Adaptive Security Response Strategies Through Conjectural Online Learning

Kim Hammar; Tao Li; Rolf Stadler; Quanyan Zhu

doi:10.1109/TIFS.2025.3558600

Adaptive Security Response Strategies Through Conjectural Online Learning

Kim Hammar^*, Tao Li, Rolf Stadler, Quanyan Zhu

^*Corresponding author for this work

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

3 Citations (Scopus)

Abstract

We study the problem of learning adaptive security response strategies for an IT infrastructure. We formulate the interaction between an attacker and a defender as a partially observed, non-stationary game. We relax the standard assumption that the game model is correctly specified and consider that each player has a probabilistic conjecture about the model, which may be misspecified in the sense that the true model has probability 0. This formulation allows us to capture uncertainty and misconception about the infrastructure and the intents of the players. To learn effective game strategies online, we design Conjectural Online Learning (COL), a novel method where a player iteratively adapts its conjecture using Bayesian learning and updates its strategy through rollout. We prove that the conjectures converge to best fits, and we provide a bound on the performance improvement that rollout enables with a conjectured model. To characterize the steady state of the game, we propose a variant of the Berk-Nash equilibrium. We present COL through an intrusion response use case. Testbed evaluations show that COL produces effective security strategies that adapt to a changing environment. We also find that COL enables faster convergence than current reinforcement learning techniques.
© 2025 The Authors.

Original language	English
Pages (from-to)	4055-4070
Number of pages	16
Journal	IEEE Transactions on Information Forensics and Security
Volume	20
Online published	8 Apr 2025
DOIs	https://doi.org/10.1109/TIFS.2025.3558600
Publication status	Published - 2025
Externally published	Yes

Funding

This work was supported in part by the Defense Advanced Research Project Agency (DARPA) through the CASTLE Program under Contract W912CG23C0029; and in part by the Wallenberg Artificial Intelligence (AI), Autonomous Systems and Software Program (WASP), funded by the Knut and Alice Wallenberg Foundation.

Research Keywords

Cybersecurity
network security
game theory
Berk-Nash equilibrium
Bayesian learning
rollout

Publisher's Copyright Statement

This full text is made available under CC-BY 4.0. https://creativecommons.org/licenses/by/4.0/

Access Output

10.1109/TIFS.2025.3558600

334316154.pdfFinal Published version, 3.86 MBLicence: CC BY

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{c664484a24ae41588d378d67c4fc3087,

title = "Adaptive Security Response Strategies Through Conjectural Online Learning",

abstract = "We study the problem of learning adaptive security response strategies for an IT infrastructure. We formulate the interaction between an attacker and a defender as a partially observed, non-stationary game. We relax the standard assumption that the game model is correctly specified and consider that each player has a probabilistic conjecture about the model, which may be misspecified in the sense that the true model has probability 0. This formulation allows us to capture uncertainty and misconception about the infrastructure and the intents of the players. To learn effective game strategies online, we design Conjectural Online Learning (COL), a novel method where a player iteratively adapts its conjecture using Bayesian learning and updates its strategy through rollout. We prove that the conjectures converge to best fits, and we provide a bound on the performance improvement that rollout enables with a conjectured model. To characterize the steady state of the game, we propose a variant of the Berk-Nash equilibrium. We present COL through an intrusion response use case. Testbed evaluations show that COL produces effective security strategies that adapt to a changing environment. We also find that COL enables faster convergence than current reinforcement learning techniques.{\textcopyright} 2025 The Authors.",

keywords = "Cybersecurity, network security, game theory, Berk-Nash equilibrium, Bayesian learning, rollout",

author = "Kim Hammar and Tao Li and Rolf Stadler and Quanyan Zhu",

year = "2025",

doi = "10.1109/TIFS.2025.3558600",

language = "English",

volume = "20",

pages = "4055--4070",

journal = "IEEE Transactions on Information Forensics and Security",

issn = "1556-6013",

publisher = "IEEE",

}

TY - JOUR

T1 - Adaptive Security Response Strategies Through Conjectural Online Learning

AU - Hammar, Kim

AU - Li, Tao

AU - Stadler, Rolf

AU - Zhu, Quanyan

PY - 2025

Y1 - 2025

N2 - We study the problem of learning adaptive security response strategies for an IT infrastructure. We formulate the interaction between an attacker and a defender as a partially observed, non-stationary game. We relax the standard assumption that the game model is correctly specified and consider that each player has a probabilistic conjecture about the model, which may be misspecified in the sense that the true model has probability 0. This formulation allows us to capture uncertainty and misconception about the infrastructure and the intents of the players. To learn effective game strategies online, we design Conjectural Online Learning (COL), a novel method where a player iteratively adapts its conjecture using Bayesian learning and updates its strategy through rollout. We prove that the conjectures converge to best fits, and we provide a bound on the performance improvement that rollout enables with a conjectured model. To characterize the steady state of the game, we propose a variant of the Berk-Nash equilibrium. We present COL through an intrusion response use case. Testbed evaluations show that COL produces effective security strategies that adapt to a changing environment. We also find that COL enables faster convergence than current reinforcement learning techniques.© 2025 The Authors.

AB - We study the problem of learning adaptive security response strategies for an IT infrastructure. We formulate the interaction between an attacker and a defender as a partially observed, non-stationary game. We relax the standard assumption that the game model is correctly specified and consider that each player has a probabilistic conjecture about the model, which may be misspecified in the sense that the true model has probability 0. This formulation allows us to capture uncertainty and misconception about the infrastructure and the intents of the players. To learn effective game strategies online, we design Conjectural Online Learning (COL), a novel method where a player iteratively adapts its conjecture using Bayesian learning and updates its strategy through rollout. We prove that the conjectures converge to best fits, and we provide a bound on the performance improvement that rollout enables with a conjectured model. To characterize the steady state of the game, we propose a variant of the Berk-Nash equilibrium. We present COL through an intrusion response use case. Testbed evaluations show that COL produces effective security strategies that adapt to a changing environment. We also find that COL enables faster convergence than current reinforcement learning techniques.© 2025 The Authors.

KW - Cybersecurity

KW - network security

KW - game theory

KW - Berk-Nash equilibrium

KW - Bayesian learning

KW - rollout

UR - http://www.scopus.com/inward/record.url?scp=105003490797&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-105003490797&origin=recordpage

U2 - 10.1109/TIFS.2025.3558600

DO - 10.1109/TIFS.2025.3558600

M3 - RGC 21 - Publication in refereed journal

SN - 1556-6013

VL - 20

SP - 4055

EP - 4070

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

ER -

Adaptive Security Response Strategies Through Conjectural Online Learning

Abstract

Funding

Research Keywords

Publisher's Copyright Statement

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this