An Optimal Decision-Making Method for Cyberspace Countermeasure Based on Game Theory

Traditional decision-making methods rely on the awareness of operators on one side only and evaluate the state of the environment and devices statically. However, as the correlations between actions in cyberspace grow more complex and cyberspace confrontation changes constantly, such methods cannot meet practical requirements. To solve these problems, this paper puts forward a tree-based search algorithm that exploits the correlations between actions, scores all plausible courses of action dynamically, and gives optimal tactical advice to both defenders and attackers. It also reduces the resources operators must spend to decide their actions. Experimental results show the feasibility and effectiveness of the proposed decision-making method.

Introduction

Decision-making is regarded as the cognitive process resulting in the selection of a belief or course of action among several alternative possibilities [1]. Game theory is the study of mathematical models of conflict and cooperation between intelligent rational decision-makers [2]. In recent years, it has been applied to computer networks to study their security. With the development of computer network (CN) attack technology, intelligent, coordinated and diversified attack methods are in vogue, while defense technology is booming accordingly. This is a game between the CN attacker and defender. The key problem for a player is how to find an optimal tactic that effectively reduces security risk or increases the attack success rate while cutting the cost of the action [3]. RoyS et al. [4] have reviewed the application of game theory in the CN security domain according to different game models. YanFen et al. [5] described CN situation awareness based on game theory.
They define the game parameters from the manager's evaluation of network node importance, which makes the method somewhat subjective, and they pay too much attention to the defense side. Because the CN environment is dynamic and the opponent's moves are unpredictable, WangChunlu et al. [6] put forward a random game model combined with the random Petri net model to resolve sophisticated and dynamic network confrontation. Allen Ott et al. [7] introduced a mathematical search method, the Themistocles engine, which solved the time-related and error-tolerance problems of game models.

Figure.1 Diagram of a Brief View of Game Process between Two Players

In this paper, a tree-based search method based on game theory is introduced to optimize tactics in network confrontation moves dynamically for both attacker and defender. This method can advise a particular player in selecting a future course of action based on their estimate of the current state.

The remainder of this paper is organized as follows. Section 2 presents the structure and the key search algorithms for the optimal move. Section 3 gives an example of the algorithm's use and analyzes the result. Finally, we conclude in Section 4.

2nd International Conference on Advances in Mechanical Engineering and Industrial Informatics (AMEII 2016). © 2016. The authors. Published by Atlantis Press.

Structure and Algorithms

Figure.2 shows the structure of our decision-making method. The "game" starts when the human/computer selects the game action queues. The action queue searching methods and scoring algorithms are the key components of our work. We output every plausible COA and its corresponding score. After all plausible COAs have been traversed, the game is over, and we obtain a recommended COA that may be useful for a real-world decision maker.

Definitions.

State: The set of all variables and their associated values needed to identify the situation of a particular device at a given time (e.g., device on/off state, FTP service available/unavailable, patch version, risk, etc.). The state changes during the interesting time.

Move: A relatively small set of steps that can be executed on a physical device (e.g., port scan, restore system, etc.). A move is generated after the system has given the corresponding advice to operators.

Course of Action (COA): One or more individual moves taken by each player at a given stage of the game, starting from their estimate of the current game state S(n) at time n.

Interesting Time: The time when a move is being executed or is being detected by the opponent.

State estimation: Estimating one's own and the opponent's future state based on existing information and expert experience.

Count function: A utility function with which a player counts the state-related score for a predictable action.

Score: The measure of resource cost. Move scores are assigned from previous experience, while COA scores are computed by the algorithms.
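
The search described above, as an added example that is not the paper's own code: it enumerates every COA of alternating attacker and defender moves, scores each with a count function, and picks a recommended COA by minimax, which is an assumption here because the paper's scoring algorithm is not shown in this section. The state variables, the moves other than "port scan" and "restore system", and all costs are constructed for illustration.

```python
from typing import NamedTuple

class State(NamedTuple):  # constructed variables, modelled on the State definition
    ftp_up: bool
    patched: bool
    scanned: bool
    risk: int

# Move tables: name -> (move score = resource cost, effect on state). Values constructed.
ATTACKER = {
    "port scan": (1, lambda s: s._replace(scanned=True)),
    "attack service": (3, lambda s: s._replace(risk=s.risk + 10)
                       if s.scanned and s.ftp_up and not s.patched else s),
}
DEFENDER = {
    "no action": (0, lambda s: s),
    "apply patch": (2, lambda s: s._replace(patched=True)),
    "restore system": (4, lambda s: s._replace(risk=0, scanned=False)),
}

def count(state, att, dfn):
    """Assumed count function: the attacker maximises it, the defender minimises it."""
    return state.risk + dfn - att

def expand(state, depth, attacker_turn=True, att=0, dfn=0, coa=()):
    """Yield (coa, score) for every plausible COA of `depth` alternating moves."""
    if depth == 0:
        yield coa, count(state, att, dfn)
        return
    for name, (cost, effect) in (ATTACKER if attacker_turn else DEFENDER).items():
        yield from expand(effect(state), depth - 1, not attacker_turn,
                          att + cost * attacker_turn, dfn + cost * (not attacker_turn),
                          coa + (name,))

def recommend(state, depth, attacker_turn=True, att=0, dfn=0, coa=()):
    """Minimax over the same tree: each player assumes the opponent's best reply."""
    if depth == 0:
        return count(state, att, dfn), coa
    moves = ATTACKER if attacker_turn else DEFENDER
    children = [recommend(effect(state), depth - 1, not attacker_turn,
                          att + cost * attacker_turn, dfn + cost * (not attacker_turn),
                          coa + (name,))
                for name, (cost, effect) in moves.items()]
    return (max if attacker_turn else min)(children, key=lambda c: c[0])

START = State(ftp_up=True, patched=False, scanned=False, risk=0)

if __name__ == "__main__":
    for coa, score in sorted(expand(START, 4), key=lambda x: -x[1])[:5]:
        print(score, " -> ".join(coa))
    print("recommended:", recommend(START, 4))
```

In this toy model the highest-scoring single COA is not the recommended one, because the recommendation assumes the defender answers each attacker move with its own best reply.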