacker must decide to choose which attack action is carried out. Second, he tries to accomplish the chosen attack action. Using GSPN, we can model the attackers' decisions. Henceforth, we calculate attacker's decision probabilities using Game Theory, especially, Zero-Sum Static Game model. By application of the decision probabilities on GSPN model that are calculated by game model, we can carry out quantitative security evaluation of the model using tools such as Mobius and calculate operational measures like Mean Time to Availability Compromise and Mean Time to Integrity Compromise. Finally, a case study has been modeled and evaluated using the method proposed in this paper.