Multi-Channel Power Scheduling Based on Intrusion Detection System Under DDoS Attack: A Starkberg Game Approach

Abstract

This study aims to explore the optimal power allocation problem under Distributed Denial of Service (DDoS) attack in wireless communication networks. The Starkberg Equilibrium (SE) framework is employed to analyze the strategic interactions between defenders and attacker under conditions of incomplete information. Considering the energy constraints of both sensors and attacker, this paper also proposes an Intrusion Detection System (IDS) based on remote estimation to achieve an optimal defense strategy, with Packet Reception Rate (PPR) serving as a criterion for intrusion detection. Targeting leaders and followers, the optimal power allocation solution is derived with Signal-to-Interference-Noise Ratio (SINR) and transmission cost as the objective functions. By combining the Adaptive Penalty Function (APF) method with the Differential Evolution (DE) algorithm, the study effectively addresses related non-linear and non-convex optimization problems. Finally, the effectiveness of the proposed method is verified through case studies.

1. Introduction

In recent years, cyber-physical systems (CPSs) have achieved fruitful results in the research field and have found extensive applications in domains including military defense, intelligent transportation, and smart grids [1,2,3,4,5]. However, due to the involvement of numerous critical infrastructures, any attack on CPSs can result in severe losses. With the emergence of various sophisticated intrusion techniques, attackers can disrupt network systems in a short period [6,7,8,9]. Major security incidents worldwide have highlighted the importance of CPS security issues. For example, in 2018, GitHub experienced 1.35 Tbps delayed traffic, leading to a 10 min service interruption; in September 2021, the Russian internet giant Yandex suffered a large-scale Distributed Denial of Service (DDoS) attack with requests per second reaching up to 21.8 million [10]. Therefore, with the rapid development of CPSs, the identification and prevention of network security intrusions have become particularly crucial.

In the literature [11,12,13], researchers have discussed the optimal power scheduling problem for Denial of Service (DoS) attacks based on Signal-to-Interference-plus-Noise Ratio (SINR) in CPSs, considering energy constraints of sensors and attackers. Li et al. [11] simulated the interaction decision-making process between sensors and attackers by establishing a Markov game framework. Ref. [12] proposed a Stackelberg Equilibrium (SE) framework to examine the strategic interaction between defenders and attackers in situations involving two distinct forms of incomplete information. Additionally, ref. [13] delved into a Stackelberg game involving a defender and multiple attackers. Distinguishing itself from the existing literature, which predominantly centers on equilibrium in static games, this study also reflects the dynamic process of Stackelberg games, demonstrating the intelligence of attackers in switching channel allocation for attack energy.

To ensure the security and reliability of network system resources, real-time monitoring of network transmissions is necessary to maintain confidentiality, integrity, and availability. The research in [14,15,16,17,18,19,20,21,22] proposes attack detection methods tailored to the constructed attack models, highlighting the existence of trade-off thresholds. In particular, the work in [19] designed a replay attack detection framework based on model-free reinforcement learning to effectively deal with attackers purposefully changing attack strategies. Furthermore, Agah et al. proved through a game theory framework that a Nash equilibrium is reached between attackers and Intrusion Detection System (IDS) [20]. In another study [22], a game-theoretic intrusion detection and defense method for DDoS attacks on the internet was proposed, modeling the interaction between the system and entities as a two-player Bayesian signal zero-sum game. These studies hold significant theoretical and practical value within the realm of network security, offering invaluable perspectives and solutions for real-time monitoring of network transmissions and the security of network system resources.

A Denial of Service (DoS) attack is a type of cyberattack where a single attacker floods a target system with excessive traffic or requests, aiming to overwhelm its resources and make it unavailable to legitimate users. The attack is typically launched from a single machine or a small number of machines [23,24,25,26,27,28]. A Distributed Denial of Service (DDoS) attack is a more advanced form of a DoS attack, where multiple compromised systems (often referred to as a “botnet”) are used to flood the target system with traffic. The distributed nature of the attack makes it much harder to defend against, as the traffic comes from many different sources, making it difficult to block all incoming connections without affecting legitimate users [6,29]. In most literature, Nash Equilibrium (NE) is commonly used to describe game situations where participants simultaneously choose actions. However, when decisions of defenders and attackers are made sequentially, the Stackelberg game framework is better suited to elucidate this procedure [12,30].

Although traditional DDoS attacks typically occur at the network layer, such as by flooding target servers with a large number of packets, physical layer attacks pose a significant threat in wireless sensor networks (WSNs). The open and interference-prone nature of wireless channels allows attackers to disrupt sensor node communications by transmitting high-power wireless signals, leading to degraded signal quality and even complete communication outages. Studies have shown that high-power interference can significantly reduce the signal-to-noise ratio (SINR) at the receiver, causing communication interruptions [31]. Additionally, physical layer attacks possess characteristics such as strong stealth and high energy efficiency, enabling attackers to achieve significant disruption with minimal energy expenditure [32]. To address this challenge, this study assumes that the attacker primarily influences system performance through physical layer interference. This assumption is supported by multiple studies that highlight the effectiveness of physical layer attacks in WSNs, especially under conditions of limited energy resources [33].

Unlike existing research, which typically assumes a static network environment and symmetric information between attackers and defenders [13,21], our study introduces dynamic channel changes, transmission costs, and the signal-to-interference-plus-noise ratio (SINR) into a Stackelberg game framework. This approach provides a more realistic simulation of real-world attack and defense scenarios. Additionally, our IDS uses remote state estimation for more precise detection, offering a clear advantage over traditional feature or anomaly-based methods. By considering energy constraints, environmental background noise, and time factors, we have developed a multi-stage Stackelberg game model that better reflects actual attack and defense interactions. These innovations significantly enhance system security and robustness, providing new theoretical and technical support for the field of wireless network security. The primary contributions of this research are outlined as follows:

• Optimal energy scheduling under Distributed Denial of Service (DDoS) attack: The optimal energy scheduling problem is modeled in consideration of channels’ Signal-to-Interference-Noise Ratio (SINR) and transmission cost under Distributed Denial of Service (DDoS) attack. In the absence of an Intrusion Detection System (IDS), profit functions for the attacker and defenders are provided. To find the optimal solution, an improved differential evolution algorithm based on Adaptive Penalty Function (APF) is used to address the corresponding non-linear and non-convex optimization problems. Remote state estimation-based Detection System (IDS): We design an Intrusion Detection System (IDS) at the receiver end based on remote state estimation, using Packet Reception Rate (PPR) as the intrusion detection criterion. Unlike traditional feature- or anomaly-based methods [12,13], this approach is more suitable for real-world applications. Experimental results demonstrate that the presence of IDS can reduce the attacker’s profit and increase the defender’s profit. Multi-stage Stackelberg game model: A multi-stage Stackelberg game model is constructed to deal with the optimization problem, considering energy constraints of attacker and defenders, defenders’ awareness of environmental background noise, and introducing a time factor to build a finite-time Stackelberg game model. Compared to existing game models [12,13], our model better reflects the dynamic interactions between attackers and defenders, providing a more complex and realistic description of the attack and defense process. This new model offers valuable insights into developing effective defense strategies.

Notations: ${\mathbb{R}}^n$ and ${\mathbb{R}}^m$ represent the n-dimensional and m-dimensional Euclidean space. $\mathbb{N}$ and ${\mathbb{N}}^{+}$ represent the sets of natural numbers and nonnegative integers, respectively. The superscript $\prime$ denotes transpose. The symbols $Pr(·)$ and $E[·]$ represent the probability and expectation. ${\mathbb{S}}_{+}^n$ is the aggregation of $n\times n$ positive semidefinite matrices. $x·y$ is defined as $x^{\prime }y$ for vectors x and y. $1_N={\underset{N \mathrm{dimensional}}{\{\underbrace{1,1,\cdots ,1}\}}}^{\prime }$. $\rho (·)$ presents the spectral radius of a matrix. For any two functions f and g, their composition is defined as $(f\circ g)\left(x\right)=f\left(g\right(x\left)\right)$.

2. Model Setup

2.1. Process and Sensor Model

We consider discrete linear systems with multiple sensors as shown in Figure 1, consisting of a total of N independent discrete-time linear time-invariant systems and N sensors. The i-th sensor monitors the i-th system as follows:

$$\begin{array}{cc}\hfill x_i^{k+1}& =A_i{x}_i^k+{\mathfrak{u}}_i^k\hfill \\ \hfill y_i^k& =C_i{x}_i^k+{\mathfrak{v}}_i^k,\hfill \end{array}$$

(1)

where $i\in 1,2,\dots N$, the time index $k\in {\mathbb{N}}^{+}$. $A_i\in {\mathbb{R}}^{n_i\times n_i}$ is the state transition matrix, where $n_i$ is the dimension of the state vector $x_i^k\in {\mathbb{R}}^{n_i}$. $C_i\in {\mathbb{R}}^{m_i\times m_i}$ is the observation matrix, where $m_i$ is the dimension of the observation vector $y_i^k\in {\mathbb{R}}^{m_i}$. ${\mathfrak{u}}_i^k\in {\mathbb{R}}^{n_i}$ and ${\mathfrak{v}}_i^k\in {\mathbb{R}}^{m_i}$ are independent zero-mean Gaussian white noises, satisfying $E\left[{\mathfrak{u}}_i^k{\mathfrak{u}}_i^t\right]=Q_i\in {\mathbb{R}}^{n_i\times n_i}$, $E\left[{\mathfrak{v}}_i^k{\mathfrak{v}}_i^t\right]=R_i\in {\mathbb{R}}^{m_i\times m_i}$, $E\left[{\mathfrak{u}}_i^k{\mathfrak{v}}_i^t\right]=0$, the covariance $Q_i\ge 0$, $R_i\ge 0$, $\forall t,k\in {\mathbb{N}}^{+},i=1,2,\dots ,N$. The initial state $x_i^0$ is a zero-mean Gaussian random vector with covariance ${\Sigma }_i^0\ge 0$, which is uncorrelated with ${\mathfrak{u}}_i^k$ and ${\mathfrak{v}}_i^k$. To avoid trivial issues, we assume that the system is unstable, i.e., $\rho \left(A_i\right)>1$, $i=1,2,\dots ,N$. We assume that $(A_i,C_i)$ is observable, and $(A_i,\sqrt{Q_i})$ is controllable.

We assume that the sensors are “smart” and have sufficient computational capabilities. Following the measurement of the respective system at time step k, every sensor initiates a local Kalman filter to gauge the state of the process, incorporating all amassed measurements up to time k [34]. Subsequently, each sensor forwards its local estimate to a remote estimator. Based on the local estimate of the current state, we can calculate the minimum error estimate ${\widehat{x}}_i^k$ of the local state of the i-th subsystem and the corresponding estimate error covariance matrix ${\widehat{P}}_i^k$:

$${\widehat{x}}_i^k=E\left[x_i^k\right|y_i^0,y_i^1,\dots ,y_i^k]$$

(2)

$${\widehat{P}}_i^k=E\left[(x_i^k-{\widehat{x}}_i^k){(x_i^k-{\widehat{x}}_i^k)}^{\prime }\right|y_i^0,y_i^1,\dots ,y_i^k].$$

(3)

Computed by standard Kalman filtering [35]:

$$\begin{array}{c}\hfill ({\widehat{x}}_i^k,{\widehat{P}}_i^k)=\mathbf{KF}({\widehat{x}}_i^{k-1},{\widehat{P}}_i^{k-1},y_i^0,\dots ,y_i^k).\end{array}$$

(4)

We further define the Lyapunov operator and Riccati operators $h_i$ and ${\tilde{g}}_i$: ${\mathbb{S}}_{+}^n\to {\mathbb{S}}_{+}^n$:

$$\begin{array}{cc}\hfill h_i\left(X\right)& \triangleq A_{i}X{A_i}^{\prime }+Q_i\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill {\tilde{g}}_i\left(X\right)& \triangleq X-X{C}_i^{\prime }{[C_{i}X{C}_i^{\prime }+R_i]}^{-1}{C}_{i}X\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill h_i^k\left(X\right)& \stackrel{\Delta }{=}\underset{k\mathrm{times}}{\underbrace{h_i\circ h_i\dots \circ h_i}}\left(X\right).\hfill \end{array}$$

(7)

where ∘ denotes the k-fold composition of the function $h_i$, i.e., the function $h_i$ applied consecutively k times. $X\in {\mathbb{S}}_{+}^n$ is an $n\times n$ symmetric positive semi-definite matrix, representing the system’s covariance matrix or the estimation error covariance matrix.

The local estimate error covariance ${\widehat{P}}_i^k$ converges to a steady-state value at an exponential rate. Therefore, we make the assumption:

$$\begin{array}{c}\hfill {\widehat{P}}_i^k=\overline{P_i},\forall k\ge 1,i\in 1,2,\dots ,N,\end{array}$$

(8)

where $\overline{P_i}$ is the unique positive semi-definite solution to $\widetilde{g_i}\circ h_i$.

2.2. Communication Model with SINR

After receiving the data packet, sensor i obtains a local estimate ${\widehat{x}}_i^k$, which is then sent to the data fusion center through a wireless lossy channel. Due to channel attenuation and interference effects, random data loss occurs. To simulate this scenario, we assume that the channel uses an Additive White Gaussian Noise (AWGN) channel with Quadrature Amplitude Modulation (QAM) [11]. Subsequently, utilizing digital communication theory reveals the relationship between Symbol Error Rate (SER) and signal-to-noise ratio (SNR) [24]:

$$\begin{array}{c}\hfill SER=2G\left(\varpi \sqrt{SNR}\right),G\left(x\right)\triangleq {\displaystyle \frac{1}{\sqrt{2\pi }}}{\int }_x^{\infty }{e}^{-{\displaystyle \frac{{\varrho }^2}{2}}}d\varrho ,\end{array}$$

(9)

where $\varpi >0$ is a parameter.

SNR can be described as:

$$\begin{array}{c}\hfill {\iota }_i^k\triangleq {\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }_i^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k}},\end{array}$$

(10)

where ${\zeta }_i>0$ is the fading channel gain for channel i, ${\sigma }_i$ is the background noise, ${\theta }_i^k$ represents the transmission power allocated by sensor i to channel i at time k, $H_{ij}$ is the correlation coefficient between channels i and j.

We assume that DDoS attacks primarily occur at the physical layer, where the attacker interferes with sensor node communications by transmitting high-power wireless signals. If considering a DDoS attack on channel i, the SNR should be modified to the signal-to-interference-plus-noise ratio (SINR) as follows:

$$\begin{array}{c}\hfill {\mu }_i^k\triangleq {\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }_i^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k}},\end{array}$$

(11)

where ${\varphi }_i>0$ is the fading channel gain for the attacker on channel i, and ${\delta }_i^k$ represents the transmission power allocated by the attacker to channel i at time k. Additionally, for sensors and attackers, the cost of transmitting unit power is assumed to be ${\beta }_d$ and ${\beta }_a$, respectively. In CPSs, wireless channels are susceptible to external interference. Attackers can significantly reduce the SINR at the receiver by increasing the transmission power ${\delta }_i^k$, thereby impacting the system’s performance.

2.3. DDoS Attack

Distributed Denial of Service (DDoS) attacks can block communication between components of cyber-physical systems (CPSs), thereby reducing the overall system performance. In current research, the attacker weakens system performance by continuously invading and maliciously disrupting communication channels. In real-life scenarios, energy constraints are an unavoidable issue for both sensors and attackers, impacting the performance of remote estimation and the strategies of both sides. Due to the presence of energy constraints, sensors need to manage energy efficiently to prolong their operational time, while attackers may exploit this limitation to design more destructive attack strategies. Therefore, when designing and deploying remote estimation systems, considering energy constraints is crucial for system stability and security. Attackers can use noise to interfere with communication channels between sensors and the fusion center.

In practical applications, both the defender and the attacker can estimate each other’s power levels by monitoring Channel State Information (CSI) or through other methods such as historical data analysis and predictive models [36,37]. Therefore, we assume that at time k, the defender knows the total power of the attacker is ${\overline{\delta }}^k$, and the attacker knows the total power of the defender is ${\overline{\theta }}^k.$ Here, ${\overline{\delta }}^k={\sum }_{i=1}^N{\delta }_i^k$ represents the total power of the attacker across all channels at time k, while ${\overline{\theta }}^k={\sum }_{i=1}^N{\theta }_i^k$ represents the total power of the defender across all channels at time k. On channel i, the total power of the attacker and the defender over the time horizon T is denoted as ${\overline{\delta }}_i$ and ${\overline{\theta }}_i$, respectively, where ${\overline{\delta }}_i={\sum }_{k=1}^T{\delta }_i^k,{\overline{\theta }}_i={\sum }_{k=1}^T{\theta }_i^k$. Within the entire time range T, the total power of the attacker and the defender across all channels is denoted as $\overline{\delta }$ and $\overline{\theta }$, respectively, where $\overline{\delta }={\sum }_{i=1}^N{\sum }_{k=1}^T{\delta }_i^k,\overline{\theta }={\sum }_{i=1}^N{\sum }_{k=1}^T{\theta }_i^k$.

In practical applications, attackers face energy budget constraints and therefore need to carefully decide whether to launch the DDoS attack on the wireless channel at each sampling instant. This strategic decision involves balancing the impact of the attack with energy expenditure. Attackers may formulate attack strategies based on system performance metrics, communication requirements, and their own energy resources. By effectively managing energy budgets and strategically timing attack, attackers can maximize the impact on the performance of remote estimators while ensuring their ability to sustain attack behavior. We use ${\gamma }_i^k=1$ to represent the attacker’s attack on channel i at time k; otherwise, ${\gamma }_i^k=0$. Within a finite time domain T, the i-th communication channel suffers a DDoS attack denoted by ${\delta }_i\triangleq {\{{\delta }_i^1,{\delta }_i^2,\dots ,{\delta }_i^k,\dots ,{\delta }_i^T\}}^{\prime }$, $i=1,2,\dots ,N$. If ${\delta }_i^k>0$, then ${\gamma }_i^k=1$; if ${\delta }_i^k=0$, then ${\gamma }_i^k=0$. Within the time domain T, assuming the DDoS attacker applies constant interference power on the i-th communication channel, when the constant power ${\delta }_i^k$ is given, we can determine the total number of attacks on channel i within the time range T as ${\gamma }_i={\displaystyle \frac{{\overline{\delta }}_i}{{\delta }_i^k}}$.

Therefore, the attacker’s attack strategy $\delta$ can be represented as:

$$\begin{array}{c}\hfill \delta \triangleq \{{\delta }_1,{\delta }_2,\dots ,{\delta }_N\},\end{array}$$

(12)

The energy constraint faced by the attacker is:

$$\begin{array}{c}\sum _{i=1}^N\sum _{k=1}^T{\delta }_i^k=\overline{\delta },\hfill \\ 0\le \underset{min}{\delta }\le {\delta }_i^k\le \stackrel{max}{\delta },\hfill \end{array}$$

(13)

where $\underset{min}{\delta }$ and $\stackrel{max}{\delta }$ represent the lower and upper power limits of ${\delta }_i^k$, respectively.

Similarly, we use ${\vartheta }_i^k=1$ to represent the i-th sensor selecting to transmit a data packet at time k; otherwise, ${\vartheta }_i^k=0$. Within a finite time domain T, the i-th sensor sends data packets denoted by ${\theta }_i\triangleq {\{{\theta }_i^1,{\theta }_i^2,\dots ,{\theta }_i^k,\dots ,{\theta }_i^T\}}^{\prime }$, $i=1,2,\dots ,N$. If ${\theta }_i^k>0$, then ${\vartheta }_i^k=1$; if ${\theta }_i^k=0$, then ${\vartheta }_i^k=0$. Assuming the i-th sensor maintains a constant transmission power within the time domain T, when the constant power ${\theta }_i^k$ is given, we can determine the total number of data packets sent by the i-th sensor within the time range T as ${\vartheta }_i={\displaystyle \frac{{\overline{\theta }}_i}{{\theta }_i^k}}$.

Therefore, the sensor’s transmission strategy $\theta$ can be represented as:

$$\begin{array}{c}\hfill \theta \triangleq \{{\theta }_1,{\theta }_2,\dots ,{\theta }_N\},\end{array}$$

(14)

The energy constraint faced by the sensor is:

$$\begin{array}{cc}& \sum _{i=1}^N\sum _{k=1}^T{\theta }_i^k=\overline{\theta },\hfill \\ & \underset{min}{\theta }\le {\theta }_i^k\le \stackrel{max}{\theta },\hfill \end{array}$$

(15)

where $\underset{min}{\theta }$ and $\stackrel{max}{\theta }$ represent the lower and upper bounds of the transmission power ${\theta }_i^k$, respectively.

2.4. Remote Estimation with a Lossy Channel

In each time step k, sensor i transmits its result from the local Kalman filter ${\widehat{x}}_i^k$ to a fusion center through a lossy communication channel. Let ${\alpha }_i^k\in \left\{0,1\right\}$ represent whether the data packet is received by the fusion center without errors. If it is successfully received, ${\alpha }_i^k=1$; otherwise, ${\alpha }_i^k=0$. When an attacker launches an attack and blocks the channel, sensor data packets are received with a probability ${\omega }_i^k$. Assume that ${\alpha }_i^k$ follows a Bernoulli distribution and

$$\begin{array}{c}\hfill Pr({\alpha }_i^k=1)={\omega }_i^k.\end{array}$$

(16)

Using $D\left(\delta \right)$ to represent all the data packets received by the remote estimator at time step k, the remote estimator estimates the minimum mean square error ${\overline{x}}_i^k$ and covariance ${\overline{P}}_i^k\left(\delta \right)$ of the remote end based on the received $D\left(\delta \right)$, as follows:

$$\begin{array}{cc}\hfill {\overline{x}}_i^k& =E\left[x_i^k\right|D\left(\delta \right)],\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill {\overline{P}}_i^k& =E\left[(x_i^k-{\overline{x}}_i^k){(x_i^k-{\overline{x}}_i^k)}^{\prime }\right|D\left(\delta \right)].\hfill \end{array}$$

(18)

If ${\widehat{x}}_i^k$ is successfully received, it is used to estimate ${\overline{x}}_i^k$; otherwise, the estimator forecasts the estimate using its prior estimate and the system model. Therefore, the minimum mean square error ${\overline{x}}_i^k$ and covariance ${\overline{P}}_i^k$ obtained by the remote estimator can be derived as follows:

$$\begin{array}{c}\hfill ({\overline{x}}_i^k,{\overline{P}}_i^k)=\left\{\begin{array}{cc}({\widehat{x}}_i^k,{\overline{P}}_i),\hfill & \mathrm{if}{\widehat{x}}_i^k\mathrm{arrives},\hfill \\ A_i{\overline{x}}_i^{k-1},h_i\left({\overline{P}}_i^{k-1}\right),\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\end{array}$$

(19)

At time k, ${\overline{P}}_i^k$ can only take values from a finite set $\left\{{\overline{P}}_i,h_i\left({\overline{P}}_i\right),h_i^2\left({\overline{P}}_i\right),\dots ,h_i^k\left({\overline{P}}_i\right)\right\}$, where $h_i\left({\overline{P}}_i\right)$ satisfies ${\overline{P}}_i\le h_i\left({\overline{P}}_i\right)\le h_i^2\left({\overline{P}}_i\right)\le \dots \le h_i^k\left({\overline{P}}_i\right)$.

Therefore, we can represent the expected error covariance as:

$$\begin{array}{c}\hfill E\left[{\overline{P}}_i^k\right]={\omega }_i^k{\overline{P}}_i+(1-{\omega }_i^k)h_i\left(E\left[{\overline{P}}_i^{k-1}\right]\right).\end{array}$$

(20)

3. Payoff Functions

This section will present the payoff functions of attackers and defenders in Figure 1 (Section 3.1), as well as the payoff functions of both parties with the presence of the Intrusion Detection System (IDS) detector in Figure 2 along with the corresponding constraint conditions (Section 3.2).

3.1. Rewards

We assume that the likelihood of the sensor perceiving solely background noise in the environment is denoted by ${\epsilon }_1$. Therefore, the probability of a Intrusion Detection System (IDS) occurring is $(1-{\epsilon }_1)$. The N systems we are considering are mutually independent, so we assume that the attack sequence for each system satisfies the following form:

$$\begin{array}{c}\hfill (0,\dots ,0,\underset{{\kappa }_{i,1}}{\underbrace{1,\dots ,1}},0,\dots ,0,\underset{{\kappa }_{i,2}}{\underbrace{1,\dots ,1}},0,\dots ,0,\underset{{\kappa }_{i,\partial }}{\underbrace{1,\dots ,1}},0,\dots ,0)\end{array}$$

where 1 represents the attacker choosing to attack the channel at this moment, and 0 represents the attacker choosing not to attack at this moment, satisfying: ${\displaystyle \sum _{s=1}^{\partial }}{\kappa }_{i,s}={\gamma }_i={\displaystyle \frac{{\overline{\delta }}_i}{{\delta }_i^k}}$.

To evaluate the quality of estimation within the time interval T, we introduce the profit function of the attacker:

$$\begin{array}{cc}\hfill O_a(\theta ,\delta )=& {\displaystyle \frac{1}{T}}\sum _{k=1}^T\{-\sum _{i=1}^N{\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k}}+{\beta }_d\sum _{i=1}^N{\theta }_i^k-{\beta }_a\sum _{i=1}^N{\delta }_i^k\}\hfill \\ \hfill =& {\displaystyle \frac{1}{T}}{1}_T·\{-(1_N·\mu )+{\beta }_d(1_N·\theta )-{\beta }_a(1_N·\delta )\},\hfill \end{array}$$

(21)

where

$$\begin{array}{c}\hfill {\mu }_i^k={\{{\mu }_i^1,{\mu }_i^2,\dots ,{\mu }_i^T\}}^{\prime },\mu =\{{\mu }_1,{\mu }_2,\dots ,{\mu }_N\},\end{array}$$

In (21), $-{\beta }_a(1_N·\delta )$ represents the total power cost for the attacker. Additionally, introducing ${\beta }_d(1_N·\theta )$ in the attacker’s reward function aims to deplete the defender’s energy.

Similarly, we assume that the transmission sequence for each sensor satisfies the following form:

$$\begin{array}{c}\hfill (\underset{{\chi }_{i,1}}{\underbrace{1,\dots ,1}},0,\dots ,0,\underset{{\chi }_{i,2}}{\underbrace{1,\dots ,1}},0,\dots ,0,\underset{{\chi }_{i,\wp }}{\underbrace{1,\dots ,1}})\end{array}$$

The equation to satisfy is ${\displaystyle \sum _{s=1}^{\wp }}{\chi }_{i,s}={\vartheta }_i={\displaystyle \frac{{\overline{\theta }}_i}{{\theta }_i^k}}$.

To evaluate the quality of estimation within the time interval T, we introduce the profit function of the defender:

$$\begin{array}{cc}\hfill O_d(\theta ,\delta )=& {\displaystyle \frac{1}{T}}\sum _{k=1}^T\{{\epsilon }_1\sum _{i=1}^N{\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k}}-{\beta }_d\sum _{i=1}^N{\theta }_i^k\hfill \\ & +(1-{\epsilon }_1)\sum _{i=1}^N{\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k}}\hfill \\ \hfill =& {\displaystyle \frac{1}{T}}{1}_T·\{{\epsilon }_1(1_N·\iota )-{\beta }_d(1_N·\theta )+(1-{\epsilon }_1)(1_N·\mu )\},\hfill \end{array}$$

(22)

where

$$\begin{array}{c}\hfill {\vartheta }_i^k={\{{\vartheta }_i^1,{\vartheta }_i^2,\dots ,{\vartheta }_i^T\}}^{\prime },\vartheta =\{{\vartheta }_1,{\vartheta }_2,\dots ,{\vartheta }_N\},\end{array}$$

In (22), $-{\beta }_d(1_N·\theta )$ represents the total power cost for the defender.

3.2. Profit Function in the Presence of an IDS

In practical applications, when the estimator detects data loss due to unknown factors such as environmental changes or enemy intrusions, an Intrusion Detection System (IDS) is typically introduced at the receiving end, as shown in Figure 2, to effectively mitigate these influencing factors. This section introduces the concept of Packet Reception Rate (PRR) at the receiver end as a standard for intrusion detection. PRR refers to the ratio between successfully received packets by the estimator and the packets sent by the sensor. Therefore, $PR{R}_i$ can be expressed as:

$$\begin{array}{c}\hfill PR{R}_i={\displaystyle \frac{{\Re }_i}{\mathbb{k}}},\end{array}$$

(23)

The parameter $\mathbb{k}$ represents the length of the time window, and the parameter ${\Re }_i$ represents the number of packets received on the i-th channel within that time window.

Remark 1. 

When the packet reception rate is low, indicating a high packet loss rate, an Intrusion Detection System (IDS) may infer the presence of intruders in the system and issue an alert. To ensure the safe arrival of packets at the remote computer, sensors can adopt new technologies such as channel hopping. Channel hopping is a technique that dynamically changes channels during communication, enhancing the reliability and security of data transmission. Specifically, channel hopping technology switches between different channels at different time intervals, allowing packets to be transmitted through multiple channels. The benefit of this approach is that even if a specific channel experiences interference or packet loss, the system can still transmit data through other channels, improving the overall reliability of the communication link. By using channel hopping technology, sensors can select available channels to ensure that packets reach the remote computer safely, reduce the likelihood of packet loss, and enhance the performance and security of the system.

We assume that when $PR{R}_i\le PR{R}_i^0$, an alert will be triggered, where $PR{R}_i^0$ represents a predefined threshold value for triggering the alert.

Lemma 1. 

$PR{R}_i\le PR{R}_i^0\triangleq {\overline{P}}_i^k>h^{d_i}\left({\overline{P}}_i\right)$, $k=1,2,\dots ,T$, where $d_i=\mathbb{k}-{\Re }_i^0$, ${\Re }_i^0=max\left\{{\Re }_i\right|{\displaystyle \frac{{\Re }_i}{\mathbb{k}}}\le PR{R}_i^0\}$.

Proof. 

The triggering condition of the alarm $PR{R}_i\le PR{R}_i^0$ is equivalent to ${\Re }_i\le {\Re }_i^0$. Therefore, we assume that the number of packet losses $d_i^{num}$ for the i-th channel in any time window is less than or equal to $d_i^{num}\le d_i=\mathbb{k}-{\Re }_i^0$, which leads to ${\overline{P}}_i^k\le h^{d_i}\left({\overline{P}}_i\right)$. This contradicts the triggering condition $PR{R}_i\le PR{R}_i^0$; thus, the assumption is not valid. By proof of contradiction, it is demonstrated that the triggering condition $PR{R}_i\le PR{R}_i^0$ is also equivalent to $d_i^{num}>d_i=\mathbb{k}-{\Re }_i^0$.    □

From Lemma 1, it can be deduced that if the length of any attack sequence does not exceed $d_i$, the attack will not be detected by the detector. In fact, the attacker can steal the values of time window $\mathbb{k}$ and $PR{R}_i^0$ through the wireless channel, and then take action to carry out the attack. When the system has an IDS detector, the optimization of the payoff functions for the attacker and defender is as follows:

$$\begin{array}{cc}\hfill O_{a_{IDS}}(\theta ,\delta )=& O_a(\theta ,\delta )-{\displaystyle \frac{1}{T}}\sum _{k=1}^T\sum _{i=1}^N\sum _{s=1}^{\partial }(d_i-{\kappa }_{i,s}){\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k}}\hfill \\ \hfill =& {\displaystyle \frac{1}{T}}{1}_T·\{-(1_N·\mu [1_s·(d-\kappa )])+{\beta }_d(1_N·\theta )-{\beta }_a(1_N·\delta )\}\hfill \end{array}$$

(24)

$$\begin{array}{cc}\hfill O_{d_{IDS}}(\theta ,\delta )=& O_d(\theta ,\delta )+{\displaystyle \frac{1}{T}}\sum _{k=1}^T\sum _{i=1}^N\sum _{s=1}^{\partial }(d_i-{\kappa }_{i,s}){\displaystyle \frac{{\zeta }_i{\theta }_i^k}{{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k}}\hfill \\ \hfill =& {\displaystyle \frac{1}{T}}{1}_T·\{{\epsilon }_1(1_N·\iota )-{\beta }_d(1_N·\theta )+(1-{\epsilon }_1)(1_N·\mu [1_s·(d-\kappa )]),\hfill \end{array}$$

(25)

where

$$\begin{array}{cc}& {\kappa }_{i,s}={\kappa }_1,{\kappa }_2,\dots ,{\kappa }_N;{\kappa }_i={\kappa }_{i,1},{\kappa }_{i,2},\dots ,{\kappa }_{i,\partial }\hfill \\ & d_i=d_1,d_2,\dots ,d_N.\hfill \end{array}$$

In reality, the attacker can eavesdrop on the values of time ${\Re }_i$ and $\mathbb{k}$ through wireless channels before taking any attack actions. In order not to be detected by the IDS, on the basis of the optimal attack strategy of the attacker in (13), a constraint condition is added:

$$\begin{array}{c}\hfill {\kappa }_{i,s}\le d_i,i=1,2,\dots ,N,s=1,2,\dots ,\partial .\end{array}$$

(26)

Both the sensor and the attacker aim to maximize their own objective functions. Under the premise of energy constraints, the optimal strategies for both sides need to be found, and the main problem 1 needs to be solved.

Problem 1. 

The optimal attack schedule for the attacker:

$$\begin{array}{cc}\hfill & {\Omega }_a^{*}\left(\delta \right)=argmax{O}_{a_{IDS}}(\theta ,\delta )\hfill \\ \hfill s.t.& \sum _{i=1}^N\sum _{k=1}^T{\delta }_i^k=\overline{\delta },\hfill & \hfill \\ \hfill & 0\le \underset{min}{\delta }\le {\delta }_i^k\le \stackrel{max}{\delta },\hfill & \hfill \\ \hfill & {\kappa }_{i,s}\le d_i,i=1,2,\dots ,N,k=1,2,\dots ,T,s=1,2,\dots ,\partial ;\hfill \end{array}$$

(27)

and the optimal defense schedule for the defender:

$$\begin{array}{cc}\hfill & {\Omega }_d^{*}\left(\theta \right)=argmax{O}_{d_{IDS}}(\theta ,\delta )\hfill \\ \hfill s.t.& \sum _{i=1}^N\sum _{k=1}^T{\theta }_i^k=\overline{\theta },\hfill & \hfill \\ \hfill & 0\le \underset{min}{\theta }\le {\theta }_i^k\le \stackrel{max}{\theta },i=1,2,\dots ,N,k=1,2,\dots ,T.\hfill \end{array}$$

(28)

4. Stackelberg Game for the Optimization Problem

The Stackelberg game is an important model in game theory. It describes a game process between a leader and a follower, where the defender, as the leader, formulates a strategy first, and the attacker reacts after observing the defender’s strategy. Both parties can formulate their own optimal strategies by analyzing the best response of the other party, and thus engage in a repeated game process, gradually approaching an equilibrium point. Under conditions of incomplete information, both parties need to infer the possible behaviors of the other party based on known information and probabilities, in order to formulate the optimal strategy. The elements of the Stackelberg game framework outlined in this paper are as follows:

• Players: N sensors and a Distributed Denial of Service (DDoS) attack.
• Strategy: The strategies of the defender and attacker are, respectively, $\theta \triangleq \{{\theta }_1,{\theta }_2,\dots ,{\theta }_N\}$ and $\delta \triangleq \{{\delta }_1,{\delta }_2,\dots ,{\delta }_N\}$.
• Reward: The reward function of the defender is $O_{d_{IDS}}(\theta ,\delta )$, and the reward function of the attacker is $O_{a_{IDS}}(\theta ,\delta )$.
• Interaction: A continuous-time two-stage dynamic game. First, the defender makes a decision as the leader, and then the attacker makes their own decision based on the defender’s decision, and so on.

We define the best responses of both sides in the game as follows [38].

Definition 1. 

The best response is the action that brings the maximum return to a player while taking into account the actions of the other players. Specifically, the best responses for the defender and attacker are ${\Omega }_d^{*}\left(\theta \right)$ and ${\Omega }_a^{*}\left(\delta \right)$, respectively.

Theorem 1. 

The solution of the Stackelberg game first involves calculating:

$$\begin{array}{c}\hfill {\theta }^{SE}={\Omega }_d^{*}\left({\Omega }_a^{*}\left({\theta }^{SE}\right)\right),\end{array}$$

(29)

then computing

$$\begin{array}{c}\hfill {\delta }^{SE}={\Omega }_a^{*}\left({\delta }^{SE}\right),\end{array}$$

(30)

Thus, $({\theta }^{SE},{\delta }^{SE})\in (\theta ,\delta )$ represents the equilibrium solution of the Stackelberg game.

Proof. 

When the defender’s defense strategy $\theta$ is given, the attacker chooses the attack strategy as $\delta ={\Omega }_a^{*}\left(\theta \right)$. The defender is aware of this reaction from the attacker, so the defender will choose a corresponding defense strategy to maximize their payoff $O_d(\theta ,{\Omega }_a^{*}\left(\theta \right))$, which can be represented as:

$$\begin{array}{c}\hfill {\theta }^{SE}={\Omega }_d^{*}\left({\Omega }_a^{*}\left({\theta }^{SE}\right)\right).\end{array}$$

(31)

Upon observing the defender’s strategy ${\theta }^{SE}$, the attacker responds accordingly to determine the optimal strategy ${\delta }^{SE}$:

$$\begin{array}{c}\hfill {\delta }^{SE}={\Omega }_a^{*}\left({\delta }^{SE}\right).\end{array}$$

(32)

Proof completed.    □

Remark 2. 

The Stackelberg equilibrium $({\theta }^{SE},{\delta }^{SE})$ and the Nash equilibrium $({\theta }^{NE},{\delta }^{NE})$ have significant differences. In the Stackelberg model, the leader first chooses the strategy ${\theta }^{SE}$, and then the follower selects the optimal response ${\delta }^{SE}$ based on the leader’s strategy. This sequential decision making mechanism allows the leader to optimize global performance, maximize the system’s total utility, and enhance security. In contrast, in the Nash equilibrium, all participants choose their strategies simultaneously, with each participant’s strategy considering only their own interests, which can lead to suboptimal solutions, especially in cases of conflict or competition. Additionally, the Stackelberg model typically offers better stability and predictability, making it suitable for long-term planning and global optimization scenarios. On the other hand, the Nash model may exhibit higher short-term utility in environments with high information transparency and ideal market conditions, but it tends to be less stable in dynamic and complex environments. The Stackelberg equilibrium must satisfy the following conditions:

$$\begin{array}{c}\hfill O_{d_{IDS}}(\theta ,{\delta }^{*})\le O_{d_{IDS}}({\theta }^{*},{\delta }^{*}),\end{array}$$

(33)

$$\begin{array}{c}\hfill O_{a_{IDS}}({\theta }^{*},\delta )\le O_{a_{IDS}}({\theta }^{*},{\delta }^{*}).\end{array}$$

(34)

Considering the conditions that need to be met in problem 1, we design the attacker’s best response through the following optimization problem:

Problem 2. 

$$\begin{array}{ccc}\hfill & \underset{\delta }{max}{\displaystyle \frac{1}{T}}{1}_T·\{-(1_N·\mu [1_s·(d-\kappa )])\}\hfill & \hfill \\ \hfill s.t.& (1_N·\delta )-\overline{\delta }=0,\hfill & \hfill \\ \hfill & 0\le \underset{min}{\delta }\le {\delta }_i^k\le \stackrel{max}{\delta },\hfill & \hfill \\ \hfill & {\kappa }_{i,s}\le d_i,i=1,2,\dots ,N,s=1,2,\dots ,\partial ,\hfill \end{array}$$

(35)

which is equivalent to the following problem:

Problem 3. 

$$\begin{array}{ccc}\hfill & \underset{\delta }{min}{1}_T·\{-(1_N·\mu [1_s·(d-\kappa )])\}\hfill & \hfill \\ \hfill s.t.& (1_N·\delta )-\overline{\delta }=0,\hfill & \hfill \\ \hfill & 0\le \underset{min}{\delta }\le {\delta }_i^k\le \stackrel{max}{\delta },\hfill & \hfill \\ \hfill & {\kappa }_{i,s}\le d_i,i=1,2,\dots ,N,s=1,2,\dots ,\partial .\hfill \end{array}$$

(36)

Then, by calculation, we can obtain

$$\begin{array}{cc}& {\displaystyle \frac{\partial 1_T·\left\{(1_N·\mu )\right\}}{\partial {\delta }_i^k}}=-(1+d_i-{\kappa }_{i,s}){\displaystyle \frac{{\zeta }_i{\theta }_i^k{\varphi }_i}{[{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}(H_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k){]}^2}}\hfill \end{array}$$

(37)

and

$$\begin{array}{cc}& {\displaystyle \frac{{\partial }^2{1}_T·\left\{(1_N·\mu )\right\}}{\partial {{\delta }_i^k}^2}}=(1+d_i-{\kappa }_{i,s}){\displaystyle \frac{2{\zeta }_i{\theta }_i^k{\varphi }_i^2}{[{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}(H_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k){]}^3}}.\hfill \end{array}$$

(38)

The results indicate that when ${\theta }_i^k>0$ and ${\kappa }_{i,s}<d_i+1$, we have ${\displaystyle \frac{{\partial }^2{1}_T\circ \{(1_N\circ \mu )}{\partial {{\delta }_i^k}^2}}>0$. Clearly, for all $\forall {\theta }_i^k=0$, we have ${\delta }_i^k\left(\theta \right)=0$. The attacker can observe the defense strategy chosen by the defender; therefore, they only launch attacks upon detecting the transmission of sensor data to save energy. We assume that at time k, if $i\in \Xi$, then ${\theta }_i^k>0$; if $i\in {\displaystyle \frac{N}{\Xi }}$, then ${\theta }_i^k=0$, where $\Xi =1,2,\dots ,\psi$, ψ denotes the number of ${\theta }_i^k>0$. Therefore, (36) can be solved through the following convex optimization problem:

Problem 4. 

$$\begin{array}{ccc}\hfill & \underset{\delta }{min}{1}_T·\{-(1_N·\mu [1_s·(d-\kappa )])\}\hfill & \hfill \\ \hfill s.t.& (1_{\psi }·\delta )-\overline{\delta }=0,\hfill & \hfill \\ \hfill & {\delta }_i^k-\stackrel{max}{\delta }\le 0,\hfill & \hfill \\ \hfill & -{\delta }_i^k+\underset{min}{\delta }\le 0,\hfill & \hfill \\ \hfill & {\kappa }_{i,s}-d_i\le 0,i=1,2,\dots ,\psi ,s=1,2,\dots ,\partial ,\hfill \end{array}$$

(39)

where

$$\begin{array}{c}\hfill \widehat{\mu }=\{{\mu }_1,{\mu }_2,\dots ,{\mu }_{\psi }\},\widehat{\gamma }=\{{\gamma }_1,{\gamma }_2,\dots ,{\gamma }_{\psi }\},\widehat{\delta }=\{{\delta }_1,{\delta }_2,\dots ,{\delta }_{\psi }\}.\end{array}$$

(40)

Theorem 2. 

If the defender’s strategy is θ, then the attacker’s best response can be calculated by the following formula:

$$\begin{array}{c}\hfill {\delta }_i^k\left(\theta \right)=\left\{\begin{array}{cc}max\left\{{\displaystyle \frac{1}{{\varphi }_i}}\left[\sqrt{(1+d_i-{\kappa }_{i,s}){\displaystyle \frac{{\zeta }_i{\theta }_i^k{\varphi }_i}{{\overline{\Phi }}_i^k}}}-{\sigma }^2-{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k\right],0\right\},& i\in \Xi \\ 0,& i\in {\displaystyle \frac{N}{\Xi }}\end{array}\right.\end{array}$$

(41)

where ${\overline{\Phi }}_i^k$ is obtained from the following equation:

$$\begin{array}{c}\hfill \sum _{k=1}^T\sum _{i=1}^{\psi }max\left\{{\displaystyle \frac{1}{{\varphi }_i}}\left[\sqrt{(1+d_i-{\kappa }_{i,s}){\displaystyle \frac{{\zeta }_i{\theta }_i^k{\varphi }_i}{{\overline{\Phi }}_i^k}}}-{\sigma }^2-{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k\right],0\right\}=\overline{\delta }.\end{array}$$

(42)

Proof. 

We define the Lagrangian function at each time point k as:

$$\begin{array}{cc}\hfill L(\widehat{\delta },{\beth }^k,{\daleth }^k,{\Im }_i^k,{\gimel }^k)=& 1_T·\{-(1_N·\mu [1_s·(d-\kappa )])\}+\sum _{i=1}^{\psi }{\beth }_i^k({\delta }_i^k-\stackrel{max}{\delta })\hfill \\ & +\sum _{i=1}^{\psi }{\daleth }_i^k({\delta }_i^k+\underset{min}{\delta })+\sum _{i=1}^{\psi }{\Im }_i^k({\kappa }_{i,s}-d_i)+{\gimel }_0^k[(1_{\psi }·\delta )-\overline{\delta }],\hfill \end{array}$$

(43)

where ${\gimel }_0^k>0$, ${\Im }_i^k\ge 0$, ${\daleth }_0^k\ge 0$, ${\beth }_i^k\ge 0$, $i=1,2,\dots ,\psi$. Thus, the Karush–Kuhn–Tucker (KKT) conditions can be represented as:

$$\begin{array}{cc}\hfill {\displaystyle \frac{\partial L(\widehat{\delta },{\beth }^k,{\daleth }^k)}{\partial {\delta }_i^k}}& =0,i\in \Xi \hfill \end{array}$$

(44)

$$\begin{array}{cc}\hfill (1_{\psi }·\delta )-\overline{\delta }& =0\hfill \end{array}$$

(45)

$$\begin{array}{cc}\hfill {\gimel }_0^k[(1_{\psi }·\delta )-\overline{\delta }]& =0\hfill \end{array}$$

(46)

$$\begin{array}{cc}\hfill {\beth }_i^k({\delta }_i^k-\stackrel{max}{\delta })& =0,i\in \Xi \hfill \end{array}$$

(47)

$$\begin{array}{cc}\hfill -{\daleth }_i^k({\delta }_i^k+\underset{min}{\delta })& =0,i\in \Xi \hfill \end{array}$$

(48)

$$\begin{array}{cc}\hfill \sum _{i=1}^{\psi }{\Im }_i^k({\kappa }_{i,s}-d_i)& =0,i\in \Xi \hfill \end{array}$$

(49)

$$\begin{array}{cc}\hfill {\delta }_i^k-\stackrel{max}{\delta }& \le 0\hfill \end{array}$$

(50)

$$\begin{array}{cc}\hfill -{\delta }_i^k+\underset{min}{\delta }& \le 0,i\in \Xi \hfill \end{array}$$

(51)

$$\begin{array}{cc}\hfill {\kappa }_{i,s}-d_i& \le 0,i\in \Xi \hfill \end{array}$$

(52)

Through Equations (44) to (52), we systematically verify each part of the KKT conditions. Equation (44) ensures that the gradient of the objective function, when combined linearly with the Lagrange multipliers of all constraints, is zero, thereby satisfying the stationarity condition. Equations (45) to (49) ensure that all primal feasibility and dual feasibility conditions are met, including constraints such as energy limits and transmission power limits. Equations (50) to (52) utilize the complementary slackness conditions to determine which constraints are active, i.e., which constraints are binding at the optimal solution, where

$$\begin{array}{cc}\hfill {\displaystyle \frac{\partial L(\widehat{\delta },{\beth }^k,{\daleth }^k,{\Im }_i^k,{\gimel }^k)}{\partial {\delta }_i^k}}=& -(1+d_i-{\kappa }_{i,s}){\displaystyle \frac{{\zeta }_i{\theta }_i^k{\varphi }_i}{[{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}(H_{ij}{\zeta }_j{\theta }_j^k+{\varphi }_i{\delta }_i^k){]}^2}}\hfill \\ & +{\gimel }_0^k+{\beth }_i^k+{\beth }^k+{\daleth }^k+{\Im }_i^k,\hfill \end{array}$$

(53)

Define ${\overline{\Phi }}_i^k={\gimel }_0^k+{\beth }_i^k+{\beth }^k+{\daleth }^k+{\Im }_i^k>0$. Therefore, the relationship between ${\delta }_i^k$ and $\theta$ is given by (41).    □

Remark 3. 

It should be noted that ${\overline{\Phi }}_i^k$ is crucial for designing the optimal strategy ${\delta }_i^k\left(\theta \right)$ and the parameters ${\overline{\Phi }}_i^k$ should be computed first. However, since ${\overline{\Phi }}_i^k$ is not easily computable, we provide Algorithm 1 to solve for it.

Algorithm 1 Calculating parameter ${\overline{\Phi }}_i^k$

1: Calculate ${\overline{\Phi }}_i^k={\displaystyle \frac{{\zeta }_i{\theta }_i^k{\varphi }_i}{[{\sigma }^2+{\displaystyle \sum _{j=1,j\ne i}^N}{H}_{ij}{\zeta }_j{\theta }_j^k{]}^2}},i\in \Xi$ 2: Sort ${\overline{\Phi }}_i^k$: $0\le {\overline{\Phi }}_{i^1}^k\le {\overline{\Phi }}_{i^2}^k\le \cdots \le {\overline{\Phi }}_{i^{\psi }}^k$ 3: Find ${\overline{\Phi }}_i^k\in [{\overline{\Phi }}_{i^{h-1}}^k,{\overline{\Phi }}_{i^h}^k]$ such that $f\left({\overline{\Phi }}_{i^h}^k\right)\le \overline{\delta }\le f\left({\overline{\Phi }}_{i^{h-1}}^k\right)$, where $f\left(\overline{\Phi }\right)={\displaystyle \sum _{k=1}^T\sum _{w=h}^{\psi }}{\displaystyle \frac{1}{{\varphi }_{i^w}}}\left[\sqrt{{\displaystyle \frac{{\zeta }_{i^w}{\theta }_{i^w}^k{\varphi }_{i^w}}{\overline{\Phi }}}}-{\sigma }^2-{\displaystyle \sum _{w=h,w\ne h}^{\psi }}{H}_{i^{w}j}{\zeta }_{j^w}{\theta }_{j^w}^k\right]$ 4: if $f\left(\overline{\Phi }\right)=\overline{\delta }$, then ${\overline{\Phi }}_i^k=\overline{\Phi }$

The defender’s best response can be obtained by solving the following optimization problem:

$$\begin{array}{ccc}\hfill & maxG\left(\iota \right(\theta ),\mu (\theta \left)\right)\hfill & \hfill \\ \hfill \mathrm{s}.\mathrm{t}.& (1_N·\theta )-\overline{\theta }=0,\hfill & \hfill \\ \hfill & 0\le \underset{min}{\theta }\le {\theta }_i^k\le \stackrel{max}{\theta }.i=1,2,\dots ,N,k=1,2,\dots ,T,\hfill \end{array}$$

(54)

where $G(\iota \left(\theta \right),\mu \left(\theta \right))=1_T·\{{\epsilon }_1(1_N·\iota \left(\theta \right))+(1-{\epsilon }_1)(1_N·\mu \left(\theta \right)[1_s·(d-\kappa )])\}$.

Theorem 3. 

If ${\epsilon }_1\in (0,1)$ is given, then there exists ${\theta }^{SE}\in \theta$, so the defender’s best strategy can be ${\theta }^{SE}$. After obtaining ${\theta }^{SE}$, Algorithm 2 can be used to calculate ${\delta }^{SE}\in \delta$. Therefore, $({\theta }^{SE},{\delta }^{SE})$ is the Stackelberg equilibrium.

Algorithm 2 APF-based Differential Evolution

1: Construct adaptive penalty function: $\Theta \left(\theta \right)=\Delta \left(\theta \right)+\eta \left(\theta \right)\Lambda \left(\theta \right)$ where $\Delta \left(\theta \right)=1_T\circ \{{\epsilon }_1(1_N\circ \iota \left(\theta \right))+(1-{\epsilon }_1)(1_N\circ \mu \left(\theta \right)[1_s\circ (d-\kappa )])\}$, $\eta \left(\theta \right)=1+{\displaystyle \frac{\Delta \left(\theta \right)}{1+\Lambda \left(\theta \right)}}$, $\Lambda \left(\theta \right)=(1_N\circ \theta )-\overline{\theta }$ 2: Initialize: ${\theta }_i^k\left(G\right)$ represents an N-dimensional variable, where $i=1,2,\dots ,N_p$ and G is the generation. Choose ${\theta }_{j,i}^k\left(0\right)={\theta }_{j_{min}}^k+rand(0,1)({\theta }_{j_{max}}^k-{\theta }_{j_{min}}^k)$, where $i=1,2,\dots ,N_p$, $j=1,2,\dots ,N$ and ${\theta }_{j_{min}}^k\le {\theta }_j^k\le {\theta }_{j_{max}}^k$. 3: Variation: Generate variogram vector, as follows: ${\delta }_i^k\left(G\right)={\theta }_{z_1}^k\left(G\right)+F({\theta }_{z_2}^k\left(G\right)-{\theta }_{z_3}^k\left(G\right))$, where $z_1,z_2,z_3\in 1,2,\dots ,N_p$ and $z_1\ne z_2\ne z_3$, and the adaptive mutation operator F can be given by $F=F_0\times 2^{\mho }$, where $\mho =e^{1-{\displaystyle \frac{G_{max}}{G_{max}+1-G}}}$. $G_{max}$ represents the maximum generation. 4: Crossover: Denote ${\delta }_i^k(G+1)=[{\delta }_{1,i}^k(G+1),\dots ,{\delta }_{N,i}^k(G+1)]$, If $rand(0,1)\le CR\mathrm{or}j=j_{rand}$,      ${\delta }_{j,i}^k(G+1)={\delta }_{j,i}^k(G+1)$ else      ${\delta }_{j,i}^k(G+1)={\theta }_{j,i}^k(G+1)$ where $CR$ is crossover operator, and $j_{rand}\in \{1,2,\dots ,N\}$ is a sequence selected randomly.

To obtain the defender’s strategy, the optimization problem (54) needs to be solved. However, due to the nonlinearity and possible non-convexity of the reward function $O_{d_{IDS}}(\theta ,\delta \left(\theta \right))$, solving (54) is not easy. This paper combines the Adaptive Penalty Function (APF) method and the Differential Evolution Algorithm to handle related non-convex and nonlinear optimization problems [39]. Algorithm 2 details the main steps of the Differential Evolution algorithm based on APF. Differential Evolution (DE) is an efficient global optimization algorithm suitable for nonlinear, non-convex, and multimodal problems. Artificial Potential Field (APF) is a path-planning method that quickly finds feasible paths using potential fields. By combining DE and APF, we leverage DE’s global search capabilities to find the global optimum and APF’s local guidance to speed up convergence. This integration enhances optimization efficiency and better handles complex environments and constraints. Once ${\theta }^{SE}$ is obtained, the attacker’s best response ${\delta }^{SE}$ can be calculated according to Theorem 2.

5. Simulations

In this section, we use numerical examples to demonstrate the theoretical results of the Stackelberg game strategies under the presence of Intrusion Detection System (IDS) detectors as proposed in this paper. We set the following parameters: $N=3, T=1000, \zeta =[0.2;0.3;0.3],$ $\varphi =[0.3;0.2;0.2], {\sigma }^2=0.02, {\beta }_d=0.2, {\beta }_a=0.2, 0\le {\theta }_j^k\le 5, H_{12}=0.01, H_{13}=0.03,$ $H_{21}=0.02, H_{23}=0.01, H_{31}=0.01, H_{32}=0.02, N_p=50, G=100, F=0.4, CR=0.3,$ $PR{R}_1^0=PR{R}_2^0=PR{R}_3^0=PR{R}^0$. To further validate the proposed framework’s effectiveness in practical wireless communication, we refer to recent experiments using real-world datasets and testbeds. For instance, ref. [40] evaluated a similar strategy on an IEEE 802.11-based testbed, showing improved throughput and SINR under interference. Similarly, ref. [41] used USRP devices to simulate a multi-user environment and showed effective attack mitigation while maintaining high communication quality. These studies demonstrate advantages and achievements from different perspectives, providing useful references. It is worth noting that our proposed framework includes an IDS detector. Compared with [12], its uniqueness is introducing this detector at the estimator end. This innovation makes our framework more effective in practical scenarios. Through in-depth analyses, we find it more robust and applicable, offering more reliable guarantees and better performance.

When the IDS does not exist in the system model, as shown in Figure 1, the reward functions of both sides are as given by Equations (21) and (22). Keeping other parameters constant, we can establish the relationship between time k and the reward functions of both sides, as shown in Figure 3. In this paper, we have designed an IDS at the remote estimator end, as depicted in Figure 2. By choosing ${\epsilon }_1=0.6$ and $PR{R}^0=5$, we are able to obtain the relationship between time k and the reward functions of both sides, as shown in Figure 4, as well as the strategic choices of both participants when reaching equilibrium in Figure 5. The three graphs from top to bottom in Figure 5, respectively, display the strategy values of attackers and defenders on channels 1, 2, and 3. By comparing Figure 3 and Figure 4, it can be observed that the proposed IDS detector in this paper can reduce the reward value of attackers and effectively increase the reward value of defenders. In Figure 4, after each participant undergoes 650 iterations, the reward function converges to the optimal value.

By solving Theorem 2 and Algorithm 2, the relationship between the boundary values $PR{R}^0$, ${\epsilon }_1$ triggering alarms in the IDS detector, and the reward values of both players is illustrated in Figure 6. We choose $PR{R}^0\in [0,10]$ and ${\epsilon }_1\in [0,1]$. The first graph in Figure 6 represents the reward function of the defender, while the second graph illustrates the reward function of the attacker. From the graph, we can conclude that when $PR{R}^0$ is fixed, ${\epsilon }_1$ has a significant impact on $O_{d_{IDS}}(\theta ,\delta )$, with an increase in ${\epsilon }_1$ corresponding to a larger $O_{d_{IDS}}(\theta ,\delta )$. The influence of ${\epsilon }_1$ on $O_{a_{IDS}}(\theta ,\delta )$ is minimal. When ${\epsilon }_1$ is determined, changes in $PR{R}^0$ result in different reward values for both players in the game. As $PR{R}_i^0$ transitions from 0 to 1, it is evident that the reward function value of the attacker sharply decreases, while the defender’s reward value slightly increases. For $PR{R}_i^0\ge 1$ the attacker’s reward value exhibits minor periodic fluctuations, while the defender’s reward value remains relatively stable.

In the simulation, we can select the range of values for ${\theta }_j^k$ based on the communication constraints of each channel, which in turn affects the optimization results. Therefore, the results obtained may not be the optimal solution but a suboptimal one. Given this, the nonlinear and non-convex optimization proposed in this paper can provide a feasible solution. In Figure 4, we have chosen $0\le {\theta }_j^k\le 5$. If we set $0\le {\theta }_j^k\le 0.5$, the reward function values for both parties are depicted in Figure 7.

Our optimization scheme combines the global search capabilities of Differential Evolution (DE) with the local guidance advantages of the Artificial Potential Field (APF) method. The time complexity of DE is $\mathcal{O}(N_p\times G\times D)$, where $N_p$ is the population size, G is the maximum number of iterations, and D is the dimensionality of each individual. This complexity arises from the matrix operations involved in evaluating the fitness function. The time complexity of APF is $\mathcal{O}\left(N^2\right)$, primarily dependent on the number of nodes N and the size of the channel gain matrix H. Therefore, the overall time complexity of our combined approach is $\mathcal{O}(N_p\times G\times (D+N^2)$. Based on our current experimental setup ($N=3, T=1000, N_p=50, G=100$), the average runtime is 2.5 s. Although these experiments were conducted on a smaller scale, we can extrapolate the performance for larger scales by adjusting parameters (e.g., $N=50, N_p=200, G=500$). Our complexity analysis suggests that while runtime will increase, it will remain within a reasonable range. To evaluate real-time performance, we simulated a scenario requiring one optimization decision per second. Under current settings, the optimization completes within 1 s, meeting real-time requirements. However, for larger problem scales, we may need to adjust parameters, such as reducing population size or lowering the number of iterations, to maintain real-time performance. We also explored parallel computing, where processing individuals across multiple nodes can significantly reduce runtime without sacrificing optimization effectiveness. This approach is a promising direction for future research.

6. Conclusions

This study aims to explore the optimal power control problem when the wireless channel undergoes Distributed Denial of Service (DDoS) attacks with the presence of an Intrusion Detection System at the remote estimator. Considering the impact of the attacker on the wireless channel, we quantify it using signal-to-noise ratio as a metric. To address this, we propose a Stackelberg game framework to analyze the game situation when both sides are in an incomplete information state. In such scenarios, the optimal strategy relationship between attackers and defenders can be determined through Karush–Kuhn–Tucker (KKT) conditions. We employ a Differential Evolution (DE) method based on Artificial Potential Field (APF) to design the optimal strategy for the defense side. Finally, we not only provide specific steps to solve the corresponding optimization problem but also observe that this optimization scheme can effectively reduce the reward function value for attackers and simultaneously increase the reward value for defenders when an Intrusion Detection System exists at the remote estimator. In future work, we plan to investigate integrated defense strategies that combine DDoS attacks with other network attacks (e.g., man-in-the-middle attacks, data tampering). By developing a multi-layered, multi-dimensional defense system, we aim to enhance overall security and improve the system’s resilience against complex attack environments.