When to Deceive: A Cross-Layer Stackelberg Game Framework for Strategic Timing of Cyber Deception

Cyber deception is an emerging proactive defense strategy to counter increasingly sophisticated attacks such as Advanced Persistent Threats (APTs) by misleading and distracting attackers from critical assets. However, since deception techniques incur costs and may lose effectiveness over time, defenders must strategically time and select them to adapt to the dynamic system and the attacker's responses. In this study, we propose a Stackelberg game-based framework to design strategic timing for cyber deception: the lower tactical layer (follower) captures the evolving attacker-defender dynamics under a given deception through a one-sided information Markov game, while the upper strategic layer (leader) employs a stopping-time decision process to optimize the timing and selection of deception techniques. We also introduce a computational algorithm that integrates dynamic programming and belief-state updates to account for the attacker's adaptive behavior and limited deception resources. Numerical experiments validate the framework, showing that strategically timed deceptions can enhance the defender's expected utility and reduce the risk of asset compromise compared to baseline strategies.