We envision a semi-autonomous defense architecture which leverages a game theoretic model to counter cyber attacks. We suggest the system administrator to take a "carrot and stick" approach to guard against the adversary. Carrot and stick approach refers to a policy of offering a combination of rewards and punishment to induce the adversary behavior. The brain of GIDA is a game model which decides the best countermeasure after a thorough analysis of the cost and reward. The game model is not specific to any particular attack and countermeasure. As an example, we can envision wrapping a self-testing software module over individual components of the system with a tradeoff among the cost, security, and performance.
We envision GIDA as being a distributed architecture and consisting of three key components: A set of game agents along with the central game coordinator, an administrative console, and a dynamic honeynet. These three components interact in a semi-autonomous fashion in order to provide a means to identify, evaluate, and act upon network flows as illustrated in figure below. The honeynet in particular, provides a means to redirect malicious flows into dynamically instantiated honeypots for observation of malicious activity and the forensic data pertaining to it. Finally, the administrative console will provide a user interface that will allow the correlation of the network state data, provide a control channel for messaging, perform forensic analysis of honeypot data, and configure the various components
Figure: GIDA - A Distributed Architecture