Signaling Security Games with Attack Planner Deception

Abstract

This paper studies a class of attack behavior in which adversaries assume the role of initiators, orchestrating and implementing attacks by hiring executors. We examine the dynamics of strategic attacks, modeling the initiator as an attack planner and constructing the interaction with the defender within a defender–attack planner framework. The individuals tasked with executing the attacks are identified as attackers. To ensure the attackers’ adherence to the planner’s directives, we concurrently consider the interests of each attacker by formulating a multi-objective problem. Furthermore, acknowledging the information asymmetry where defenders have incomplete knowledge of the planners’ payments and the attackers’ profiles, and recognizing the planner’s potential to exploit this for strategic deception, we develop a defender–attack planner model with deception based on signaling games. Subsequently, through the analysis of the interaction between the defender and planner, we refine the model into a tri-level programming problem. To address this, we introduce an effective decomposition algorithm leveraging genetic algorithms. Ultimately, our numerical experiments substantiate that the attack planner’s deceptive strategy indeed yield greater benefits.

1. Introduction

Game theory has found extensive applications in various fields, especially in the Stackelberg games (SGs), which are simple yet powerful models for sequential interaction between two strategic players: a leader and a follower. Specifically, the leader commits to a strategy first, and the follower responds after observing the leader’s commitment. The game was first proposed in 1934, when researchers introduced it to analyze market competition between a large-leader firm and a small-follower firm [1]. Since then, it has been applied to a diverse array of problems, including principal–agent contract design [2], pricing and planning in transportation systems [3], influence maximization [4] and exam design [5], often focusing on the leader’s perspective and with the aim of identifying the optimal strategy for the leader to commit to. Over recent years, with the successful application of SGs in security resource allocation, an increasing number of experts have utilized them to address security problems, known as the Stackelberg Security Games (SSGs) [6]; thus, SSGs have emerged as a significant area of research for SGs. To date, SSGs have been applied to address a multitude of practical issues, such as threat screening games [7], green security games [8,9,10] and crime prevention strategies [11]. In SSGs, the defender, as the leader, implements an optimal mixed (or randomized) defense strategy. This mixed strategy represents a probability distribution across all the possible defense strategies. The attackers, as the followers, observe this and adjust their strategy to optimize their outcome [12]. This has been seen in, for instance, the Los Angeles Sheriff’s Department’s application to the subway system [13] and the US Coast Guard’s initiatives on ports and waterways in Boston and New York City [14], among others. In these applications, a defender aims to protect targets from strategic adversaries by deploying limited resources. The central solution concept in SSGs is the strong Stackelberg equilibrium (SSE) [15,16], which determines the defender’s optimal strategy. However, SSE is predicated on the assumption that both parties have complete knowledge of each other’s information. In numerous real-world scenarios, this assumption often fails to hold true. The defender frequently lacks complete information about the follower. Currently, these issues have been extensively researched, resulting in a multitude of proposed solutions. For example, when the defender is uncertain about the attacker’s payoff but is aware of its range, strategies are explored that are robust to small interval uncertainties [17,18,19]. In scenarios where the defender is only aware of the distribution of the attacker’s payoff, the Bayesian Stackelberg equilibrium is used to maximize the defender’s utility [20,21,22]. Furthermore, as defenders gather information through interactions with attackers, numerous studies have investigated learning from the attackers’ response strategies to refine leadership tactics [17,23,24,25,26]. The essence of these approaches is the defender’s attempt to acquire relevant information about the attacker, assuming the information obtained is accurate. However, when the attacker becomes aware of the defender’s reliance on information, there is a tendency for the attacker to use tactics that obfuscate the defender, intending to provide them with misleading information, which is a form of deceitful behavior.

Currently, the attackers’ deception has attracted significant attention, prompting a variety of studies to focus on this phenomenon. Existing research mainly investigates scenarios where attackers provide false information about a single aspect, such as their payoff [27,28,29] or the degree of rationality [30,31,32]. However, in numerous real-world scenarios, defenders confront a more intricate challenge where attackers have multiple pieces of undisclosed information. Recognizing this gap, broadening the scope of analysis to include situations with followers possessing multiple private information sets is essential. By considering a scenario in which the attacker has two types of private information, we can establish a more comprehensive model. In the existing body of research, the attacker commonly uses strategies that involve either selecting a target to attack [33] or allocating resources for an attack on the targets [34,35]. However, real-world scenarios frequently exhibit a more complex dynamic where the attacker assumes the role of a “leader” who orchestrates an attack and recruits individuals to execute it. In this context, the individual who devises the attack strategy is referred to as the “attack planner”, while the person commissioned to execute the attack is termed the “attacker”. Unlike resources, which can be allocated at will, individuals have independent thoughts and agency. Therefore, it is essential to consider their interests to ensure their adherence to the arranged strategy. Furthermore, the defender is often unaware of the specifics regarding the hired individuals, which we establish as the attack planner’s private information. This can be exploited by the attack planner to mislead defenders by misrepresenting the number of hired individuals.

In summary, this paper introduces a model that delineates the interaction between the attack planner and the defender, then extends this model to account for the attack planner’s deception and the compliance of hired individuals through a multi-objective problem. Subsequently, we propose a tri-level programming framework that aligns with the interactive process. The first level involves signaling, wherein the attack planner seeks to obscure the defender’s comprehension and maximize personal benefits. The second level pertains defense, wherein the defender strategically allocates resources to minimize potential losses. The third level constitutes the attack phase, wherein the attack planner coordinates the execution of the attack, aiming to maximize profit. Simultaneously, to ensure the attackers’ adherence with the plan, the attack strategy formulated by the attack planner must safeguard the attackers’ interests. This model deviates from the conventional tri-level min–max–min programming models [36,37], rendering traditional solving algorithms inapplicable. Consequently, we introduce an efficient, customized algorithm designed to accommodate the unique structure and requirements of the model, ensuring effective resolution and thorough analysis.

Our contributions: In order to deal with the opponent’s deception effectively, this paper analyzes a kind of deception behavior in attack in detail.

• We model the attack initiator as the attack planner—the individual they hire to carry out the attack is the attacker—and we propose a defender–attack planner (D-AP) model to describe the interaction between them;
• We account for the interests of each attacker to ensure compliance, framing this as a multi-objective optimization issue;
• This paper also addresses the defender’s uncertainty to the attack planner’s payment and the particulars of the hired attackers, constructing a defender–attack planner game model with deception (D-APD).
• We articulate D-APD as a tri-level programming problem and propose a customized decomposition algorithm based on a genetic algorithm (DA-GA) to address it.

The remainder of this paper consists of the following. In Section 2, we summarize the previous related work. In Section 3, we present detailed descriptions of the D-AP and D-APD models. In Section 4, we formulate a tri-level programming problem and propose a solution algorithm. In Section 5, we a conduct further analysis of the model via experimental validation. Finally, Section 6 presents the conclusions of this paper and outlines directions for future research.

2. Related Work

This section provides an overview of the existing literature that is pertinent to our research, focusing on two key aspects: deception behavior within games and the role of the planner.

2.1. Deception in Games

As deception can obfuscate an adversary’s understanding and disrupt their decision-making process, certain research endeavors have explored methods to mitigate or neutralize criminal offensives through deceptive tactics. Within the homeland security domain, studies have formulated models of deceptive strategies wherein the defender employs a range of signals to mislead the attacker [38,39,40]. Ref. [33] examines security games involving the defender’s use of disguised resources. Ref. [41] explores the concept of strategic secrecy in the defender’s approach to infrastructure protection. In addition, when the attacker is unsure of the amount of the defender’s resources, the defender may deceive the attacker by disguising or hiding a portion of the resources, potentially reporting fewer resources than are actually available [33]. In contrast to [33], Ref. [42] studied the phenomenon of bluffing in signaling games, where the defender may claim to possess more resources than are actually available, serving as a deterrent to the attacker and thus preventing the attack. In [43], a problem with multiple attacker types is studied, in which the defender initially commits to a mixed strategy and signaling scheme, identifies the attacker’s type and then acts, and the attacker subsequently responds. In [44], a two-stage game model is presented, in which the first stage is a basic defender–attacker game, and in the second stage, the defender sends a deceptive signal regarding actual resource allocation. Ref. [40] explores the issue of deception in a single-objective multi-period game where multiple types of defenders exist. In each game, they initially select a behavior and a signaling strategy. Another work has discussed the problem of stochastic games with multiple defenders cheating [45]. In [34], researchers used the hypergame framework to study the deception of defenders in a game with multiple attackers. Attackers with multiple types possess distinct payoff functions and resource quantities, so the hypergame framework is used to model each attacker individually. Ref. [46] examines the optimal conditions and methods for defenders to effectively deceive various attackers. Other studies investigated the deception of a defender in a game with ambiguous benefits and multiple attackers [47]. Ref. [48] examines how defenders counter advanced sustainability threats through deceptive behavior.

However, precisely because the deceptive behavior confuses the adversary, more and more attackers will choose to deceive, leading to a deviation in defense strategy and an infliction of more severe damage. In [27], with distinct types characterized by varying payoffs, the attacker deceives the defender by imitating other attacker types. In [28], the attacker deceives the defender by directly presenting a false type. Nguyen et al. studied the deception strategies of attackers in repeated games [29]. Ref. [49] addresses similar problems. Unlike Ref. [29], this study examines the issues within the SSG framework, whereas Ref. [29] focuses on a stochastic one. Ref. [30] studies deception in games with multiple attackers, where multiple attackers pay the same but have different levels of rationality, and perfectly rational attackers adopt a guise of bounded rationality to deceive defenders. However, these studies do not consider the scenario where attackers possess multiple pieces of private information.

In addition, because asymmetric information is a key friction in many economic interactions, deception often appears in the principal–agent problem [2,50,51], which is a prevalent application of the SGs. The principal delegates the management of the output process to the agent. A contract is signed in advance, specifying the terms of an incentive payment. The agent exerts costly effort for managing the output. Subsequently, given the contract offered by the principal, the agent returns an optimal effort response that optimally balances their cost of effort with the proposed compensation. Ultimately, the principal selects the optimal contract to motivate the agent’s effort [52]. Then, a principal may offer a range of contracts to an agent with uncertain characteristics and ask the agent to choose the one that matches their true type. Naturally, the principal’s menu must consider the agent’s potential misrepresentation of their type, meaning that the agent may mislead the principal [53]. However, such a deception is predominantly observed in economic contexts and significantly differs from the deception encountered in the security domain we examine.

2.2. About Planner

Several studies have examined the beneficial impacts of community participation in wildlife preservation [54,55,56,57,58], but these studies lack a mathematical model of the interaction between defenders and attackers; some researchers formulated it using the Stackelberg game framework [59]. Acknowledging the possibility of community members colluding with the attacker, the patrol, acting as the defender, employs community informants to gather intelligence on the attacker’s activities. However, no existing studies have yet considered a scenario where attackers may also hire some people to execute the attack, which significantly diverges from the defender’s recruitment of community members, including the consideration of the interests of the hired attackers. It is in addressing this gap that this paper contributes to the literature.

3. Model

In this section, we initially construct a foundational defender–attack planner game model. Subsequently, considering the attack planner’s private information, we construct a defender–attack planner with a deception model based on signaling games.

Table 1. Legend of common symbols.

Symbol	Description
Sets:
$SD$	The set of defender’s pure strategy
$SA$	The set of attack planner’s pure strategy
$\Theta$	The set of attack planner’s payment types
$\Phi$	The set of attacker types
$S^1$	The set of signals about payment type
$S^2$	The set of signal about attacker type
$TY$	The set of attack planner’s types
S	The set of signals
${\Delta }_{o1}$	The set of mixed signaling strategy about planner’s payoff type
${\Delta }_{o2}$	The set of mixed signaling strategy about planner’s attacker type
Parameters:
N	The number of targets
$bs$	Attacker’s base salary vector
c	Defender’s cost vector
B	Defender’s budget constraint
n	The number of strong and weak attacker
$v^d$	Defender’s valuation of targets
$v^a$	Attack planner’s valuation of targets
$sd$	Defender’s pure strategy
$sa$	Attack planner’s pure strategy
$q_j$	The probability that the target j is attacked successfully
$u^i$	i-th attacker’s base salary
$a{c}_{ij}$	The i-th attacker’s cost when they attacks target j
$\alpha$	The ratio of the commission when attack is successful
$p^{pt}$	The prior probability distribution about payment types
$v^{\theta }$	The target valuation of Attack planner with payment type $\theta$
$p^{\theta }$	The prior probability distribution about attacker type
${\mu }^{pt}$	The posterior probability about the payment types
${\mu }^{an}$	The posterior probability about the attacker type
$dc$	Attack planner’s deception cost
$p^{ty}$	The prior probability distribution of attack planner’s type
$\mu \left(ty\right|s)$	The probability that the attack planner’s type is $ty$ after receiving the signal s
$L^D,U^{AP},U^i$	The utility of defender, planner and the i-th attacker without deception
$L^{to},U^{to},U_i^{ty}$	The utility of defender, planner and the i-th attacker with deception
Decision variables:
${\pi }_o$	The signaling strategy
${\pi }_d$	Defender’s strategy scheme
${\pi }_a$	Attack planner’s attack scheme

describes the mathematical notation used in this paper.

3.1. Defender–Attack Planner Game Model

In this section, we develop a model that captures the strategic interaction between a defender and an attack planner within the framework of a Stackelberg game, known as the Defender–Attack Planner (D-AP) model.

3.1.1. Model Description

A D-AP game model consists of a defender and an attack planner (hereafter referred to as the planner), where the defender needs to protect a set of N targets, and the planner hires some attackers to attack a subset of targets. The hired attackers are categorized into two types—strong and weak—based on their offensive capabilities (the model is also extensible to scenarios involving multiple attacker types). Their basic salary is different, which is denoted as $bs=(b{s}_1,b{s}_2)$; $b{s}_1$ and $b{s}_2$ correspond to the base salaries of the strong and weak attackers, respectively. The defender also possesses two defense levels: the high-level defense is capable of repelling all attackers, while the low-level defense is effective only against weak attackers. The defender incurs a fixed cost upon protecting a target; $c=(c_1,c_2,c_3)$ represents the cost vector, where $c_1=0$ signifies the absence of defense and $c_2$ and $c_3$ correspond to the costs of low-level and high-level defense, respectively. The defender has a budget constraint B and the planner also faces budgetary constraints, which restricts the number of attackers they can hire; this is denoted as $n=(n_1,n_2)$, where planner-hired attackers are n, including $n_1$ strong attackers and $n_2$ weak attackers. $at=(a{t}_1,\dots ,a{t}_n)$ denotes each attacker’s type (strong or weak), where $a{t}_i\in \{1,2\}$ and $a{t}_i=1\left(2\right)$ represent that the i-th attacker is weak (strong). Each target holds a distinct importance to the defender and the planner, that is, they have different valuations of the targets. The defender’s valuation of the targets is $v^d=(v_1^d,\dots ,v_N^d)$ and the planner’s valuation is $v^a=(v_1^a,\dots ,v_N^a)$. When a target j is attacked successfully, the defender incurs a penalty $P_j^D$ and the planner receives a reward $R_j^A$. On the contrary, if an attack on a target j is unsuccessful, the defender will gain a reward $R_j^D$ and the planner will incur a penalty $P_j^A$, and they satisfy $R_j^D>P_j^D$, $R_j^A>P_j^A$. This paper assumes that the utility of both sides is only related to the targets that were successfully attacked; in this case, $R_j^D=P_j^A=0$, $P_j^D=-v_j^d$ and $R_j^A=v_j^a$.

3.1.2. Strategy Expression

The defender’s pure strategy is to decide what level of protection to apply to each target within budget constraints which is denoted by $sd=(s{d}_1,\dots ,s{d}_N)$, where $s{d}_j\in \{0,1,2\}$ and ${\sum }_{j=1}^N{c}_{s{d}_j+1}\le B$, $s{d}_j=0$ indicate that the target j is not protected; $s{d}_j=1$ means low-level defense against the target j and $s{d}_j=2$ denotes high-level defense against the target j. $SD=\left\{sd\right|s{d}_j\in \{0,1,2\},{\sum }_{j=1}^N{c}_{s{d}_j+1}\le B\}$ represents the set of all the defender’s pure strategies. The planner’s pure strategy involves determining the allocation of the hired attackers to execute an attack on a designated set of targets, represented by $sa={\left(s{a}_{ij}\right)}_{i\in \left[n\right],j\in \left[N\right]}$, where $s{a}_{ij}\in \{0,1\}$ and $s{a}_{ij}=1\left(0\right)$ mean that the i-th attacker is (not) arranged to attack the target j. Following a successful attack on a target, the attacker responsible is granted a commission proportional to the target’s value to the planner. Although it may appear that one attacker is assigned per target and vice versa, the diverse values of the targets result in a scenario of contention among multiple attackers, each seeking to secure a higher commission. Acknowledging this possibility, we assume that different attackers are permitted to attack the same target. However, the commission received from a successful attack will be evenly divided among the participating attackers, and the probability of a successful attack on a target remains unaffected by an increased number of attackers. This assumption facilitates adherence to the planner’s strategy among attackers. $SA=\left\{s{a}_{n\times N}\right|s{a}_{ij}\in \{0,1\},{\sum }_{j=1}^{N}s{a}_{ij}=1,i=1,\dots ,n\}$ denotes the planner’s strategy space, where ${\sum }_{j=1}^{N}s{a}_{ij}=1$ means that each attacker can only attack one target.

3.1.3. Utility Function

Given the attack strategy $sa$, we let $s{a}^1={\left(s{a}_{ij}^1\right)}_{i\in \left[n\right],j\in \left[N\right]}$, where $s{a}_{ij}^1=0$ if $s{a}_{ij}=0$ and $s{a}_{ij}^1=a{t}_i$ if $s{a}_{ij}=1$; then, $s{a}_j^2=max\{s{a}_{ij}^1,i=1,\dots ,n\}$ signifies the magnitude of the attack that target j is projected to encounter, denoting $s{a}^2=(s{a}_1^2,\dots ,s{a}_N^2)$. Specifically, should the planner allocate only weak attackers to a target, then the target faces only weak attacks; conversely, the target endures strong attacks. Then, for a strategy profile $(sd,sa)$, the probability that the target j is successfully attacked is

$${\displaystyle q_j(sd,sa)=\left\{\begin{array}{c}1,s{a}_j^2>s{d}_j\hfill \\ 0,otherwise,\hfill \end{array}\right.}$$

this is because the high-level defense is capable of repelling all attackers, while the low-level defense is effective only against weak attackers. In addition, we define $s{a}_j^3={\sum }_{i=1}^{n}s{a}_{ij}$ as the number of attackers attacking the target j, and let $s{a}^3=(s{a}_1^3,\dots ,s{a}_N^3)$.

The total loss of the defender, which is denoted as $L^D$, is the sum of the value of the targets successfully attacked and the cost of the defensive strategy; then, for a strategy profile $(sd,sa)$, we have

$$L^D(sd,sa)=\sum _{j=1}^N(q_j(sd,sa)v_j^d+c_{s{d}_j+1}).$$

(1)

The utility of the planner, $U^{AP}$, is the aggregate value derived from successfully attacked targets, minus the cost of hiring all attackers, then

$$U^{AP}(sd,sa)=\sum _{j=1}^N{q}_j(sd,sa)v_j^a-\sum _{i=1}^n{U}^i(sd,sa),$$

(2)

where $U^i$ is the benefit of the i-th employed attacker, i.e., the cost of hiring the i-th attacker. For each hired attacker, irrespective of the attack’s success, they receive a base salary, incur a certain attack cost, and upon a successful attack, they receive an additional commission proportional to the target’s value. Thus

$$U^i(sd,sa)=u_i+\sum _{j=1}^{N}s{a}_{ij}{q}_j(sd,sa)·{\displaystyle \frac{\alpha v_j^a}{s{a}_j^3}}-\sum _{j=1}^{N}s{a}_{ij}a{c}_{ij},$$

(3)

where $u_i=b{s}_{a{t}_i}$ is the i-th attacker’s base salary, $\alpha \in (0,1)$ denotes the proportionality constant of the commission awarded to the attacker post-successful attack and $a{c}_{ij}$ denotes the i-th attacker’s cost when they attacks target j. Attackers, despite having identical capabilities, may demonstrate diverse target preferences, influenced by a multitude of factors, such as the distance between the attacker and the target. This study incorporates these individual differences among attackers by representing these differences through variable attack costs $ac$.

3.2. Defender–Attack Planner Game Model with Deception

Building upon the previously outlined model, we develop an advanced Defender–Attack Planner game model with Deception (D-APD). This model takes into account the planner’s strategic deception in two critical dimensions: the payoff type and the attacker type. The deception in payoff type could lead the defender to misestimate the importance of the targets to the planner. Similarly, deception in attacker type could involve obscuring the true attack capabilities, which can confuse the defender’s assessment of the attack’s treat level. By integrating these elements, the D-APD model encapsulates the intricate interplay of strategy and information, and thus provides a framework for analyzing sophisticated security threats.

3.2.1. The Attack Planner with Multiple Types

In reality, defenders are typically aware only of the range of possible scenarios and the likelihood of each occurring, which is encapsulated in the prior probability. First, denoting the set of all possible payment types as $\Theta =\{{\theta }^1,\dots ,{\theta }^m\}$, the corresponding prior probability distribution is $p^{pt}:\Theta \to [0,1]$. A planner with payment type $\theta$ values each target as $v^{\theta }=(v_1^{\theta },\dots ,v_N^{\theta })$. Then, we denote the set of all possible hired attacker situations in which the planner with payment type $\theta$ as ${\Phi }^{\theta }=\{{\phi }_1^{\theta },\dots ,{\phi }_{m^{\theta }}^{\theta }\}$; that is, the planner with payment type $\theta$ has $m^{\theta }$ possible attacker types, where ${\phi }_k^{\theta }=({\phi }_{k1}^{\theta },{\phi }_{k2}^{\theta })$ means that the planner with payment type $\theta$ hired ${\phi }_{k1}^{\theta }$ strong attackers and ${\phi }_{k2}^{\theta }$ weak attackers. The corresponding prior probability distribution is $p^{\theta }:{\Phi }^{\Theta }\to [0,1]$. $\Phi ={\bigcup }_{\theta \in \Theta }{\Phi }^{\theta }$ represents the set of all attacker types. In practice, although the attacker type for each payment type planner is different, they can be viewed as the same by taking a union. For example, if the set of attacker types for a planner with payment type ${\theta }_1$ is ${\Phi }^{{\theta }_1}=\{{\phi }_1,{\phi }_2\}$, the set of attacker types for a planner with payment type ${\theta }_2$ is ${\Phi }^{{\theta }_2}=\{{\phi }_2,{\phi }_3\}$, then we can set ${\Phi }^{{\theta }_1}={\Phi }^{{\theta }_2}=\{{\phi }_1,{\phi }_2,{\phi }_3\}$ and $p^{{\theta }_1}\left({\phi }_3\right)=0,p^{{\theta }_2}\left({\phi }_1\right)=0$. Therefore, we can directly let $\Phi =\{{\phi }^1,\dots ,{\phi }^M\}$, which represents the set of all possible attacker types (M in total). ${\phi }^i=({\phi }_1^i,{\phi }_2^i)$ means hiring a ${\phi }_1^i$ strong attacker and a ${\phi }_2^i$ weak attacker, and we denote the prior probability of the planner of payment type $\theta$ over all attacker types as $p^{\theta }:\Phi \to [0,1]$. Obviously, each attacker type $\phi$ corresponds to a group of attackers, and the base salary of this group of attackers is recorded as $u^{\phi }=(u_1^{\phi },\dots ,u_{{\left|\right|\phi \left|\right|}_1}^{\phi })$; the attack cost matrix is recorded as $a{c}^{\phi }={\left(a{c}_{ij}^{\phi }\right)}_{i\in \left[\right|\left|\phi \right|{|}_1],j\in \left[N\right]}$. Then, under the strategy profile $(sd,sa)$, the utility function of the planner with payment type $\theta$ and attacker type $\phi$ is

$$U^{\theta ,\phi }(sd,sa)=\sum _{j=1}^N{q}_j(sd,sa)v_j^{\theta }-\sum _{i=1}^{{\left|\right|\phi \left|\right|}_1}{U}^{\theta ,\phi ,i}(sd,sa),$$

(4)

where $U^{\theta ,\phi ,i}$ is each employed attacker’s benefit, that is

$$U^{\theta ,\phi ,i}(sd,sa)=u_i^{\phi }+\sum _{j=1}^{N}s{a}_{ij}{q}_j(sd,sa)·{\displaystyle \frac{\alpha v_j^{\theta }}{s{a}_j^3}}-\sum _{j=1}^{N}s{a}_{ij}a{c}_{ij}^{\phi }.$$

(5)

3.2.2. Attack Planner’s Deception

For private information, the planner is usually more inclined to mislead the defenders by deceiving rather than reporting the truth. The practice of sending preemptive signals has become the prevalent method of deception. These signals are crafted to influence the defender’s perception of the threat and subsequent resource allocation. However, it is important to note that there is a cost associated with this deceptive behavior, termed the deception cost, denoted as $dc=(d{c}_1,d{c}_2)$, $d{c}_1$ and $d{c}_2$ is the planner’s deception cost about payment and attacker type, respectively. First, the planner will achieve deception by simulating the behavior of a planner of other payment types, so the set of signals sent about the payment type is $S^1=\Theta$ and the corresponding set of mixed-signal sending strategies is ${\Delta }_{o1}=\{o1={\left(o{1}_{s^1}\right)}_{s^1\in S^1}|o{1}_{s^1}\in [0,1]{,\left|\right|o1\left|\right|}_1=1\}$, where $o{1}_{s^1}$ is the probability of sending the signal $s^1$. In addition, for the attacker type, the planner will deceive the defender by arranging the attacker to disguise or hide (such as plainclothes police), so that the defender will have a wrong understanding of the real number of hired attackers. Therefore, the number of attackers reported by the planner cannot be more than the number of real hired attackers. Then the set of signals sent by the planner with the payment type $\theta$ and the attacker type $\phi$ about the attacker type is $S^{2,\theta ,\phi }=\{s^2\in {\mathbb{N}}^{+}|s^2\le {\phi }_1+{\phi }_2\}$ (the planner only reports the total number of attackers, not the specific number of strong and weak attackers). For example, suppose a planner’s set of attacker types is $\left\{\right(1,2),(2,4),(3,1\left)\right\}$, then the set of signals they send is $\{1,2,3,4,5,6\}$. But in fact, we can find that when the planner sends signal 1 or 2, the effect on the posterior probability is the same as when they send signal 3; this is because when sending signals 1, 2 and 3, the possible types of planner are $(1,2),(2,4),(3,1)$. Therefore, we reasonably let $S^2={\left\{\right|\left|\phi \right||}_1|\forall \phi \in \Phi \}$ represent the set of signals about the planner’s attacker type; then, $S^{2,\phi }=\{s^2\in S^2|s^2\le {\phi }_1+{\phi }_2\}$ is the set of signals about the attacker type for the attacker type $\phi$ planner, and their collection of mixed signaling strategies is ${\Delta }_{o2}^{\phi }=\{o2={\left(o{2}_{s^2}\right)}_{s^2\in S^{2,\phi }}|o{2}_{s^2}\in [0,1]{,\left|\right|o2\left|\right|}_1=1\}$, where $o{2}_{s^2}$ is the probability that the planner sends a signal $s^2$ about their attacker type. Then ${\Delta }_{o2}={\bigcup }_{\phi \in \Phi }{\Delta }_{o2}^{\phi }$ is the collection of all the mixed strategies about the attacker type.

3.2.3. Game Process

The game begins with the planner committing to a signaling scheme ${\pi }_o=({\pi }_{o1},{\pi }_{o2})$, where ${\pi }_{o1}:\Theta \times \Phi \to {\Delta }_{o1}$ is the planner’s signaling scheme about their payment type, that is, ${\pi }_{o1}(\theta ,\phi )$ represents the signaling scheme of the planner with payment type $\theta$ and the attacker type $\phi$; ${\pi }_{o1}\left(s^1\right|\theta ,\phi )$ is the probability that they send signal $s^1$, ${\pi }_{o1}\left(s^1\right|\theta )={\sum }_{\phi \in \Phi }{\pi }_{o1}\left(s^1\right|\theta ,\phi )$ is the probability that the planner with payment type $\theta$ sends signal $s^1$. Similarly, ${\pi }_{o2}:\Theta \times \Phi \to {\Delta }_{o2}$ is the planner’s signaling scheme regarding the attacker type.

Then, after receiving the signal $(s^1,s^2)$, the defender updates their belief on the planner’s type according to Bayes’ rule, which is the posterior probability. The posterior probability about the payment type is

$${\mu }^{pt}\left(\theta \right|s^1)={\displaystyle \frac{p^{pt}\left(\theta \right){\pi }_{o1}\left(s^1\right|\theta )}{{\sum }_{{\theta }^{\prime }\in \Theta }{p}^{pt}\left({\theta }^{\prime }\right){\pi }_{o1}\left(s^1\right|{\theta }^{\prime })}}={\displaystyle \frac{p^{pt}\left(\theta \right){\sum }_{\phi \in \Phi }{\pi }_{o1}\left(s^1\right|\theta ,\phi )}{{\sum }_{{\theta }^{\prime }\in \Theta }{p}^{pt}\left({\theta }^{\prime }\right){\sum }_{\phi \in \Phi }{\pi }_{o1}\left(s^1\right|{\theta }^{\prime },\phi )}},$$

(6)

and the posterior probability about the attacker type of planner with payment type $\theta$ is

$${\mu }^{an}\left(\phi \right|\theta ,s^2)={\displaystyle \frac{p^{pt}\left(\theta \right)p^{\theta }\left(\phi \right){\pi }_{o2}\left(s^2\right|\theta ,\phi )}{{\sum }_{{\phi }^{\prime }\in \Phi }{p}^{pt}\left(\theta \right)p^{\theta }\left({\phi }^{\prime }\right){\pi }_{o2}\left(s^2\right|\theta ,{\phi }^{\prime })}}={\displaystyle \frac{p^{\theta }\left(\phi \right){\pi }_{o2}\left(s^2\right|\theta ,\phi )}{{\sum }_{{\phi }^{\prime }\in \Phi }{p}^{\theta }\left({\phi }^{\prime }\right){\pi }_{o2}\left(s^2\right|\theta ,{\phi }^{\prime })}}.$$

(7)

Then the posterior probability that the planner’s payment type is $\theta$ and attacker’s type is $\phi$ is $\mu (\theta ,\phi |s^1,s^2)={\mu }^{pt}\left(\theta \right|s^1)·{\mu }^{an}\left(\phi \right|\theta ,s^2)$. Subsequently, the defender chooses a defense strategy based on their posterior belief to protect targets; we denote their strategic scheme as ${\pi }_d:S^1\times S^2\to SD$, that is, ${\pi }_d(s^1,s^2)={\left({\pi }_d\left(j\right|s^1,s^2)\right)}_{j\in \left[N\right]}$ represents the strategy that the defender takes after receiving the signal $s^1,s^2$ and ${\pi }_d\left(j\right|s^1,s^2)\in \{0,1,2\}$ is the defense level of the defender at target j at this time.

Finally, the planner arranges for the attackers to carry out the attack and the strategic scheme is ${\pi }_a:\Theta \times \Phi \times S^1\times S^2\to SA$; ${\pi }_a(\theta ,\phi ,s^1,s^2)={\left({\pi }_a\left(ij\right|\theta ,\phi ,s^1,s^2)\right)}_{i\in \left[\right|\left|\phi \right|{|}_1],j\in \left[N\right]}$ is the attacker arrangement strategy adopted by the planner with payment type $\theta$ and attacker type $\phi$ when sending signals $s^1,s^2$ and ${\pi }_a\left(ij\right|\theta ,\phi ,s^1,s^2)\in \{0,1\}$ represents the case where the i-th attacker is scheduled to attack target j at this time. The game process is shown in Figure 1.

3.2.4. Utility of Both Sides

After receiving the signal $s^1,s^2$, the defender’s loss function is

$$L^{s^1,s^2}({\pi }_o,{\pi }_d,{\pi }_a)=\sum _{\theta \in \Theta }\sum _{\phi \in {\Phi :\left|\right|\phi \left|\right|}_1\ge s^2}\mu (\theta ,\phi |s^1,s^2)·L^D({\pi }_d(s^1,s^2),{\pi }_a(\theta ,\phi ,s^1,s^2)).$$

(8)

The utility function of the planner with payment type $\theta$ and the attacker type $\phi$ when sending signal $s^1,s^2$ is

$$U_{s^1,s^2}^{\theta ,\phi }({\pi }_d,{\pi }_a)=U^{\theta ,\phi }({\pi }_d(s^1,s^2),{\pi }_a(\theta ,\phi ,s^1,s^2))-ind(s^1,\theta )·d{c}_1-ind(s^2{,\left|\right|\phi \left|\right|}_1)·d{c}_2,$$

(9)

where ${\displaystyle ind(a,b)=\left\{\begin{array}{c}0,a=b\hfill \\ 1,a\ne b\hfill \end{array}\right.}$ is indicator function. Thus, the total expected utility of the planner of type $\theta$ and attacker type $\phi$ is

$$U_{AP}^{\theta ,\phi }({\pi }_o,{\pi }_d,{\pi }_a)=\sum _{s^1\in S^1}\sum _{s^2\in S^{2,\phi }}{\pi }_{o1}\left(s^1\right|\theta ,\phi )·{\pi }_{o2}\left(s^2\right|\theta ,\phi )·U_{s^1,s^2}^{\theta ,\phi }({\pi }_d(s^1,s^2),{\pi }_a(\theta ,\phi ,s^1,s^2)),$$

(10)

which corresponds to the gains of the i-th attacker, which are shown as

$$U_i^{\theta ,\phi }({\pi }_o,{\pi }_d,{\pi }_a)=\sum _{s^1\in S^1}\sum _{s^2\in S^{2,\phi }}{\pi }_{o1}\left(s^1\right|\theta ,\phi )·{\pi }_{o2}\left(s^2\right|\theta ,\phi )·U^{\theta ,\phi ,i}({\pi }_d(s^1,s^2),{\pi }_a(\theta ,\phi ,s^1,s^2)).$$

(11)

3.2.5. The Equilibrium

For each planner with the payment type $\theta$ and the attacker type $\phi$, given the signaling strategy ${\pi }_o$ and defender strategy ${\pi }_d$, let $f_k\left({\pi }_a\right)=U_k^{\theta ,\phi }({\pi }_o,{\pi }_d,{\pi }_a),k={1,\dots ,\left|\right|\phi \left|\right|}_1$; then, by solving the Pareto optimal solutions of the multi-objective problem

$$ma{x}_{{\pi }_a}f=(f_1\left({\pi }_a\right),\dots ,f_k\left({\pi }_a\right),\dots ,f_{{\left|\right|\phi \left|\right|}_1}\left({\pi }_a\right)),$$

we can obtain a Pareto optimal set, denoted as $ParS{A}^{\theta ,\phi }$. In Definition 1, we give the specific definition of the model equilibrium solution.

Definition 1. 

The strategy profile $({\pi }_o^{*},{\pi }_d^{*},{\pi }_a^{*})$ is called an equilibrium solution of model if and only if

• ${\pi }_o^{*}=<{\pi }_{o1}^{*}(\theta ,\phi ),{\pi }_{o2}^{*}(\theta ,\phi )>=argma{x}_{{\pi }_{o1},{\pi }_{o2}}{U}_{AP}^{\theta ,\phi }({\pi }_o,{\pi }_d^{*},{\pi }_a^{*}),\forall \theta ,\phi$
• ${\pi }_d^{*}(s^1,s^2)=argmi{n}_{{\pi }_d}{L}^{s^1,s^2}({\pi }_o^{*},{\pi }_d,{\pi }_a^{*}),\forall s^1,s^2$
• ${\pi }_a^{*}(\theta ,\phi )=argma{x}_{{\pi }_a\in ParS{A}^{\theta ,\phi }}{U}_{AP}^{\theta ,\phi }({\pi }_o^{*},{\pi }_d^{*},{\pi }_a),\forall \theta ,\phi .$

3.3. Motivating Example

To explain the model more intuitively, we give an example. Assume there are three targets and the set is $T=\{t_1,t_2,t_3\}$, and the planner has two payment types $\Theta =\{{\theta }_1,{\theta }_2\}$ and two attacker types $\Phi =\{{\phi }_1,{\phi }_2\}$. The specific values are shown in

Table 2. Motivation example.

Variable	Value
N	3
m	2
$p_1$	[0.5 0.5]
M	2
$p_2$	[0.5 0.5]
$\alpha$	0.01
$v^d$	[5000 3000 2000]
$\Theta$	[2000 5000 2000;5000 5000 3000]
$bs$	[50 30]
$\Phi$	[1 0;1 1]
$u_1$	50
$u_2$	[30 50]
$a{c}_1$	[2 1 3]
$a{c}_2$	[1.5 2 1;1 3 2]
$dc$	[3 3]
c	[0 20 30]
B	40

.

When the planner chooses to reveal the true type, we can compute the SSE of this game. For the planner with payment type ${\theta }_1$ and attacker type ${\phi }_1$, the defender strategy is $(0,2,0)$, i.e., they choose to implement a high-level defense against target $t_2$, which makes sense because target $t_2$ is of the highest value to the planner with payment type ${\theta }_1$; the corresponding attack strategy is ‘$t_3$’. For a planner with payment type ${\theta }_1$ and attacker type ${\phi }_2$ where the defender chooses not to defend, the corresponding attack strategy is $(t_3,t_2)$, i.e., arrange for a strong attacker to attack target $t_3$ and a weak attacker to attack target ‘$t_2$’. For a planner with payment type ${\theta }_2$ and attacker type ${\phi }_1$ where the defender chooses not to defend, the corresponding attack strategy is $t_2$. For a planner with payment type ${\theta }_2$ and attacker type ${\phi }_2$ where the defender implements a high level of defense against the target $t_1$, the corresponding attack strategy is $(t_3,t_2)$. Under the strategy profile, the loss suffered by the defender was 3750, and the gain gained by the planner was 5633. The game tree is shown in Figure 2.

When the planner first commits to a signaling strategy, the planner with payment type ${\theta }_1$ and the attacker with type ${\phi }_1$ will mislead the defender into thinking that their payment type is ${\theta }_2$ by sending signals, causing the defender to mistake target $t_1$ as the most valuable to them, and will thus choose to implement a high-level defense against target $t_1$. In this case, the planner will choose to attack the target $t_2$ so that it benefits and the defender loses. Similarly, the planner with payment type ${\theta }_2$ and an attacker of type ${\phi }_2$ misleads the defender into thinking that their attacker type is ${\phi }_1$ by sending signals, making them gain and causing the defender to suffer losses. With the signaling strategy, the defender ultimately suffered a loss of 4022.5, while the planner made a gain of 6623.5. The game tree is given in Figure 3. It is observed that the outcomes for both parties are more pronounced when a signaling strategy is employed. This instance illustrates that the planner’s deception can lead to increased benefits for themselves, simultaneously resulting in more significant detriments for the defender.

4. Equilibrium Computation

In the introduced model, it is acknowledged that the planner’s strategy involves the transmission of two distinct signals, each necessitating individual calculation. It substantially increases the complexity of the resolution procedure. To address this issue, we propose a model simplification. Then, a tri-level programming framework is formulated based on the game process, and a decomposition algorithm is subsequently applied to solve it.

4.1. Modified Model

We propose a model simplification by considering all possible combinations of the two signals. This approach not only reduces the computational burden but also maintains the strategic essence of the signaling process, ensuring that the model remains a faithful representation. Specifically, the planner has $m·M$ possible combinations of types, so the set of types can be reformulated into $TY=\{t{y}^{\theta ,\phi }=(\theta ,\phi )|\theta \in \Theta ,\phi \in \Phi \}$. Then, the set of all types with payment type $\theta$ is represented as $T{Y}^{\theta }=\{t{y}^{\theta ,\phi }=(\theta ,\phi )|\phi \in \Phi \}$ and the set of all types with attacker type $\phi$ is represented as $T{Y}^{\phi }=\{t{y}^{\theta ,\phi }=(\theta ,\phi )|\theta \in \Theta \}$. The corresponding prior probability is $p^{ty}:TY\to [0,1]$, where $p^{ty}\left(t{y}^{\theta ,\phi }\right)=p^{pt}\left(\theta \right)·p^{\theta }\left(\phi \right)$. Rewrite the set of signals sent by the planner as $S=\{s=(s^1,s^2)|s^1\in S^1,s^2\in S^2\}$. Denote the set of signals for each type $t{y}^{\theta ,\phi }$ as $S^{t{y}^{\theta ,\phi }}=\{s=(s^1,s^2)|s^1\in S^1,s^2\in S^{2,\phi }\}$, and the corresponding mixed signal strategy set is ${\Delta }_o^{t{y}^{\theta ,\phi }}=\{o={\left(o_s\right)}_{s\in S^{t{y}^{\theta ,\phi }}}|o_s\in [0,1],\left|\right|o_s{\left|\right|}_1=1\}=\{o={\left(o_s\right)}_{s\in S}|o_s\in [0,1],\left|\right|o_s{\left|\right|}_1=1,o_s=0\forall s_2{>\left|\right|\phi \left|\right|}_1\}$; set ${\Delta }_o={\bigcup }_{ty\in TY}{\Delta }_o^{t{y}^{\theta ,\phi }}$. With a slight abuse of the notation, denote the modified signaling strategy as ${\pi }_o:TY\to {\Delta }_o$, and ${\pi }_o\left(s\right|t{y}^{\theta ,\phi })$ is the probability that the planner with type $t{y}^{\theta ,\phi }$ sends the signal s. Then, accordingly, the defender’s strategy scheme is ${\pi }_d:S\to SD$, where ${\pi }_d\left(s\right)=({\pi }_d\left(1\right|s),\dots ,{\pi }_d\left(N\right|s))$ is the defender’s strategy after receiving the signal s, and ${\pi }_d\left(j\right|s)\in \{0,1,2\}$ represents the defense level in the j-th target. The planner’s attack scheme is ${\pi }_a:TY\times S\to SA$, where ${\pi }_a(t{y}^{\theta ,\phi },s)={\left({\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)\right)}_{i\in \left[\right|\left|\phi \right|{|}_1],j\in \left[N\right]}$ is the attack strategy after the planner with type $t{y}^{\theta ,\phi }$ sends the signal s and ${\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)\in \{0,1\}$. After receiving the signal s, the defender’s belief that the planner type is $t{y}^{\theta ,\phi }$ is redenoted as $\mu \left(t{y}^{\theta ,\phi }\right|s)={\displaystyle \frac{p^{ty}\left(t{y}^{\theta ,\phi }\right)·{\pi }_o\left(s\right|t{y}^{\theta ,\phi })}{{\sum }_{ty\in TY}{p}^{ty}\left(ty\right)·{\pi }_o\left(s\right|ty)}}$. Then, combined with Equations (2), (4) and (10), the total utility function of the planner is   

$$\begin{array}{c}{U}^{to}({\pi }_o,{\pi }_d,{\pi }_a)=\sum _{t{y}^{\theta ,\phi }\in TY}{p}^{ty}\left(t{y}^{\theta ,\phi }\right)\sum _{s\in S^{t{y}^{\theta ,\phi }}}{\pi }_o\left(s\right|t{y}^{\theta ,\phi })·\hfill \\ \hfill (\sum _{j=1}^N{q}_j({\pi }_d\left(s\right),{\pi }_a(t{y}^{\theta ,\phi },s))v_j^{\theta }-\sum _{i=1}^{{\left|\right|\phi \left|\right|}_1}{U}_i^{t{y}^{\theta ,\phi }}-ind(s^1,\theta )·d{c}_1-ind(s^2,\phi )·d{c}_2),\end{array}$$

(12)

where $U_i^{t{y}^{\theta ,\phi }}$ is the income of the i-th attacker hired by the planner with type $t{y}^{\theta ,\phi }$; that is

$$U_i^{t{y}^{\theta ,\phi }}=u_i^{\phi }+\sum _{j=1}^N{\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)q_j({\pi }_d\left(s\right),{\pi }_a(t{y}^{\theta ,\phi },s))·{\displaystyle \frac{\alpha v_j^{\theta }}{{\pi }_a{(t{y}^{\theta ,\phi },s)}_j^3}}-\sum _{j=1}^N{\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)a{c}_{ij}^{\phi }.$$

(13)

Combined with Equations (1) and (8), the total loss function of the defender is

$$\begin{array}{c}{L}^{to}({\pi }_o,{\pi }_d,{\pi }_a)=\sum _{s\in S}\sum _{t{y}^{\theta ,\phi }\in TY}{\pi }_o\left(s\right|t{y}^{\theta ,\phi })·\hfill \\ \hfill \sum _{t{y}^{\theta ,\phi }\in {TY:\left|\right|\phi \left|\right|}_1\ge s^2}\mu \left(t{y}^{\theta ,\phi }\right|s)\sum _{j=1}^N(q_j({\pi }_d\left(s\right),{\pi }_a(t{y}^{\theta ,\phi },s))v_j^d+c_{{\pi }_d\left(j\right|s)+1}).\end{array}$$

(14)

4.2. Tri-Level Programming

In this section, based on the game process, we delineate the D-APD model as a tri-level programming framework that encapsulates the strategic interactions between an attack planner and a defender, as depicted in Figure 4. The following discussion provides an in-depth exposition of this tri-level programming framework.

4.2.1. Signaling-Level Problem

At the beginning of the game, the planner chooses a signaling strategy to confuse the defender and thus make their own gains greater. Therefore, the first level is the signaling-level (SL), where the planner chooses a signal strategy designed to mislead the defender’s decision-making process to achieve greater benefits. Formally, the SL problem optimizes the planner’s utility and finds the corresponding optimal signaling strategy and is denoted by $P1$:   

$$\begin{array}{ccc}\hfill P1:ma{x}_{{\pi }_o}& U^{to}({\pi }_o,{\pi }_d^{*},{\pi }_a^{*})\hfill & \hfill \left(1\mathrm{a}\right)\\ \hfill \mathit{\text{s.t.}}& {\pi }_o\left(s\right|t{y}^{\theta ,\phi })\in [0,1],\forall s\in S,t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(1\mathrm{b}\right)\\ \hfill & \sum _{s\in s}{\pi }_o\left(s\right|t{y}^{\theta ,\phi })=1,\forall t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(1\mathrm{c}\right)\\ \hfill & {\pi }_o\left(s\right|t{y}^{\theta ,\phi })=0for{s}^2{>\left|\right|\phi \left|\right|}_1,\forall t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(1\mathrm{d}\right)\end{array}$$

In $P1$, the objective function (1a) represents the planner’s objective to maximize their utility. The decision is to determine the probability of sending each signal. Constraint (1b) and (1c) ensure the validity of the decision variable. Constraint (1d) illustrates the feasibility of the decision variable, that is, the planner can only send the signal with a smaller number of attackers than the actual number of hired attackers.

4.2.2. Defense-Level Problem

Upon receiving the signal from the planner, the defender updates their beliefs in light of the received signals, and accordingly, chooses a defense strategy, aiming to minimize their loss. Thus, the second level, designated as the defense-level (DL), is designed to identify a defense strategy for the defender that minimizes the potential loss. This level is mathematically formalized as $P2$:

$$\begin{array}{ccc}\hfill P2:mi{n}_{{\pi }_d}& L^{to}({\pi }_o^{*},{\pi }_d,{\pi }_a^{*})\hfill & \hfill \left(2\mathrm{a}\right)\\ \hfill \mathit{\text{s.t.}}& \sum _{j=1}^N{c}_{{\pi }_d\left(j\right|s)+1}\le B\hfill & \hfill \left(2\mathrm{b}\right)\\ \hfill & {\pi }_d\left(j\right|s)\in \{0,1,2\},\forall j\in \left[N\right],s\in S\hfill & \hfill \left(2\mathrm{c}\right)\end{array}$$

In $P2$, the objective function (2a) is to minimize the defender’s loss. Constraint (2b) indicates that the defense cost cannot exceed its budget. Constraint (2c) sets a ternary restriction on defense decisions.

4.2.3. Attack-Level Problem

After observing the defense strategy, the planner arranges for the attackers to attack a subset of targets and the game ends. Consequently, the third and final level, known as the attack-level (AL), involves the planner deploying the attackers to execute an attack strategy that maximizes the utility. Specifically, in the AL problem, the decision is to decide the specific target for each attacker. It is essential to consider the individual benefits of each attacker simultaneously in formulating the attack strategy, ensuring that the strategy aligns with the Pareto optimal solutions within the multi-objective framework defined by the attackers’ benefits. This problem is formalized as $P3$:

$$\begin{array}{ccc}\hfill P3:ma{x}_{{\pi }_o}& U^{to}({\pi }_o^{*},{\pi }_d^{*},{\pi }_a)\hfill & \hfill \left(3\mathrm{a}\right)\\ \hfill \mathit{\text{s.t.}}& {\pi }_a(t{y}^{\theta ,\phi },s)\in ParS{A}^{t{y}^{\theta ,\phi }},\forall s\in S\hfill & \hfill \left(3\mathrm{b}\right)\\ \hfill & \sum _{j=1}^N{\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)=1,\forall i\in {\left[\right|\left|\phi \right||}_1],s\in S,t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(3\mathrm{c}\right)\\ \hfill & {\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)\in \{0,1\},\forall i\in {\left[\right|\left|\phi \right||}_1],j\in \left[N\right],s\in S,t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(3\mathrm{d}\right)\end{array}$$

In $P3$, the objective function (3a) is to maximize the planner’s payoffs. Constraint (3c) states that each attacker can only attack one target. Constraint (3d) sets a binary restriction on attack decisions. Constraint (3b) guarantees a profit for each attacker. Formally, for the planner with type $t{y}^{\theta ,\phi }$, let $g_k\left({\pi }_a\right)=U_k^{t{y}^{\theta ,\phi }}({\pi }_o,{\pi }_d,{\pi }_a),k={1,\dots ,\left|\right|\phi \left|\right|}_1$; then, $ParS{A}^{t{y}^{\theta ,\phi }}$ is the Pareto optimal set for the following multi-objective problem $P4$.

$$\begin{array}{ccc}\hfill P4:ma{x}_{{\pi }_a}& g=(g_1\left({\pi }_a\right),\dots ,g_k\left({\pi }_a\right),\dots ,g_{{\left|\right|\phi \left|\right|}_1}\left({\pi }_a\right))\hfill & \hfill \left(4\mathrm{a}\right)\\ \hfill \mathit{\text{s.t.}}& \sum _{j=1}^N{\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)=1,\forall i\in {\left[\right|\left|\phi \right||}_1],s\in S\hfill & \hfill \left(4\mathrm{b}\right)\\ \hfill & {\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)\in \{0,1\},\forall i\in {\left[\right|\left|\phi \right||}_1],j\in \left[N\right],s\in S\hfill & \hfill \left(4\mathrm{c}\right)\end{array}$$

4.3. Algorithm Description

Solving tri-level programming problems is inherently complex, with even the most straightforward scenarios being NP-hard [60]. The extant algorithms for addressing these problems are primarily divided into exact and heuristic methods. Exact algorithms encompass implicit enumeration [61,62], reformation techniques [63] and decomposition algorithms [37,64]. However, implicit enumeration is limited to very small-scale problems. The reformation technique is tailored to problems with continuous lower-level decision variables, which does not align with the discrete variables present in our model. Consequently, the decomposition algorithm has garnered widespread application in research due to its effectiveness. The crux of employing this algorithm lies in its successful decomposition of the problem. Heuristic algorithms are also favored for their swift computation times [65]. But it may yield suboptimal solutions. So, the column and constraint generation algorithm (C&CG) has been introduced as an extension of decomposition algorithms [66,67]. While previous C&CG algorithms are tailored to solve min–max–min or max–min–max problems, they are not directly applicable to the model presented in this paper. In response, we extend the decomposition algorithm and devise a customized decomposition algorithm based on a genetic algorithm (DA-GA) for the tri-level programming problem outlined herein. Our proposed algorithm operates within a master-subproblem framework. The master problem (MP) is tasked with determining the signal strategy, while the subproblem (SP) is designed to extract a defense strategy for a given signal strategy. We will now delve into the construction and computation of both the master problem and subproblem, as well as the intricate process of our customized DA-GA. Given that the resolution of the master problem and subproblem is contingent upon the solution of the lowest attack level problem, we initially present a detailed methodology for addressing the attack level problem in Section 4.3.1, prior to discussing the master problem and subproblem in depth.

4.3.1. Attack-Level Algorithm

The implementation steps of the AL problem’s algorithm are demonstrated in Algorithm 1. In fact, the essence of resolving the attack-level problem $P3$ lies in addressing the multi-objective problem $P4$. Given the vast number of strategy combinations available to planners of various types, a direct computational approach would incur significant computational expense. However, since the problem-solving process for planners of different types is analogous and their decisions are mutually independent, we can substantially mitigate computational costs by addressing each type of planner separately. Furthermore, the dimensionality of the attack scheduling strategy space escalates exponentially as the number of hired attackers increases, making it impractical to identify all Pareto optimal solutions by exhaustively examining each potential attack strategy. Leveraging the effectiveness of the NSGA-II algorithm in tackling multi-objective problems, this paper introduces a genetic algorithm (GA) tailored to problem $P4$. Taking the planner with type $t{y}^{\theta ,\phi }$ as an example, when they send signal s, the specific steps are as follows:

0.

Code: The planner’s attack scheduling strategy is a $0-1$ matrix with size ${\left|\right|\phi \left|\right|}_1\times N$, so we first need to encode it. Specifically, we encode each attack scheduling strategy as an ${\left|\right|\phi \left|\right|}_1$-dimensional row vector with elements in set $\left[N\right]$. For example, a strategy $\left(\begin{array}{ccccc}1& 0& 0& 0& 0\\ 0& 0& 0& 0& 1\\ 0& 0& 1& 0& 0\end{array}\right)$ can be encoded as $(1,5,3)$, which represents that the 1-th attacks the 1-th target, the 2-th attacks the 5-th target and the 3-th attacks the 3-th target. In fact, the number of columns in each row of the policy matrix with the value of 1 is taken as the encoding of the policy.

1.

Determine an initial population P consisting of n individuals that meet the constraints;

2.

Calculate the fitness $f=(f_1,f_2)$ of each individual in P;

(1)

For $f_1$:

• Calculate the function value for each individual on each objective;
• For each individual p, calculate the number of individuals $n_p$ that dominate it and the set of individuals $S_p$ that it dominates;
• Set the $f_1$ of the individuals with $n_p=0$ to 1, and the set of these individuals to ${\mathcal{F}}_1$, then subtract the $n_p$ values of the individuals in $S_p$ by 1; then, set the $f_1$ of the individuals with $n_p=0$ at this time to 2, the set of these individuals to ${\mathcal{F}}_2$, and so on until the $f_1$ of each individual is calculated.

(2)

For $f_2$, solve it for each individual in ${\mathcal{F}}_l$ in $\left(1\right)$ separately:

• For each individual i in ${\mathcal{F}}_l$, let i’s crowding distance $L{\left[i\right]}_d=0$;
• Calculate the m-th function value for each individual and sort them in ascending order according to these values;
• In order to give individuals on the edge a selection advantage, let $L{\left[1\right]}_d=L{\left[end\right]}_d=inf$; that is, after sorting, let the crowding distance of the first and last individuals be infinity. Then for the other individuals $i=2,\dots ,|{\mathcal{F}}_l|-1$

  $$L{\left[i\right]}_d=L{\left[i\right]}_d+(L{[i+1]}_m-L{[i-1]}_m)/(f_m^{max}-f_m^{min})$$

  where $L{[i+1]}_m$ and $L{[i-1]}_m$ represent the m-th objective function value for the $(i+1)$-th and $(i-1)$-th individuals, and $f_m^{max}$ and $f_m^{min}$ represent the maximum and minimum values of the m-th objective function of the individuals in ${\mathcal{F}}_l$, respectively;
• The above three steps are repeatedly calculated for each objective function, and the crowding distance obtained when each individual corresponds to different objective functions is added up to obtain the final crowding distance, which is denoted as $f_2$.

3.

By selecting, crossing and mutating for P, a new population Q is generated;

(1)

Selection operator: The selection is based on fitness using the binary tournament method. Randomly select two individuals for comparison, select the better individual to enter the next generation and repeat this operation until we select enough n individuals where an individual p is better than an individual q, if, and only if, the $f_1$ of p is less than q or the $f_1$ of p is equal to q and the $f_2$ of p is greater than q. That is, compare the rank first; the individual with a lower rank is better, individuals with an equal rank have a comparative crowding distance, and individuals with larger crowding distances are better;

(2)

Crossover operator: For two individuals in the population, a location is randomly selected and the genes at that location are exchanged with a certain probability;

(3)

Mutation operator: In order to ensure the diversity of the population and avoid falling into the local optimal situation, the individuals in the population are randomly selected in a position and the genes at that position are changed.

4.

According to step 2, calculate the fitness of each individual in $P\bigcup Q$;

5.

Selection* operator: Select the n individuals in $P\bigcup Q$ as the offspring; if there is an l, that makes ${\sum }_{i=1}^l\left|{\mathcal{F}}_i\right|=n$ true, so $P={\bigcup }_{i=1}^l{\mathcal{F}}_i$ is the offspring population. Otherwise, when l satisfies the conditions ${\sum }_{i=1}^{l-1}\left|{\mathcal{F}}_i\right|<n$ and ${\sum }_{i=1}^l\left|{\mathcal{F}}_i\right|>n$, the individuals in ${\mathcal{F}}_l$ are sorted in descending order of crowding distance $\left(f_2\right)$, and then the first $(n-{\sum }_{i=1}^{l-1}|{\mathcal{F}}_i\left|\right)$ individuals are selected to form offspring P together with ${\bigcup }_{i=1}^{l-1}{\mathcal{F}}_i$;

6.

Return to step 3 and loop until the termination condition is satisfied, and finally obtain a Pareto optimal solution set.

Algorithm 1: GA for AL problem

4.3.2. Master Problem

First, we construct and solve a master problem by considering a subset of the defense strategy schemes to obtain a signaling strategy. Specifically, we give a set of defense strategies ${\widehat{\mathrm{\Pi }}}_d=\{{\widehat{\pi }}_d^1,\dots ,{\widehat{\pi }}_d^h,\dots ,{\widehat{\pi }}_d^H\}$, where h represents the iteration index. For each ${\widehat{\pi }}_d^h$, we define a attack scheme ${\pi }_a^h$. Then the master problem can be formulated as follows:

$$\begin{array}{ccc}\hfill P5:ma{x}_{{\pi }_o,{\pi }_a^h}& U^{to}({\pi }_o,{\widehat{\pi }}_d^h,{\pi }_a^h)\hfill & \hfill \left(5\mathrm{a}\right)\\ \hfill \mathit{\text{s.t.}}& {\pi }_o\left(s\right|t{y}^{\theta ,\phi }\in [0,1],\forall s\in S,t{y}^{\theta ,\phi }\in TY)\hfill & \hfill \left(5\mathrm{b}\right)\\ \hfill & \sum _{s\in S}{\pi }_o\left(s\right|t{y}^{\theta ,\phi })=1,\forall t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(5\mathrm{c}\right)\\ \hfill & {\pi }_o\left(s\right|t{y}^{\theta ,\phi })=0for{s}^2{>\left|\right|\phi \left|\right|}_1,\forall t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(5\mathrm{d}\right)\\ \hfill & {\pi }_a^h(t{y}^{\theta ,\phi },s)\in ParS{A}^{t{y}^{\theta ,\phi }},\forall s\in S,h\in \left[H\right]\hfill & \hfill \left(5\mathrm{e}\right)\\ \hfill & \sum _{j=1}^N{\pi }_a^h\left(ij\right|t{y}^{\theta ,\phi },s)=1,\forall i\in {\left|\right|\phi \left|\right|}_1,s\in S,t{y}^{\theta ,\phi }\in TY,h\in \left[H\right]\hfill & \hfill \left(5\mathrm{f}\right)\\ \hfill & {\pi }_a^h\left(ij\right|t{y}^{\theta ,\phi },s)\in \{0,1\},\forall i\in {\left|\right|\phi \left|\right|}_1,j\in \left[N\right],s\in S,t{y}^{\theta ,\phi }\in TY,h\in \left[H\right]\hfill & \hfill \left(5\mathrm{g}\right)\end{array}$$

The planner’s signaling strategy is crafted specifically to mislead the defender, and as such, it exerts a direct influence on the defense strategy within the middle-level problem. Then problem $P5$ effectively translates into a linear programming problem, in which, the dimensions of columns and constraints are finite and the constraints (5e) can be effectively addressed using Algorithm 1. So the master problem can be solved directly in polynomial time by using a professional linear programming solver.

4.3.3. Subproblem

The subproblem is centered on determining the defender’s strategy in response to a predefined signaling strategy ${\pi }_o^{*}$. It is important to recognize that the subproblem is concerned solely with deriving the defender’s strategy. The defender’s eventual loss, the corresponding attack strategy and the planner’s utility are all contingent upon the defender’s potentially incorrect perception of the planner’s intentions. These outcomes, which are based on this misaligned cognition, require further analysis and are addressed in the attack-level problem. Then, the subproblem is constructed as the following bilevel problem:

$$\begin{array}{ccc}\hfill P6:mi{n}_{{\pi }_d}& L^{to}({\pi }_o^{*},{\pi }_d,{\pi }_a)\hfill & \hfill \left(6\mathrm{a}\right)\\ \hfill ma{x}_{{\pi }_a}& U^{to}({\pi }_o^{*},{\pi }_d,{\pi }_a)\hfill & \hfill \left(6\mathrm{b}\right)\\ \hfill \mathit{\text{s.t.}}& \sum _{j=1}^N{c}_{{\pi }_d\left(j\right|s)+1}\le B\hfill & \hfill \left(6\mathrm{c}\right)\\ \hfill & {\pi }_a(t{y}^{\theta ,\phi },s)\in ParS{A}^{t{y}^{\theta ,\phi }},\forall s\in S\hfill & \hfill \left(6\mathrm{d}\right)\\ \hfill & \sum _{j=1}^N{\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)=1,\forall i\in {\left[\right|\left|\phi \right||}_1],s\in S,t{y}^{\theta ,\phi }\in TY\hfill & \hfill \left(6\mathrm{e}\right)\\ \hfill & {\pi }_d\left(j\right|s)\in \{0,1,2\},\forall j\in \left[N\right],s\in S\hfill & \hfill \left(6\mathrm{f}\right)\\ \hfill & {\pi }_a\left(ij\right|t{y}^{\theta ,\phi },s)\in \{0,1\},\forall i\in {\left[\right|\left|\phi \right||}_1],j\in \left[N\right],s\in S\hfill & \hfill \left(6\mathrm{g}\right)\end{array}$$

This problem’s complexity arises from the vast number of possible defense strategy combinations for each signal, and the dimension of the defense strategy space grows exponentially with an increasing number of targets. To address this, we employ a genetic algorithm to find solutions for each signal that the defender might receive. Each defense strategy is represented as an N-dimensional row vector with elements from the set $\{0,1,2\}$, and these vectors are used directly as chromosomes without the need for additional encoding. The defender’s objective is to minimize their loss; that is, an individual with a lower loss function value would conventionally be considered more advantageous. Thus, we instead define the fitness of each individual as $f={\sum }_{j=1}^N{v}_j^d-L$. Here, L represents the objective function value that corresponds to the defender’s strategy under misperception. It is essential to note that during the algorithm’s iterative process, we must evaluate whether the individuals in each new generation adhere to the budget constraints. This is a critical step to ensure that the solutions remain feasible within the given parameters. With the signaling scheme ${\pi }_o^{*}$ as a given, the detailed steps of the algorithm are provided in Algorithm 2.

Algorithm 2: GA for SP

4.3.4. Customized Decomposition Algorithm Based on Genetic Algorithm

To solve the tri-level programming problem in this paper, we propose a customized decomposition algorithm based on a genetic algorithm. Since the goal of the algorithm is to maximize the utility of the planner, first make $\underline{P}=\infty$ starting with ${\widehat{\mathrm{\Pi }}}_d=\varnothing$, representing that the defender does not defend against any target, and then make the utility greater by comparing the utility with $\underline{P}$ after each iteration. At each iteration, solve the MP for the defense scheme ${\widehat{\mathrm{\Pi }}}_d$ and obtain a signal scheme ${\widehat{\pi }}_o$. Then for this ${\widehat{\pi }}_o$, solve SP using Algorithm 2; obtain the defense scheme ${\widehat{\pi }}_d^h$ and let ${\widehat{\mathrm{\Pi }}}_d={\widehat{\mathrm{\Pi }}}_d\bigcup {\widehat{\pi }}_d^h$. Subsequently, solve the AL problem using Algorithm 1 and obtain the objective function value $ob{j}_{AL}$ and corresponding attack scheme ${\widehat{\pi }}_a$. Compare $ob{j}_{AL}$ and $\underline{P}$; if $ob{j}_{AL}$ is larger, update ${\pi }_o^{*},{\pi }_d^{*},{\pi }_a^{*},\underline{P}$ to ${\widehat{\pi }}_o,{\widehat{\pi }}_d^h,{\widehat{\pi }}_a,ob{j}_{AL}$, respectively, otherwise do not update. Then, add a variable and a corresponding set of constraints to MP, and continue solving until the iteration stops. It is important to note that the ${\pi }_o^{*},{\pi }_d^{*},{\pi }_a^{*}$ is the final strategy scheme, and U is given by $\underline{P}$, but L needs to solve $L^{to}({\pi }_o^{*},{\pi }_d^{*},{\pi }_a^{*})$ for the strategy profile $({\pi }_o^{*},{\pi }_d^{*},{\pi }_a^{*})$, and cannot be directly given by the objective function value of SP. This is because the SP is carried out under the wrong cognition formed by the defender after receiving the deception signal of the planner; the attack scheme is not the real strategy scheme taken by the planner. The specific steps are shown in Algorithm 3.

Algorithm 3: Customized DA-GA

5. Experiment and Analysis

In this section, we analyze the model through some numerical experiments. Suppose that the value of each target to both sides is divided into three levels according to their importance to both sides, and the specific values are 10,000, 15,000 and 25,000. $v^d$ and $v^{\Theta }$ are randomly selected among all combinations of the three levels. Let $bs=(350,200)$ and $\alpha =0.01$. Each element in the attacker’s cost matrix $ac$ takes a random value from $[0,50]$.

5.1. Algorithm Performance

In this section, we evaluate the computational performance of the customized DA-GA. Figure 5 illustrates that the algorithm is finitely convergent and influenced by the budget constraints and the number of targets. Specifically, the number of iterations increases as the budget increases, as evidenced by comparing (a) with (c) and (b) with (d) in Figure 5. This trend is attributed to the expansion of the strategy space with an increased budget, complicating the search for the optimal strategy and consequently increasing the iterations needed for convergence. Similarly, an increase in the number of targets also leads to a higher number of iterations, as demonstrated by the comparison between (a) and (b), and (c) and (d) in Figure 5.

Then, we have compared the runtime of the DA-GA algorithm introduced in this paper against the Enumeration Algorithm (EA). The comparative results are illustrated in Figure 6. It is observed that while the EA holds a marginal advantage in scenarios with a small number of targets, the DA-GA algorithm consistently outperforms EA when the number of targets exceeds four. The performance gap becomes particularly pronounced as the number of targets increases. For instance, when the target count reaches six, the EA’s execution time exceeds 500 min, demonstrating the computational inefficiency of EA at higher target volumes. In contrast, the DA-GA algorithm exhibits a significant performance advantage under these conditions. This comparative analysis underscores the efficiency of the DA-GA in solving complex problems involving multiple targets.

Furthermore, to validate the accuracy of the algorithm, we have compared its computational results with the exact algorithm, as depicted in the

Table 3. Effectiveness of DA-GA.

	B = 400		B = 600
N	EA	DA-GA	EA	DA-GA
3	$4.1894\times {10}^4$	$4.1894\times {10}^4$	$2.4163\times {10}^4$	$2.4163\times {10}^4$
4	$5.5653\times {10}^4$	$5.5653\times {10}^4$	$4.6396\times {10}^4$	$4.6399\times {10}^4$
5	$5.8032\times {10}^4$	$5.8039\times {10}^4$	$6.4190\times {10}^4$	$6.4192\times {10}^4$

. The findings indicate that the error margin of the DA-GA algorithm is confined within a narrow range.

5.2. The Impact of Defense Budgets

The impact of defense budgets on the planner’s utility is analyzed and presented in Figure 7. With an increase in the defense budget, the planner’s utility is observed to decrease in a stepwise pattern. This inverse relationship is logical, given that a larger defense budget enables broader target protection, which in turn lowers the probability of a successful attack and thus reduces the planner’s utility. Moreover, within a certain range of the defense budget, minor budget variations lead to negligible changes in the planner’s utility. This phenomenon occurs as minor budget adjustments do not substantially change the defender’s strategy. For example, a defense budget of 150 or 200 units allows the defender to provide only low-level protection for a single target. This analysis highlights the critical role of budget allocation in defense strategy.

5.3. The Impact of Signaling Strategy

Following the results from Section 5.2, in this section, we calculate the utility of the attack planner when the defense budget is 300, 450, 600, 750 and 900, respectively, with and without How to solve without the signaling strategy is in the Appendix A. the signaling strategy, and subsequently analyze the impact of the signaling strategy on the utility. For each subfigure (aa) in Figure 8a–e, we set $m=2,M=3$ and for each subfigure (bb) in Figure 8a–e, we set $N=5$. The findings indicate that the utility of the planner employing a signaling strategy exceeds that of the planner not employing such a strategy. This suggests a propensity for the planner to deceive the defender in order to reap greater benefits. Additionally, each (aa) in Figure 8 shows that an increase in the number of targets causes the planner’s utility to increase. This increase is logical, given that a constant defense budget implies that the defender cannot effectively protect all targets, facilitating the planner’s selection of high-value targets for attack to maximize their utility. Furthermore, each (bb) in Figure 8 exhibits a more pronounced difference in the planner’s utility between scenarios with and without signaling strategies compared to corresponding (aa). This suggests that signaling strategies are more responsive to the diversity of payment types than to the number of targets. With an increased number of payment types, the defender’s uncertainty about the planner’s intentions escalates, enabling the planner to exploit this uncertainty through signaling and to enhance the signal strategy’s effectiveness.

5.4. The Impact of Prior Probability

Furthering our investigation, we examine the impact of prior probability on the planner’s utility. To facilitate the analysis, we focus on a scenario involving solely two types of planners. We propose the following theorem:

Theorem 1. 

When there are two types of attack planner, there is a linear relationship between their utility and the prior probability of each type (the proof of this theorem is in the Appendix B).

We proceed to validate Theorem 1 through experimentation. The number of targets was fixed at five. Utilizing the outcomes from Section 5.2, we analyzed how the planner’s utility varied with changes in the prior probability across defense budgets of 300, 450, 600, 750 and 900, respectively. The findings are presented in Figure 9. The results demonstrate a linear decrease in the planner’s utility with an increase in prior probability, consistent with the predictions of Theorem 1. This trend is attributed to the reduction in the defender’s uncertainty about the planner’s type due to an elevated prior probability. Consequently, the defender protects the targets with increased precision, resulting in a corresponding decrease in the planner’s utility.

5.5. The Impact of Deception Cost

Our analysis further explores the influence of deception costs on signaling strategies, with a summary of the findings presented in

Table 4. The impact of deception costs on signaling strategy.

	Type	1	2	3	4	5
$dc$ = [0,50]	1	(1,1)	(2,1)	(1,1)	(2,1)	(2,1)
	2	(1,2)	(4,2)	(5,2)	(5,2)	(1,2)
	3	(1,3)	(5,3)	(3,3)	(3,3)	(1,3)
$dc$ = [10,50]	1	(3,1)	(5,1)	(2,1)	(5,1)	(5,1)
	2	(1,2)	(1,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(4,3)	(4,3)	(5,3)
$dc$ = [20,50]	1	(1,1)	(5,1)	(5,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(3,3)	(3,3)	(4,3)	(5,3)
$dc$ = [30,50]	1	(1,1)	(1,1)	(3,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [40,50]	1	(1,1)	(5,1)	(3,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [50,50]	1	(1,1)	(5,1)	(3,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [60,50]	1	(1,1)	(2,3)	(3,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [70,50]	1	(1,1)	(2,3)	(3,2)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [80,50]	1	(1,1)	(2,2)	(3,1)	(4,2)	(5,3)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [90,50]	1	(1,1)	(2,3)	(3,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)
$dc$ = [100,50]	1	(1,1)	(2,3)	(3,1)	(4,1)	(5,1)
	2	(1,2)	(2,2)	(3,2)	(4,2)	(5,2)
	3	(1,3)	(2,3)	(3,3)	(4,3)	(5,3)

. The data indicate a positive correlation between the cost of deception and the planner’s tendency to report their types truthfully. As the deception cost increases, the probability of the planner reporting their types truthfully also rises. Furthermore, the analysis indicates that the relative magnitude of deception costs associated with payment and attacker types significantly influences the planner’s signaling strategy. When the deception cost is lower for the payment type than for the attacker type, the planner is more inclined to deceive the defender regarding the payment type. Conversely, the planner is more likely to mislead the defender about the attacker type.

6. Conclusions

This paper models the interaction between an attack planner and a defender, in which the attack planner hires some attackers and arranges them to attack the target. To ensure the attackers’ compliance with the arrangement, we safeguard their interests by incorporating a multi-objective problem into our model. In addition, considering that defenders may not fully grasp various details about the attack planner, which could be exploited using the attack planner to induce misjudgment and ineffective defense strategies, we develop a D-APD signaling game model to make up for the deficiencies in prior research on this type of attack. To address the model, we formulate it as a tri-level programming framework according to the game process, and propose a customized DA-GA for its computation. Then, we validate the algorithm’s effectiveness through experimental validation. Moreover, by assessing the benefits of an honest planner, we determine that the planner is more likely to opt for deception to secure greater benefits. Hence, there is an imperative to investigate effective defenses against these attacks. Finally, through controlled variable experiments, we establish that the defense budget can significantly curtail the attack planner’s incomes, which further verify the significance of budgetary considerations in defense strategy.

We proceed under the assumption that attackers will adhere to the directives of the planner. However, in reality, hired attackers may defy the planner’s attack arrangements due to inadequate compensation or financial incentives from the defenders, among other factors, introducing a layer of complexity. Consequently, our future research will delve into this issue. Furthermore, despite our detailed examination of a specific attack behavior, the critical aspect lies in our response to it. Thus, the implementation of effective defenses by defenders in response to such complex attacks remains a central focus of our future research, and is the paramount objective of our study on attack behaviors.