GHOST: Game-Theoretic Honeytoken Optimization for Strategic Threat Detection
Article Information
Abstract
As adversaries deploy advanced persistent threats (APTs), social engineering, and credential-stuffing attacks to circumvent classical reactive defenses, identity security faces a formidable challenge. This paper proposes GHOST (Game-theoretic Honeytoken Optimization for Strategic Threat Detection), a mathematically grounded and empirically evaluated framework that combines deceptive honeytokens with Stackelberg–Nash game-theoretic optimization, Bayesian attacker-type inference, and reinforcement learning (RL). The defender (Stackelberg leader) distributes honeytokens throughout a networked system of heterogeneous assets, while the attacker (follower) operates under imperfect knowledge of the deployed deceptive strategy. GHOST models the defender–attacker interaction as a Stackelberg game in which the defender commits to a mixed placement strategy before the attacker responds. A Bayesian updating mechanism iteratively refines the posterior belief over attacker archetypes, while Nash Equilibrium conditions are resolved to guarantee strategic stability. An RL-guided gradient-ascent engine dynamically repositions honeytokens in real time, yielding accelerated convergence and sustained optimal detection. Evaluated against a purpose-built simulation dataset of 10,000 network scenarios—the Honeytoken Strategic Security Dataset (HSSD)—GHOST achieves an 85.3% detection rate and a false positive rate of only 3.1%, outperforming the strongest baseline (rule-based placement) by 23.4%. Ablation experiments confirm the measurable contribution of each architectural component. GHOST is further shown to be 3.2× more cost-effective than random placement and integrates natively with zero-trust architectures (ZTA). A four-pillar governance model operationalizes ethical and regulatory compliance, addressing requirements under GDPR, HIPAA, CFAA, and the Budapest Convention.
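The leader-follower structure and the Bayesian type update described in the abstract can be seen in a toy model. The following is an added illustration, not the paper's formulation or code: the asset names, attacker archetypes, payoff values, penalty, logit (quantal-response) attacker model and grid search are all assumptions chosen for the example.

```python
import math

# Toy Bayesian Stackelberg honeytoken game. Every name and number is constructed.
ASSETS = ["hr_share", "db_creds", "ci_secrets"]
TYPES = {                      # value each archetype gains from an undetected hit
    "opportunist": [3.0, 2.0, 1.0],
    "targeted":    [1.0, 5.0, 4.0],
}
PENALTY = 4.0                  # assumed attacker loss when a honeytoken fires
RATIONALITY = 1.0              # assumed logit (quantal-response) sharpness

def attack_distribution(values, coverage):
    """Follower: noisy best response to the coverage the leader committed to."""
    utils = [(1 - c) * v - c * PENALTY for v, c in zip(values, coverage)]
    weights = [math.exp(RATIONALITY * u) for u in utils]
    total = sum(weights)
    return [w / total for w in weights]

def detection_rate(coverage, belief):
    """Probability that the attacked item is a honeytoken, averaged over types."""
    return sum(
        p * sum(q * c for q, c in zip(attack_distribution(TYPES[t], coverage), coverage))
        for t, p in belief.items()
    )

def leader_commitment(belief, steps=10):
    """Leader: search mixed placements (coverage sums to 1) for the best detection."""
    grid = [[a / steps, b / steps, (steps - a - b) / steps]
            for a in range(steps + 1) for b in range(steps + 1 - a)]
    return max(grid, key=lambda cov: detection_rate(cov, belief))

def posterior(belief, coverage, fired):
    """Bayes update after the honeytoken on asset index `fired` raises an alert.
    P(alert on i | type) = q_type(i) * coverage[i]; coverage[i] cancels on normalising."""
    joint = {t: p * attack_distribution(TYPES[t], coverage)[fired]
             for t, p in belief.items()}
    total = sum(joint.values())
    return {t: j / total for t, j in joint.items()}

if __name__ == "__main__":
    belief = {"opportunist": 0.5, "targeted": 0.5}
    cov = leader_commitment(belief)
    print("committed coverage:", dict(zip(ASSETS, cov)))
    print("detection rate:", round(detection_rate(cov, belief), 3))
    belief = posterior(belief, cov, cov.index(max(cov)))
    print("posterior after alert:", belief)
    print("re-committed coverage:", dict(zip(ASSETS, leader_commitment(belief))))
```

Placing every honeytoken on the single most valuable asset scores close to zero here, because a follower who can observe or infer the commitment simply goes elsewhere; that is the reason the leader commits to a mixed placement.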
Cite This Article
TY  - JOUR
AU  - Uma, Darapu
AU  - Yogi, Manas Kumar
PY  - 2026
DA  - 2026/06/30
TI  - GHOST: Game-Theoretic Honeytoken Optimization for Strategic Threat Detection
JO  - ICCK Transactions on Cybersecurity
T2  - ICCK Transactions on Cybersecurity
JF  - ICCK Transactions on Cybersecurity
VL  - 2
IS  - 1
SP  - 75
EP  - 92
DO  - 10.62762/TC.2026.152584
UR  - https://www.icck.org/article/abs/TC.2026.152584
KW  - honeytokens
KW  - game theory
KW  - nash equilibrium
KW  - stackelberg games
KW  - bayesian security
KW  - reinforcement learning
KW  - identity security
KW  - zero-trust architecture
KW  - deception technology
KW  - intrusion detection
SN  - 3069-3349
PB  - Institute of Central Computation and Knowledge
LA  - English
ER  -
@article{Uma2026GHOST,
author = {Darapu Uma and Manas Kumar Yogi},
title = {GHOST: Game-Theoretic Honeytoken Optimization for Strategic Threat Detection},
journal = {ICCK Transactions on Cybersecurity},
year = {2026},
volume = {2},
number = {1},
pages = {75-92},
doi = {10.62762/TC.2026.152584},
url = {https://www.icck.org/article/abs/TC.2026.152584},
keywords = {honeytokens, game theory, nash equilibrium, stackelberg games, bayesian security, reinforcement learning, identity security, zero-trust architecture, deception technology, intrusion detection},
issn = {3069-3349},
publisher = {Institute of Central Computation and Knowledge}
}
Publisher's Note
ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.