- The paper introduces C-MADF, a framework that integrates structural causal modeling with a constrained MDP-DAG to ensure admissible action transitions.
- It employs adversarial multi-agent reinforcement learning with dual Blue-Team and Red-Team policies to enhance decision accuracy and reduce spurious interventions.
- Empirical results on the CICIoT2023 benchmark show significant false positive reductions and high detection precision, validating the framework's robust performance.
Explainable Autonomous Cyber Defense using Adversarial Multi-Agent Reinforcement Learning
Introduction and Motivation
This work introduces the Causal Multi-Agent Decision Framework (C-MADF), targeting the reliability and transparency deficits of current autonomous cyber defense systems when faced with adversarial manipulation or ambiguous telemetry. Typical systems leverage correlation-based analytics and unconstrained multi-agent reinforcement learning (MARL) to orchestrate defensive mitigations in critical infrastructure environments. However, these approaches suffer from policy drift, high false-positive rates, and lack of action admissibility guarantees under conditions such as "Living off the Land" tactics and targeted adversarial log perturbations ("Shadow-Jitter" attacks). The absence of structural constraints between detection, evidence gathering, and mitigation actions often leads to operational disruptions and unsafe interventions.
C-MADF explicitly addresses these deficits by integrating a learned Structural Causal Model (SCM), constraining the action space of autonomous agents within a Markov Decision Process defined as a Directed Acyclic Graph (MDP-DAG), and imposing a deliberative framework wherein competing Blue-Team and Red-Team policies arbitrate each critical action. Policy divergence and evidentiary support are exposed to a human-in-the-loop interface via a composite Explainability–Transparency Score (ETS), governing escalation and enhancing forensic auditability.
Framework Overview and Technical Implementation
C-MADF operates as a four-stage pipeline: (1) constraint-based causal discovery from historical telemetry, (2) compilation of the SCM into a causally consistent MDP-DAG investigation roadmap, (3) adversarial multi-agent reinforcement learning over the constrained roadmap, and (4) an explainability-calibrated human-in-the-loop interface.
Figure 2: The C-MADF architecture, integrating causal discovery, roadmap induction, adversarial MARL, and HITL oversight with an explainability–transparency signal.
1. Causal Discovery
A constraint-based causal discovery engine learns the SCM from telemetry (logs, flows, events) by identifying conditional independence relations and encoding them in a DAG. The resulting causal graph imposes admissibility constraints on future action transitions and evidentiary requirements for each investigative or mitigation phase.
2. Causally-Constrained MDP-DAG Roadmap
The SCM is projected into an investigation-level DAG over high-level states (e.g., "Alert," "Evidence Gathering," "Threat Mitigated"), defining all admissible state transitions. Each edge in the MDP-DAG encodes causal justification, restricting the policy to only those action sequences that satisfy causal prerequisites.
Figure 1: MDP-DAG roadmap, blocking inadmissible transitions and ensuring evidence precedes mitigation.
3. Adversarial Multi-Agent Deliberation
Within each state, a dual-policy structure—a threat-optimizing Blue-Team agent and a conservative, cost-sensitive Red-Team agent—deliberates on the action(s) to execute. Reward functions are asymmetrically shaped: the Blue Team maximizes threat suppression and investigation efficiency, while the Red Team penalizes interventions not causally supported or generating high operational cost. Policy disagreements are quantified by a Policy Divergence Score D(st​) (distributional or value-based), acting as a proxy for epistemic uncertainty.
Figure 3: Council of Rivals adversarial deliberation; inter-policy disagreement exposes uncertainty for escalation triggers.
Training uses alternating self-play over the constrained action space, with all transitions verified for admissibility by the MDP-DAG.
4. Explainable Human-in-the-Loop Interface
A scalar Explainability–Transparency Score (ETS) aggregates clarity (stability and sparsity of feature attribution), completeness (density and coverage of evidence), and confidence (policy agreement, value certainty) into a normalized escalation signal. Exceeding the ETS threshold allows for safe autonomous execution; below the threshold, execution pauses and structured, evidence-rich explanations are generated for supervisory review.
Figure 4: ETS decomposition: clarity, completeness, and confidence metrics (combined with calibrated weights) yield a decision-governing escalation signal.
Security Analysis
C-MADF's formal properties assure causally consistent, verifiable investigation trajectories and reduced vulnerability to adversarial telemetry perturbation. Action gating by the MDP-DAG bounds the expected number of spurious (inadmissible) mitigation actions in proportion to the causal mis-specification rate (ε) in the learned SCM. Policy divergence-based gating—coupled with ETS—monotonically decreases false-positive mitigations even under distributional shift or adversarial attack, provided adversarial capabilities are bounded as defined in the partial-compromise model.
Figure 5: Shadow-Jitter manipulation: unconstrained defenses are deceived by manipulated correlations, while C-MADF resists via causal filtering and adversarial validation.
Robustness guarantees are characterized by reductions in disruptive false-positive interventions under both clean and adversarially perturbed benign telemetry (dTV​-adjusted false positive rates).
Empirical Results
On the CICIoT2023 benchmark, C-MADF demonstrates 0.997 precision, 0.961 recall, and an F1-score of 0.979—outperforming DUGAT-LSTM, BiLSTM IDS, and Hybrid Weighted-XGBoost across all metrics. Critically, false-positive rates decrease from 11.2%, 9.7%, and 8.4% (in the strongest baselines) to 1.8% in C-MADF—a >4x reduction.
Figure 7: Under Shadow-Jitter attacks, C-MADF sustains high true detection, minimal false positives, and produces actionable, explainable outputs, unlike correlation-only baselines which collapse under deception.
Ablation studies confirm that each major architectural module—causal SCM, Red Team, Blue Team—contributes substantially to overall robustness. Removal of causal reasoning increases FPR to 59.4%; removal of the Red Team increases to 21.2%; and removal of the Blue Team to 25.1%. The ETS escalation signal is well-aligned with ground-truth evidentiary sufficiency and accurately gates high-uncertainty scenarios for human adjudication.
Theoretical and Practical Implications
The explicit coupling of SCM-based structure discovery, admissible action roadmap construction, and adversarial multi-agent deliberation yields policies with formal guarantees of causal consistency and spurious-action suppression unavailable to classical MARL or static detection systems. The strong decrease in disruptive false positives is significant for high-stakes operational environments (critical infrastructure, ICS/SCADA), where every false positive can trigger costly or hazardous interventions.
Practically, the framework supports tractable policy scaling and segmented deployment by modularizing causal discovery and decision-making. Periodic SCM updates accommodate environmental drift, and the ETS mechanism enables real-time oversight calibration. While empirical evaluation is limited to benchmark telemetry, the design motivates extension to field-deployed systems, red-team testing, and human-factors studies.
Limitations and Directions for Future Research
Primary limitations of the current framework include reliance on the representativeness and integrity of historical data for causal structure learning, computational overhead for SCM discovery in large state spaces, and the need for diversifying agent inductive biases to avoid mutual blind spots in MARL deliberation. ETS, while reliable on CICIoT2023, requires field validation for operational trust and HCI optimization.
Future work includes:
- Hierarchical, partitioned causal learning for operational scale-out.
- Dynamic, analyst-in-the-loop expansion of the MDP-DAG ontology.
- Heterogeneous policy architectures to improve deliberative diversity.
- Longitudinal field studies using red-team exercises and production telemetry for external validity and human-in-the-loop calibration.
Conclusion
C-MADF demonstrates that embedding causal structure, deliberative verification, and explainability mechanisms into the policy induction and execution pipeline reduces correlation-driven hallucinations and unwarranted interventions in autonomous cyber defense. This structured design achieves a strong operational trade-off—maintaining attack recall while subduing the false-positive burden. These properties suggest C-MADF's approach is a step towards certifiable, transparent, and dependable AI in adversarial, high-dependability settings, yet future deployment demands validation against live telemetry, adaptive threat models, and supervisory workflow integration.