








|
Library
|
Your profile |
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.|
Security Issues
Reference:
Lyutikova, L.A., Hashirova, T.Y., Arvanova, S.M. (2025). Formal Interpretation of RL Agent Strategies in Cybersecurity Tasks Based on Temporal and Epistemic Logic. Security Issues, 4, 30–41. https://doi.org/10.25136/2409-7543.2025.4.77113
Formal Interpretation of RL Agent Strategies in Cybersecurity Tasks Based on Temporal and Epistemic Logic
DOI: 10.25136/2409-7543.2025.4.77113EDN: HTKKFOReceived: 11/29/2025Published: 12/06/2025Abstract: The paper presents a formal approach to explainable reinforcement learning aimed at developing trusted intelligent systems in the field of cybersecurity. A mathematical model of an RL agent is proposed, which operates in an uncertain network environment and makes decisions on traffic inspection or blocking based on reward function optimization and partial observation of the network state. The subject of the research is the logical‑mathematical interpretation of RL agent strategies, which allows linking its behavior with formally verifiable properties of security, reachability, and causal sequence of actions. The method provides interpretation of the agent’s strategy using temporal logic, enabling formal verification of its compliance with specified security and reachability properties. The proposed mathematical model connects the decision‑making process regarding traffic blocking or inspection with causal structures and logical inference. This approach is aimed at creating trusted and auditable cyber‑physical systems whose behavior can be rigorously verified. The research methodology in this paper is based on the synthesis of machine learning techniques and formal logic. This approach enables a transition from empirical optimization to formal, verifiable behavior specifications, which constitutes its key innovation. The effectiveness of the methodology is confirmed by a computational experiment. The scientific novelty lies in the integration of reinforcement learning with logical models of LTL (Linear Temporal Logic) and EL (Epistemic Logic), which enables transition from empirically derived policies to formal specifications subject to automatic verification. It is shown that the combined use of temporal and epistemic logic allows describing the agent’s response to network anomalies both in the temporal dimension and from the perspective of the agent’s knowledge level under partial observability. The obtained results confirm that the logical‑mathematical interpretation of RL agent strategies is an effective tool for enhancing transparency, predictability, and trust in intelligent cybersecurity systems. Keywords: model, interpretation, logical analysis, data, algorithm, The agent, reinforcement learning, artificial intelligence, record, messageThis article is automatically translated. Introduction Modern cybersecurity systems face a constant increase in the complexity of network architecture and an increase in the variety of attacking influences. In these conditions, the ability of intelligent systems not only to effectively detect threats, but also to explain the decisions taken is of particular importance. The concept of explicable artificial intelligence (Explicable AI, XAI) is becoming a key direction in the development of trusted AI systems [1]. Traditional intrusion detection methods (IDS/IPS) based on signatures or statistical models have limited ability to adapt to new types of attacks and do not provide interpretation solutions. In contrast, Reinforcement Learning (RL) provides the ability to autonomously form an optimal strategy for agent behavior based on interaction with the environment. However, the internal mechanisms of RL agents are often opaque and difficult to interpret. The problem of explainability of RL agent solutions is particularly acute in the field of cybersecurity, where a high degree of trust in the system's performance is required. To eliminate the "black box" effect, it is proposed in this paper to use formal logical models that allow describing and verifying agent behavior in terms of time dependencies and knowledge [2]. Linear Temporal Logic (LTL) allows you to capture cause-and–effect relationships between events, while Epistemic Logic (EL) formalizes agents' knowledge of the state of the system and the level of threats. The integration of these logical tools with reinforcement learning makes it possible to build explicable, verifiable, and reproducible strategies for responding to anomalies [3]. The purpose of this work is to develop and experimentally verify an RL agent model capable of making decisions in a network environment interpreted in terms of temporal and epistemic logic. The article presents the problem statement, mathematical formalization, description of the method of extracting logical rules and the results of a computational experiment confirming the effectiveness of the proposed approach[4]. The subject of research in this paper is the logical and mathematical interpretation of the strategies of an intelligent agent trained by reinforcement learning, operating under conditions of partial observability and stochastic dynamics of the network environment. The novelty of the work is the creation of a formally grounded explicable RL algorithm that ensures trust, reproducibility and transparency of solutions in cyber defense systems. 1. Setting the task Let's assume that the environment is a computer network with a state where The task of agent training is formulated as optimization of the return function.: where The agent must recognize abnormal patterns in network traffic (packet frequency, ports, IP addresses, delays, deviations). To determine the optimal response: "Pass" — to skip traffic, or "Inspect"— to check, or "Block" — to block the connection. Maximize the return function (1), where the reward 2. Mathematical model and formalization of the problem Consider a cybersystem as a stochastic environment
At each time step The agent's goal is to maximize the expected discounted return: The value function The iterative update for the approximation The state of the environment is described by a vector of network features: where The agent The reward function This function reflects a balance between security (timely blocking) and saving resources (avoiding unnecessary checks) [5]. After training, the strategy
3. Logical grounds for interpreting agent behavior Temporal Logic (LTL) Linear Temporal Logic (LTL) is used to formally describe sequential processes where the state of the system changes over time. She uses statements about the future and the past of events, allowing her to formalize the requirements of safety and liveliness. The main LTL operators necessary for this field are presented in Table e1. Table 1. The main LTL operators
Example of the formula: The behavior of an agent in reinforcement learning is a sequence Safety Achievability of a goal (liveness) The sequence of actions: The introduced formulas of temporal logic (safety, liveness, and order) make it possible to move from empirical reinforcement learning based on statistical optimization of the reward function to formally verifiable agent behavior. Within the framework of this model, each trajectory of an agent's interaction with the environment is considered as a sequence of states and actions over which a logical check can be performed for the fulfillment of a security property, which ensures that during the functioning of the system there are no states in which an attack remains unanswered. A livability property that ensures that the network can be restored to normal operation after a threat. And the property of the sequence of actions that captures the causal relationships between the phases of response (detection - verification — blocking/normalization) [7]. Verification of these formulas by means of formal verification (for example, using the NuSMV or SPIN checker model) makes it possible to verify that the agent's strategy not only maximizes remuneration, but also meets the logical criteria of correctness, stability and explainability. Thus, stochastic reinforcement learning and formal logic methods are integrated, ensuring the explainability and reproducibility of intelligent security solutions. Epistemic logic (logic of knowledge) Epistemic Logic (EL) describes the knowledge and beliefs of agents. The main operator Agents in the cybersystem work in conditions of incomplete information: everyone observes only a part of the signs of traffic. Therefore, a formal description of knowledge and awareness is required. Individual knowledge looks like collective knowledge: This model is important for distributed agents operating on different network nodes: some detect a threat, others confirm or respond by forming collective knowledge and coordinating actions [8]. LTL and EL combination The combined use of temporal and epistemic logic makes it possible to describe both the dynamics of behavior and the level of knowledge of agents. For example: Justification of applicability to the data in Table 2. Table 2. Rationale for applying LTL and EL logic to data Input data structure Each observation of the environment at a given time where Table 3. Agent input data
Agent's output data
The result is an optimal policy 4. Computational experiment The step-by-step implementation of the method is as follows: 1. Download the cybersecurity environment; 2. we train the DQN agent; 3. we collect trajectories and build graphs (reward, distribution of signs of norms/anomalies); 4. Extract and print the rules; 5. We show which anomalies the agent actually "saw". An example of the data in Fig. 1. Figure 1. Sample data. The block diagram of the algorithm is shown in Fig. 2. Figure 2. Algorithm diagram Results The graph of agent behavior in the reinforcement learning process is shown in Fig. 3. Figure 3. The process of training an agent by episode. X-axis (horizontal) this is the training episode number. Each episode is a separate series of agent interactions with the environment (for example, 50 steps). At the beginning of the training, the agent acts randomly, and by the end it becomes more meaningful. Episodes 0-50 give chaotic low values, which indicates that the agent is just learning. Then (100-200 episodes) — the average reward begins to grow, although fluctuations remain. After ~250 episodes, stabilization is at a high level: the average reward value is above 60-70 (or any upper bound for your environment). The main thing is the average line level. If the curve "as a whole" goes up, it means that the agent learns the strategy, even if each specific episode is "jagged" [9]. Intensity histograms (the X₁ sign) are a very revealing visual element that actually shows how an agent “sees” the difference between normal and abnormal traffic [10]. The histograms show the distribution of one feature, x1, which indicates the intensity of network traffic (number of packets per second) (Fig. 4). Figure 4. Network traffic intensity The left histogram is "X₁ (intensity) is the NORM". Shows how the intensity values are distributed during normal network operation when there is no anomaly (anom = 0). The right histogram is "x₁ (intensity) – ANOMALY". The same thing, but only for abnormal states (anom = 1). Next comes the formation of logical rules, a fragment of which is shown in Fig. 5. Figure 5 Fragment of logical rules Based on the data under consideration, the agent achieves an anomaly detection accuracy of 94-96% with an average reaction delay of less than 0.3 s. The logical interpretation shows that the agent's strategy follows the rules of the form: The formulas obtained are successfully tested for the feasibility of the specifications Conclusion The paper proposes a method for the logical and mathematical interpretation of strategies obtained during reinforcement learning in relation to cybersecurity tasks. An RL agent model has been developed that interacts with the network environment and makes decisions about checking or blocking traffic based on optimizing the reward function. The main scientific result is the integration of stochastic reinforcement learning methods with formal means of logical verification. The use of temporal logic (LTL) made it possible to formalize and verify the properties of safety, liveness, and causality of actions. Epistemic logic (EL) has provided an opportunity to describe the level of knowledge and awareness of agents in a distributed system. The results of the computational experiment showed that the agent is able to achieve high accuracy in detecting threats with a short reaction time, and the resulting logical formulas are successfully tested for the feasibility of specifications. This confirms that the logical interpretation of strategies increases transparency and trust in intelligent system solutions. In the future, it is planned to develop the proposed approach for multi-agent systems, including the exchange of knowledge between network nodes, as well as the implementation of automatic verification of logical properties in real time. Additionally, research on embedding logical constraints directly into the learning process (reward shaping) is of interest, which will allow combining optimality and explainability at the learning stage, and not just after the fact.
The article is published in the version approved by the reviewers (after receiving a positive review recommending the manuscript for publication) with corrections made by the author (after receiving the editor’s comments, if any). References
1. Sutton, R. S., & Barto, A. G. (2020). Reinforcement learning: An introduction (2nd ed.). MIT Press.
2. Rybakov, V. V. (2015). Non-transition linear temporal logic, knowledge from the past, decidability, admissible rules. arXiv preprint arXiv:1503.08761. 3. Doshi-Velez, F., & Kim, B. (2017). Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608. 4. Rudin, C. (2019). Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead. Nature Machine Intelligence, 1, 206-215. 5. Wang, Y., Yu, W., & Seligman, J. (2022). Quantifier-free epistemic term-modal logic with assignment operator. Annals of Pure and Applied Logic, 173(3), article 103071. https://doi.org/10.1016/j.apal.2021.103071 6. Nguyen, T. T., & Reddi, V. J. (2022). Deep reinforcement learning for cyber security. Computers & Security, 113, 102583. https://doi.org/10.1109/TNNLS.2021.3121870 7. Baier, C., & Katoen, J.-P. (2008). Principles of model checking. MIT Press. 8. Shoham, Y., & Leyton-Brown, K. (2009). Multiagent systems: Algorithmic, game-theoretic, and logical foundations. Cambridge University Press. 9. Bashmakov, S. I., Kosheleva, A. V., & Rybakov, V. V. (2017). Unification in temporal multi-agent logics with universal modality. In Mathematics in the modern world: Proceedings of the international conference. 10. Wolter, F., & Zakharyaschev, M. (2008). Undecidability of the unification and admissibility problems for modal and description logics. ACM Transactions on Computational Logic, 9(4), 25. 11. Lyutikova, L. A. (2023). Methods for improving the efficiency of neural network decision-making. In Advances in automation IV: RusAutoCon 2022 (Vol. 986, pp. 294-303). Lecture Notes in Electrical Engineering. https://doi.org/10.1007/978-3-031-22311-2_29 12. Dyukova, E. V., Zhuravlev, Y. I., & Prokofyev, P. A. (2015). Methods for improving the efficiency of logical correctors. Machine Learning and Data Analysis, 1(11), 1555-1583.
Peer Review
Peer reviewers' evaluations remain confidential and are not disclosed to the public. Only external reviews, authorized for publication by the article's author(s), are made public. Typically, these final reviews are conducted after the manuscript's revision. Adhering to our double-blind review policy, the reviewer's identity is kept confidential.
|
| We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. | Accept and Close |
