GHOST: Game-Theoretic Honeytoken Optimization for Strategic Threat Detection
Research Article  ·  Published: 30 June 2026
ICCK Transactions on Cybersecurity
Volume 2, Issue 1, 2026: 75-92

1 Department of Computer Science and Engineering, Pragati Engineering College, Surampalem 533437, India
* Corresponding Author: Manas Kumar Yogi, [email protected]

Abstract

As adversaries deploy advanced persistent threats (APTs), social engineering, and credential-stuffing attacks to circumvent classical reactive defenses, identity security faces a formidable challenge. This paper proposes GHOST (Game-theoretic Honeytoken Optimization for Strategic Threat Detection), a mathematically grounded and empirically evaluated framework that combines deceptive honeytokens with Stackelberg–Nash game-theoretic optimization, Bayesian attacker-type inference, and reinforcement learning (RL). The defender (Stackelberg leader) distributes honeytokens throughout a networked system of heterogeneous assets, while the attacker (follower) operates under imperfect knowledge of the deployed deceptive strategy. GHOST models the defender–attacker interaction as a Stackelberg game in which the defender commits to a mixed placement strategy before the attacker responds. A Bayesian updating mechanism iteratively refines the posterior belief over attacker archetypes, while Nash Equilibrium conditions are resolved to guarantee strategic stability. An RL-guided gradient-ascent engine dynamically repositions honeytokens in real time, yielding accelerated convergence and sustained optimal detection. Evaluated against a purpose-built simulation dataset of 10,000 network scenarios—the Honeytoken Strategic Security Dataset (HSSD)—GHOST achieves an 85.3% detection rate and a false positive rate of only 3.1%, outperforming the strongest baseline (rule-based placement) by 23.4%. Ablation experiments confirm the measurable contribution of each architectural component. GHOST is further shown to be 3.2× more cost-effective than random placement and integrates natively with zero-trust architectures (ZTA). A four-pillar governance model operationalizes ethical and regulatory compliance, addressing requirements under GDPR, HIPAA, CFAA, and the Budapest Convention.
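
The leader-commits, follower-responds loop with Bayesian archetype inference that the abstract describes can be sketched as a toy model. This is an added example, not code or equations from the paper: the asset names, archetype valuations, logit response and grid search are all assumptions chosen for illustration.

```python
import math
from itertools import product

# Constructed toy model (assumed values, not from the paper).
ASSETS = ["hr-share", "db-creds", "ci-secrets"]
VALUE = {  # how much each attacker archetype values each asset
    "opportunist": [3.0, 1.0, 1.0],
    "targeted": [1.0, 4.0, 2.0],
}
RATIONALITY = 1.5  # sharpness of the follower's logit response (assumed)

def attack_dist(atype, coverage):
    """Follower's response to committed coverage c: softmax over (1 - c_i) * value_i."""
    w = [math.exp(RATIONALITY * (1 - c) * v) for c, v in zip(coverage, VALUE[atype])]
    return [x / sum(w) for x in w]

def detection_rate(belief, coverage):
    """P(the accessed object is a honeytoken), averaged over the belief on archetypes."""
    return sum(b * sum(p * c for p, c in zip(attack_dist(t, coverage), coverage))
               for t, b in belief.items())

def commit(belief, step=0.05):
    """Leader's move: grid-search mixed placements of one token (sum of c_i = 1)."""
    n = round(1 / step)
    grid = ([a * step, b * step, (n - a - b) * step]
            for a, b in product(range(n + 1), repeat=2) if a + b <= n)
    return max(grid, key=lambda cov: detection_rate(belief, cov))

def update(belief, coverage, touched):
    """Bayes' rule: posterior(type) is proportional to prior(type) * P(touched | type)."""
    i = ASSETS.index(touched)
    post = {t: b * attack_dist(t, coverage)[i] for t, b in belief.items()}
    z = sum(post.values())
    return {t: p / z for t, p in post.items()}

def run():
    belief = {"opportunist": 0.5, "targeted": 0.5}
    cov = commit(belief)                       # placement under the prior
    belief = update(belief, cov, "db-creds")   # constructed observation
    return cov, belief, commit(belief)         # re-placement under the posterior

if __name__ == "__main__":
    cov, belief, new_cov = run()
    print("initial placement:", [round(c, 2) for c in cov])
    print("posterior:", {t: round(p, 3) for t, p in belief.items()})
    print("updated placement:", [round(c, 2) for c in new_cov])
```

Each observed access shifts the belief toward the archetype most likely to have produced it, and the defender then re-solves the placement against the updated belief.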

Keywords

honeytokens, game theory, nash equilibrium, stackelberg games, bayesian security, reinforcement learning, identity security, zero-trust architecture, deception technology, intrusion detection

Data Availability Statement

Data will be made available on request.

Funding

This work was supported without any funding.

Conflicts of Interest

The authors declare no conflicts of interest.

AI Use Statement

The authors declare that no generative AI was used in the preparation of this manuscript.

Ethical Approval and Consent to Participate

Not applicable.

Cite This Article

APA Style
Uma, D., & Yogi, M. K. (2026). GHOST: Game-Theoretic Honeytoken Optimization for Strategic Threat Detection. ICCK Transactions on Cybersecurity, 2(1), 75-92. https://doi.org/10.62762/TC.2026.152584
BibTeX Format
@article{Uma2026GHOST,
  author = {Darapu Uma and Manas Kumar Yogi},
  title = {GHOST: Game-Theoretic Honeytoken Optimization for Strategic Threat Detection},
  journal = {ICCK Transactions on Cybersecurity},
  year = {2026},
  volume = {2},
  number = {1},
  pages = {75-92},
  doi = {10.62762/TC.2026.152584},
  url = {https://www.icck.org/article/abs/TC.2026.152584},
  keywords = {honeytokens, game theory, nash equilibrium, stackelberg games, bayesian security, reinforcement learning, identity security, zero-trust architecture, deception technology, intrusion detection},
  issn = {3069-3349},
  publisher = {Institute of Central Computation and Knowledge}
}

Publisher's Note

ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and Permissions

Institute of Central Computation and Knowledge (ICCK) or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
ICCK Transactions on Cybersecurity
ISSN: 3069-3349 (Online)
Preserved at Portico