Game-Theoretic Modeling of Stealthy Intrusion Defense against MDP-Based Attackers

📅 2026-03-10
🤖 AI Summary
This study addresses the challenge of detecting and responding optimally to stealthy, multi-stage intrusions by advanced persistent threats (APTs) on attack graphs under conditions of limited information and asynchronous actions. The authors model the attacker–defender interaction as an asynchronous sequential game on an attack graph and, for the first time, systematically formulate a stochastic game framework under three distinct attacker information assumptions: Stackelberg, blind strategy, and belief-driven. By characterizing attacker behavior through a Markov decision process and integrating game-theoretic analysis, the proposed approach solves the defender’s optimization problem across these informational regimes. The method yields optimal defense deployment strategies that consistently reduce the probability of compromise of critical assets, thereby providing a rigorous theoretical foundation for practical cyber defense operations.

📝 Abstract
The rapid expansion of Internet use has increased system exposure to cyber threats, with advanced persistent threats (APTs) being especially challenging due to their stealth, prolonged duration, and multi-stage attacks targeting high-value assets. In this study, we model APT evolution as a strategic interaction between an attacker and a defender on an attack graph. With limited information about the attacker's position and progress, the defender acts at random intervals by deploying intrusion detection sensors across the network. Once a compromise is detected, affected components are immediately secured through measures such as backdoor removal, patching, or system reconfiguration. Meanwhile, the attacker begins with reconnaissance and then proceeds through the network, exploiting vulnerabilities and installing backdoors to maintain persistent access and adaptive movement. Furthermore, the attacker may take several steps between consecutive defensive operations, resulting in an asymmetric temporal dynamic. The defender's goal is to reduce the likelihood that the attacker will gain access to a critical asset, whereas the attacker's purpose is to increase this likelihood. We investigate this interaction under three informational regimes, reflecting varying levels of attacker knowledge prior to action: (i) a Stackelberg scenario, in which the attacker has full knowledge of the defender's strategy and can optimize accordingly; (ii) a blind regime, where the attacker has no information and assumes uniform beliefs about defensive deployments; and (iii) a belief-based framework, where the attacker holds accurate probabilistic beliefs about the defender's actions. For each regime, we derive optimal defensive strategies by solving the corresponding optimization problems.
Problem

Research questions and friction points this paper is trying to address.

Advanced Persistent Threats
Stealthy Intrusion
Attack Graph
Asymmetric Temporal Dynamics
Cyber Defense
Innovation

Methods, ideas, or system contributions that make the work stand out.

game-theoretic modeling
advanced persistent threats (APTs)
attack graph
asymmetric temporal dynamics
optimal defense strategy