Online Incident Response Planning under Model Misspecification through Bayesian Learning and Belief Quantization

TL;DR

This paper introduces MOBAL, an online Bayesian learning method for incident response planning that adapts to model misspecification by iteratively refining models and using quantization for efficient decision-making, demonstrated on a benchmark.

Contribution

The paper presents MOBAL, a novel online Bayesian learning approach that improves incident response planning under model misspecification through model refinement and quantization.

Findings

MOBAL outperforms existing methods in adaptability.

MOBAL is robust to model misspecification.

The approach is validated on the CAGE-2 benchmark.

Abstract

Effective responses to cyberattacks require fast decisions, even when information about the attack is incomplete or inaccurate. However, most decision-support frameworks for incident response rely on a detailed system model that describes the incident, which restricts their practical utility. In this paper, we address this limitation and present an online method for incident response planning under model misspecification, which we call MOBAL: Misspecified Online Bayesian Learning. MOBAL iteratively refines a conjecture about the model through Bayesian learning as new information becomes available, which facilitates model adaptation as the incident unfolds. To determine effective responses online, we quantize the conjectured model into a finite Markov model, which enables efficient response planning through dynamic programming. We prove that Bayesian learning is asymptotically consistent with respect to the information feedback. Additionally, we establish bounds on misspecification and quantization errors. Experiments on the CAGE-2 benchmark show that MOBAL outperforms the state of the art in terms of adaptability and robustness to model misspecification.