From the evolutionary game model, we can divide the evolutionary game analysis into two cases according to the type of service provided by the server.

#### 4.2.1. Honeypot Services

According to Table 1, the payoff matrix can be obtained when the server provides the honeypot service, as shown in Table 3.

Based on Table 3, we can solve for the expected revenue of each strategy for each of the three parties [40,41]. It is assumed that when the defender executes the strategies ${S}_{Defender1}$ and ${S}_{Defender2}$, the expected revenues are ${U}_{Defender1}$ and ${U}_{Defender2}$ respectively, and the average expected revenue is $\overline{{U}_{Defender}}$. Likewise, when the attacker executes the strategies ${S}_{Attacker1}$ and ${S}_{Attacker2}$, the expected revenues are ${U}_{Attacker1}$ and ${U}_{Attacker2}$, and the average expected revenue is $\overline{{U}_{Attacker}}$. Moreover, when the user executes the strategies ${S}_{User1}$ and ${S}_{User2}$, the expected revenues are ${U}_{User1}$ and ${U}_{User2}$, and the average expected revenue is $\overline{{U}_{User}}$. These revenues are shown in Equations (4) and (5).

According to the revenues of Equation (4) and the expected revenues of Equation (5), when the three parties of defenders, attackers and legitimate users choose pure strategies ${S}_{Defender1}$, ${S}_{Attacker1}$, ${S}_{User1}$ with the probability of $x$, $y$, and $z$ respectively, the rate of change of the individual who chooses the pure strategy at time $t$ can be obtained. These rates of change are respectively defined as ${h}_{Defender}\left(x\right)$, ${h}_{Attacker}\left(y\right)$, ${h}_{User}\left(z\right)$, where ${h}_{Defender}\left(x\right)=\frac{\mathrm{d}x}{\mathrm{d}t}$, ${h}_{Attacker}\left(y\right)=\frac{\mathrm{d}y}{\mathrm{d}t}$, ${h}_{User}\left(z\right)=\frac{\mathrm{d}z}{\mathrm{d}t}$. Based on the stability theory of the Replicator Dynamics system and the descriptions of Equation (2), the Replicator Dynamics [42,43] of the three-party evolutionary game can be obtained as shown in Equation (6).

From Equation (6), we know that ${h}_{Attacker}\left(y\right)<0$. That is, ${U}_{Attacker1}<\overline{{U}_{Attacker}}$ (the revenue of strategy ${S}_{Attacker1}$ is less than the average payoff of the attacker). Hence, if evolution continues, the subgroup size of the selected strategy ${S}_{Attacker1}$ will gradually shrink until it is eliminated. Similarly, it can be calculated that ${h}_{User}\left(z\right)<0$. In other words, ${U}_{User1}<\overline{{U}_{User}}$, which means that the revenue of strategy ${S}_{User1}$ is less than the average payoff of the user. Therefore, the subgroup size of the selected strategy ${S}_{User1}$ will gradually shrink until extinction.

Moreover, when ${h}_{Defender}\left(x\right)=0$, we can obtain three values $x=0$, $x=1$ and $y=0$. According to theoretical knowledge, the evolutionarily stable strategy is the point where the Replicator Dynamic curve intersects the horizontal axis and the slope of the tangent at the intersection is negative. Because $y\in (0,1)$, when $y>0$, the slope of the tangent at the intersection $x=0$ is positive. On the contrary, it is negative at the intersection $x=1$. Therefore, only $x=1$ is the evolutionarily stable strategy, which means that the defense strategy will evolve in the direction of $x=1$ and the defense system will eventually deploy honeypots. Since $y$ cannot be less than 0, enabling the honeypot service is the dominant strategy of the defender.

Figure 3 briefly shows the trend of the function ${h}_{Defender}\left(x\right)$, which can reflect the evolution of the defense strategy over time when the server provides the honeypot service.

#### 4.2.2. Real Services

When the server provides real services, the payoff matrix is shown in Table 4.

As in the previous subsection, we can obtain the revenues of participants under each strategy when the server provides real services. Similarly, we assume that when the defender executes the strategies ${S}_{Defender1}$ and ${S}_{Defender2}$, the expected revenues are ${U}_{Defender1}$ and ${U}_{Defender2}$ respectively, and the average expected revenue is $\overline{{U}_{Defender}}$. Likewise, when the attacker executes the strategies ${S}_{Attacker1}$ and ${S}_{Attacker2}$, the expected revenues are ${U}_{Attacker1}$ and ${U}_{Attacker2}$, and the average expected revenue is $\overline{{U}_{Attacker}}$. Moreover, when the user executes the strategies ${S}_{User1}$ and ${S}_{User2}$, the expected revenues are ${U}_{User1}$ and ${U}_{User2}$, and the average expected revenue is $\overline{{U}_{User}}$. These revenues for the game parties are shown in Equations (7) and (8).

Furthermore, we define the change rate of pure strategies ${S}_{Defender1}$, ${S}_{Attacker1}$, ${S}_{User1}$ of defenders, attackers and legitimate users at time $t$ as ${h}_{Defender}\left(x\right)$, ${h}_{Attacker}\left(y\right)$, ${h}_{User}\left(z\right)$. Hence, the Replicator Dynamics for the three-party evolutionary game of defenders, attackers and legitimate users are shown in Equation (9).

Following the idea of the Replicator Dynamics, we can judge whether the three-group game has an evolutionarily stable strategy by analyzing the asymptotic stability of the equilibrium point. From the Lyapunov theorem, we know that the asymptotic stability of the equilibrium point can be determined from the sign of the real parts of the eigenvalues of the Jacobian matrix. In this paper, the Jacobian matrix is called ${J}_{DAU}$, which has three eigenvalues at most. The three eigenvalues are derived from the partial derivatives of ${h}_{Defender}\left(x\right)$, ${h}_{Attacker}\left(y\right)$ and ${h}_{User}\left(z\right)$ with respect to $x$, $y$ and $z$, and are called ${\lambda}_{k},k=1,2,3$. The Jacobian matrix ${J}_{DAU}$ is shown in Formula (10).

By calculating the Replicator Dynamics, we find that there are at least 8 system equilibrium points $(x,y,z)$ in the three-party array honeypot evolutionary game, which are $(0,0,0)$, $(1,0,0)$, $(0,1,0)$, $(1,1,0)$, $(0,0,1)$, $(1,0,1)$, $(0,1,1)$, $(1,1,1)$. Then, we substitute these 8 points into the Jacobian matrix ${J}_{DAU}$ to obtain the eigenvalue matrix ${J}_{tz}$ of ${J}_{DAU}$ (the three elements in each column are, in turn, the set of eigenvalues of one of the equilibrium nodes), as shown in Formula (11).

From the eigenvalue matrix, we know that when the real parts of the eigenvalues in a certain column of ${J}_{tz}$ are all negative, the equilibrium node corresponding to this column is an evolutionary stable equilibrium point. Otherwise, it is an unbalanced point. Moreover, the three-party evolutionary game can reach an evolutionarily stable strategy at the evolutionary stable node. The system can then reach an evolutionary stable state after long-term evolution and development, and form a refined Nash equilibrium. The stability analysis of the equilibrium point is shown in Table 5.

From Table 5, when $-(a-\frac{\gamma a}{N})<0$ and $-(\frac{\gamma a}{N}-b)<0$, $(1,1,1)$ is the equilibrium point. And when $\frac{\gamma a}{N}-b<0$, $(1,0,1)$ is the equilibrium point.
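The corner-point check described above (sign of the Jacobian eigenvalues at the eight pure-strategy points) can be reproduced numerically; the following is an added example, not code or equations from the paper. The payoff gaps in `make_gaps`, the constant `c`, and the values of $a$, $b$, $\gamma$ and $N$ are constructed placeholders chosen only so that the corner eigenvalues match the two conditions quoted from Table 5; they are not Equations (7) to (9).

```python
from itertools import product

def make_gaps(a, b, gamma, N, c=1.0):
    """Payoff gaps U_i1 - U_i2 for (defender, attacker, user).
    Placeholder forms (assumption), not the paper's Equations (7)-(9)."""
    share = gamma * a / N
    return (lambda x, y, z: a - y * share,   # defender: open vs. close real service
            lambda x, y, z: x * share - b,   # attacker: attack vs. do not attack
            lambda x, y, z: c)               # user: access vs. do not access

def replicator(p, gaps):
    # Two-strategy replicator form: h_i = p_i * (1 - p_i) * (U_i1 - U_i2)
    return [p[i] * (1 - p[i]) * gaps[i](*p) for i in range(3)]

def jacobian(p, gaps, eps=1e-6):
    # Central finite differences: J[i][j] = d h_i / d p_j
    J = [[0.0] * 3 for _ in range(3)]
    for j in range(3):
        hi, lo = list(p), list(p)
        hi[j] += eps
        lo[j] -= eps
        fh, fl = replicator(hi, gaps), replicator(lo, gaps)
        for i in range(3):
            J[i][j] = (fh[i] - fl[i]) / (2 * eps)
    return J

def stable_corners(gaps, tol=1e-4):
    """Return the pure-strategy points whose eigenvalues are all negative."""
    stable = []
    for p in product((0.0, 1.0), repeat=3):
        J = jacobian(p, gaps)
        # At a corner p_i * (1 - p_i) = 0, so J is diagonal and its eigenvalues
        # are the diagonal entries (1 - 2 * p_i) * gap_i(p).
        off_diag = max(abs(J[i][j]) for i in range(3) for j in range(3) if i != j)
        if off_diag > tol:
            raise ValueError("Jacobian is not diagonal at %r" % (p,))
        if all(J[i][i] < -tol for i in range(3)):
            stable.append(tuple(int(v) for v in p))
    return stable

if __name__ == "__main__":
    # Constructed values: a=6, b=2, gamma=1; only N changes between the runs.
    for N in (2, 4):
        print(N, stable_corners(make_gaps(6, 2, 1, N)))
```

With these constructed values, the smaller $N$ leaves $(1,1,1)$ as the only stable point, and the larger $N$ makes $\frac{\gamma a}{N}-b$ negative so that $(1,0,1)$ becomes the only stable point.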

For $(1,1,1)$, it indicates that the server provides real services, the attacker attacks the server, and the user accesses the server. In this strategy, the loss of the server is less than the overall revenue of the server when the attacker attacks the server. That is, the attack probability of the attacker is small. Therefore, the server opens the real service.

$(1,0,1)$ means that the server provides real services, the attacker does not attack the server and the user accesses the server. It is known that the attack cost of attackers doubles with the increase of $N$, which brings more losses for the attacker. If the attacker wants to maintain the attack goal, he needs to increase the attack's destructive power, but then the attack difficulty will increase. The stable condition of this strategy is $N>2$. Therefore, defenders can adjust the value of $N$ to achieve system defense purposes.

In summary, since the honeypot service of the server-side is an absolute dominant strategy, the server-side strategy sets are $\{OpenHoneypotService,OpenRealService\}$ and $\{OpenHoneypotService,CloseRealService\}$. Furthermore, an attacker attacks the server in two ways. One is the attacker accessing the honeypot service, and the other is the attacker accessing the real service. Therefore, the server-side strategy set has taken into account any situation when the attacker attacks, to protect the server-side from being compromised.