This paper addresses the challenge of real-time estimation of attack infection states in large-scale networks, where the Boolean Kalman filter suffers from exponential time and space complexity. We propose a mean-field-theoretic state estimation algorithm that—novelty notwithstanding—introduces mean-field approximation into the networked FlipIt game framework. The model jointly captures attack propagation dynamics, noisy observations (e.g., IDS false positives/negatives), and the defender’s dynamic cleanup mechanism. Crucially, we provide a rigorous theoretical proof showing that, under nontrivial conditions, this heuristic estimator is *exactly equivalent* to the optimal Boolean Kalman filter. Computationally, the algorithm reduces complexity from exponential to polynomial time. Simulation results confirm substantial runtime reduction while preserving near-optimal estimation accuracy. Thus, our approach delivers a scalable, provably correct solution for real-time security situational awareness in large-scale networks.

The Boolean Kalman Filter and associated Boolean Dynamical System Theory have been proposed to study the spread of infection on computer networks. Such models feature a network where attacks propagate through, an intrusion detection system that provides noisy signals of the true state of the network, and the capability of the defender to clean a subset of computers at any time. The Boolean Kalman Filter has been used to solve the optimal estimation problem, by estimating the hidden true state given the attack-defense dynamics and noisy observations. However, this algorithm is infeasible because it runs in exponential time and space with respect to the network size. We address this feasibility problem by proposing a mean-field estimation approach, which is inspired by the epidemic modeling literature. Although our approach is heuristic, we prove that our estimator exactly matches the optimal estimator in certain non-trivial cases. We conclude by using simulations to show both the run-time improvement and estimation accuracy of our approach.