Learning to Defend by Attacking (and Vice-Versa): Transfer of Learning in Cybersecurity Games

Tailia Malloy, Cleotilde Gonzalez

TL;DR

This work addresses the mismatch between classical optimal-defense assumptions and real human attacker behavior in cyber defense. It introduces IBToM, a cognitive model that combines Instance-Based Learning Theory, Theory of Mind, and Transfer of Learning to train agents in both attacker and defender roles, predicting beliefs and actions of opponents. By incorporating predictions of opponent behavior and enabling role-based transfer, IBToM outperforms boundedly rational baselines and maintains strong performance against diverse, human-like strategies in simulated Stackelberg Security Games. The results suggest that cognitively grounded transfer learning can meaningfully improve cyber defense systems and offer a tractable path toward evaluating defense against unpredictable human adversaries.

Abstract

Designing cyber defense systems to account for cognitive biases in human decision making has demonstrated significant success in improving performance against human attackers. However, much of the attention in this area has focused on relatively simple accounts of biases in human attackers, and little is known about adversarial behavior or how defenses could be improved by disrupting attackers' behavior. In this work, we present a novel model of human decision-making inspired by the cognitive faculties of Instance-Based Learning Theory, Theory of Mind, and Transfer of Learning. This model functions by learning from both roles in a security scenario, defender and attacker, and by making predictions of the opponent's beliefs, intentions, and actions. The proposed model can better defend against attacks from a wide range of opponents compared to alternatives that attempt to perform optimally without accounting for human biases. Additionally, the proposed model performs better against a range of human-like behavior by explicitly modeling human transfer of learning, which has not yet been applied to cyber defense scenarios. Results from simulation experiments demonstrate the potential usefulness of cognitively inspired models of agents trained in attack and defense roles and how these insights could potentially be used in real-world cybersecurity.

Paper Structure

This paper contains 13 sections, 7 equations, 4 figures, 1 table, 1 algorithm.

Figures (4)

  • Figure 1: Comparison of (a) self-play training for attack and defense agents and (b) our proposed theory-of-mind transfer of learning training.
  • Figure 2: Top: Agent reward when paired against Upper Confidence Bound (left), Instance-Based Learning (middle) and Instance-Based Theory of Mind (right). First 50 trials are as the attacking agent, then 50 trials as the defending agent. Bottom: The same comparison of agent reward paired with other models with reversed training. The first 50 trials are for the defending agent, then 50 trials for the attacking agent.
  • Figure 3: Performance of trained models making the decisions of the defender agent against a population of all models with randomized parameters when selecting the actions of the attacker.
  • Figure 4: Performance of trained models making the decisions of the attacker agent against a population of all models with randomized parameters when selecting the actions of the defender.