Cyber Deception and Cyberpsychology for Defense

Permanent URI for this collectionhttps://hdl.handle.net/10125/112424

Browse

Recent Submissions

Now showing 1 - 6 of 6
  • Thumbnail Image
    Item type: Item ,
    Agentic AI for Cyber Deception: A Gestalt Game-Theoretic Approach to Defending Against Botnet DDoS Attacks
    (2026-01-06) Zhu, Quanyan; Bari, Muhammad Akram Al
    Agentic AI represents a transformative approach to cybersecurity, offering modular, flexible, and intelligent architectures capable of orchestrating complex defense operations. A central challenge lies in the design and optimization of such systems; specifically, how to construct an optimal workflow and configure agents to effectively accomplish a mission objective. This paper introduces a principled framework for modeling and optimizing agentic AI workflows, with a specific application to cyber deception. We formalize agent coordination using an extensive-form representation that captures inter-agent dependencies, enabling recursive utility estimation and workflow-level optimization via dynamic programming. At the core of our approach are large language model (LLM)-driven agents that manage tasks such as honeypot deployment, adaptive engagement, and semantic analysis of attacker behavior. Through a detailed honeynet case study, we compare a utility-aware adaptive strategy against a static, greedy baseline under operational budget constraints. The results of 500 simulated epochs show that the adaptive workflow yields a 2.5-fold increase in successful deception episodes and reduces cost per success by more than 58%, while maintaining greater stability across attacker types. These findings highlight the potential of designing optimal agentic AI to enable resource-aware and resilient cyber defense systems.
  • Thumbnail Image
    Item type: Item ,
    Exploiting Base Rate Neglect to Disrupt and Distract Cyber Attackers
    (2026-01-06) Bhat, K Raghav; Gutzwiller, Robert; Guarino, Sean; Lynn, Spencer; Clegg, Benjamin; Hypolite, Joel; Sieffert, Michael; Locasto, Michael; Kelle, David; Slocum, Max; Wu, Curt; Harrison, Scott; Revelle, Matthew; Latiff, Susan
    Oppositional human factors (OHF) seeks to exploit tendencies in human thinking to disrupt cyber attackers. One tendency is base rate neglect (BRN), where individuals overlook the likelihood of an event during reasoning, and instead base judgements on salient surface details. An expert sample of cyber red teamers completed cognitive bias survey measures, followed by missions in a cyber range. In the range, features on a server consistent with a vulnerability but out of context (extremely low base rate) were used to test whether these experts would ignore such base rates. BRN was found, including meaningful, significant performance reductions, suggesting a real, valid path for OHF techniques. Further, this approach can be employed even where bias susceptibility predictions for an attacker are unavailable.
  • Thumbnail Image
    Item type: Item ,
    Evidence of Cognitive Biases in Capture-the-Flag Cybersecurity Competitions
    (2026-01-06) Carreira, Carolina; Aggarwal, Anu; Cuevas, Alejandro; Ferreira, Maria José; Hibshi, Hanan; Gonzalez, Cleotilde
    Understanding how cognitive biases influence adversarial decision-making is essential for developing effective cyber defenses. Capture-the-Flag (CTF) competitions provide an ecologically valid testbed to study attacker behavior at scale, simulating real-world intrusion scenarios under pressure. We analyze over 500,000 submission logs from picoCTF, a large educational CTF platform, to identify behavioral signatures of cognitive biases with defensive implications. Focusing on availability bias and the sunk cost fallacy, we employ a mixed-methods approach combining qualitative coding, descriptive statistics, and generalized linear modeling. Our findings show that participants often submitted flags with correct content but incorrect formatting (availability bias), and persisted in attempting challenges despite repeated failures and declining success probabilities (sunk cost fallacy). These patterns reveal that biases naturally shape attacker behavior in adversarial contexts. Building on these insights, we outline a framework for bias-informed adaptive defenses that anticipate, rather than simply react to, adversarial actions.
  • Thumbnail Image
    Item type: Item ,
    Translating and Validating Loss Aversion for Cyber Security
    (2026-01-06) Deng, Siyu; Nazim, Mohammad; Romero, Danilo; Venkatesan, Sridhar; Aggarwal, Palvi; Kiekintveld, Christopher
    Loss aversion refers to the tendency for decision-makers to weigh losses more heavily than equivalent gains. While it has been studied extensively in many domains and has a strong basis in the experimental literature, it has not been studied specifically in cybersecurity. This paper lays the groundwork for translating and measuring loss aversion in decisions relevant to cyber attackers. We conducted two experiments; the first adapts established tasks into a survey with a cybersecurity framing to assess construct validity and sensitivity to potential moderators. The second considers decisions embedded in richer cyber attack scenarios to examine loss aversions across decision stages and goal framings. Our results show that the proportion of risky action selections reliably reflects aggregate-level loss aversion, and is robust across varying payoff and probability magnitudes (including near zero and one). The stake effect significantly influences loss aversion, with greater impact at higher magnitudes. Stage effects and goal framing further modulate attacker behavior, providing insights for psychologically informed cyber defense strategies.
  • Thumbnail Image
    Item type: Item ,
    Inferring Attacks on a Distributed Honeyfarm Using Adversary Emulation and Centralized Threat Detection
    (2026-01-06) Fadanelli, Sergio; Nguyen, Thuy; Rowe, Neil
    Securing industrial control systems (ICSs) is difficult. This research aims to improve ICS security with data collected by a distributed honeyfarm (a network of honeypots). We deployed cloud-based honeypots in Europe and North America to monitor and analyze real-world attacks on simulated power grids and ICS devices. Our honeyfarm included a centralized enterprise-grade Security Information and Event Management (SIEM) system for real-time threat detection. We used MITRE Caldera adversary emulation, MITRE ATT&CK, system logs, and network-intrusion alerts to create SIEM queries. This approach distinguishes our honeyfarm from other research. We observed exploits of network protocols and legitimate services, remote code execution, brute-force credential cracking, denial of service, and botnet activity. RDP activity indicated possible human involvement. Our results showed that a SIEM system trained with adversary-emulation results and intrusion-detection alerts collected data on 16 times more suspicious intruders and improved detection of their threats, enabling better defenses.
  • Thumbnail Image
    Item type: Item ,
    Introduction to the Minitrack on Cyber Deception and Cyberpsychology for Defense
    (2026-01-06) Sherouse, Perry; Ferguson-Walter, Kimberly; Yu, Paul; Gabrys, Ryan