Online Incident Response Planning under Model Misspecification through Bayesian Learning and Belief Quantization
This addresses the challenge of making fast cyberattack response decisions with incomplete or inaccurate information, offering a practical improvement over existing frameworks that rely on detailed models.
The paper tackles the problem of incident response planning under model misspecification by presenting MOBAL, an online method that iteratively refines models through Bayesian learning and uses quantization for efficient planning. Experiments on the CAGE-2 benchmark show that MOBAL outperforms state-of-the-art methods in adaptability and robustness.
Effective responses to cyberattacks require fast decisions, even when information about the attack is incomplete or inaccurate. However, most decision-support frameworks for incident response rely on a detailed system model that describes the incident, which restricts their practical utility. In this paper, we address this limitation and present an online method for incident response planning under model misspecification, which we call MOBAL: Misspecified Online Bayesian Learning. MOBAL iteratively refines a conjecture about the model through Bayesian learning as new information becomes available, which facilitates model adaptation as the incident unfolds. To determine effective responses online, we quantize the conjectured model into a finite Markov model, which enables efficient response planning through dynamic programming. We prove that Bayesian learning is asymptotically consistent with respect to the information feedback. Additionally, we establish bounds on misspecification and quantization errors. Experiments on the CAGE-2 benchmark show that MOBAL outperforms the state of the art in terms of adaptability and robustness to model misspecification.