🤖 AI Summary
Automated security response can be framed as an optimal control problem, but response systems with theoretical optimality guarantees have so far been validated only analytically or in simulation, leaving a gap between theoretical optimality and operational performance. Method: The thesis develops a practical methodology for optimal security response in IT infrastructures built from two systems: (i) an emulation system that replicates key components of the target infrastructure and yields the measurements and logs from which a game-theoretic model is identified; (ii) a simulation system in which game-theoretic response strategies are optimized through stochastic approximation toward a given objective, such as mitigating attacks while keeping operational services running. Optimized strategies are then evaluated and refined in the emulation system, closing the loop between the model and the target infrastructure. Contribution/Results: Structural properties of optimal response strategies are proven and used to derive efficient algorithms for computing them, and the combined emulation-simulation methodology demonstrates optimal security response against network intrusions on an IT infrastructure, a problem the thesis describes as previously unsolved.
📝 Abstract
Cybersecurity is one of the most pressing technological challenges of our time and requires measures from all sectors of society. A key measure is automated security response, which enables automated mitigation and recovery from cyber attacks. Significant strides toward such automation have been made due to the development of rule-based response systems. However, these systems have a critical drawback: they depend on domain experts to configure the rules, a process that is both error-prone and inefficient. Framing security response as an optimal control problem shows promise in addressing this limitation but introduces new challenges. Chief among them is bridging the gap between theoretical optimality and operational performance. Current response systems with theoretical optimality guarantees have only been validated analytically or in simulation, leaving their practical utility unproven. This thesis tackles the aforementioned challenges by developing a practical methodology for optimal security response in IT infrastructures. It encompasses two systems. First, it includes an emulation system that replicates key components of the target infrastructure. We use this system to gather measurements and logs, based on which we identify a game-theoretic model. Second, it includes a simulation system where game-theoretic response strategies are optimized through stochastic approximation to meet a given objective, such as mitigating potential attacks while maintaining operational services. These strategies are then evaluated and refined in the emulation system to close the gap between theoretical and operational performance. We prove structural properties of optimal response strategies and derive efficient algorithms for computing them. This enables us to solve a previously unsolved problem: demonstrating optimal security response against network intrusions on an IT infrastructure.
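The abstract's simulation step optimizes a response strategy by stochastic approximation against an objective that trades attack mitigation against service continuity. The following is an added toy illustration of that step only; it is not the thesis's model, code, or emulation system. Everything in it is constructed: the environment (one intrusion per episode starting at a random step, exponentially distributed alert scores with a larger mean while intruded, a defender that keeps a smoothed score and responds when it crosses a threshold, a fixed cost per response action and one unit of damage per unmitigated intruded step), the one-parameter threshold policy, and the optimizer (Kiefer-Wolfowitz finite-difference stochastic approximation with common random numbers, gain exponents taken from Spall's usual SPSA recommendation, plus a per-iteration move clip and projection as practical safeguards). A brute-force grid search is included only as a reference, which is feasible here because the policy has a single parameter.

```python
"""Added illustration (not the thesis's model or code): optimise a one-parameter
response strategy with stochastic approximation on a constructed toy model.

Constructed environment: one intrusion per episode begins at a random early step;
each step yields a noisy alert score (exponentially distributed, larger mean while
intruded); the defender keeps an exponentially smoothed score and responds when it
reaches a threshold. Responding costs RESPONSE_COST (service disruption) and, if an
intrusion is under way, evicts the attacker; every unmitigated intruded step costs
one unit of damage. All constants below are assumptions made for this example.
"""
import random

HORIZON = 40          # steps per episode
RESPONSE_COST = 5.0   # cost of one response action (downtime, lost service)
BENIGN_MEAN = 0.2     # mean alert score per step without an intrusion
ATTACK_MEAN = 1.0     # mean alert score per step while intruded
DECAY = 0.6           # smoothing factor of the defender's alert score


def run_episode(threshold, rng):
    """One episode under the policy 'respond when score >= threshold'.
    Returns total cost = response costs + one unit of damage per intruded step.
    Exactly one random draw per step (plus one at the start), so two runs with the
    same seed but different thresholds consume the same random stream (CRN)."""
    start = rng.randint(1, 20)   # intrusion begins at a random early step
    intruded, score, cost = False, 0.0, 0.0
    for t in range(1, HORIZON + 1):
        if t == start:
            intruded = True
        mean = ATTACK_MEAN if intruded else BENIGN_MEAN
        score = DECAY * score + rng.expovariate(1.0 / mean)
        if score >= threshold:
            cost += RESPONSE_COST
            intruded = False          # a response evicts the attacker (if present)
            score = 0.0
        if intruded:
            cost += 1.0               # damage accrues while unmitigated
    return cost


def estimate_cost(threshold, episodes=200, seed=0):
    """Monte Carlo estimate of the expected episode cost; a fixed seed makes it
    reproducible and lets two thresholds be compared on identical randomness."""
    rng = random.Random(seed)
    return sum(run_episode(threshold, rng) for _ in range(episodes)) / episodes


def optimize_threshold(theta0=4.0, iters=40, episodes=100, seed=1, lo=0.1, hi=8.0):
    """Kiefer-Wolfowitz stochastic approximation on the threshold.
    Each iteration estimates the cost gradient by a symmetric finite difference
    (both sides on the same seed: common random numbers), then takes a descent
    step with a decreasing gain, clipped per iteration and projected onto [lo, hi].
    Returns the final threshold and the trajectory of iterates."""
    theta, trajectory = theta0, [theta0]
    for k in range(1, iters + 1):
        a_k = 0.3 / k ** 0.602     # gain sequence (exponents: Spall's SPSA recommendation)
        c_k = 0.2 / k ** 0.101     # perturbation sequence, shrinking more slowly
        s = seed + k
        grad = (estimate_cost(theta + c_k, episodes, s)
                - estimate_cost(theta - c_k, episodes, s)) / (2 * c_k)
        move = max(-0.5, min(0.5, -a_k * grad))   # clip: steep regions would overshoot
        theta = max(lo, min(hi, theta + move))     # project onto the admissible interval
        trajectory.append(theta)
    return theta, trajectory


def grid_search(thresholds, episodes=400, seed=7):
    """Brute-force reference, feasible only because the policy has one parameter."""
    return min(thresholds, key=lambda th: estimate_cost(th, episodes, seed))


if __name__ == "__main__":
    theta_sa, traj = optimize_threshold()
    theta_grid = grid_search([0.5 + 0.25 * i for i in range(23)])   # 0.5 .. 6.0
    for name, th in [("hand-picked threshold", 4.0), ("stochastic approximation", theta_sa),
                     ("grid search", theta_grid), ("never respond", float("inf"))]:
        print(f"{name:25s} theta={th:6.2f}  estimated cost={estimate_cost(th, 1000, 99):6.2f}")
    print("SA iterates:", " ".join(f"{x:.2f}" for x in traj))
```

Running the script prints the estimated cost of the hand-picked starting threshold, the threshold found by stochastic approximation, the grid-search reference, and the never-respond baseline: a very low threshold pays the response cost almost every step, a very high one absorbs the full intrusion damage, and the optimizer settles between them. The common-random-numbers trick matters in practice: evaluating both sides of the finite difference on the same seed removes most of the Monte Carlo noise from the gradient estimate, which is what keeps the iterates from wandering once the gain has decayed.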