Exploring the Optimum Proactive Defense Strategy for the Power Systems from an Attack Perspective

Proactive defense is one of the most promising approaches to enhance cyber-security in the power systems, while how to balance its costs and benefits has not been fully studied. ,is paper proposes a novel method to model cyber adversarial behaviors as attackers contending for the defenders’ benefit based on the game theory. We firstly calculate the final benefit of the hackers and defenders in different states on the basis of the constructed models and then predict the possible attack behavior and evaluate the best defense strategy for the power systems. Based on a real power system subnet, we analyze 27 attack models with our method, and the result shows that the optimal strategy of the attacker is to launch a small-scale attack. Correspondingly, the optimal strategy of the defender is to conduct partial-defense.


Introduction
Energy is one of the most important forces to promote the development of industry in the entire society. e energy systems, the only channels for energy transmission, are responsible for the stable transmission of energy. As the primary branch of the energy systems, the power systems have been the focus to be assaulted in recent years [1]; in 2010, a power plant in Iran was attacked by the Stuxnet virus, which made the Iranian nuclear power plant lose its power generation capacity for a short time [2]; in 2014, the malicious software Black Energy invaded into USA power turbines during which USA power systems suffered a total of no less than 79 hacker attacks; in 2015, Ukrainian power systems were attacked by a malicious code, which caused a large-scale blackout; in 2016, a great many computers of the power systems, attacked in Israel by hackers, were in a suspended state; in 2019, many major hydropower stations in Venezuela were under cyber-attack, which occurred in more than half of the regions with a large-scale power outage for more than 6 days. e fundamental reason that energy systems such as the power systems can be frequently attacked successfully is that the protection strategy of each system is passive and static and it does not have an autoimmune function [3]. For such prominent problems, a lot of researches on proactive defense have been conducted in the industry areas and the related works include moving target defense, mimic defense, and end-to-end hopping [3,4]. e abovementioned proactive defense technologies have made considerable progress in theory, but the disadvantage is that it needs to take a huge cost to build a system with the above defense attributes, which is often unbearable. For the sake of solving this problem, many scholars have applied game theory to network security defense, but so far, there have been fewer reports on game theory that can be employed to solve security problems in the real power production systems.
In this paper, we firstly introduce some related typical works in the field of active and proactive defense. Secondly, a single and dual game model between the hackers and defenders of the power systems, based on the introduction of game theory, is constructed. en, the established attack and defense model is verified by the production environment attack data from a real power systems subnet. Finally, the model that matches the real production environment is used to predict the hostile attack strategy in the next month and the key defense points of the power systems under the current situation are given. e significant contribution of this article is to provide a qualitative method for evaluating external attacks for the power systems, which is as follows: the idea with the revenue of the power systems being robbed is proposed for the first time; taking a subnet in a real power systems as an example, three single and dual attack and defense models are discussed in detail, respectively; the theoretical model in line with the real production environment was established and verified by the attack data in actual production; the best revenues of the attack and defense sides are calculated separately, and the best defense modes for the power systems when facing different attack scales are given. Overall, the main contributions of our works are as follows: (1) Compared with the mimic defense and moving target defense methods in the current industry, we propose a relatively low-cost proactive defense method based on game theory. (2) By calculating the best benefits of the attacker and defender in the game, we can predict the most likely attack behavior and provide more targeted defense strategy for the power systems. (3) We have evaluated the benefits of the three combined attack strategies that are closer to the actual attack situations for both the attacker and defender and verified it with actual attack data.

Related Work
Currently, there are many related reports on active defense on active network defense, mainly including moving target defense (MTD), mimic security defense (MSD), end information hopping (EIH), game theory defense technologies (GTD), and information theory approach (ITA) [5,6]. Deformation networks, adaptive computer networks, selfcleaning networks, and open-flow random host conversion technologies are widely reported in MTD, and the essence of them is to make it difficult for an attacker to accurately grasp the information of the target systems by proactively changing its relevant configuration within a certain time interval. e advantage of this theory is that it can improve the security of the systems attacked by forcing the attacker to continuously increase attack cost, but the pain points inside are needing a huge available configuration space to support the operation of this defense technology. e concept of MSD is fairly similar to that of MTD. Both technologies enable defenders to realize rapid migration in a diverse environment, thereby augmenting the difficulty degree of the hackers. Compared with MTD, MSD has more heterogeneous redundant architectures with the disadvantages that require huge investment cost, while MTD provides limited heterogeneous redundant architectures, which can be regarded as a special case of MTD. EIH, composed of early warning, collaborative control, information management, and task switching function modules, mainly protects the two communication parties by changing crucial information such as the protocol, address, and port between the two communication ends. GTD is a network defense technology based on game theory, which belongs to the theory of beforehand decision analysis and has been used in the field of network security for many years. Although the abovementioned methods have a certain effect on the actual environment, the common problem is that these designs are expensive.
Game theory is an ideal solution to the problem of high cost in proactive defense methods. Many scholars have done a lot of research on it. Radha et al. proposed a game theory optimization routing framework for wireless networks, which provided a solution for the realization of low-energy routing [7]. Zhu and Basar explored the game mechanism of the optimal cross-layer flexible control system to enhance the robustness and security of the cyber-physical system [8]. Zhao et al. studied the game theory model based on the distribution market and solved the problem of the coordinated operation of multiple microgrids [9]. Rass and Zhu analyzed the defense-in-depth strategy of advanced persistent threats and proposed a method to deal with the threats [10]. Chen et al. used dynamic game theory to design a network protection and recovery system for infrastructure to ensure reliable service provision [11]. Miao et al. established a zero-sum mixed state random game model to solve different types of attacks on cyber-physical systems [12]. e abovementioned method based on game theory does solve many relevant network security problems. However, it neither calculates the value of offense and defense benefits nor does it use real-world attack data of power systems to verify its theoretical model. erefore, the problem solved in this paper is how to use game theory to model real industrial control systems and how to qualitatively give the best protection strategy for power systems.

Bayesian Game eory.
Bayesian game is also called incomplete information game, which means that at least one player among multiple players is not completely clear about the revenues or revenue functions of the remaining players. In this article, incomplete information means that the defender on the power systems does not know the method and purpose of the hackers. Similarly, the hackers are not fully aware of the power systems. us, we need to introduce the Bayesian game model to analyze the possible behaviors and revenues of both parties. Bayesian game is not repeated here because the existing literature is very detailed about it [13,14].

Attack and Defense Model Construction of the Power
Systems. Many factors that affect the safe operation of the power systems and the main targets that most likely to be attacked are focused on, including the host, network, and management. Here, we primarily build the single and dual models of the power systems among which the single models include host, network, and management model and the dual models include host and network, host and management, and network and management model.
Under normal circumstances, a considerable revenue, recorded as the total revenue s, can be obtained by defenders from their assets inside the power systems. In consideration of the assets characteristics with wide coverage and multifaceted feature, there will always exist potential security vulnerabilities and this part, denoted as l, is defined as the inherent loss. e hackers frequently utilize various vulnerabilities in an attempt to reduce the defender's revenue. At this time, the hackers' benefit and cost are proportional to the attack size. When the defense side detects that the malicious forces from outside are attempting to damage the power system, it will consume a certain cost and adopt corresponding defense strategies to intercept. Once the power system is severely damaged, it needs at a significant cost to repair it. In this paper, the deliberate attack scale from the outside world is divided into three categories: large-scale, small-scale, and no-attack. e defense strategy in the power systems is divided into complete-defense, partial-defense, and no-defense. Judging from the data about the centralized attacks on the power systems organized by government departments every year, the main targets of the attack are the host, network, and management. e corresponding risk levels are 2, 3 and 2, respectively. According to the respective damage levels, specific values are assigned to the parameters in the models, as shown in Figure 1, and the specific meaning is listed in Table 1. Besides, the original benefits in the adversarial sides are increased by 10 to be convenient for processing data.

Host Attack-Defense Model.
Considering that each attack/defense is a frequently organized and complicated process, all kinds of costs and revenues here are relative values and greater than zero. e expenditure cost from the hackers on large-scale, small-scale, and no-attack can be expressed as a matrix s a , and the expenditure cost of the power systems on complete-, partial-, and no-defense can be expressed as a matrix s d : ere are three defense modes for the power systems to choose each time, and every defense mode may face any attack strategies from outside. In the following, the overall revenue matrix s e obtained by the hackers is given in detail, among which the complete-, partial-, and no-defense in the power systems are taken as row vectors and the large-scale, small-scale, and no-attack from the attackers are used as column vectors, respectively: At this time, according to the abovementioned discussion of various parameters in both sides, the total revenue of the hackers under different attack strategies corresponding to the different defense modes can be calculated, as shown in Figure 2. In the complete-defense mode, Figure 2(a) shows that the gained revenue by the hackers reaches maximum when they adopt large-scale strategy, with the result that the revenue in the power systems is forced to drop to the bottom, but the cost paid by the hackers is also huge. In partial-defense mode, Figure 2(b) reveals that the two sides reach the Nash equilibrium when the hackers use small-scale strategy. In no-defense mode, Figure 2(c) indicates that both sides also reach the Nash equilibrium when the hackers employ a small-scale strategy. It can be concluded that the probability of adopting small-and large-scale strategies for the hackers, respectively, is 2/3 and 1/3 corresponding to the three defense modes that the defender can choose. erefore, the small-scale attack should be paid close attention to in-host attack and defense model.

Network Attack and Defense Model.
e construction process of the network attack and defense model is the same as that of the host, and the cost of both sides is exactly the same as the matrix (1). Considering the openness and accessibility of the network, the extent of injury from an attacker via the network is slightly higher than that of the host, so its specific revenue is shown in the following matrix:

Symbols
Meaning t e cost of a large-scale attack t − Δt e cost of a small-scale attack p − Δp e cost of a partial-defense q e benefit made by the attacker with launching a large-scale attack when the defender is in a state of complete-defense q + Δq e benefit made by the attacker with launching a large-scale attack when the defender is in a state of partial-defense q + n * Δq e benefit made by the attacker with launching a large-scale attack when the defender is in a state of no-defense q e benefit made by the attacker with launching a small-scale attack when the defender is in a state of partial-defense q + Δq e benefit made by the attacker with launching a small-scale attack when the defender is in a state of no-defense l Inherent loss s e total benefit obtained by the defender using its own assets Next, according to the cost of both sides and the revenue obtained by the hackers, we have calculated their total revenues in different states, as shown in Figure 2. Although the defender chooses complete-defense mode in Figure 2(d), the hackers still make very considerable gains by using largescale strategy, owing to the network openness and its own various flaws such as protocol loopholes. Furthermore, the hacker revenue in Figure 2(d) is higher than that of the power systems and both sides have reached the Nash equilibrium, but considering the cost, this attack strategy will only be employed at a particular moment; in partial-defense mode, both sides reach the Nash equilibrium when the hackers adopt the small-scale strategy, and the revenue of the hackers is greater than that of the power systems, as shown in Figure 2(e); in no-defense mode, Figure 2(f ) displays that the two sides also reach the Nash equilibrium when the hackers use small-scale strategy. At this moment, the hackers reach the optimal value in terms of costs and revenues.
In these three defense modes, the probability of smallscale strategy (2/3) is greater than the probability of largescale strategy (1/3). It is worth noting that the conditions for the emergence of large-scale strategy are that the defender must select complete-defense mode and the hackers are willing to be at all costs.

Management Attack and Defense Model.
e construction of the management attack and defense model is also similar to the network and the cost of both sides is identical with matrix (1). Different from the abovementioned network attack and defense model, the degree of attack severity through management defects is lower than that of the host, and its specific revenue is presented in the following matrix: en, based on the known costs and the gains obtained, the total revenues of the attack and defense parties in different states can be calculated, as shown in Figure 2. e data in Figure 2(g) indicate that the cost paid by the hackers is far higher than their revenues when large-and small-scale strategies are adopted. It can be inferred from the above that the best attack strategy of the hackers is to keep a static state and then both sides reach the Nash equilibrium with the defender being in complete-defense mode. In partial-defense mode, the hackers would try to remain stationary since Figure 2(h) indicates that the revenue of the hackers, although higher than in other cases, is still minimal with largescale attacks. As a result, the power systems achieve the maximum revenue with a state of Nash equilibrium. Obviously, the situation in Figure 2(i) is similar to Figure 2(h).
In the management attack and defense model, it is fairly difficult for the hackers to find out a breakthrough point to invade the power systems because the various management measures on it are relatively complete. erefore, the smartest choice for an attacker is to use a static observation strategy.

Host and Network Attack and Defense Model.
In the general host and network policy configuration process, the security policy configuration of the host or network is usually completed first, and then the rest of the policy settings are completed in turn. e default security policy setting order in this part is host network. It is known that many security policies are often universal. Here, the security policies that have been set in the host and can be used in the network are recorded as cost savings. e following lists the cost savings matrix s s of the host in complete-, partial-, and no-defense: According to the cost saved by matrix (5), it can be calculated that the defense cost paid by the power systems in the case of complete-, partial-, and no-defense of the host is displayed in the matrix s 1 , s 2, and s 3 : that the overall revenue required by various attack methods minus its cost is the ultimate revenue of the attack side. e final revenue on the power systems is that its total revenue subtracts the inherent loss, defense cost, and the plundered revenue. us, under the complete-, partial-, and no-defense of the host, the total revenue of the attack side can be gotten via the calculation process provided above, which is the average of the sum of the revenues of the corresponding host and network single model, as shown in the following matrix: Facing the three defense modes of the power systems, Figure 3 analyzes the final revenue that an attacker can achieve by using three different attack strategies. In the first place, we discuss the revenues of the attack and defense sides when the host is in complete-defense mode: with the network being complete-defense, the most likely outcome is Security and Communication Networks that the attack side would adopt large-scale strategy to maximize its revenue, which is very close to the value of the power systems in Figure 3(a). In Figure 3(b), the revenue obtained by the hackers using small-scale strategy is almost equal to that obtained with large-scale strategy, and the two sides reach the Nash equilibrium; therefore, the possibility of suffering small-scale attack is the greatest in the case of network partial-defense; Figure 3(c) shows that the attack revenue is higher than that of the other two strategies when small-scale strategy is employed by an attacker to destroy the power systems, which enable the two sides to reach the Nash equilibrium, it is why most of the outside invaders launch small-scale strategy when the network is in no-defense.
Afterwards, we discuss the revenue made by the attack and defense sides when the host is in partial-defense mode: as shown in Figure 3(d), small-scale strategy is the most unfavorable tactic for the hackers and its revenue is negative, while large-scale strategy makes the hackers' revenue  basically equal to that of the power systems and the both sides reach the Nash equilibrium. e data in Figure 3(d) indicates that the power systems are more likely to be subjected to large-scale attacks when the network is set as complete-defense mode; obviously, small-scale strategy makes the revenue of the attack and defense parties achieve the Nash equilibrium, as shown in Figure 3(e), which demonstrates that the most probable attack strategy is to launch a small-scale attack when the network is in partialdefense mode; the situation in Figure 3(f ) is extremely similar to Figure 3(e).
Finally, we discuss the revenues of the attack and defense sides when the host is in no-defense mode: it can be seen from Figure 3(g) that small-scale strategy not only fails to break the defense of the power systems but also makes the attack side pay a huge price. On the contrary, large-scale strategy can maintain the revenues of both parties at a balanced point. Consequently, it must be alert to large-scale attack from the enemy when the network adopts completedefense; the hackers utilize small-scale strategy to receive the same revenue as the power systems, and the two sides have reached the state of Nash equilibrium, as shown in Figure 3(h), when the network adopts partial-defense. At this time, we must pay more attention to the loss caused by small-scale strategy adopted by the attack side; when the network adopts no-defense, Figure 3(i) displays that smallscale strategy launched by the hackers has the largest gain and is also the most desirable strategy compared with the cost paid by large-scale strategy. us, small-scale strategy remains the focus of attention.
Based on the above discussion, this part lists nine possible combinations in host and network attack and defense model among which the probability that the hackers may adopt large-and small-scale strategies is 3/9 and 6/9, respectively. erefore, it is critical to be aware of small-scale strategy implemented by the attack side for most of the time. In special circumstances, the possibility of an attacker launching a large-scale strategy is not ruled out.

Host and Management Attack and Defense Model.
e possibility of an attacker carrying out a malicious attack on the host and management is also bound to exist. e main discussion here is to consider the establishment of host and management attack and defense model when the host security policy has been completed. In view of the low cross degree of the security strategy between the host and management, the cost saving matrix s s′ of the host during complete, partial-, and no-defense is as follows: Similarly, according to the cost saved in matrix (8), the defense costs paid by the side of the power systems in the above three cases (complete-, partial-, and no-defense) can be calculated, respectively, as the matrix s 1 ′ , s 2 ′ , and s 3 ′ as follows: e calculation process of the total revenue of the hackers in this type of model is similar to matrix (7). e total revenue here is the average of the sum of the corresponding host and management single model, as shown in the following matrix: Under the three defense modes on the power systems, Figure 4 analyzes in detail the final revenues made by the attack and defense sides when the hackers adopt three different attack strategies. For the host in complete-defense mode, the final revenue of the both sides is revealed in Figures 4(a) and 4(c), respectively: when the management is in complete-defense, the average revenue of the three different attack strategies of the hackers is 9.66, which is significantly lower than the situation where the management is in partialand no-defense, as described in Figure 4(a). At this time, the hacker's choice of large-scale strategy can effectively prevent the power systems from maximizing its revenue, but the own revenue performance of the attack side is fairly poor so that there are two possible options for the hackers: large-scale attack or no-attack; when the management is in partialdefense, small-scale strategy used by the attack side makes the Security and Communication Networks most significant contribution to its overall revenue, and the two sides have reached the Nash equilibrium. In this defense mode, the hackers are most likely to employ a small-scale strategy, as shown in Figure 4(b), as shown in Figure 4(c), the revenue of small-scale strategy is not only close to that of large-scale strategy but also the paid cost from small-scale strategy is much smaller than that of the large-scale strategy. From the perspective of maximizing revenue, the attack side will still choose a small-scale strategy when the management side is in no-defense.
For the host in partial-defense mode, the final revenues of both sides are displayed in Figures 4(d) and 4(f ), respectively: in Figure 4(d), the revenue from utilizing smallscale strategy is about half that of the power systems, and it is the least of the three attack strategies. In view of that, the hackers have two options along with the management being in complete-defense: one is to be forced to adopt large-scale strategy when necessary to suppress the revenue of the power systems to reach maximum, and the other is to remain stationary to avoid its own loss; in Figure 4(e), the  defender achieves the biggest revenue when the hackers employ small-scale strategy, while the hackers get the maximum revenue with large-scale strategy. However, the maximum revenue obtained by the hackers through largescale strategy is very close to the value obtained by smallscale strategy. To minimize cost and maximize revenue, the hackers have the highest probability of choosing small-scale strategy when the management side is in partial-defense; in Figure 4(f ), the attack and defense parties arrive the Nash equilibrium when the hackers launch a small-scale strategy. Taking into account the respective costs and game issues, at this time, the revenues of both parties also reach each maximum value.
For the host in no-defense mode, the final revenues of the both sides are described in Figures 4(g) and 4(i), respectively: from Figure 4(g), it can be inferred that the revenue inside the power systems is obviously lower than that in Figures 4(a) and 4(d) in order when the management side is set as complete-defense mode; similarly, the revenue inside the power systems in Figure 4(h) is lower than Figures 4(b) and 4(e); it is also suitable for the revenue inside the power systems of Figure 4(i), lower than Figures 4(c) and 4(f ). at manifests that the revenue of the power systems is more easily plundered by the hackers with the host being nodefense; the data in Figure 4(g) point that only when the attack side adopts large-scale strategy can the revenue of the power systems reach the maximization. When the management side is set as complete-defense, the hackers also have two options: launching large-scale attack when necessary to reach the Nash equilibrium or continuing to remain silent to avoid any losses; when the management side is in partial-and no-defense, as shown in Figures 4(h) and 4(i), both sides will reach the Nash equilibrium with small-scale strategy adopted by the hackers. erefore, in the above three defense modes, the hackers are more likely to launch a small-scale strategy.
In summary, this part discusses nine possible combinations in host and management attack and defense model among which the occurrence probability of large-scale, small-scale, and no-attack strategy is 3/12, 6/12, and 3/12, respectively. So, it is critical to be aware of small-scale strategy implemented by the attack side most of the time. Under special conditions, the possibility of the attackers launching a large-scale and no-attack strategy is not excluded.

Network and Management Attack and Defense Model.
e third possible combination is network and management attack. Whenever a huge amount of cost is invested and a certain level of authorizations is still not available through the network path, the hackers will choose to use social engineering to seek management loopholes to breakthrough. When a certain authorization is obtained by means of management defects or a specific Trojan horse is implanted in a specific location, the hackers will successfully conduct the attack via the network path. e setting order of security policies here is the network management. Given that management vulnerabilities can often provide vital support for network attacks, the cost savings when the network is in complete-, partial-, and no-defense are denoted as τ/2, (τ − Δτ)/2, and 0, respectively. In the light of the cost savings, the paid defense costs in the above three cases can be calculated, as exhibited, respectively, in matrix s 1 ′ , s 2 ′ , and s 3 ′ : e calculation process of the total revenue of the hackers in this type of model is similar to matrix (9); the total revenue here is equal to the average of the sum of the corresponding single network and management model, as displayed in the following matrix:

Security and Communication Networks
Next, we calculate the final revenues of the both sides that the revenue of the hackers acquired by various attack methods minus the attack cost is its ultimate value. at the total revenue on the power systems minus the inherent loss, defense cost, and plundered revenue is its final revenue. Under the three defense modes on the power systems, Figure 5 analyzes in detail the final revenues made by both sides when the hackers utilize three different attack strategies. For the network in complete-defense mode, the final revenues of the two sides are presented in Figures 5(a) and 5(c), respectively: when the management side is set as complete-defense mode, Figure 5(a) indicates that the hackers can only obtain the maximum revenue by adopting large-scale strategy due to the rigorous defense on the power systems. At the same time, that strategy can effectively stop the power systems reaching its top value with the two sides being the Nash equilibrium, which demonstrates that large-scale strategy needs the most attention; when the management side is set as partialdefense mode, the two sides reach the Nash equilibrium  with the hackers using small-scale strategy, which expresses that the probability of small-scale attacks is the highest; e data in Figure 5(c) show that not only do the revenues of the two parties get the maximum value but both sides also reach a state of Nash equilibrium when the hackers launch small-scale attacks, which represents that small-scale strategy should be highly attached importance. For the network in partial-defense mode, the final revenues of the both sides are shown in Figures 5(d) and 5(f ), respectively: when the management side is set as complete-defense, in order to suppress the emergence of the maximum gain on the power systems, the only option for the hackers is to employ large-scale strategy, as illustrated in Figure 5(d), so it is necessary to hinder large-scale attacks; when the management side is set as partialdefense, the attack side is more likely to seek small-scale attacks because under this situation, as presented in Figure 5(e), its output cost is fairly low and the revenue is only 0.1% lower than large-scale attack; when the management side is set as no-defense, Figure 5 Based on the above discussion, here we list nine possible combinations in network and management attack and defense model among which the probability of the large-and small-scale strategy is 3/9 and 6/9, implying that the probability that the hackers will implement small-scale strategy is far greater than the probability of large-scale and no-attack strategy most of the time.

Experiment Analysis
First of all, the experimental part of this article is to verify the dual attack and defense model established previously to ensure that the constructed model can be applied to the power production systems. en, we predict the best defense strategy on the power systems in the next month according to the construction model.  A production subnet in the power systems is taken as an example, as shown in Figure 6. e entire production systems network is an internal private network, divided into multiple subareas, and its terminals of each subarea include personal PCs, cameras, electric vehicles, and temperature detectors. As can be seen from Figure 6, Web Application Firewall (WAF), the admission device, and other security devices are respectively connected at the core switching layer with the purpose to monitor abnormal traffics and prevent malicious attacks on the power systems.

Model Validation.
WAF is one of the most commonly used network security protection devices in the power systems and is well known for its ability to detect malicious attacks in accordance with rules in a timely manner. To accurately predict the probability of attacks of different scales every day, a total of 454 sets of real-time data are extracted with a time step of 10 minutes. e average value of the high-, medium-, and low-risk events in the WAF is used as the basis for judging, so as to infer the frequency of various attacks inside the power systems every day. Here, the high-, medium-, and low-risk attacks correspond to the large-, small-, and no-attack strategies of the hackers in turn. e calculated daily probability of high-, medium-, and low-risk attack events is 48%, 51%, and 1%, as shown in Figure 7(a). A total of 27 possible combined attacks are discussed in this article among which the odds of launching large-scale, small-scale, and noattack by attackers are 9/30, 18/30, and 3/30, with the conclusion that the basic attack strategy of the hackers is mainly small-scale strategy combining with large-scale and no-attack strategy followed occasionally. e probability of high-and medium-risk events in Figure 7(a) is 48% and 51% higher than the probability of no security event, respectively. e data in Figure 7(a) show that the probability of no-attack on the power systems is extremely small, which is very close to the change trend inferred from the theoretical model. Obviously, the actual attack data in the power systems also confirm the results of the attack and defense model, which indicates that the models constructed in the article are consistent with the actual production environment.

Building Revenue Function.
Taking the value of the above risk types as empirical values, the monthly revenue function formula (13) of both the sides is given, and then we discuss how the power systems should take precautions to maximize its revenue: Among which, x, y, and z correspond to the final revenues obtained by the attack side using large-scale, smallscale, and no-attack. Assuming that the attack plan chosen by the hackers is the same within one month, thus the total monthly revenue of the power systems can be calculated. Considering that in actual production, the hackers are less likely to launch an attack on a single target and most of them would take the form of a combined attack. erefore, this article only discusses the revenues of the both parties in the dual model.
In the first place, the revenues of both parties in the host and network attack defense model are discussed. e three  models corresponding to complete-, partial-, and no-defense of the host are described in Figures 8(a) and 8(c), respectively. e changes in the three figures are exactly the same, both of them reach the Nash equilibrium during partialdefense. e probability of this situation in Figure 8(c) in the actual production environment is almost zero. us, only when the host is in complete-defense and the network is in partial-defense can the power systems gain abundant revenues. erefore, this defense mode should be the main one in the next month.
en, the revenues of both parties in the host and management attack and defense model are discussed. e three models corresponding to complete-, partial-, and nodefense of the host are shown in Figures 8(d) and 8(f), respectively. e data trends in the three figures are the same as those in Figure 8, which implies that the power systems have the largest gain when the host side is in complete-defense and management side is in partial-defense. It is clear that this defense mode should be dominated in the next month.
Finally, the revenues of both parties in network and management attack and defense model are discussed. e three models corresponding to complete-, partial-, and nodefense of the network are shown in Figures 8(g) and 8(i), respectively. e data trends in the three figures are the same as in Figures 8(d) and 8(f ), which also means that the power systems have the largest gain when the network side is in complete-defense and the management side is in partialdefense. In the next month, this defense mode should be the optimal choice in the power systems.

Conclusions and Future Work
In summary, the idea of modeling cyber-attack and defense as contending for power system benefit is proposed for the first time. en, we have taken a subnet of the power systems as a case and employed the attack data in the actual production environment to verify the 27 dual attack-defense models constructed in this paper. By this approach, we derive the monthly benefit function applicable to this environment and calculated the benefits of both sides and the best defense mode on the power systems in the next month. Additionally, this paper analyzes in detail the possible attacks from the perspective of the attackers and evaluates the impact on the power systems, thereby changing its defense strategy from passive to proactive; we explored the optimum proactive defense strategy for the power systems from the angle of the game between the attacker and defender. In the next step, we will combine with actual production business processes to further study more specific proactive strategies to achieve the transition from qualitative defense to quantitative defense strategies.

Data Availability
No dataset was used in this experiment. e supporting data for the experimental results are all from WAF equipment, and the data template on the official website cannot be seen (the link may have expired). See the hyperlink (https://pan.baidu. com/s/1cxUE51JPnwS3KG5i0VE-Ew; Extraction code: Jw25) for the specific data the authors extracted.

Conflicts of Interest
e authors declare that they have no conflicts of interest.