Security-Aware Synthesis Using Delayed-Action Games

Stochastic multiplayer games (SMGs) have gained attention in the field of strategy synthesis for multi-agent reactive systems. However, standard SMGs are limited to modeling systems where all agents have full knowledge of the state of the game. In this paper, we introduce delayed-action games (DAGs) formalism that simulates hidden-information games (HIGs) as SMGs, by eliminating hidden information by delaying a player's actions. The elimination of hidden information enables the usage of SMG off-the-shelf model checkers to implement HIGs. Furthermore, we demonstrate how a DAG can be decomposed into a number of independent subgames. Since each subgame can be independently explored, parallel computation can be utilized to reduce the model checking time, while alleviating the state space explosion problem that SMGs are notorious for. In addition, we propose a DAG-based framework for strategy synthesis and analysis. Finally, we demonstrate applicability of the DAG-based synthesis framework on a case study of a human-on-the-loop unmanned-aerial vehicle system that may be under stealthy attack, where the proposed framework is used to formally model, analyze and synthesize security-aware strategies for the system.


Introduction
Stochastic multiplayer games (SMGs) are used to model reactive systems where nondeterministic decisions are made by more than one entity [4,13,20]. SMGs extend probabilistic automata by assigning a player to each choice to be made in the game. This extension allows for modeling complex systems where the behavior of players is unknown in design time. A player's strategy is a set of rules that the player follows when making decisions as the game advances. The strategy synthesis problem is concerned with finding a winning strategy, i.e., a strategy that guarantees that a set of objectives (or winning conditions) is satisfied [6,18].
Several algorithms and tools have been developed for this purpose. For instance, value iteration methods are utilized to synthesize strategies for SMGs such that multiple reward-based objectives are satisfied [2,9,16]. To tackle the state-space explosion problem, [25] presents an assume-guarantee strategy synthesis framework that relies on synthesizing strategies on the component level first, before combining them through an assume-guarantee framework to find a global winning strategy. Mean-payoffs and ratio rewards are further investigated in [3] to synthesize ε-optimal strategies. Formal tools that support strategy synthesis via SMGs include PRISM-games [7] and Uppaal Stratego [10].

arXiv:1902.04618v1 [cs.GT] 12 Feb 2019
SMGs are classified based on the number of players that can make choices at each state. In concurrent games, more than one player are allowed to concurrently make choices at a given state. Conversely, turn-based games assign one player at most to each state. Since they provide a relatively less complex structure, we focus on turn-based games in the rest of this paper.
Games are also classified according to the nature of information available to different players across the game states [23]. Complete-information games (also known as perfect-information games [5]) grant all players complete access to the information within the game -including other players' choices. Conversely, partially-observable stochastic games, introduced in [14], allow agents to have different belief states by including uncertainty about both the current state and adversarial plans into the game state. Moreover, in symmetric games some of the information is equally hidden from all players. On the contrary, asymmetric games allow some players to have access to more information than the others [23]. Note that the equivalence between turn-based semi-perfect information games and concurrent perfect-information games was shown [5]. Since a player's strategy mainly rely on full knowledge of the game state [9], using SMGs for synthesis produces strategies that may violate synthesis specifications in cases where required information is hidden from the player.
In this work, we are motivated by security-aware models of systems in which stealthy adversarial actions are potentially hidden from the system, and where the system can probabilistically and intermittently gain full knowledge about or access to its current state -e.g., when intrusion detection mechanisms are executed. To model such systems, hidden-information games (HIGs) can be used, where the hidden information is captured by private variables [5]. However, standard model checkers can only synthesize strategies for (full-information) SMGs. Hence, an alternative representation of HIGs is required.
Consequently, we introduce delayed-action games (DAGs) -a new class of games that can simulate HIGs by utilizing the concept of delaying actions. That is, a DAG hides information from one player by delaying the actions of the others. The omission of private variables enables the use of off-the-shelf tools (e.g., PRISM-games [7]) to implement and analyze DAG-based models. Next, we show how DAGs (under some mild and practical assumptions) can be decomposed into a number of independent subgames. This approach can reduce the time required for synthesis by employing parallel computation to explore each subgame. Moreover, we propose a DAG-based framework for strategy synthesis and analysis of security-aware systems. Finally, we demonstrate the applicability of the proposed framework on a case study focused on security-aware planning for an unmanned-aerial vehicle (UAV) system prone to stealthy cyber attacks; specifically, we develop a DAG-based system model and further utilize the proposed framework to synthesize strategies with strong probabilistic security guarantees.
The paper is organized as follows. Sec. 2 presents SMGs, HIGs, and problem formulation. In Sec. 3, we introduce DAGs and show that they can simulate HIGs. Sec. 4 proposes a DAG-based synthesis framework, which we use for security-aware planning for UAVs in Sec. 5, before concluding the paper in Sec. 6.

Stochastic Games
In this section, we present turn-based stochastic games, which assume that all players have full information about the state of the game. We then introduce hidden-information games and their private-variable semantics. We start by presenting the employed notation.
Notation. We employ standard notation with N 0 denoting the set of nonnegative integers. P(A) denotes the powerset of A (i.e., 2 A ). A variable v has a set of valuations Ev (v), where η(v) ∈ Ev (v) denotes one. We use Σ * to denote the set of all finite words over alphabet Σ, including the empty word . The mapping Eff : Σ * ×Ev (v) → Ev (v) indicates the effect of a finite word on η(v). Finally, for general indexing, we use s i or s (i) , for i ∈ N 0 , while PL γ denotes Player γ.

Turn-Based Stochastic Games
Stochastic multiplayer games (SMGs) can be used to model reactive systems that undergo both stochastic and nondeterministic transitions from one state to another. In a turn-based game, 1 actions can be taken at any state by at most one player. Formally, an SMG can be defined as follows [1,24,25].
-S is a finite set of states, partitioned into S I , S II and S ; -A = A I ∪ A II ∪ {τ } is a finite set of actions where τ is an empty action; s 0 ∈ S II is the initial state; and δ : S × A × S → [0, 1] is a transition function, such that δ(s, a, s ) ∈ {1, 0}, ∀s ∈ S I ∪ S II , a ∈ A and s ∈ S, and δ(s, τ, s ) ∈ [0, 1] , ∀s ∈ S and s ∈ S I ∪ S II , where s ∈SI∪SII δ(s, τ, s ) = 1 holds.
For all s ∈ S I ∪ S II and a ∈ A I ∪ A II , we write s a / / s if δ(s, a, s ) = 1. Similarly, for all s ∈ S we write s p / / s if s is randomly sampled with probability p = δ(s, τ, s ).

Hidden-Information Games
SMGs assume that all players have full knowledge of the current state, and hence provide perfect-information models [5]. In many applications, however, this assumption may not hold. A great example are security-aware models where stealthy adversarial actions can be hidden from the system; e.g., the system may not even be aware that it is under attack. On the other hand, hidden-information games (HIGs) refer to games where one player does not have complete access to (or knowledge of) the current state. The notion of hidden information can be formalized with the use of private variables (PVs) [5]. Specifically, a game state can be encoded using variables v T and v B , representing the true information, which is only known to PL I , and PL II belief, respectively.
Definition 2 (Hidden-Information Game). A hidden-information stochastic game (HIG) with players Γ = {I, II, } over a set of variables θ} is a finite set of actions, where τ denotes an empty action, and θ is the action capturing PL II attempt to reveal the true value v T ; s 0 ∈ S II is the initial state; β : A II → P(A I ) is a function that defines the set of available PL I actions, based on PL II action; and δ : S × A × S → [0, 1] is a transition function such that δ(s I , a, s ) = δ(s , a, s I ) = 0, and δ(s II , θ, s ), δ(s II , a, s I ), δ(s I , a, s II ) ∈ {0, 1} for all s I ∈ S I , s II ∈ S II , s ∈ S and a ∈ A, where s ∈SII δ(s , τ, s ) = 1.
In the above definition, δ only allows transitions s I to s II , s II to s I or s , with s II to s conditioned by action θ, and probabilistic transitions s to s II . A game state can be written as s = (t, u, Ω, γ), but to simplify notation we use s γ (t, u, Ω) instead, where t ∈ Ev (v T ) is the true value of the game, u ∈ Ev (v B ) is PL II current belief, Ω ∈ P(Ev (v T )) \ {∅} is PL II belief space, and γ ∈ Γ is the current player's index. When the truth is hidden from PL II , the belief space Ω is the information set [23], capturing PL II knowledge about the possible true values. Example 1 (Belief vs. True Value). Our motivating example is a system that consists of a UAV and a human operator. For localization, the UAV mainly relies on a GPS sensor that can be compromised to effectively steer the UAV away from its original path. While aggressive attacks can be detected, some may remain stealthy by introducing only bounded errors at each step [17,22,19,15]. For example, Fig. 1 shows a UAV (PL II ) occupying zone A and flying north (N). An adversary (PL I ) can launch a stealthy attack targeting its GPS, introducing a bounded error (NE, NW) to remain stealthy. The set of stealthy actions available to the attacker depends on the preceding UAV action, which is captured by the function β, where β(N) = {NE, N, NW}. Being unaware of the attack, the UAV believes that it is entering zone C, while the true new location is D due to the attack (NE).
HIG Semantics. The semantics of G H is described using the rules shown in Fig. 2, where H2 and H3 capture PL II and PL I moves, respectively. If PL II executes θ to attempt to reveal the true value of the game, H4 shows that this attempt can succeed with probability p i where PL II belief is updated (i.e., u = t), or remains unchanged otherwise.
Example 2 (HIG Semantics). Continuing Example 1, let us assume that A I = A II = {N, S, E, W, NE, NW, SE, SW}, and that θ = GT is a geolocation task that  attempts to reveal the true value. 2 Now consider the scenario depicted in Fig. 3. At initial state s 0 , the UAV attempts to move north (N), progressing the game to s 1 , where the adversary takes her turn by selecting an action from the set β(N) = {NE, N, NW}. The players take turns until the UAV performs GT, moving from s 4 to s 5 . With probability p = δ(s 5 , τ, s 6 ), the UAV detects its true location and updates its belief accordingly (s 6 ). Otherwise, the belief remains the same (s 4 ).
Problem Formulation. Following the system described in Example 2, we now consider the composed HIG G H = M adv M uav M adv shown in Fig. 4, which incorporates standard models of a UAV (M uav ), an adversary (M adv ), and a geolocation-task advisory system (M as ) (e.g., see [11,12]). The probability of a successful detection p(v T , v B ) is a function of both the location where the UAV believes to be current (v B ), and the ground truth location that the UAV actually occupies (v T ). Reasoning about the flight plan using such model becomes problematic since the ground truth v T is inherently unknown to the UAV (i.e., PL II ), and thus so is p(v T , v B ). Furthermore, such representation, where some information is hidden, is not supported by off-the-shelf SMG model checkers. Consequently, for such HIGs, our goal is to find an alternative representation that is suitable for strategy synthesis using off-the-shelf SMG model-checkers.

Delayed-Action Games
In this section, we provide an alternative representation of HIGs that eliminates the use of private variables -we introduce Delayed-Action Games (DAGs) that exploit the notion of delayed actions. Furthermore, we show that for any HIG, a DAG that simulates the former can be constructed.

Delayed Actions
Informally, a DAG reconstructs an HIG such that actions of PL I (the player with access to perfect information) follow the actions of PL II , i.e., PL I actions are delayed. This rearrangement of the players' actions provides a means to hide information from PL II without the use of private variables, since in this case, at PL II states, PL I actions have not occurred yet. In this way, PL II can act as though she has complete information at the moment she makes her decision, as the future state has not yet happened and so cannot be known. In essence, the formalism can be seen as a partial ordering of the players' actions, exploiting the (partial) superposition property that a wide class of physical systems exhibit. To demonstrate this notion, let us consider DAG modeling on our running example.
Example 3 (Delaying Actions). Fig. 5 depicts the (HIG-based) scenario from Fig. 3, but in the corresponding DAG, where the UAV actions are performed first (inŝ 0 ,ŝ 1 ,ŝ 2 ), followed by the adversary delayed actions (inŝ 3 ,ŝ 4 ). Note that, in the DG model, at the time the UAV executed its actions (ŝ 0 ,ŝ 1 ,ŝ 2 ) the adversary actions had not occurred (yet). Moreover,ŝ 0 andŝ 6 ( Fig. 5) share the same belief and true values as s 0 and s 6 ( Fig. 3), respectively, though the transient states do not exactly match. This will be used to show the relationship between the games.
The advantage of this approach is twofold. First, the elimination of private variables enables simulation of an HIG using a full-information game. Thus, the formulation of the strategy synthesis problem using off-the-shelf SMG-based tools becomes feasible. In particular, a PL II synthesized strategy becomes dependent on the knowledge of PL I behavior (possible actions), rather than the specific (hidden) actions. We formalize a DAG as follows.
Note that, in contrast to transition function δ in HIG G H ,δ in DAG G D only allows transitionsŝ II toŝ II orŝ I , as well asŝ I toŝ I orŝ , and probabilistic transitionsŝ toŝ II ; also note thatŝ II toŝ I is conditioned by the action θ.
DAG Semantics. A DAG state is a tupleŝ = t ,û, w, j, γ , which for simplicity we shorthand asŝ γ t ,û, w, j , wheret ∈ Ev (v T ) is the last known true value, u ∈ Ev (v B ) is PL II belief, w ∈ A * II captures PL II actions taken since the last known true value, j ∈ N 0 is an index on w, and γ ∈ Γ is the current player index. The game transitions are defined using the semantic rules from Fig. 6. Note that PL II can execute multiple moves (i.e., actions) before executing θ to attempt to reveal the true value (D2), moving to a PL I state where PL I executes all her delayed actions before reaching a 'revealing' stateŝ (D3). Finally, the revealing attempt can succeed with probability p i where PL II belief is updated (i.e.,û =t ), or otherwise remains unchanged (D4).
In both G H and G D , we label states where all players have full knowledge of the current state as proper. We also say that two states are similar if they agree on the belief, and equivalent if they agree on both the belief and ground truth.
From the above definition, we have that s ŝ =⇒ s ∈ Prop(G H ),ŝ ∈ Prop(G D ). We now define execution fragments, possible progressions from a state to another.

Definition 5 (Execution Fragment
). An execution fragment (of either an SMG, DAG or HIG) is a finite sequence of states, actions and probabilities = s 0 a 1 p 1 s 1 a 2 p 2 s 2 . . . a n p n s n such that (si We use first( ) and last( ) to refer to the first and last states of , respectively. If both states are proper, we say that is proper as well, denoted by ∈ Prop(G H ). 4 Moreover, is deterministic if no probabilities appear in the sequence.
Definition 6 (Move). A move m γ of an execution from state s ∈ , denoted by move γ (s, ), is a sequence of actions a 1 a 2 . . . a i ∈ A * γ that player γ performs in starting from s.
By omitting the player index we refer to the moves of all players. To simplify notation, we use move( ) as a short notation for move(first( ), ). We write (m)(first( )) = last( ) to denote that the execution of move m from the first( ) leads to the last( ). This allows us to now define the delay operator as follows.
Definition 7 (Delay Operator). For an G H , let m = move( ) = a 1 b 1 . . . a n b n θ be a move for some deterministic ∈ TS(G H ), where a 1 ...a n ∈ A * II , b 1 ...b n ∈ A * I . The delay operator, denoted by m, is defined by the rule m = a 1 . . . a n θb 1 . . . b n .
Intuitively, the delay operator shifts PL I actions to the right of PL II actions up until the next probabilistic state. For example,

Simulation Relation
Given an HIG G H , we first define the corresponding DAG G D .

Definition 8 (Correspondence). Given an HIG G H , a corresponding DAG
] is a DAG that follows the semantic rules displayed in Fig. 7.

Properties of DAG and DAG-based Synthesis
In this section, we discuss some of the DAG features and show how a DAG can be decomposed into a set of subgames by restricting the simulation to finite executions. We also examine preservation of DAG safety properties before proposing a DAG-based synthesis framework.
Transitions. In DAGs, nondeterministic actions of different players underline different semantics. Specifically, PL I nondeterminism captures what is known about the adversarial behavior, rather than exact actions, where PL I actions are constrained by the earlier PL II action. Conversely, PL II nondeterminism abstracts the player's decisions. This distinction reflects how DAGs can be used for strategy synthesis under hidden information. To illustrate this, suppose that a strategy π II is to be obtained based on a worst-case scenario. In that case, the game is explored for all possible adversarial behaviors. Yet, if a strategy π I is known about PL I , a counter strategy π II can be found by constructing G πI D . Probabilistic behaviors in DAGs are captured by a virtual player PL , and is characterized by the transition functionδ :Ŝ ×Ŝ II → [0, 1]. The specific definition ofδ depends on the modeled system. For instance, if the transition function (i.e., the probability) is state-independent, i.e.,δ(ŝ ,ŝ II ) = c, c ∈ [0, 1], the obtained model becomes trivial. Yet, with a state-dependent transition function, i.e.,δ(ŝ ,ŝ II ) = p(t,û), the probability that PL II successfully reveals the true value depends on both the belief and the true value, and the transition function can then be realized sinceŝ holds botht andû.
Decomposition. Consider an executionˆ * =ŝ 0 a 1ŝ1 a 2ŝ2 . . . that describes a scenario where PL II performs infinitely many actions with no attempt to reveal the true value. To simulateˆ * , the word w needs to infinitely grow. Since we are interested in finite executions, we impose stopping criteria on the DAG, such that the game is trapped whenever |w| = h max is true, where h max ∈ N is an upper horizon. We formalize the stopping criteria as a deterministic finite automaton (DFA) that, when composed with the DAG, traps the game whenever the stopping criteria hold. Note that imposing an upper horizon by itself is not a sufficient criterion for a DAG to be considered a stopping game [8]. Conversely, consider a proper (and hence finite) executionˆ =ŝ 0 a 1 . . .ŝ , whereŝ 0 ,ŝ ∈ Prop(G D ). From Definition 9, it follows that a DAG initial state is strictly proper, i.e.,ŝ 0 ∈ Prop(G D ). Hence, whenŝ is reached, the game can be seen as if it is repeated with a new initial stateŝ . Consequently, a DAG game (complemented with stopping criteria) can be decomposed into a (possibly infinite) countable set of subgames that have the same structure yet different initial states.
Definition 10 (DAG Subgames). The subgames of a G D are defined by the II ∀i, j ∈ N 0 . Intuitively, each subgame either reaches a proper state (representing the initial state of another subgame) or terminates by an upper horizon. This decomposition allows for the independent (and parallel) analysis of individual subgames, as well as further utilization of the obtained results for studying the corresponding supergame; drastically reducing both the time required for synthesis and the explored state space, and hence improving scalability. An example of this decompositional approach is provided in Sec. 5.
Preservation of safety properties. In DAGs, the action θ denotes a transition from PL II to PL I states and thus the execution of any delayed actions. While this action can simply describe a revealing attempt, it can also serve as a what-if analysis of how the true value may evolve at stage i of a subgame. We refer to an execution of the second type as a hypothetical branch, where Hyp(ˆ , h) denotes the set of hypothetical branches fromˆ at stage h ∈ {1, . . . , n}. Let L safe (s) be a labeling function denoting if a state is safe. The formula Φ safe := [G safe] is satisfied by an execution in HIG iff all s(t, u, Ω) ∈ are safe. Now, considerˆ of the DAG, whereˆ ∼ . We identify three cases: (i) L safe (s) depends only on belief value u, then |= Φ safe iff allŝ II ∈ˆ are safe. (ii) L safe (s) depends only on true value t, then |= Φ safe iff allŝ I ∈ Hyp(ˆ , n) are safe. (iii) L safe (s) depends both on true and belief values t, u, then |= Φ safe iff last(ˆ h ) is safe for allˆ h ∈ Hyp(ˆ , h), h ∈ {1, ..., n}, where n is the number of PL II actions. These relations are to be taken into account when using DAGs for synthesis.
Synthesis Framework. We here propose a framework for strategy synthesis using DAGs, summarized in Fig. 8. We start by formulating the automata M I , M II and M , representing PL I , PL II and PL abstract behaviors, respectively. Next, a FIFO memory stack (m i ) n i=1 ∈ A n II is implemented using two automata M mrd and M mwr to perform reading and writing operations, respectively. 5 The DAG G D is constructed by following the procedure summarized in Algorithm 1.
Given a synthesis query φ syn and the constructed DAG G D , the procedure described in Algorithm 2 can be used for strategy synthesis. Starting with the initial subgame, the procedure checks for each horizon of size h whether φ syn is satisfied (hence a strategy exists) if θ is performed at stage h. These iterations are terminated when reaching the maximum search horizon h max or failing to satisfy φ syn . 6 Subgames can then be pruned by discarding strategies that fail is an MDP of complete information that can be easily used for further analysis.

Case Study
In this section, we consider a case study which is an extension of our running example -a system where a human operator supervises a UAV prone to stealthy attacks on its GPS sensor. The UAV mission is to visit a number of targets after being airborne from a known base (initial state), while avoiding hazard zones that are known a priori. Moreover, the presence of adversarial stealthy attacks via GPS spoofing is assumed. We use the DAG framework to synthesize strategies for both the UAV and an operator advisory system (AS) that schedules geolocation tasks for the operator.
Modeling. We model the system as a delayed-action game G D , where PL I and PL II represent the adversary and the UAV-AS coalition, respectively. Fig. 9 shows the model primary and auxiliary components. In the UAV model M uav ,  Let (x 0 , y 0 ) be the initial UAV location that is known to be true. The goal is to find strategies for the UAV-AS coalition based on the following requirements: is specified for each encountered subgameĜ i , where locate indicates a successful geolocation task. 8 By following Algorithm 2 for a q number of reachable subgames, the supergame is reduced to an MDP G (whose states are the reachable subgames), which is checked against the query φ ana (n) := adv Pr min,max=? F n target (2) to find the bounds on the probability that the target is reached under a maximum number of geolocation tasks n.
Experimental Results. Fig. 10(a) shows the map setting used for implementation. The UAV's ability to actively detect an attack depends on both its belief and the ground truth. Specifically, the probability of success in a geolocation task mainly relies on the disparity between the belief and true locations, captured by f dis : 9 We also include the map boundaries to the set of hazard zones to prevent the UAV from reaching boundary values.
For the UAV to ever arrive to any designated target, a practical assumption is to prohibit the adversary from launching any attack for at least the first step, preventing the UAV model from infinitely bouncing around the target location. We implemented the model in PRISM-games [7] and performed the experiments on an Intel Core i7 4.0 GHz CPU, with 10GB RAM dedicated to the tool. Fig. 10(b) shows the supergame obtained by following the procedure in Algorithm 2. A vertexĜ xy represents a subgame (composed with its strategy) that starts at location (x, y), while the outgoing edges points to subgames reachable from the current one. Note that each edge represents a probabilistic transition. Subgames with more than one outgoing transition imply nondeterminism that is resolved by the adversary actions. Hence, the directed graph depicts an MDP.
By analyzing the supergame against φ ana from (2), we study the effect of the maximum number of geolocation tasks (n) on the probability to reach the target. As shown in Fig. 11(b), the minimum number of geolocation tasks to guarantee a non-zero minimum probability of reaching the target (regardless of the adversary    strategy) is 3, where the probability bounds obtained are (33.7%, 94.4%). By allowing for an extra geolocation task (i.e., n = 4), the minimum probability becomes almost twice as before (63.8%), while the upper bound slightly increases (98.9%). The increase in the lower bound slows down until both bounds level off at n=8. Note that these results include the geolocation task at the target itself.
For the initial subgame, Fig. 11(a) shows the maximum probability of a successful geolocation task if performed at stage h, and the remaining distance to target. The trends show that, assuming the adversary can launch attacks after the stage h adv = 2, the maximum probability of detection can be achieved by performing the geolocation task at step 4 (for all possible adversary strategies). For h adv =1, however, a geolocation task at stage h=3 has the highest probability of success, which drops to 0 at h=6; a stage where no possible flight plan exists without encountering a hazard zone. Conversely, for h adv =2, hazard areas can still be avoided up till h = 6. The synthesized strategy for (h adv = 2, h = 4) is demonstrated in Fig. 10(c).
The experimental data obtained for this case study are listed in Table 1. Note that, for the same grid size, more complex maps require more time for synthesis while the state space size remains unaffected. The number of states grows exponentially with the explored horizon size, i.e., O (|A uav ||A adv |) h , and is typically slowed by, e.g., the presence of hazard areas, since the branches of the game transitions are trimmed upon encountering such areas. Interestingly, for h=6 and h=7, while the model construction time (size) for h adv =1 is almost twice (quadruple) as those for h adv =2, the time for checking φ syn declines in comparison. This reflects the fact that, in case of h adv =1 compared to h adv =2, the UAV has higher chances to reach a hazard zone for the same k, leading to a shorter time for model checking.

Discussion and Conclusion
In this paper, we have introduced Delayed Action Games (DAGs) and have shown how DAGs can simulate Hidden-Information Games (HIGs) by delaying players' actions. We have also derived a DAG-based framework that allows for strategy synthesis and analysis using off-the-shelf model checkers that support Stochastic Multiplayer Games (SMGs). Under some practical assumptions, we have demonstrated that DAGs can be decomposed into a set of independent subgames. This decomposition provides the advantage of utilizing parallel computation to reduce the time needed for model analysis, as well as the size of the state space. We have further demonstrated the applicability of the proposed framework on a case study focused on synthesis and analysis of active attack detection strategies for UAVs prone to cyber attacks. The concept of delaying actions implicitly assumes that the adversary knows the UAV actions a priori. This does not present a concern in the presented case study as an abstract (i.e., nondeterministic) adversary model is analogous to synthesizing against the worst-case attacking scenario. That being said, it is clear that strategies synthesized using DAGs (and SMGs in general) are inherently conservative. Depending on the investigated system, this can easily lead to finding no feasible solution. Future work will include more case studies, e.g., scheduling active attack detection for multiple-UAV systems, and how synthesis based on multiple objectives can be utilized in DAGs.