MEGA-PT: A Meta-game Framework for Agile Penetration Testing

Yunfei Ge; Quanyan Zhu

doi:10.1007/978-3-031-74835-6_2

MEGA-PT: A Meta-game Framework for Agile Penetration Testing

Yunfei Ge, Quanyan Zhu

Electrical and Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Penetration testing is an essential means of proactive defense in the face of escalating cybersecurity incidents. Traditional manual penetration testing methods are time-consuming, resource-intensive, and prone to human errors. Current trends in automated penetration testing are also impractical, facing significant challenges such as the curse of dimensionality, scalability issues, and lack of adaptability to network changes. To address these issues, we propose MEGA-PT, a meta-game penetration testing framework, featuring micro tactic games for node-level local interactions and a macro strategy process for network-wide attack chains. The micro- and macro-level modeling enables distributed, adaptive, collaborative, and fast penetration testing. MEGA-PT offers agile solutions for various security schemes, including optimal local penetration plans, purple teaming solutions, and risk assessment, providing fundamental principles to guide future automated penetration testing. Our experiments demonstrate the effectiveness and agility of our model by providing improved defense strategies and adaptability to changes at both local and network levels.

Original language	English (US)
Title of host publication	Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings
Editors	Arunesh Sinha, Jie Fu, Quanyan Zhu, Tao Zhang
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	24-44
Number of pages	21
ISBN (Print)	9783031748349
DOIs	https://doi.org/10.1007/978-3-031-74835-6_2
State	Published - 2025
Event	15th International Conference on Decision and Game Theory for Security, GameSec 2024 - New York, United States Duration: Oct 16 2024 → Oct 18 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14908 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	15th International Conference on Decision and Game Theory for Security, GameSec 2024
Country/Territory	United States
City	New York
Period	10/16/24 → 10/18/24

Keywords

Agile Defense
Cyber Risk Assessment
Cyber Security
Meta-Game
Penetration Testing

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-74835-6_2

Cite this

Ge, Y., & Zhu, Q. (2025). MEGA-PT: A Meta-game Framework for Agile Penetration Testing. In A. Sinha, J. Fu, Q. Zhu, & T. Zhang (Eds.), Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings (pp. 24-44). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14908 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-74835-6_2

MEGA-PT: A Meta-game Framework for Agile Penetration Testing. / Ge, Yunfei; Zhu, Quanyan.
Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings. ed. / Arunesh Sinha; Jie Fu; Quanyan Zhu; Tao Zhang. Springer Science and Business Media Deutschland GmbH, 2025. p. 24-44 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14908 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ge, Y & Zhu, Q 2025, MEGA-PT: A Meta-game Framework for Agile Penetration Testing. in A Sinha, J Fu, Q Zhu & T Zhang (eds), Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14908 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 24-44, 15th International Conference on Decision and Game Theory for Security, GameSec 2024, New York, United States, 10/16/24. https://doi.org/10.1007/978-3-031-74835-6_2

Ge Y, Zhu Q. MEGA-PT: A Meta-game Framework for Agile Penetration Testing. In Sinha A, Fu J, Zhu Q, Zhang T, editors, Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 24-44. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-74835-6_2

Ge, Yunfei ; Zhu, Quanyan. / MEGA-PT : A Meta-game Framework for Agile Penetration Testing. Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings. editor / Arunesh Sinha ; Jie Fu ; Quanyan Zhu ; Tao Zhang. Springer Science and Business Media Deutschland GmbH, 2025. pp. 24-44 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6b136ec4f2f54efba41aed2b8ab13570,

title = "MEGA-PT: A Meta-game Framework for Agile Penetration Testing",

abstract = "Penetration testing is an essential means of proactive defense in the face of escalating cybersecurity incidents. Traditional manual penetration testing methods are time-consuming, resource-intensive, and prone to human errors. Current trends in automated penetration testing are also impractical, facing significant challenges such as the curse of dimensionality, scalability issues, and lack of adaptability to network changes. To address these issues, we propose MEGA-PT, a meta-game penetration testing framework, featuring micro tactic games for node-level local interactions and a macro strategy process for network-wide attack chains. The micro- and macro-level modeling enables distributed, adaptive, collaborative, and fast penetration testing. MEGA-PT offers agile solutions for various security schemes, including optimal local penetration plans, purple teaming solutions, and risk assessment, providing fundamental principles to guide future automated penetration testing. Our experiments demonstrate the effectiveness and agility of our model by providing improved defense strategies and adaptability to changes at both local and network levels.",

keywords = "Agile Defense, Cyber Risk Assessment, Cyber Security, Meta-Game, Penetration Testing",

author = "Yunfei Ge and Quanyan Zhu",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 15th International Conference on Decision and Game Theory for Security, GameSec 2024 ; Conference date: 16-10-2024 Through 18-10-2024",

year = "2025",

doi = "10.1007/978-3-031-74835-6_2",

language = "English (US)",

isbn = "9783031748349",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "24--44",

editor = "Arunesh Sinha and Jie Fu and Quanyan Zhu and Tao Zhang",

booktitle = "Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings",

address = "Germany",

}

TY - GEN

T1 - MEGA-PT

T2 - 15th International Conference on Decision and Game Theory for Security, GameSec 2024

AU - Ge, Yunfei

AU - Zhu, Quanyan

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025

Y1 - 2025

N2 - Penetration testing is an essential means of proactive defense in the face of escalating cybersecurity incidents. Traditional manual penetration testing methods are time-consuming, resource-intensive, and prone to human errors. Current trends in automated penetration testing are also impractical, facing significant challenges such as the curse of dimensionality, scalability issues, and lack of adaptability to network changes. To address these issues, we propose MEGA-PT, a meta-game penetration testing framework, featuring micro tactic games for node-level local interactions and a macro strategy process for network-wide attack chains. The micro- and macro-level modeling enables distributed, adaptive, collaborative, and fast penetration testing. MEGA-PT offers agile solutions for various security schemes, including optimal local penetration plans, purple teaming solutions, and risk assessment, providing fundamental principles to guide future automated penetration testing. Our experiments demonstrate the effectiveness and agility of our model by providing improved defense strategies and adaptability to changes at both local and network levels.

AB - Penetration testing is an essential means of proactive defense in the face of escalating cybersecurity incidents. Traditional manual penetration testing methods are time-consuming, resource-intensive, and prone to human errors. Current trends in automated penetration testing are also impractical, facing significant challenges such as the curse of dimensionality, scalability issues, and lack of adaptability to network changes. To address these issues, we propose MEGA-PT, a meta-game penetration testing framework, featuring micro tactic games for node-level local interactions and a macro strategy process for network-wide attack chains. The micro- and macro-level modeling enables distributed, adaptive, collaborative, and fast penetration testing. MEGA-PT offers agile solutions for various security schemes, including optimal local penetration plans, purple teaming solutions, and risk assessment, providing fundamental principles to guide future automated penetration testing. Our experiments demonstrate the effectiveness and agility of our model by providing improved defense strategies and adaptability to changes at both local and network levels.

KW - Agile Defense

KW - Cyber Risk Assessment

KW - Cyber Security

KW - Meta-Game

KW - Penetration Testing

UR - http://www.scopus.com/inward/record.url?scp=85207651766&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85207651766&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-74835-6_2

DO - 10.1007/978-3-031-74835-6_2

M3 - Conference contribution

AN - SCOPUS:85207651766

SN - 9783031748349

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 24

EP - 44

BT - Decision and Game Theory for Security - 15th International Conference, GameSec 2024, Proceedings

A2 - Sinha, Arunesh

A2 - Fu, Jie

A2 - Zhu, Quanyan

A2 - Zhang, Tao

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 16 October 2024 through 18 October 2024

ER -