GT-Engage is a cybersecurity simulation framework designed to model and analyze the strategic interaction between a defender and an attacker in a dynamic network environment. The project integrates the mathematical rigor of Incomplete Information Game Theory (Hypergames) with the tactical applicability of the MITRE Engage framework.
The simulator transforms a static network into a hostile environment for an intruder by strategically deploying deception signals, thereby increasing adversary uncertainty and exhausting their cognitive and temporal resources.
The model is based on the principles detailed in the original research:
- Hypergame Modeling: Captures scenarios where the attacker and the defender operate with different subjective perceptions of the available strategies and outcomes.
-
Bayesian Inference: The attacker uses an inference engine to update their belief (
$b_t$ ) regarding whether an asset is real or a decoy, based on noisy technical signals. - Technical Signaling: Implements deep technical mimicry by manipulating physical variables such as latency, jitter, and service banner consistency to degrade adversary confidence.
The implementation is written in Python 3.9+ following an Object-Oriented Programming (OOP) paradigm.
main.py: The orchestration engine. It handles data loading from CSVs, manages the simulation loop (Monte Carlo sampling), and exports the detailed results.game.py: The core game engine (CPD-GAME v3). It governs turn-based logic, agent interactions, and the calculation of expected and realized utilities (payoffs).attacker.py: Defines theAttackeragent. It includes profiles (from Script Kiddies to APTs), epsilon-greedy decision-making logic, and risk aversion parameters.defender.py: Defines theDefenderagent. It implements action selection based on MITRE Engage tactics, managing action fatigue and lightweight learning about attacker behavior.environment.py: Models the physical state of the network and assets. It calculates asset values and the probability of an attacker falling into a trap.signals.py: Responsible for generating noisy signals (latency, jitter, VM fingerprints) and implementing the Bayesian belief update logic for the attacker.mitre_effects.py: Contains the full MITRE Engage action catalog and defines how each action numerically perturbs signals and the environment state.utils.py: Provides auxiliary mathematical functions such as value clipping, entropy calculation, and safe means for data analysis.
attacker_types.csv: Input file defining attacker profiles, including motivation, skill level, technical knowledge, and risk aversion.defender_types.csv: Input file for defender configurations, specifying strategic weights for engagement, information gathering, and protection.environment_initial_states.csv: Defines initial asset conditions and the baseline noise level of the network infrastructure.test_results.csv: Output file where simulation steps, actions taken, belief evolution, and obtained utilities are recorded for analysis.
- Python: 3.9 or higher.
- Libraries:
numpy(for stochastic operations) andpandas(recommended for data analysis).
- Clone the repository:
git clone https://github.com/CyberDataLab/GT-Engage.git cd GT-Engage - Install dependencies:
pip install numpy pandas
Run the simulator using the main script:
python main.py