Given the increase in cybercrime, cybersecurity analysts (i.e. defenders) are in high demand. Defenders must monitor an organization's network to evaluate threats and potential breaches of the network. Adversary simulation is commonly used to test defenders' performance against known threats to organizations. However, it is unclear how effective this training process is in preparing defenders for this highly demanding job. In this paper, we demonstrate how to use adversarial algorithms to investigate defenders' learning of defense strategies, using interactive cyber defense games. Our Interactive Defense Game (IDG) represents a cyber defense scenario that requires constant monitoring of incoming network alerts and allows a defender to analyze, remove, and restore services based on the events observed in the network. The participants in our study faced one of two types of simulated adversaries: a Beeline adversary is a fast, targeted, and informed attacker, and a Meander adversary is a slow attacker that wanders the network until it finds the right target to exploit. Our results suggest that although human defenders initially had more difficulty stopping the Beeline adversary, they were able to learn to stop this adversary by taking advantage of its attack strategy. Participants who played against the Beeline adversary learned to anticipate the adversary and take more proactive actions, while decreasing their reactive actions. These findings have implications for understanding how to help cybersecurity analysts speed up their training.
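To make the two adversary models and the proactive/reactive distinction concrete, the following is an added toy simulation written for this page; it is not the paper's IDG, and the five-host topology, the one-turn alert delay standing in for "analyze", and the two defender policies are all constructed assumptions. A Beeline attacker always takes the shortest remaining route to the target, a Meander attacker random-walks over whatever hosts are still online, and the defender either removes the host named in the latest analyzed alert (reactive) or removes the host it predicts the attacker will enter next (proactive, i.e. anticipating a Beeline route). Every removed host is a service that must later be restored, which is reported as the cost of each strategy.

```python
"""Toy interactive defense game: Beeline vs Meander attackers against a
reactive and a proactive defender. Constructed illustration, not the paper's IDG."""
import random
from collections import deque

# Constructed toy topology (hypothetical; not the study's network).
NETWORK = {
    "web":   ["app", "mail"],
    "mail":  ["web", "files"],
    "app":   ["web", "files", "db"],
    "files": ["mail", "app", "db"],
    "db":    ["app", "files"],
}
ENTRY, TARGET = "web", "db"   # attacker foothold and the asset it is after


def live_graph(graph, removed):
    """Topology with removed (taken-offline) hosts and their links deleted."""
    return {h: [n for n in ns if n not in removed]
            for h, ns in graph.items() if h not in removed}


def shortest_path(graph, src, dst):
    """BFS shortest path; used by the Beeline attacker and the proactive defender."""
    prev, queue = {src: None}, deque([src])
    while queue and (node := queue.popleft()) != dst:
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


class Beeline:
    """Informed attacker: always takes the shortest remaining route to the target."""
    def next_hop(self, pos, removed, rng):
        path = shortest_path(live_graph(NETWORK, removed), pos, TARGET)
        return path[1] if path and len(path) > 1 else None


class Meander:
    """Uninformed attacker: random walk over neighbours that are still online."""
    def next_hop(self, pos, removed, rng):
        options = live_graph(NETWORK, removed).get(pos, [])
        return rng.choice(options) if options else None


def reactive_policy(alerts, removed):
    """Remove the most recently alerted host that is still online (chase the trail)."""
    for host in reversed(alerts):
        if host not in removed:
            return host, "reactive"
    return None, None


def proactive_policy(alerts, removed):
    """Anticipate the attacker: remove the next hop on the shortest path from the
    last alert to the target; fall back to reactive removal if no path remains."""
    if alerts:
        path = shortest_path(live_graph(NETWORK, removed), alerts[-1], TARGET)
        if path and len(path) > 1:
            return path[1], "proactive"
    return reactive_policy(alerts, removed)


def simulate(adversary, policy, seed=0, max_turns=20):
    """One game. Alerts reach the defender one turn late (the 'analyze' delay).
    Removing the host the attacker is on evicts it; an attacker with no online
    neighbour is also stopped. Every removal is a service to restore later."""
    rng = random.Random(seed)
    pos, removed, alerts = ENTRY, set(), [ENTRY]
    stats = {"turns": 0, "proactive": 0, "reactive": 0,
             "target_reached": False, "services_to_restore": 0}
    for turn in range(1, max_turns + 1):
        stats["turns"] = turn
        host, kind = policy(alerts[:-1], removed)   # newest alert not analysed yet
        if host is not None:
            removed.add(host)
            stats[kind] += 1
            stats["services_to_restore"] = len(removed)
            if host == pos:                          # attacker evicted
                break
        nxt = adversary.next_hop(pos, removed, rng)
        if nxt is None:                              # attacker boxed in
            break
        pos = nxt
        alerts.append(pos)
        if pos == TARGET:
            stats["target_reached"] = True
            break
    return stats


def run_batch(adversary, policy, seeds=range(200)):
    """Average outcomes over many seeded games (Meander is stochastic)."""
    games = [simulate(adversary, policy, seed=s) for s in seeds]
    n = len(games)
    return {key: sum(g[key] for g in games) / n
            for key in ("target_reached", "turns", "proactive", "reactive",
                        "services_to_restore")}


if __name__ == "__main__":
    for adv in (Beeline(), Meander()):
        for pol in (reactive_policy, proactive_policy):
            print(f"{type(adv).__name__:8s} vs {pol.__name__:16s}", run_batch(adv, pol))
```

Against Beeline, the reactive defender always removes the host the attacker has already left, so the attacker reaches the target in two moves; the proactive defender, which assumes a direct route, removes the predicted next hop and evicts the attacker on turn two. Against Meander the prediction is often wrong, so the proactive advantage shrinks and the batch statistics (games won, turns, and services taken offline) show the trade-off the abstract describes between anticipating an attacker and reacting to it.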