@INPROCEEDINGS{hammar_alpcan_lupu_noms26,
  author={Hammar, Kim and Alpcan, Tansu and Lupu, Emil},},
  booktitle={NOMS 2026-2026 IEEE/IFIP Network Operations and Management Symposium},
  title={Hallucination-Resistant Security Planning with a Large Language Model},
  year={2026},
  volume={},
  number={}}

@inproceedings{hammar2025incidentresponseplanningusing,
  author = 	 {Kim Hammar and Tansu Alpcan and Emil C. Lupu},
      title={Incident Response Planning Using a Lightweight Large Language Model with Reduced Hallucination}, 
  booktitle    = {33rd Annual Network and Distributed System Security Symposium, {NDSS}
                  2026, San Diego, California, USA, February 23-27, 2026},
  publisher    = {The Internet Society},		  
  year = 	 2026
}

@inproceedings{10.1145/3733799.3762965,
author = {Hammar, Kim and Li, Tao},
title = {Online Incident Response Planning under Model Misspecification through Bayesian Learning and Belief Quantization},
year = {2026},
isbn = {9798400718953},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3733799.3762965},
doi = {10.1145/3733799.3762965},
abstract = {Effective responses to cyberattacks require fast decisions, even when information about the attack is incomplete or inaccurate. However, most decision-support frameworks for incident response rely on a detailed system model that describes the incident, which restricts their practical utility. In this paper, we address this limitation and present an online method for incident response planning under model misspecification, which we call mobal: Misspecified Online Bayesian Learning. mobal iteratively refines a conjecture about the model through Bayesian learning as new information becomes available, which facilitates model adaptation as the incident unfolds. To determine effective responses online, we quantize the conjectured model into a finite Markov model, which enables efficient response planning through dynamic programming. We prove that Bayesian learning is asymptotically consistent with respect to the information feedback. Additionally, we establish bounds on misspecification and quantization errors. Experiments on the cage-2 benchmark show that mobal outperforms the state of the art in terms of adaptability and robustness to model misspecification.},
booktitle = {Proceedings of the 18th ACM Workshop on Artificial Intelligence and Security},
pages = {40–51},
numpages = {12},
keywords = {Cybersecurity, reinforcement learning, Bayesian learning, POMDP, misspecification, incident response, network security.},
location = {
},
series = {AISec '25}
}

@misc{hammar2025adaptivenetworksecuritypolicies,
      title={Adaptive Network Security Policies via Belief Aggregation and Rollout}, 
      author={Kim Hammar and Yuchao Li and Tansu Alpcan and Emil C. Lupu and Dimitri Bertsekas},
      year={2025},
      eprint={2507.15163},
      archivePrefix={arXiv},
      primaryClass={eess.SY},
      url={https://arxiv.org/abs/2507.15163}, 
}

@phdthesis{kim_phd_thesis,
   author = {Hammar, Kim},
   institution = {KTH, Network and Systems Engineering},
   note = {Academic Dissertation which, with due permission of the KTH Royal Institute of Technology, is submitted for public defence for the Degree of Doctor of Philosophy on Thursday the 5th December 2024, at 14:00 in F3, Lindstedtsv{\"a}gen 26, Stockholm.The defense will be streamed via Zoom: https://kth-se.zoom.us/j/64592772191Candidate: Kim HammarSupervisor: Professor Rolf Stadler, KTH, SwedenOpponent: Professor Tansu Alpcan, The University of Melbourne, AustraliaGrading committee: Professor Emil Lupu, Imperial College London, UK; Professor Alina Oprea, Northeastern University, USA; Professor Karl H. Johansson, KTH, Sweden; Reviewer: Professor Henrik Sandberg, KTH, SwedenQC 20241111},
   pages = {338},
   school = {KTH, Network and Systems Engineering},
   title = {Optimal Security Response to Network Intrusions in IT Systems},
   series = {TRITA-EECS-AVL},
   number = {2024:85},
   keywords = {Cybersecurity, Game theory, Decision theory, Control theory, Causality, Optimal stopping, security response},
   abstract = {Cybersecurity is one of the most pressing technological challenges of our time and requires measures from all sectors of society. A key measure is automated security response, which enables automated mitigation and recovery from cyber attacks. Significant strides toward such automation have been made due to the development of rule-based response systems. However, these systems have a critical drawback: they depend on domain experts to configure the rules, a process that is both error-prone and inefficient. Framing security response as an optimal control problem shows promise in addressing this limitation but introduces new challenges. Chief among them is bridging the gap between theoretical optimality and operational performance. Current response systems with theoretical optimality guarantees have only been validated analytically or in simulation, leaving their practical utility unproven. This thesis tackles the aforementioned challenges by developing a practical methodology for optimal security response in IT infrastructures. It encompasses two systems. First, it includes an emulation system that replicates key components of the target infrastructure. We use this system to gather measurements and logs, based on which we identify a game-theoretic model. Second, it includes a simulation system where game-theoretic response strategies are optimized through stochastic approximation to meet a given objective, such as quickly mitigating potential attacks while maintaining operational services. These strategies are then evaluated and refined in the emulation system to close the gap between theoretical and operational performance. We present CSLE, an open-source platform that implements our methodology. This platform allows us to experimentally validate the methodology on several instances of the security response problem, including intrusion prevention, intrusion response, intrusion tolerance, and defense against advanced persistent threats. We prove structural properties of optimal response strategies and derive efficient algorithms for computing them. This enables us to solve a previously unsolved problem: demonstrating optimal security response against network intrusions on an IT infrastructure. },
   ISBN = {978-91-8106-093-5},
   year = {2024}
}

@INPROCEEDINGS{10647020,
  author={Hammar, Kim and Stadler, Rolf},
  booktitle={2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
  title={Intrusion Tolerance for Networked Systems through Two-Level Feedback Control},
  year={2024},
  volume={},
  number={},
  pages={338-352},
  keywords={Fault tolerance;Operations research;Costs;Fault tolerant systems;Emulation;Optimal control;Computer architecture;Intrusion tolerance;Byzantine fault tolerance;BFT;intrusion recovery;optimal control;POMDP;MDP;CMDP},
  doi={10.1109/DSN58291.2024.00042}}

@ARTICLE{10955193,
  author={Hammar, Kim and Li, Tao and Stadler, Rolf and Zhu, Quanyan},
  journal={IEEE Transactions on Information Forensics and Security},
  title={Adaptive Security Response Strategies Through Conjectural Online Learning},
  year={2025},
  volume={20},
  number={},
  pages={4055-4070},
  keywords={Games;Security;Adaptation models;Computational modeling;Servers;History;Bayes methods;Digital twins;Steady-state;Probabilistic logic;Cybersecurity;network security;game theory;Berk-Nash equilibrium;Bayesian learning;rollout},
  doi={10.1109/TIFS.2025.3558600}}

@misc{wang2024intrusion,
      title={IT Intrusion Detection Using Statistical Learning and Testbed Measurements},
      author={Xiaoxuan Wang and Rolf Stadler},
      year={2024},
      eprint={2402.13081},
      archivePrefix={arXiv},
      primaryClass={cs.LG}
}

@misc{gamesec23_extended,
      title={Scalable Learning of Intrusion Responses through Recursive Decomposition},
      author={Kim Hammar and Rolf Stadler},
      year={2023},
      eprint={2309.03292},
      archivePrefix={arXiv},
      primaryClass={eess.SY},
      url={https://arxiv.org/abs/2309.03292}
}

@ARTICLE{10175554,
  author={Hammar, Kim and Stadler, Rolf},
  journal={IEEE Transactions on Network and Service Management}, 
  title={Learning Near-Optimal Intrusion Responses Against Dynamic Attackers}, 
  year={2023},
  volume={},
  number={},
  pages={1-1},
  doi={10.1109/TNSM.2023.3293413}}

@INPROCEEDINGS{hammar_stadle4_noms_23,
  author={Hammar, Kim and Stadler, Rolf},
  booktitle={NOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium},
  title={Digital Twins for Security Automation},
  year={2023},
  volume={},
  number={},
  pages={1-6},
  doi={10.1109/NOMS56928.2023.10154288}}

@ARTICLE{9779345,
  author={Hammar, Kim and Stadler, Rolf},
  journal={IEEE Transactions on Network and Service Management},
  title={Intrusion Prevention Through Optimal Stopping},
  year={2022},
  volume={19},
  number={3},
  pages={2333-2348},
  doi={10.1109/TNSM.2022.3176781}}

@INPROCEEDINGS{hammar_stadler_cnsm_22,
  author={Hammar, Kim and Stadler, Rolf},
  booktitle={2022 18th International Conference on Network and Service Management (CNSM)},
  title={An Online Framework for Adapting Security Policies in Dynamic IT Environments},
  year={2022},
  volume={},
  number={},
  pages={359-363},
  doi={10.23919/CNSM55787.2022.9964838}}

@inproceedings{hammar_stadler_game_22_preprint,
  author = {Hammar, Kim and Stadler, Rolf},
  title = {Learning Security Strategies through Game Play and Optimal Stopping},
  booktitle = {Proceedings of the ML4Cyber workshop at the
               39th International Conference on Machine Learning,
               {ICML} 2022, Baltimore, USA, July
               17-23, 2022},
  publisher = ,
  year      = {2022}
}

@INPROCEEDINGS{hammar_stadler_noms_22,
  author={Hammar, Kim and Stadler, Rolf},
  booktitle={NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium},
  title={A System for Interactive Examination of Learned Security Policies},
  year={2022},
  volume={},
  number={},
  pages={1-3},
  doi={10.1109/NOMS54207.2022.9789707}}

@INPROCEEDINGS{hammar_stadler_cnsm_21,
AUTHOR="Kim Hammar and Rolf Stadler",
TITLE="Learning Intrusion Prevention Policies through Optimal Stopping",
BOOKTITLE="International Conference on Network and Service Management (CNSM 2021)",
ADDRESS="Izmir, Turkey",
DAYS=1,
YEAR=2021,
note={\url{http://dl.ifip.org/db/conf/cnsm/cnsm2021/1570732932.pdf}},
KEYWORDS="Network Security, automation, optimal stopping, reinforcement learning, Markov Decision Processes",
ABSTRACT="We study automated intrusion prevention using reinforcement learning. In a novel approach, we formulate the problem of intrusion prevention as an optimal stopping problem. This formulation allows us insight into the structure of the optimal policies, which turn out to be threshold based. Since the computation of the optimal defender policy using dynamic programming is not feasible for practical cases, we approximate the optimal policy through reinforcement learning in a simulation environment. To define the dynamics of the simulation, we emulate the target infrastructure and collect measurements. Our evaluations show that the learned policies are close to optimal and that they indeed can be expressed using thresholds."
}

@INPROCEEDINGS{Hamm2011:Finding,
AUTHOR="Kim Hammar and Rolf Stadler",
TITLE="Finding Effective Security Strategies through Reinforcement Learning and
{Self-Play}",
BOOKTITLE="International Conference on Network and Service Management (CNSM 2020)
(CNSM 2020)",
ADDRESS="Izmir, Turkey",
DAYS=1,
MONTH=nov,
YEAR=2020,
KEYWORDS="Network Security; Reinforcement Learning; Markov Security Games",
ABSTRACT="We present a method to automatically find security strategies for the use
case of intrusion prevention. Following this method, we model the
interaction between an attacker and a defender as a Markov game and let
attack and defense strategies evolve through reinforcement learning and
self-play without human intervention. Using a simple infrastructure
configuration, we demonstrate that effective security strategies can emerge
from self-play. This shows that self-play, which has been applied in other
domains with great success, can be effective in the context of network
security. Inspection of the converged policies show that the emerged
policies reflect common-sense knowledge and are similar to strategies of
humans. Moreover, we address known challenges of reinforcement learning in
this domain and present an approach that uses function approximation, an
opponent pool, and an autoregressive policy representation. Through
evaluations we show that our method is superior to two baseline methods but
that policy convergence in self-play remains a challenge."
}