A Game Theoretical Model for Anticipating Email Spear-Phishing Strategies

A solution to help victims against phishing is anticipating and leveraging impacts related to phisher actions. In this regard, this work reshapes game theoretical logic between Intrusion Detection System (IDS) agents and insiders to email spear-phishing interactions. The email spear-phishing attack is designed as a non-cooperative and repeated game between opponents. Additionally, this work relies on Quantal Response Equilibrium (QRE) to build a game theoretical approach to predict the phisher's future intent based on past actions of both players. This approach is coupled with a recommendation strategy for the appropriate allocation of resources to invest in strengthening user protection. Simulations on spear-phishing scenarios demonstrate the ability of the final system to intuitively guess the most likely phisher decisions. This work provides intelligence to spear-phishing detectors and humans such that they can anticipate the next phisher actions.
Received on 11 May 2020; accepted on 09 September 2020; published on 18 September 2020


Introduction
Phishing is a fraudulent practice that uses a communication medium (such as email, social networks or websites) to lure users into providing sensitive information (such as usernames, passwords or credit card numbers) for malicious purposes [1,2]. The number of victims of this cybercrime is perpetually increasing, as reported by the Anti-Phishing Working Group (APWG) [3,4]. The phisher is the malicious object (human, robot, etc.) initiating social engineering activities towards the potential victim, whereas the victim is the phisher's target or an intermediary to the phisher's target [5]. There are several forms of phishing [6][7][8]: email phishing, in which the attacker sends a fake email to trick users into sending sensitive information [9,10]; Uniform Resource Locator (URL) phishing, which aims at building fake copies of legitimate websites. Vishing in which malicious people initiate voice calls, put the target victim in either on the browser [20][21][22][23] or in the operating system (OS) [24,25]. The third category relies on artificial intelligence to profile spear-phishing activities [26][27][28][29][30][31]. The fourth category contributes to list-based filtering of URLs based on a predefined database of annotated URLs (phished and benign) and rules [32,33]. The last category provides visual-similarity-based approaches to identify variants of a website [33,34]. These various approaches all help mitigate spear-phishing to some degree. They are, however, inefficient at delimiting different interactive activities inside the attack for final diagnoses.
According to Shiva [35], game theory is able to model interactions involving different actors looking for rewards resulting from optimal actions. Exploiting game theory is relevant to circumscribe strategic interactions between a defender (i.e. the potential victim) and an attacker during different stages of communication. In the end, game theory provides defender strategies to improve in order to deceive attackers. Indeed, the potential victim is targeted by attacks that try to lure him in different stages. The attack can succeed once the user receives the first mail (in the case of a fragile victim), or the attacker varies techniques and sends multiple messages to trick the user into falling (in case the user suspects the messages). Adapting defense tactics and varying attack techniques during exchanges between both players are modeled with game theory and can be combined to reinforce existing antiphishing tools. If we take the user u who is targeted by the attacker A, a motivating scenario can be the one illustrated in the TR-FR attack, available in the paper [36]. During this scenario, the attacker changes its strategies over time while the victim behaves differently based on his level of knowledge. Game theory is therefore penetrating into the cybersecurity sphere and is exploited to fight against phishing [37][38][39][40]. However, these proposals fail to consider repetitive interactions between players, iteration after iteration. As a result, they are not able to efficiently predict the phisher's future intent. Some research based on game theory includes this flaw. Nonetheless, it models interactions between attackers and an Intrusion Detection System (IDS). Based on these observations, this work deals with the following research questions:
• How to adapt IDS game theory models to email spear-phishing scenarios?
• What game-theory models are suitable to model repetitive spear-phishing interactions to anticipate phisher intentions?
• What appropriate defensive measures should be invested based on previous attack activities?
Quantal Response Equilibrium (QRE) is adopted in this work due to the fact that individuals have beliefs supported in equilibrium by the strategies that players choose, considering that players make systematic mistakes or deviations in their choices [41]. As a consequence, payoffs of players are influenced by social preference. This paper designs spear-phishing as a non-cooperative and repeated game between opponents. It proposes a QRE game theoretical model which learns defensive measures to anticipate an upcoming phishing strategy based on historical exchanges between opponents. To the best of our knowledge, this paper is the first work to focus on exploring QRE-based strategies for email spear-phishing. In summary, this paper presents three main contributions:
• Designing an extensive form of a one-stage email phishing game;
• Modelling a non-cooperative and repeated game between the attacker and the defender;
• Modelling and simulating the repeated game to predict the future behavior of the phisher.
The rest of this paper is organized as follows. Section 2 characterizes and conceptualizes the game. Section 3 is dedicated to formulating a one-shot phishing game before extending it to a repeated game. Further, a method of calculating QRE-based strategies is dissected. Section 4 concerns modelling and implementing a prediction mechanism for phishing tricks based on QRE. Section 5 includes experiments on real spear-phishing scenarios coupled to preventive recommendations and discusses results. Related works are surveyed in Section 6 to reveal contributions of this work. Conclusion and perspectives are provided at the end of the document.

Game description
Players. Interactions during a phishing email attack are modelled as a game between two actors: the phisher A with bad intentions and the defender D who is an employee targeted by phisher strategies.
Scope and assumptions. This work falls within the context of protecting company infrastructures. In this environment, email spear-phishing is the main exploit since it relies on the psychological state of employees. Additionally, email is the vector from which URL phishing, vishing and ransomware infiltration can be triggered. Organizations evolve in size over time. Even if they put training programs in place, newly recruited employees can still be unaware of phishing for a period and ignorant of detection measures. We assume that a new employee has no defensive measures. Email accounts are safe and are not supported with encryption protocols such as Pretty Good Privacy (PGP). Nowadays, a phisher initiates exchanges with a target and adapts them during interactions until success. We consider this scenario, where an employee receives emails from a single phisher who adapts the contents over time. The players are both rational, meaning that they seek to maximize their gain and thus minimize their losses. The network protections in the organization have no effective and updated antiphishing tools.
EAI Endorsed Transactions Scalable Information Systems 01 2021 - 04 2021 | Volume 8 | Issue 30 | e5

Characteristics.
Incomplete information game. Phishing is modelled in this work as a game with incomplete information because the defender is supposed to be ignorant of phishing techniques. The defender does not a priori recognize a fake email and is not aware of the attack strategy and rewards (or payoffs or utilities) expected by the attacker. In other words, the defender is not aware of the attacker's strategies as well as both possible rewards.
Imperfect information game. Our study focuses on a game with imperfect information because the defender is not (a priori) aware of historical actions taken by the attacker before acting during the current iteration.
Non-cooperative game. The email phishing game is a non-cooperative game because:
• Both players do not communicate with each other before making a decision;
• Opponents maintain conflictual interactions and seek contrary goals;
• Both players have strictly opposite preferences: the phisher prefers a successful attack whereas the defender wants a failed attack.
Sequential game. The phisher starts the game with the following three actions.
• Inquiring about the victim;
• Choosing the attack strategy;
• Building a fake email to send to the user.
The user has the opportunity to take an action in the game only after receiving the email sent by the phisher.
Non-zero sum game. Indeed, for each outcome of the game, the sum of rewards of the players is always different from zero.

Attack scenarios
The attacker can either attack based on building fake e-mails or based on infiltrating malicious scripts.
Phishing based on mimicking. This category is based on techniques of social engineering, which mimic email from legitimate entities. Three strategies are used to succeed in such an attack.
Embed an answer email address. Here, the malicious email contains only text and an email address to which the user could respond to provide the desired personal information to the attacker. The email content is carefully adapted to convince the recipient through emergency words or expressions. The aim is to incentivize D to respond. For example, the email content could state that D's online account will be disabled in case the email is ignored. In addition, the hacker can also spoof the email address of a credible sender to request sensitive information. This strategy is denoted as $S_1$.
Embed a phone number. At this level, A encourages D to continue the conversation via phone calls using a phone number delicately introduced into the email. This process leads to vishing attacks. This strategy is denoted as $S_2$.
Embed a fake link. This strategy, also called URL phishing, inserts a fake link in the email. The latter redirects D to a counterfeit site specially designed to maliciously gather sensitive data. Information from D is automatically redirected to A. This strategy is represented by $S_3$.
Phishing based on infiltration. The second attack technique consists of infiltrating malicious code into an email attachment. Once activated (attachment downloading), the code runs and two scenarios can occur.
• The code encrypts the host machine's files and demands a ransom: this is called ransomware;
• The code masquerades on the host computer to:
  - Spy and collect sensitive information at an appropriate moment and transfer it to the phisher;
  - Turn the host computer into a bot.
This strategy is represented by $S_4$.

Scenarios for possible user responses
There are four response scenarios delivered by D depending on the attack strategy.
• Suspect a hoax and ignore the email ($D_{12}$);
• Rely on anti-phishing training but fall victim ($D_{13}$);
• Avoid the trap thanks to an anti-phishing training adapted to the type of attack $S_1$ ($D_{14}$).

Scenario 2.
The phisher sends a forged email related to $S_2$. The user can have the following reactions.
• Be lured to send sensitive information by phone to the number contained in the email ($D_{21}$);
• Suspect a hoax and ignore the email ($D_{22}$);
• Rely on anti-phishing training but fall victim ($D_{23}$);
• Avoid the trap thanks to an anti-phishing training adapted to the type of attack $S_2$ ($D_{24}$).

Scenario 3.
In this scenario, the phisher chooses to send a fraudulent email based on strategy $S_3$. The defender can accordingly:
• Be lured to click on a fake link, to be redirected to a counterfeit website ($D_{31}$);
• Suspect a hoax and ignore the email ($D_{32}$);
• Fall victim despite being assisted by an antiphishing tool ($D_{33}$);
• Avoid the trap thanks to the anti-phishing toolbar ($D_{34}$).
According to Figure 1, the game has 16 possible outcomes listed in Table 1.

Formulation and construction of the model
This section is dedicated to the formulation of the phishing game and its construction. • denotes the preference's relation having three variants:

Model formulation
• $\prec_1$: the preference relation over the different outcomes of the game from the phisher's point of view;
• $\prec_2$: the preference relation over the different outcomes of the game from the user's point of view;
• $\sim_i$: the indifference of the player $i$.
Moreover, $\forall (x, y) \in A$ and $i \in \{1, 2\}$:
• $x \prec_i y \Rightarrow$ the player $i$ prefers the outcome $y$ to the outcome $x$;
• $x \sim_i y \Rightarrow$ the player $i$ prefers the outcome $x$ as much as the outcome $y$.
Players' preferences and utility functions. To quantify the different outcomes of the game, the players' preferences are first specified on these outcomes. Then, the Von Neumann-Morgenstern utility function [42] is applied to assign numbers that reflect these preferences.
Phisher's preferences. Ranking outcomes according to the phisher's preferences involves the ability to identify the outcomes of the game which lead to a best situation for the phisher or not. The ranking continues with outcomes that lead to a successful attack despite the presence of defensive measures ($U_e$, Av or Bt). It is less preferable to the ranking in (1) (from the phisher's point of view) because attacking an unprotected system increases its chances of success (and decreases the probability of being unmasked). This scenario confers on the phisher the opportunity to target the same victim or other potential victims in the same victim's network.
Despite existing anti-phishing tools, the last decision belongs to the user. A well-performed education of the defender could be seen as the most feared mechanism by the phisher. In addition, the hacker dreads Av (Antivirus) more than Bt (Blacklist tool). The defender would prefer Bt to Av because it is harder to bypass Av than Bt. Antiviruses are increasingly coupled with artificial intelligence to be able to anticipate and quickly update signatures. Blacklists are less reliable for filtering because attackers can build other variants of websites with existing technologies. Equation (3) summarises previous preferences.
Subsequently, outcomes representing failures of the phisher without any defense system are derived. From the attacker's point of view, it is preferable to fail after dedicating less effort ($S_3$, a) to the attack than to fail after dedicating much effort ($S_4$, a).
Equation (5) The overall phisher preference ranking is given in (6):
Defender's preferences. There are four main possible outcomes from the user's point of view:
• D falls victim without being assisted (by $U_e$, Bt or Av);
• D falls victim despite some countermeasures ($U_e$, Bt, Av);
• D avoids scamming with the help of defensive measures;
• D avoids scamming without being assisted (by $U_e$, Bt or Av).
In view of these four outcomes, the user's preference ranking is established as follows:
• The user prefers avoiding the attack as much as possible without any expense in the acquisition of $U_e$, Bt or Av;
• The user prefers losing without any expense in the acquisition of a countermeasure to losing after having made such an expense.
In addition, it is assumed that, in terms of defensive measures, the user establishes the order of preference in (8):
• Security turns around the user no matter which tool is used. Therefore education is of huge significance;
• Despite the strategy ($S_4$), Av also protects the defender's computer against other computer threats (malware or denial of service).
Equations (7) and (8) establish the ranking in (9), from the user's point of view:
Construction of utility functions of players. Constructing the utility functions consists of computing $U_i(outcome)$, $\forall\, outcome \in A$ and $i \in \{1, 2\}$. To achieve this, Binmore's method [42] is exploited and implemented using a Matlab script (footnote 4). Binmore's method builds the Von Neumann-Morgenstern utility functions by assigning a number that reflects the preferences established in (6) and (9) so that: $\forall\, Oc1, Oc2 \in A$ and $i \in \{1, 2\}$, The values of this function are called payoffs [43].

Model construction
Firstly, the model is built using the open source software Gambit to solve the game under Nash Equilibrium (NE). NE is a solution concept (footnote 5) which describes a steady state condition of the game [44]. Given that players agreed on the NE's set of strategies, a player who deviates from this agreement would reduce related payoffs. This solution concept specifies only the steady state and not how that steady state is reached in the game. Secondly, Matlab scripts are implemented to build the repeated game and predict the future behavior of the phisher.
Footnote 4: It is available at https://github.com/virgilo/PhishingGame/blob/master/Binmore.m.
Footnote 5: A solution concept is a systematic description of how the game will be played by employing the best possible strategies and what the outcomes might be.
Table 2. Utility function for phisher
Table 3. Utility function for defender
Gambit. Gambit [45] is a software library of game theory that provides tools necessary for the construction and analysis of games in normal or extensive forms. Gambit is adopted because it is only dedicated to non-cooperative games. It therefore fits the game characteristics (see Section 2.1). Figure 2 shows the model in an extensive form generated using Gambit version 16.0.1. The defender has four possible reactions ($D_{ij}$) for each strategy ($S_i$) developed by the phisher. Each is associated with a utility obtained from [42]. $D_{21}$ is associated with a utility of 4 for the defender and a utility of 16 for the attacker.

Players' successful attack probabilities and players' losses.
Three elements are formulated based on the model. They include:
• The calculation of the probability for an attack to succeed, $Proba_{attackSucceed}$, established in (20);
• The calculation of the probability that the defensive measure succeeds, $Proba_{defenseSucceed}$, established in (23);
• Losses related to each player, respectively established in (24) and (25).
Probability of a successful attack. The probability $Proba_{attackSucceed}$ is formulated as follows: where
• $P(S_i)$ is the probability that strategy $S_i$ is chosen by the attacker;
• $Eff_{Ue}$ refers to the effectiveness of the antiphishing training;
• $P(Bt)$ is the probability that the anti-phishing tool detects a fake link;
• $P(Av)$ is the probability that the antivirus detects the malicious attachment.
For the attack to succeed, the attacker either uses the trick $S_1$, $S_2$, $S_3$ or $S_4$. If the trick $S_1$ is used, the attack is successful in two cases:
• The user is lured to send sensitive information by email ($S_1$, eM);
• The user falls into the phisher's traps ($S_1$, $U_e$, eM) despite the antiphishing training $U_e$.
It is also noted that equation (20) is formulated in such a way that the satisfaction of the phisher is zero, i.e. the defensive measure is effective at 100%:
Probability that the defensive measure succeeds. Since the event "the success of the defensive measure" is the opposite event of "the success of the attack", Equation 23 is obtained as follows.
Attacker and defender losses. Phisher and user losses can be estimated through Equations (24) and (25) evaluation of costs (financial, intellectual and time) of the development of each attack as well as costs (financial, intellectual and time) related to the acquisition of the defense measure. The proposed formulas (24) and (25) assume that cost variables $C_{S_i}$ are known: is the probability that the blacklisting tool is faulty; is the probability that the antivirus is faulty.

Prediction of the phisher's future behavior.
Repetition of the stage game. We have so far modelled situations where the interaction between the attacker and the user takes place only once (one-shot game, also called stage game). Actually, interactions described in the stage game (shown in Figure 2) are not performed just once. The game G is played more than once. These interactions should therefore be modelled as a repeated game. According to Shen et al. [46], a repeated game is a particular style of an extensive game in which each stage is a repetition of the same strategic game. The number of instances in a repeated game may be finite or infinite. If the game never ends (i.e. players interact forever) or players do not know when the game ends, it is called an infinitely repeated game. This paper considers this type of game. Indeed, during an email phishing attack, the user and the attacker interact without knowing the end.
Players' utility function in the repeated game. This phase consists of determining rewards of both players during the game. This paper considers this type of game, i.e. taking into account the dynamicity of the game. Both players strive to maximize the expected gains, iteration after iteration. Inspired by the work of Shen et al. [46], the total utility for the phisher, after the $t$-th iteration of the game, is given by: Here $\delta \in [0; 1[$ is a discount factor. The term $U^t_{phisher}(S_{i_k})$ is defined as the total utility that the phisher expects to obtain by choosing the strategy $S_{i_k}$ at the $t$-th iteration of the game. Equation is the total utility of the phisher during the repeated game, choosing the strategy $S_{i_k}$ at the $t$-th iteration before the user's reaction during this iteration.
• $(S^h_{i_h}, D^h_{i_h j_h})$ is the outcome of the game obtained at the ith iteration.
• $U_{phisher}(S_{i_k})$ is the a priori phisher's utility by choosing the strategy $S_{i_k}$ during the stage game without any reaction from the user.
A priori utility $U_{phisher}(S_{i_k})$. The prediction proposed by the model in (40) is intrinsically related to $U^t_{phisher}(S_{i_k})$, which depends itself on the a priori utility $U_{phisher}(S_{i_k})$. Similarly, Shen et al. [46] have used a method based on QRE to predict future attacks, but without explicitly describing how to obtain such an a priori utility. That is, how to evaluate the gain of a player who has chosen an action without the other player's choice being made? Table 2 provides the value of $U_{phisher}(S_1, D_{11})$ but does not give the value of $U_{phisher}(S_1)$.
The relation (28) is proposed to overcome this issue.
$\times\, U_{phisher}(S_{i_k}, D_{i_k j})$,
• $Proba(D_{i_k j} | S_{i_k})$ is the probability for the user to choose $D_{i_k j_k}$ knowing that the phisher has chosen $S_{i_k}$.
• $U_{phisher}(S_{i_k}, D_{i_k j})$ is the phisher's gain when the outcome $(S_{i_k}, D_{i_k j})$ is realized. Moreover, with, such that:

19- End For
20- End For
21- Return (Proba);
End
Note: $Proba_{max} = 0.65$ means that, during the probabilistic adjustment phase, the largest value of $Proba(S_{i_h})$, $\forall S_{i_h} \in A_1$, is 0.65; however, it does not necessarily imply that, during the prediction phase (after including the QRE), the probabilities obtained will also be increased by $Proba_{max}$.
Then, the operation $Proba(S_{i_h}) \leftarrow Proba(S_{i_h}) + \tau$ in statement 14 must be checked, so that $Proba(S_{i_h})$ remains a probability despite the progressive additions of $\tau$ during the game iterations. It is therefore a question of ensuring that $\forall \tau$: Let, The following aims to look for $k \in \mathbb{R}^*_+$ such that $0 < Proba(S_{i_h}) + \tau \le 1$.
On the one hand, It is further noted that Thus, to have P roba( (35) and ( On the other hand, while assuming that $k = (\beta_2 - 1) \times \frac{Proba_{max}}{1 - Proba_{max}}$, $2 \le \beta_2$ and $\beta_1 = 2 - \beta_2$, In the following, we look for a sufficient condition to have $Proba(S_{i_h}) + \tau > 0$, $\forall S_{i_h} \in A_1$. We have, To ensure that $Proba(S_{i_h}) + \tau \in ]0; 1]$, $\forall S_{i_h} \in A_1$, it is sufficient to have the following conditions
[47]. It is a concept of equilibrium which, besides being more realistic than the Nash equilibrium, captures the limited rationality of each player and predicts the future behavior of the attacker, as claimed by Kantzavelou and Katsikas [48]. In this regard, Shen et al. [46] proposed a model for calculating the probability of a future attack. Their model is adapted to fit our context through Equation (40).
where $Proba^t_\lambda(S_{i_k})$ is the probability that, given $(t-1)$ iteration(s) already performed in the game, the phisher decides to attack via the $S_{i_k}$ strategy during the next iteration, with $i_k \in \{1, 2, 3, 4\}$. QRE introduces a decision parameter $\lambda$ which represents the rationality of the player. When $\lambda = 0$, the phisher is completely irrational, which corresponds to a random choice. Moreover, the phisher's next action is gradually influenced by the expected reward as $\lambda$ increases to $\infty$, which reflects a fully rational attacker acting to maximize gains.
Based on the prediction (Equation 40), the defender is recommended to invest up to $\mathrm{Mean}(\{Proba^t_\lambda(S_{i_k})\}_{\lambda = 0 \ldots \lambda_{max}})\%$ of its resources and budget (as computed in Equation 41). Such recommendations support countermeasures against attack and are considered as appropriate responses to avoid being lured in the $t$-th iteration. Gambit sets its threshold to $\lambda_{max} = 1000000$ [48]. The threshold has rather been set to $\lambda_{max} = 100$ since Matlab simulations revealed that, starting from $\lambda = 100$, the phisher's intent no longer fluctuates according to the strategies.
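The prediction and recommendation steps described above, as an added example that is not the authors' Matlab code. It assumes the standard logit form of QRE (Equation 40 itself is not reproduced here), an a priori utility computed as the reaction-probability-weighted sum of payoffs, integer steps for λ, and constructed payoff and reaction tables.

```python
import math

# Constructed phisher payoffs U_phisher(S_i, D_ij): one row per strategy, one
# column per user reaction D_i1..D_i4 (illustrative, not the paper's Table 2).
PAYOFFS = {
    "S1": (15, 6, 11, 2),
    "S2": (16, 5, 12, 3),
    "S3": (14, 8, 10, 4),
    "S4": (13, 7, 9, 1),
}

# Constructed Proba(D_ij | S_i): how the user is assumed to react to each trick.
REACTIONS = {
    "S1": (0.10, 0.20, 0.50, 0.20),
    "S2": (0.25, 0.25, 0.25, 0.25),
    "S3": (0.10, 0.60, 0.10, 0.20),
    "S4": (0.10, 0.10, 0.10, 0.70),
}


def a_priori_utilities(payoffs, reactions):
    """Expected phisher utility of each strategy before the user reacts:
    sum over j of Proba(D_ij | S_i) * U_phisher(S_i, D_ij)."""
    utilities = {}
    for strategy, row in payoffs.items():
        probs = reactions[strategy]
        if len(probs) != len(row) or min(probs) < 0 or abs(sum(probs) - 1.0) > 1e-9:
            raise ValueError(f"reaction probabilities for {strategy} are not a distribution")
        utilities[strategy] = sum(p * u for p, u in zip(probs, row))
    return utilities


def quantal_response(utilities, lam):
    """Logit quantal response: P(S_i) proportional to exp(lam * U(S_i)).

    lam = 0 gives a uniform (irrational) choice; large lam approaches the
    utility-maximising choice. Subtracting the best utility before
    exponentiating keeps exp() from overflowing at large lam.
    """
    if lam < 0:
        raise ValueError("lambda must be non-negative")
    best = max(utilities.values())
    weights = {s: math.exp(lam * (u - best)) for s, u in utilities.items()}
    total = sum(weights.values())
    return {s: w / total for s, w in weights.items()}


def recommend_allocation(utilities, lam_max=100):
    """Share of defensive resources per strategy, in percent: the mean of the
    predicted probabilities over lam = 0, 1, ..., lam_max (integer steps are
    an assumption of this example)."""
    sums = dict.fromkeys(utilities, 0.0)
    for lam in range(lam_max + 1):
        for strategy, p in quantal_response(utilities, lam).items():
            sums[strategy] += p
    return {s: 100.0 * total / (lam_max + 1) for s, total in sums.items()}


if __name__ == "__main__":
    expected = a_priori_utilities(PAYOFFS, REACTIONS)
    for lam in (0, 1, 10, 100):
        probs = quantal_response(expected, lam)
        print(lam, {s: round(p, 4) for s, p in probs.items()})
    print({s: round(v, 2) for s, v in recommend_allocation(expected).items()})
```

With these constructed tables the predicted distribution concentrates on one strategy well before λ = 100, which is the behaviour the choice of λ_max above relies on.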

Implementation and complexity
Here, the components of the final system are presented and its temporal complexity is analyzed.

Implementation phases
The implementation of the proposed approach requires four phases, as shown in Figure 3. The first phase initializes the game. The second phase formalizes historical interactions. The third phase concerns how to adjust probabilities from history. The last phase predicts the future phisher's intent. The game phases have been implemented with MATLAB, and all the artifacts are included in the GitHub project page. Some elements have been considered to ease the development phase. The first one is that the number of attackers is one, meaning that we are in a situation where an attacker develops strategies in different stages to get rewards in the game. The second is that the number of instances in a repeated game is finite, meaning that the game ends after some time. However, in practice, various attackers can target the same victim, an attacker can target multiple victims simultaneously, and players should not know when the game is closed. The proposed development is an attempt to approximate real cases.
Phase 1: Stage game construction. The phisher's utility function $U_1$ and the user's utility function $U_2$ are built. Next, the method described in (Equation 19) is implemented for obtaining probability weights $U_1$ and $U_2$.

Phase 2: History definition. This phase is devoted to defining $History = \{\{S^h_i, D^h_{ij}\}\}_{h=0,1,\ldots,(t-1)}$ as the set of previous outcomes that occurred during the interaction between both players. The script gives the user the ability to input these previous outcomes or generate them randomly for simulation purposes.
Phase 3: Probabilities adjustment based on the game history. This phase aims to implement the algorithm described in Algorithm 1. In so doing, the probability that the phisher chooses a given trick $S_i$ depends on the reward related to this trick in the past interactions with the user.

Phase 4: Prediction and recommendations
This phase consists of the implementation of Equation (27) to evaluate the reward of the phisher, obtained during the history, according to the probabilities adjusted in phase No. 3.

Analysis of complexity
The first phase does not depend on the history of the game and it is realized once. Other phases, using the game data, can be performed several times to simulate different "history" cases.
Fundamental operations for determining temporal complexity belong to phases No. 2, No. 3 and No. 4.
The construction of the stage game in phase No. 1 is excluded because it is not executed when the number of iterations during the repeated game increases. The worst scenario in the second phase concerns the generation of the game's history. $t$ successive assignments are required to generate $t$ outcomes $\{\{S^h_i, D^h_{ij}\}\}_{h=0,1,\ldots,(t-1)}$ earlier in the history. Let be: In the third phase, 3 are considered as fundamental. Then, phase No. 3 requires $N_3$ assignments defined as follows Assignments required in equations (27) The calculation of $Proba(D_{i_k j_k} | S_{i_k})$ in (Equation 29) requires therefore $N_{4_2}$ assignments defined in Equation 45.
The a priori utility $U^t_{phisher}(S_{i_k})$ (Equation (28)) costs about $N_{4_3}$ assignments as defined in Equation 46.
So, for any trick $S_{i_k}$, the calculation of $U^t_{phisher}(S_{i_k})$ from equation (27) is computed in $N_{4_4}$ as defined in Equation 47.
Recommendations related to the four tricks require $N_{4_6}$ assignments. $N_{4_6}$ is evaluated based on Equation (41).
The prediction approach requires the total number of fundamental operations $N$ for each simulation. $N$ is obtained as follows: In sum, the temporal complexity is linear in $t$. This complexity grows with the number of instances in one stage. And it grows much higher when the number of stages increases.

Simulations and interpretations
We simulated the model to validate its ability to reasonably predict future phisher decisions. This section has two orientations. The first orientation builds the one-shot game model using Gambit to obtain the NE. It is realized using the integrated package for calculating NE. The second orientation determines probabilities of a successful attack and the phisher attack anticipation based on QRE through the repeated game. Gambit does not have an embedded library to model the repeated game.

Nash Equilibrium of the model
Result. The Nash Equilibrium of the game G presented in Figure 2 is illustrated with more details in Figure 4. Figure 4 describes the behavior of both players at the equilibrium.
Interpretation. The equilibrium shows that the phisher is likely to opt for strategies $S_1$ and $S_2$ with the same probability of 0.5. In both cases, the defender would do better to abandon suspected e-mails with a probability of 1. This reaction, a priori plausible during an attack, confirms the consistency of the proposed model. However, since it is a repeated game, the total number of strategies at the $t$-th stage is a multiple of the number of history strategies at all stages 0, 1 ... t-1. This number grows with the number of iterations. Consequently, the time to predict the future behavior of a player at the NE state in a stage becomes higher and higher, and the one for the whole game explodes accordingly.

Simulations and interpretations in case of an attack
A script in Matlab has been written to determine the utility functions of players for a non-repeated game and to simulate Equation (20). Figure 5 presents probability results of both opponents during an attack. The experiment is made under the following hypotheses.

Figure 5. Probability for an attack to succeed during Nash Equilibrium
The attack has less chance of success because $Proba_{attackSucceed} = 0.1295$ at NE, whereas the defensive measure is more likely to protect the user because $Proba_{defenseSucceed} = 0.8705$.

Simulations and interpretations of attack predictions
The purpose of this section is to predict the future behavior of the hacker at the $t$-th iteration based on the previous $(t-1)$ iterations, defined as $History = \{\{S^h_i, D^h_{ij}\}\}_{h=0,1,\ldots,(t-1)}$. For this purpose, three general cases are simulated and discussed.
Case No. 1.
The history is explained as follows: the phisher starts the attack using an email concealing a malicious attachment ($S_4$); fortunately, the user, with the help of antivirus, foils this attack ($D_{44}$). Subsequently, the phisher continues the attack with a suitable text including an email address ($S_1$) to direct related responses; the user falls into the trap despite the antiphishing training ($U_e$). The attack succeeds.
Results and interpretations. Figure 6 illustrates recommendations to be made by the defender at the third iteration. Figure 7 shows the phisher intent predictions during the third iteration. Firstly, Figure 7 reveals that $S_1$ is more likely to be used by the phisher for the next attack. Indeed, the most recent attack of the phisher (footnote 15) succeeded despite the countermeasure of the user ($D_{13}$); thus, the attacker, during the third iteration, seeks to replicate the previous success. It is done by betting on the trick $S_1$, to thwart the protection implemented by the user ($D_{13}$).
Secondly, Figure 7 also reveals that the trick $S_4$ is less likely to be chosen at the next stage of the game. Indeed, the game's history indicates that the user has already taken a defensive action against $S_4$, which makes it possible to thwart the trick $S_4$.

Figure 6. Case No. 1: recommendations
To reinforce security during the third iteration, the proposed model therefore recommends that the user dedicate:
• 96.3704% of its resources to avoid being lured by the attack's trick $S_1$;
• 1.04635% of its resources to avoid being lured by the attack's trick $S_2$;
• 2.15335% of its resources to avoid being lured by the attack's trick $S_3$;
• 0.429894% of its resources to avoid being lured by the attack's trick $S_4$.

Case No. 2.
Inputs
There are two inputs in this case.
The phisher starts with an adapted text attack that contains an email address ($S_1$) to direct related responses; the attack succeeds despite the defensive measure of the user ($D_{13}$). Subsequently, the phisher insists on the same strategy, which results in a failure ($D_{12}$). Finally, the phisher decides to change the strategy and opts for a malicious link attack ($S_3$); the user is careful and ignores the mail ($D_{32}$).

$^{15}$ The one that occurred at the second iteration ($S_1$).

Results and interpretations
Figure 8 outlines the recommendations on resources to allocate to reinforce defensive measures. Figure 9 presents the phisher intent predictions at the fourth iteration.
Our model predicts that the phisher's intent for the next attack will be $S_2$. Indeed, the most recent trick ($S_3$) failed; according to the game's history, the strategy $S_1$ is the only successful strategy to lure the user despite the defender's training.

Figure 8. Case No. 2: recommendations
However, the outcome ($S_1$; $D_{13}$) followed by ($S_1$; $D_{12}$) shows that the user has been trained and knows how to recognize the strategy $S_1$. Since the phisher's preferences on $S_1$ and $S_2$ are almost similar$^{16}$, the phisher's strategy is changed to $S_2$. The aim is to hopefully deceive the user who has already been lured by a similar ruse in the past.
Furthermore, $S_1$ and $S_3$ have a very low probability of appearing once again because they have been foiled during previous iterations of the game. However, $S_3$ has the lowest probability$^{17}$ because it is the most recent one and it has never been beneficial for the phisher during the game's history.
During the fourth iteration, the model therefore recommends that the user dedicate:
• 0.971657% of its resources to avoid being lured by the attack's trick $S_1$;
• 94.3091% of its resources to avoid being lured by the attack's trick $S_2$;
• 1.82794% of its resources to avoid being lured by the attack's trick $S_3$;
• 2.69424% of its resources to avoid being lured by the attack's trick $S_4$.

$^{16}$ See relation (1).
$^{17}$ The lowest curve in Figure 9.

Case No. 3.
Inputs
The phisher carries out four (04) consecutive attacks based on the attached file concealing a spy code, and the user foils this attack each time with an antivirus.

Results and interpretations
Figure 10 presents the recommendations obtained to anticipate the fifth attack. Figure 11 presents the phisher intent predictions at the fifth iteration.
The model predicts that the phisher, after having tried to lure the user four consecutive times via $S_4$, will abandon this strategy to bet primarily on an attack based on a forged URL ($S_3$), as shown in Figure 11. The model predicts an equiprobability in the hacker's choice between these two strategies, based on the indifference in the phisher's preferences between $S_1$ and $S_2$ (Equation (1) in Section 3.1). The model therefore advises the user to devote:
• 3.92921% of its resources to avoid being lured by the attack's trick $S_1$;
• 3.92921% of its resources to avoid being lured by the attack's trick $S_2$;
• 91.7156% of its resources to avoid being lured by the attack's trick $S_3$;
• 0.426001% of its resources to avoid being lured by the attack's trick $S_4$.

EAI Endorsed Transactions Scalable Information Systems 01 2021 -04 2021 | Volume 8 | Issue 30 | e5
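The prediction-then-allocation step used in the three cases can be reproduced in miniature. The following is an added example, not the paper's Matlab script: it solves a logit QRE for a single stage of a phisher/defender game by damped fixed-point iteration and turns the predicted trick probabilities into a resource split. The payoff matrices, the three defender actions, the value of lambda and the proportional allocation rule are assumptions made for illustration.

```python
import math

TRICKS = ["S1", "S2", "S3", "S4"]               # phisher strategies, labels from the paper
DEFENSES = ["ignore", "training", "antivirus"]  # assumed defender actions

# Constructed stage-game payoffs (rows: tricks, columns: defenses); not the paper's utilities.
# The S1 and S2 rows are identical to mirror the phisher's indifference between them.
U_ATT = [[-1.0, 1.0, 2.0], [-1.0, 1.0, 2.0], [-1.0, 0.0, 1.0], [-1.0, 1.0, -1.0]]
U_DEF = [[0.5, -1.0, -2.0], [0.5, -1.0, -2.0], [0.5, 0.5, -1.0], [0.5, -1.0, 1.0]]

def logit_response(expected, lam):
    """Logit quantal response: choice probabilities proportional to exp(lam * payoff)."""
    top = max(expected)  # subtract the max for numerical stability
    weights = [math.exp(lam * (e - top)) for e in expected]
    total = sum(weights)
    return [w / total for w in weights]

def responses(p, q, u_att, u_def, lam):
    """Each player's logit response to the other's current mixed strategy."""
    exp_att = [sum(qj * u for qj, u in zip(q, row)) for row in u_att]
    exp_def = [sum(pi * row[j] for pi, row in zip(p, u_def)) for j in range(len(q))]
    return logit_response(exp_att, lam), logit_response(exp_def, lam)

def logit_qre(u_att, u_def, lam, iters=2000, damping=0.5):
    """Damped fixed-point iteration; returns (p, q, residual).
    A residual near 0 means (p, q) is a logit QRE; a large lam may need more damping."""
    p = [1.0 / len(u_att)] * len(u_att)
    q = [1.0 / len(u_att[0])] * len(u_att[0])
    for _ in range(iters):
        rp, rq = responses(p, q, u_att, u_def, lam)
        p = [damping * a + (1 - damping) * b for a, b in zip(p, rp)]
        q = [damping * a + (1 - damping) * b for a, b in zip(q, rq)]
    rp, rq = responses(p, q, u_att, u_def, lam)
    residual = max(abs(a - b) for a, b in zip(p + q, rp + rq))
    return p, q, residual

def allocation(p):
    """Assumed rule: defensive resources (%) proportional to each trick's predicted probability."""
    return {trick: 100.0 * prob for trick, prob in zip(TRICKS, p)}

if __name__ == "__main__":
    for lam in (0.0, 0.4):  # lam = 0 is pure noise; larger lam approaches best response
        p, q, res = logit_qre(U_ATT, U_DEF, lam)
        print(f"lambda={lam}: residual={res:.1e}")
        print("  phisher:", {t: round(x, 4) for t, x in zip(TRICKS, p)})
        print("  defender:", {d: round(x, 4) for d, x in zip(DEFENSES, q)})
        print("  allocation %:", {t: round(a, 2) for t, a in allocation(p).items()})
```

With these constructed payoffs the two indifferent tricks receive equal probability and equal shares of the defensive budget, and the returned residual tells the reader whether the iteration actually reached a fixed point for the chosen lambda.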

Related Works
This section describes solutions for spear-phishing. The first part deals with main approaches and the second part presents research works exploiting game theory for phishing and intrusion detection.

Prevention and mitigation approaches
Companies acquire network protection solutions (IDS, firewalls, honeypots, etc.) to mitigate spear-phishing intrusion [24,25]. At the employee level, they opt for antiviruses [49,50] or filters based on black and white lists installed on browsers [20][21][22][23]. Training sessions with tools simulating real attacks are planned, and educational games [16][17][18][19] set up for this purpose are used in the short or long term. Employees can also voluntarily take ownership of educational tools such as TORPEDO [51] to prevent suspicious emails. The literature provides more technical solutions. They rely on artificial intelligence, including automatic or deep learning, to generate the intelligence necessary to characterize spear-phishing activities [26][27][28][29][30][31][49] based on an annotated sample of emails or URLs [52]. Other orientations seek to determine signatures that characterize variants of Web pages or emails, to recognize similarities and to deduce malicious characters [34,53,54].
Limitations. Existing solutions aim to identify the nature of an email or URL as phished or genuine, and to educate people to recognize this nature. They specifically rely on static features extracted from emails, URLs, or other vectors. They hardly take into account the whole interaction. Such types of detectors require a minimal knowledge for learning and a minimal expertise for exploitation. Game theory is a powerful tool to learn and represent knowledge related to opponent interactions.

Exploitation of game theory
Authors are interested in investigating how game theory can improve research in the phishing detection area.
Game theory for spear-phishing. Yu et al. [37] model phishing through Stochastic Game Nets (SGN). Their work determines the probability of a successful attack and the average time for a successful attack. Figueroa et al. [38] combine classification techniques and signaling games. This association aims to develop a computer tool allowing the administrator of a network to classify an email. Zhao et al. [40] investigate the diagnoses of email filtering tools while modelling sequential spear-phishing attacks as a Stackelberg game model with one and multiple credentials. They propose optimization in the decision making of opponents based on the veracity weight of such first-line defence. Pawlick and Zhu [39] apply the Poisson Signaling Game (PSG) to capture phishing assets in the Internet of Things (IoT). Their approach captures situations with multiple receivers and gives the receivers abilities to detect deception with probabilities. Zhu and Rass [55] propose to design a game-theoretical model to capture player interactions in each phase of general advanced persistent threats (APT). For instance, they provide a model for phase 1 - initial penetration and establishment, phase 2 - learning and propagation, and phase 3 - damage.

Game theory for intrusion detection. Kantzavelou and Katsikas [48] apply game theory to model interactions between insiders and IDS. The game outcomes are quantified by specifying the preferences of players. The von Neumann-Morgenstern utility function is then used to assign numbers that reflect these preferences. They extend Nash Equilibrium (NE) to QRE to capture the bounded rationality of players and to model the behavior of insiders. These authors used QRE to determine how an insider will interact in the future, and how an IDS will react to protect the system. Shen et al. [46] similarly formulate a stage Intrusion Detection Game (IDG), where they thoroughly consider the preferences of players. They assign the payoffs of players based on Binmore's method, to describe interactions between the attacker and IDS agents. The authors define the corresponding payoffs by extending the stage IDG to a repeated IDG, to reflect the reality of continuous interactions. They further propose a method of calculating QRE-based strategies that predict the attacker's future behavior.
Limitations. Research based on game theory models for phishing is limited by the following aspects.
• Interactions can take place several times, which means that the phisher and the defender continuously interact;
• The next attack's anticipation and prediction are not emphasized.
Kantzavelou and Katsikas [48] and Shen et al. [46] integrate these two aspects, but their solution does not deal with spear-phishing attacks.
Contribution. This work therefore proposes to adapt approaches that apply game theory to IDS to spear-phishing, where the defender repeatedly receives one fake message from the attacker until success. Table 5 provides a comparison between the proposed approach and research works that applied game theory to phishing detection. One can note that these works, although they all deal with phishing, differ in their objectives. Authors adopt certain types of games based on their objectives, even if the games are mainly designed as sequential. Existing works aim at predicting whether an incoming e-mail is fraudulent or not. On that basis, their models take into consideration that the defender is likely to misclassify emails. Compared to our work, these works do not represent the phishing game with the specific strategies of both opponents. They generally consider that the attacker sends malicious objects and that the receiver tries to recognize them as such, or they consider just one attack scenario. However, it is relevant to consider the specific actions exploited by the attacker to infiltrate and to lure the defender. Our work instead intends to derive knowledge, as precise as possible, from historical interactions, which users can rely on to anticipate future phisher actions. We were therefore required to design the game as generically as possible, with the possible strategies of the opponents. We have designed our approach strictly for one-to-one deception games, but in reality the game can involve several attackers. This is the case, for example, in a Distributed Denial of Service (DDoS) attack, where multiple bots redirect requests to the target. Several defenders can also be involved when the attacker targets a group of people in a company. These two facts have been considered in other works, although in other directions. We should extend our work to integrate them. The assumption that defenders have a certain defensive knowledge holds mostly in developed countries. Nonetheless, we propose to take into consideration the worst cases, in which users ignore security concerns and even adequate defensive measures. Contextually, there are also companies without any phishing filters. One positive fact is that these works can be exploited in association, from the prediction to the detection of fake messages.

Conclusion and future works
Attackers exploit spear-phishing attacks to infiltrate cyber systems through employees and gain sensitive information from companies. Researchers try to develop approaches to make these attacks unsuccessful. The approach proposed in this work consists of acquiring knowledge from interactions between the phisher and the victims, to predict the phisher's next actions according to knowledge from past interactions and to recommend actions on the victim side. In this regard, this work adapted a game between IDS agents and insiders to propose a QRE game theory-based approach that predicts the phisher's future intent according to the past actions of both players. A repeated and extensive game has been modelled to represent as many as possible of the strategies developed by the opponents. The Nash Equilibrium indicates that the phisher resorts to spoofed-address emails and to inciting victims to pursue conversations via phone calls. The NE also indicates that, in this case, the potential victims abandon the suspected e-mails to avoid any risk. This situation reveals that the proposed model is reliable. The simulation of the game model, in Matlab, has been exploited to predict the future behavior of the phisher based on previous interactions. Three case studies have been drawn. For instance, let us take the case with the two past iterations {phisher: using fake attachment - victim: using antivirus}, {phisher: disguising email contents - victim: anti-phishing training}. Based on these two historical interactions, the model found that the phisher will more likely continue by disguising the mail contents, since this was successful despite countermeasures.
The model has also been able to predict the phisher's further actions in all the other experimented cases. The prediction has been coupled with a recommendation scheme for the appropriate allocation of resources to invest to strengthen user protection. The complexity related to the construction of the game with the calculation of prediction probabilities depends strongly and linearly on the number of assignments in the historical interactions. The implementation of the model has a linear temporal complexity. Future works will follow three axes. The first axis consists of identifying and estimating the significant parameters required to evaluate the attacker's and the defender's losses during an email phishing attack, and of integrating the results obtained into the different recommendations proposed by the model. The second axis consists of proposing a method of profiling phishing attack strategies to combine with the model developed in this work. The third axis consists of extending the modelling of interactions between one defender and several attackers.