A Bayesian Multi-armed Bandit Approach for Identifying Human Vulnerabilities

Abstract

We consider the problem of identifying the set of users in an organization’s network that are most susceptible to falling victim to social engineering attacks. To achieve this goal, we propose a testing strategy, based on the theory of multi-armed bandits, that involves a system administrator sending fake malicious messages to users in a sequence of unannounced tests and recording their responses. To accurately model the administrator’s testing problem, we propose a new bandit setting, termed the structured combinatorial multi-bandit model, that allows one to impose combinatorial constraints on the space of allowable queries. The model captures the diversity in attack types and user responses by considering multiple multi-armed bandits, where each bandit problem represents an attack (message) type and each arm represents a user. Users respond to test messages according to a response model with unknown statistics. The response model associates a Bernoulli distribution with an unknown mean with each message-user pair, dictating the likelihood that a user will respond to a given message. The administrator’s problem of identifying the most susceptible users can then be expressed as identifying the set of message-user pairs with means that exceed a given threshold. We adopt a Bayesian approach to solving the problem, associating a (beta) prior distribution with each unknown mean. In a given trial, the system administrator queries a selection of users with test messages, generating query responses which are then used to update posterior distributions on the means. By defining a state as the parameters of the posteriors, we show that the optimal testing strategy can be characterized as the solution of a Markov decision process (MDP). Unfortunately, solving the MDP is computationally intractable. As a result, we propose a heuristic testing strategy, based on Thompson sampling, that focuses queries on message-user pairs that are estimated to have means close to the threshold. The heuristic testing strategy is shown to yield accurate identifications.

This research was supported by the U.S. Office of Naval Research (ONR) MURI grant N00014-16-1-2710.

A Proof of Lemma 1

Denoting \(\mathbb {E}_n^\pi [J(\varTheta ,P;\tau )]:=E_{\varTheta \sim f_n(\theta _{mk})}[J(\varTheta ,P;\tau )\mid P=P^\pi ]\) as the expectation of the reward with respect to the posteriors \(f_n(\theta _{mk})\), application of the law of iterated expectations allows one to write the expected reward as \(\mathbb {E}_0^\pi [J(\varTheta ,P;\tau )] = \mathbb {E}_0^\pi [\mathbb {E}_n^\pi [J(\varTheta ,P;\tau )]]\), where

$$\begin{aligned} \mathbb {E}_n^\pi \big [J(\varTheta ,P;\tau )\big ]&=\mathbb {P}_n\bigg (\bigcap _{(m,k)\in P^\pi }\{\varTheta _{mk}>\tau \}\cap \bigcap _{(m,k)\in \bar{P}^\pi }\{\varTheta _{mk}\le \tau \}\bigg )\\&= \prod _{(m,k)\in P^\pi }\mathbb {P}_n(\{\varTheta _{mk}>\tau \})\prod _{(m,k)\in \bar{P}^\pi }\mathbb {P}_n(\{\varTheta _{mk}\le \tau \})\\&= \prod _{(m,k)\in P^\pi }I_{1-\tau }(\beta _{mk,n},\alpha _{mk,n})\prod _{(m,k)\in \bar{P}^\pi }I_{\tau }(\alpha _{mk,n},\beta _{mk,n}) =: J^\pi (P;\tau ) \end{aligned}$$

where \(I_{\tau }(\alpha ,\beta )\) is the normalized incomplete beta function (we have used the identity \(1-I_{\tau }(\alpha ,\beta ) \equiv I_{1-\tau }(\beta ,\alpha )\)). The dependency of the identification set P on the testing strategy \(\pi \) is made explicit by writing \(P^\pi \).