In [None]:
{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# 07 – AI Security Incident Response Playbook\n",
    "\n",
    "This notebook outlines how a security analyst might handle a simulated AI-related incident involving adversarial behavior or model leakage.\n",
    "\n",
    "It includes classification of the incident, documentation, risk level determination, and response actions based on internal guidelines or AI regulations."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Imports\n",
    "from src.risk_assessment import classify_incident\n",
    "import json\n",
    "from datetime import datetime\n",
    "import os"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Simulate a security incident: Model Inversion Detected"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Incident example\n",
    "incident = {\n",
    "    \"id\": \"INC2025-001\",\n",
    "    \"type\": \"model_inversion\",\n",
    "    \"severity\": \"high\",\n",
    "    \"detected_at\": datetime.utcnow().isoformat(),\n",
    "    \"affected_model\": \"RandomForestClassifier\",\n",
    "    \"exposure_vector\": \"Public API access\",\n",
    "    \"evidence\": \"Output probabilities vary systematically with Credit Amount\"\n",
    "}"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### 🛠️ Step 1 – Classify Incident Risk"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "risk_level = classify_incident(attack_type=incident[\"type\"], severity=incident[\"severity\"])\n",
    "incident[\"risk_level\"] = risk_level"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Step 2 – Document and Save Report"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "os.makedirs(\"reports\", exist_ok=True)\n",
    "with open(\"reports/incident_response.json\", \"w\") as f:\n",
    "    json.dump(incident, f, indent=4)\n",
    "\n",
    "print(\"Incident response documented.\")"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Step 3 – Recommended Actions\n",
    "- Disable external access to model predictions (API lockdown)\n",
    "- Rotate model version / retrain with stronger defense\n",
    "- Apply differential privacy or output clipping\n",
    "- Update internal monitoring rules\n",
    "- Notify compliance team if personal data exposure possible"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Summary\n",
    "This simulated AI incident shows how organizations can react to attacks like model inversion with:\n",
    "- Risk classification\n",
    "- Rapid response\n",
    "- Documentation & audit trail\n",
    "- Governance-aligned remediation steps"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "name": "python",
   "version": "3.10"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 5
}