Papers
Topics
Authors
Recent
Search
2000 character limit reached

Explainable Autonomous Cyber Defense using Adversarial Multi-Agent Reinforcement Learning

Published 6 Apr 2026 in cs.CR, cs.LG, and cs.MA | (2604.04442v1)

Abstract: Autonomous agents are increasingly deployed in both offensive and defensive cyber operations, creating high-speed, closed-loop interactions in critical infrastructure environments. Advanced Persistent Threat (APT) actors exploit "Living off the Land" techniques and targeted telemetry perturbations to induce ambiguity in monitoring systems, causing automated defenses to overreact or misclassify benign behavior as malicious activity. Existing monolithic and multi-agent defense pipelines largely operate on correlation-based signals, lack structural constraints on response actions, and are vulnerable to reasoning drift under ambiguous or adversarial inputs. We present the Causal Multi-Agent Decision Framework (C-MADF), a structurally constrained architecture for autonomous cyber defense that integrates causal modeling with adversarial dual-policy control. C-MADF first learns a Structural Causal Model (SCM) from historical telemetry and compiles it into an investigation-level Directed Acyclic Graph (DAG) that defines admissible response transitions. This roadmap is formalized as a Markov Decision Process (MDP) whose action space is explicitly restricted to causally consistent transitions. Decision-making within this constrained space is performed by a dual-agent reinforcement learning system in which a threat-optimizing Blue-Team policy is counterbalanced by a conservatively shaped Red-Team policy. Inter-policy disagreement is quantified through a Policy Divergence Score and exposed via a human-in-the-loop interface equipped with an Explainability-Transparency Score that serves as an escalation signal under uncertainty. On the real-world CICIoT2023 dataset, C-MADF reduces the false-positive rate from 11.2%, 9.7%, and 8.4% in three cutting-edge literature baselines to 1.8%, while achieving 0.997 precision, 0.961 recall, and 0.979 F1-score.

Summary

  • The paper introduces C-MADF, a framework that integrates structural causal modeling with a constrained MDP-DAG to ensure admissible action transitions.
  • It employs adversarial multi-agent reinforcement learning with dual Blue-Team and Red-Team policies to enhance decision accuracy and reduce spurious interventions.
  • Empirical results on the CICIoT2023 benchmark show significant false positive reductions and high detection precision, validating the framework's robust performance.

Explainable Autonomous Cyber Defense using Adversarial Multi-Agent Reinforcement Learning

Introduction and Motivation

This work introduces the Causal Multi-Agent Decision Framework (C-MADF), targeting the reliability and transparency deficits of current autonomous cyber defense systems when faced with adversarial manipulation or ambiguous telemetry. Typical systems leverage correlation-based analytics and unconstrained multi-agent reinforcement learning (MARL) to orchestrate defensive mitigations in critical infrastructure environments. However, these approaches suffer from policy drift, high false-positive rates, and lack of action admissibility guarantees under conditions such as "Living off the Land" tactics and targeted adversarial log perturbations ("Shadow-Jitter" attacks). The absence of structural constraints between detection, evidence gathering, and mitigation actions often leads to operational disruptions and unsafe interventions.

C-MADF explicitly addresses these deficits by integrating a learned Structural Causal Model (SCM), constraining the action space of autonomous agents within a Markov Decision Process defined as a Directed Acyclic Graph (MDP-DAG), and imposing a deliberative framework wherein competing Blue-Team and Red-Team policies arbitrate each critical action. Policy divergence and evidentiary support are exposed to a human-in-the-loop interface via a composite Explainability–Transparency Score (ETS), governing escalation and enhancing forensic auditability.

Framework Overview and Technical Implementation

C-MADF operates as a four-stage pipeline: (1) constraint-based causal discovery from historical telemetry, (2) compilation of the SCM into a causally consistent MDP-DAG investigation roadmap, (3) adversarial multi-agent reinforcement learning over the constrained roadmap, and (4) an explainability-calibrated human-in-the-loop interface. Figure 1

Figure 2: The C-MADF architecture, integrating causal discovery, roadmap induction, adversarial MARL, and HITL oversight with an explainability–transparency signal.

1. Causal Discovery

A constraint-based causal discovery engine learns the SCM from telemetry (logs, flows, events) by identifying conditional independence relations and encoding them in a DAG. The resulting causal graph imposes admissibility constraints on future action transitions and evidentiary requirements for each investigative or mitigation phase.

2. Causally-Constrained MDP-DAG Roadmap

The SCM is projected into an investigation-level DAG over high-level states (e.g., "Alert," "Evidence Gathering," "Threat Mitigated"), defining all admissible state transitions. Each edge in the MDP-DAG encodes causal justification, restricting the policy to only those action sequences that satisfy causal prerequisites. Figure 3

Figure 1: MDP-DAG roadmap, blocking inadmissible transitions and ensuring evidence precedes mitigation.

3. Adversarial Multi-Agent Deliberation

Within each state, a dual-policy structure—a threat-optimizing Blue-Team agent and a conservative, cost-sensitive Red-Team agent—deliberates on the action(s) to execute. Reward functions are asymmetrically shaped: the Blue Team maximizes threat suppression and investigation efficiency, while the Red Team penalizes interventions not causally supported or generating high operational cost. Policy disagreements are quantified by a Policy Divergence Score D(st)\mathcal{D}(s_t) (distributional or value-based), acting as a proxy for epistemic uncertainty. Figure 4

Figure 3: Council of Rivals adversarial deliberation; inter-policy disagreement exposes uncertainty for escalation triggers.

Training uses alternating self-play over the constrained action space, with all transitions verified for admissibility by the MDP-DAG.

4. Explainable Human-in-the-Loop Interface

A scalar Explainability–Transparency Score (ETS) aggregates clarity (stability and sparsity of feature attribution), completeness (density and coverage of evidence), and confidence (policy agreement, value certainty) into a normalized escalation signal. Exceeding the ETS threshold allows for safe autonomous execution; below the threshold, execution pauses and structured, evidence-rich explanations are generated for supervisory review. Figure 5

Figure 4: ETS decomposition: clarity, completeness, and confidence metrics (combined with calibrated weights) yield a decision-governing escalation signal.

Security Analysis

C-MADF's formal properties assure causally consistent, verifiable investigation trajectories and reduced vulnerability to adversarial telemetry perturbation. Action gating by the MDP-DAG bounds the expected number of spurious (inadmissible) mitigation actions in proportion to the causal mis-specification rate (ε\varepsilon) in the learned SCM. Policy divergence-based gating—coupled with ETS—monotonically decreases false-positive mitigations even under distributional shift or adversarial attack, provided adversarial capabilities are bounded as defined in the partial-compromise model. Figure 2

Figure 5: Shadow-Jitter manipulation: unconstrained defenses are deceived by manipulated correlations, while C-MADF resists via causal filtering and adversarial validation.

Robustness guarantees are characterized by reductions in disruptive false-positive interventions under both clean and adversarially perturbed benign telemetry (dTVd_{\text{TV}}-adjusted false positive rates).

Empirical Results

On the CICIoT2023 benchmark, C-MADF demonstrates 0.997 precision, 0.961 recall, and an F1-score of 0.979—outperforming DUGAT-LSTM, BiLSTM IDS, and Hybrid Weighted-XGBoost across all metrics. Critically, false-positive rates decrease from 11.2%, 9.7%, and 8.4% (in the strongest baselines) to 1.8% in C-MADF—a >4x reduction. Figure 6

Figure 7: Under Shadow-Jitter attacks, C-MADF sustains high true detection, minimal false positives, and produces actionable, explainable outputs, unlike correlation-only baselines which collapse under deception.

Ablation studies confirm that each major architectural module—causal SCM, Red Team, Blue Team—contributes substantially to overall robustness. Removal of causal reasoning increases FPR to 59.4%; removal of the Red Team increases to 21.2%; and removal of the Blue Team to 25.1%. The ETS escalation signal is well-aligned with ground-truth evidentiary sufficiency and accurately gates high-uncertainty scenarios for human adjudication.

Theoretical and Practical Implications

The explicit coupling of SCM-based structure discovery, admissible action roadmap construction, and adversarial multi-agent deliberation yields policies with formal guarantees of causal consistency and spurious-action suppression unavailable to classical MARL or static detection systems. The strong decrease in disruptive false positives is significant for high-stakes operational environments (critical infrastructure, ICS/SCADA), where every false positive can trigger costly or hazardous interventions.

Practically, the framework supports tractable policy scaling and segmented deployment by modularizing causal discovery and decision-making. Periodic SCM updates accommodate environmental drift, and the ETS mechanism enables real-time oversight calibration. While empirical evaluation is limited to benchmark telemetry, the design motivates extension to field-deployed systems, red-team testing, and human-factors studies.

Limitations and Directions for Future Research

Primary limitations of the current framework include reliance on the representativeness and integrity of historical data for causal structure learning, computational overhead for SCM discovery in large state spaces, and the need for diversifying agent inductive biases to avoid mutual blind spots in MARL deliberation. ETS, while reliable on CICIoT2023, requires field validation for operational trust and HCI optimization.

Future work includes:

  • Hierarchical, partitioned causal learning for operational scale-out.
  • Dynamic, analyst-in-the-loop expansion of the MDP-DAG ontology.
  • Heterogeneous policy architectures to improve deliberative diversity.
  • Longitudinal field studies using red-team exercises and production telemetry for external validity and human-in-the-loop calibration.

Conclusion

C-MADF demonstrates that embedding causal structure, deliberative verification, and explainability mechanisms into the policy induction and execution pipeline reduces correlation-driven hallucinations and unwarranted interventions in autonomous cyber defense. This structured design achieves a strong operational trade-off—maintaining attack recall while subduing the false-positive burden. These properties suggest C-MADF's approach is a step towards certifiable, transparent, and dependable AI in adversarial, high-dependability settings, yet future deployment demands validation against live telemetry, adaptive threat models, and supervisory workflow integration.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.