Training Automated Defense Strategies Using Graph-based Cyber Attack Simulations

by Jakob Nyberg, et al.

We implemented and evaluated an automated cyber defense agent. The agent takes security alerts as input and uses reinforcement learning to learn a policy for executing predefined defensive measures. The defender policies were trained in an environment that simulates a cyber attack. In the simulation, an attacking agent attempts to capture targets in the environment, while the defender attempts to protect them by enabling defenses. The environment was modeled using attack graphs based on the Meta Attack Language. We assumed that defensive measures have downtime costs, meaning that the defender agent was penalized for using them. We also assumed that the environment was equipped with an imperfect intrusion detection system that occasionally produces erroneous alerts based on the environment state. To evaluate the setup, we trained the defensive agent with different levels of intrusion detection system noise. We also trained agents with different attacker strategies and graph sizes. In experiments, the defensive agent using policies trained with reinforcement learning outperformed agents using heuristic policies. Experiments also demonstrated that the policies could generalize across different attacker strategies. However, the performance of the learned policies decreased as the attack graphs increased in size.
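The setup described above can be illustrated with a minimal Python sketch. It is not the simulator used in the paper: the class name `ToyAttackGraphEnv`, its parameters (`fp_rate`, `fn_rate`, `downtime_cost`, `target_cost`), the random attacker, and the per-step reward formula are all assumptions made for illustration. The sketch only shows how an attack graph, a noisy intrusion detection system, and a downtime penalty for enabled defenses could fit together in one environment.

```python
import random


class ToyAttackGraphEnv:
    """Toy defender environment on a small attack graph.

    Hypothetical illustration only; not the paper's simulator.
    """

    def __init__(self, edges, entry, targets, defenses,
                 fp_rate=0.1, fn_rate=0.1,
                 downtime_cost=1.0, target_cost=10.0, seed=0):
        self.edges = edges            # attack step -> list of child attack steps
        self.entry = entry            # step the attacker holds at the start
        self.targets = set(targets)   # steps the defender wants to protect
        self.defenses = defenses      # defense name -> set of steps it blocks
        self.fp_rate = fp_rate        # assumed false-alert probability per step
        self.fn_rate = fn_rate        # assumed missed-alert probability per step
        self.downtime_cost = downtime_cost
        self.target_cost = target_cost
        self.rng = random.Random(seed)
        self.nodes = set(edges) | {c for cs in edges.values() for c in cs}
        self.reset()

    def reset(self):
        self.compromised = {self.entry}
        self.enabled = set()
        return self.observe()

    def observe(self):
        # Imperfect IDS: each step's true status is flipped with some probability.
        obs = {}
        for step in sorted(self.nodes):
            truth = step in self.compromised
            rate = self.fn_rate if truth else self.fp_rate
            flip = self.rng.random() < rate
            obs[step] = truth != flip
        return obs

    def step(self, defense=None):
        # Defender move: optionally enable one defense (it stays enabled).
        if defense is not None:
            self.enabled.add(defense)
        blocked = set()
        for name in self.enabled:
            blocked |= self.defenses[name]
        # Attacker move (assumed random strategy): take one reachable,
        # unblocked step that is not yet compromised.
        frontier = sorted(
            child
            for step in self.compromised
            for child in self.edges.get(step, [])
            if child not in self.compromised and child not in blocked
        )
        if frontier:
            self.compromised.add(self.rng.choice(frontier))
        # Assumed reward: per-step downtime penalty for each enabled defense,
        # plus a penalty for each captured target.
        reward = (-self.downtime_cost * len(self.enabled)
                  - self.target_cost * len(self.compromised & self.targets))
        return self.observe(), reward
```

A reinforcement learning agent would map the alert dictionary returned by `observe` to a choice of defense (or no action). Raising `fp_rate` and `fn_rate` corresponds, loosely, to the experiments that vary the intrusion detection system noise.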




