PoolFlip: Geometry & Cybersecurity Strategies
- PoolFlip is a dual-context term denoting pooled flip processing in both computational geometry for regular triangulations and a POMDP-based cyber defense environment.
- In computational geometry, PoolFlip uses pooled GKZ-vectors to streamline regularity tests and reduce the need for extensive linear programming.
- In cybersecurity, PoolFlip extends the FlipIt game into a gym-style MARL setup with actions like Check to model stealthy contest dynamics and resource control.
Searching arXiv for “PoolFlip” and directly related papers to ground the article. PoolFlip is a term with two distinct uses in recent arXiv literature. In computational geometry, it denotes an implementation strategy in mptopcom for processing a pool of candidate flips at once when enumerating regular triangulations, replacing many full regularity checks by pooled cone-processing based on flip GKZ-vectors (Kastner, 2024). In cybersecurity, the title-bearing usage refers to “PoolFlip: A Multi-Agent Reinforcement Learning Security Environment for Cyber Defense”, a multi-agent reinforcement learning (MARL) security environment that extends the FlipIt game into a practical gym-style setting for training attackers and defenders under stealthy, partially observable control competition (Cadet et al., 27 Aug 2025). The latter is the dominant named usage of the term, while the former is an implementation-specific strategy rather than a separate mathematical object.
1. Terminological scope and placement
The two usages share a common structural idea: treating multiple local flip opportunities together rather than as isolated events. In the mptopcom setting, PoolFlip means pooling all flip vectors of a regular triangulation and preprocessing them jointly before resorting to linear programming (Kastner, 2024). In the cyber-defense setting, PoolFlip is a POMDP formulation of the FlipIt security game with explicit attacker and defender agents, richer action spaces, partial observability, and population-based training (Cadet et al., 27 Aug 2025).
This terminological overlap does not imply a shared formalism. The computational-geometry usage is embedded in the theory of regular triangulations, the secondary polytope, and GKZ-vectors. The cybersecurity usage is embedded in MARL, PSRO, PPO-based policy optimization, and security-game abstraction. A plausible implication is that the name “PoolFlip” reflects a recurring algorithmic motif—processing a set of flip-related possibilities collectively—but the two literatures study different objects, objectives, and proof techniques.
2. PoolFlip as a cyber-defense MARL environment
In cybersecurity, PoolFlip is designed as a partially observable Markov decision process (POMDP) with observation space , state space , action space , transition probability , and reward function (Cadet et al., 27 Aug 2025). The environment models a stealthy contest over shared cyber resources between an Attacker / Red Agent and a Defender / Blue Agent, where the attacker seeks compromise and the defender seeks to recapture and retain control.
PoolFlip extends the classical FlipIt game in several explicit ways. It is packaged as a gym-style environment for efficient RL experimentation, and it adds a Check action to the original FlipIt choices of Flip and Sleep. For resources, the action space has size
$1 + 2R$
with ordering
This produces a model in which inactivity, inspection, and targeted takeover or restoration can all be represented directly.
The environment is intentionally abstracted from network topology, unlike more detailed simulators such as CybORG or CyberBattleSim. This abstraction is used to emphasize game-theoretic strategy learning rather than infrastructure-specific simulation. The cyber interpretation of the actions is also explicit: Check can correspond to host scans, log review, SIEM queries, reconnaissance, port checking, or persistence validation, while Flip can correspond to patching, malware removal, credential reset, host restoration, exploitation, payload deployment, or privilege escalation (Cadet et al., 27 Aug 2025).
3. Ownership, observability, and reward structure
A central state variable in PoolFlip is resource ownership. Control of resource at time is represented by 0, and ownership evolves according to the rule
1
where 2 is the set of contestants who claim the resource at that step (Cadet et al., 27 Aug 2025). This means that ownership usually persists unless contested in the absence of the current owner; stochasticity arises when there are simultaneous flips without the previous owner present.
Partial observability is implemented with explicit memory. Agents do not know the current state unless they act, and they track whether they own the resource, time since they captured it, and time since the opponent captured it. For memory limit 3, elapsed time is clipped as
4
one-hot encoded with an extra “unknown” cell, giving a per-resource observation size of
5
For 6 resources, the total observation size is
7
or equivalently a matrix in
8
Reward is defined by ownership gain minus action cost: 9 where 0 is the set of resources owned by agent 1 at time 2 (Cadet et al., 27 Aug 2025). This induces the basic strategic tradeoff of the game: maintaining control yields cumulative value, but repeated action—especially Flip—incurs cost. The paper notes that when flipping is too expensive relative to gain, an agent may need to wait many time steps between flips to remain profitable, which rules out naïve “flip every turn” behavior.
The environment supplements reward with ownership-oriented evaluation criteria. For a single resource 3, the ownership score of agent 4 is
5
the fraction of time that agent controls the asset (Cadet et al., 27 Aug 2025). This is paired with a win criterion based on exceeding a predefined ownership threshold 6, reflecting the fact that intermittent control may be insufficient in realistic defense settings.
4. Heuristic populations and Flip-PSRO
A major design feature of PoolFlip is the inclusion of a pool of parameterized heuristic attackers/defenders used both for evaluation and for population-based learning (Cadet et al., 27 Aug 2025). The paper divides these into non-adaptive heuristics and adaptive heuristics.
The non-adaptive heuristics are SleepOnly, Periodic, Burst, and Awakening. For Awakening, the probability of flipping at time 7 is
8
The adaptive heuristics are Retaliating, Periodic Check (PC), Periodic Aggressive Check (PAC), and UPAC. These are intended to capture behaviors such as dormant attackers, periodic activity, aggressive recovery, and regular monitoring and remediation.
The learning method proposed over this environment is Flip-PSRO, a PSRO-based MARL approach. The underlying normal-form notation is
9
with mixed strategies
0
and best responses
1
The high-level loop initializes 2 with heuristic policies, starts with
3
samples opponents from the current meta-strategy, trains a PPO policy against them, evaluates that policy against all strategies in the pool, updates the utility matrix 4, and recomputes the meta-strategy (Cadet et al., 27 Aug 2025).
A key modification relative to standard payoff optimization is the use of response objectives 5, which can be based on reward, win rate by ownership, or normalized performance gap. If 6 is ownership- or gap-based, the next opponent mixture is chosen via
7
This shifts training pressure toward strategically relevant opponents rather than merely maximizing one-step return.
The paper also defines a specialist-relative gap metric. If 8 is a heuristic opponent and 9 a specialist trained against it, then
0
and the normalized form across heuristics is
1
This is used to emphasize opponents for which the current policy underperforms relative to a heuristic-specific specialist (Cadet et al., 27 Aug 2025).
5. Experimental configuration and empirical findings
The reported experiments use a deliberately simple setting: 100 time steps, 1 resource, 2 players, and action costs Sleep = 0.0, Check = 1.0, and Flip = 2.0, with +1 per time step of ownership as gain (Cadet et al., 27 Aug 2025). Default heuristic parameters are phase 2, random delay, burst length 3, burst phase 4, and awakening rate 5. PPO hyperparameters include Adam, learning rate 6, discount factor 7, clipping 8, 4 epochs per update, updates every 10 episodes, MSE loss, and entropy regularization 9. Flip-PSRO training uses 200 epochs, 100 episodes per epoch, 10 episodes stored in memory between updates, and evaluation averaged over 100 episodes.
The comparison set includes specialists, Iterated Best Response (IBR), and the best heuristic baseline, reported as Awakening(0.05) (Cadet et al., 27 Aug 2025). Heuristic performance is described as highly sensitive to parameter choice and cost structure. In particular, Awakening, Retaliating, and Periodic often perform well, while check-based strategies strengthen when checking is cheap; if Check cost is much lower, PAC(1) becomes especially strong.
The central empirical claim is about generalization. Across the heuristic pool, Flip-PSRO variants reach average rewards around 27–31, compared with 13.8 for the best heuristic and 23.2 for IBR. On previously unseen heuristic variants, the reported averages are IBR: 14.2, MSS-Unif: 27.2, MSS-O50%: 32.3, and MSS-O70%: 20.1, and the paper highlights roughly a 2× improvement in transfer performance over IBR, especially for ownership-based meta-strategies (Cadet et al., 27 Aug 2025).
Ownership-aware objectives also affect control quality directly. The paper reports that MSS-O70% achieves the highest average ownership, about 81.12%, and states that the newly designed ownership-based utility functions ensure that Flip-PSRO defenders maintain a high level of control while optimizing performance (Cadet et al., 27 Aug 2025). Self-play is explored as well, but in this simple single-resource setting it can lead to a kind of stalemate and reduce performance against the heuristic pool. This suggests that the benefit of self-play may depend on richer state and action spaces.
6. PoolFlip in mptopcom and the geometry of regular flips
In a separate and earlier usage, PoolFlip is the implementation strategy in mptopcom for handling all flips of a regular triangulation together when enumerating regular triangulations by reverse search (Kastner, 2024). Here the problem is not cyber defense but the regularity of triangulations of a point configuration. A triangulation is regular if it can be induced by a height function via lifting to the lower convex hull, and direct regularity checking is usually carried out by solving a linear program.
The conceptual shift behind PoolFlip is to avoid solving one full LP per neighboring triangulation. If 0 is regular and 1 is a flip, the paper studies the flip GKZ-vector
2
where
3
A central theorem states that if 4 forms a facet of 5, equivalently generates an extremal ray of the edge cone of the secondary polytope at 6, then the target triangulation 7 is regular (Kastner, 2024). This turns regularity testing into a local cone-extremality problem.
The geometric structure of flips makes the pooled approach effective. Every flip comes from a corank-one configuration 8 with affine dependence
9
and corresponding partition into $1 + 2R$0, $1 + 2R$1, and $1 + 2R$2. The flip GKZ-vector is sparse: it vanishes on $1 + 2R$3, is positive on $1 + 2R$4, and negative on $1 + 2R$5. This sign structure uniquely determines the circuit and hence the flip (Kastner, 2024).
PoolFlip, in practice, means collecting all flip vectors $1 + 2R$6 for a regular triangulation $1 + 2R$7, with $1 + 2R$8, and then applying recursive preprocessing before any serious LP solving. The workflow described in the paper is: collect all flip GKZ-vectors at once, use easy coordinate tests to identify rays immediately, remove already-certified rays, recurse on the reduced subsystem, and solve an LP only when sign and sparsity tests are insufficient (Kastner, 2024). The naïve extremality test would solve
$1 + 2R$9
separately for every 0; PoolFlip instead simplifies this pooled system coordinatewise.
The reduction rules include a single positive entry implies a ray criterion, a one positive and one negative entry criterion that certifies both vectors as rays while adding a derived vector to the reduced subsystem, and a scalar-multiple special case when only two vectors remain (Kastner, 2024). The paper emphasizes that this can drastically reduce both the number and size of LPs. For the benchmark 1, the pooled strategy required 0 LPs because all cases fell into the easiest type. Within the reverse-search traversal, this is presented not only as a speedup but also as a safer local criterion than caching “triangulation is regular” too aggressively, which can otherwise interfere with the reverse-search tree.
In this sense, the computational-geometry usage of PoolFlip is a pooled, sparse cone-processing method built around the geometry of the secondary polytope and the GKZ-vectors of flips, whereas the cybersecurity usage is a POMDP environment for population-based adversarial training. The shared name reflects a common emphasis on pooled handling of flip-related alternatives, but the two objects belong to distinct technical domains (Kastner, 2024).