Xu Wan,Lanting Zeng,Mingyang Sun

DOI: https://doi.org/10.24963/ijcai.2022/549

2022-01-01

Abstract:Decarbonization of global power systems significantly increases the operational uncertainty and modeling complexity that drive the necessity of widely exploiting cutting-edge Deep Reinforcement Learning (DRL) technologies to realize adaptive and real-time emergency control, which is the last resort for system stability and resiliency. The vulnerability of the DRL-based emergency control scheme may lead to severe real-world security issues if it can not be fully explored before implementing it practically. To this end, this is the first work that comprehensively investigates adversarial attacks and defense mechanisms for DRL-based power system emergency control. In particular, recovery-targeted (RT) adversarial attacks are designed for gradient-based approaches, aiming to dramatically degrade the effectiveness of the conducted emergency control actions to prevent the system from restoring to a stable state. Furthermore, the corresponding robust defense (RD) mechanisms are proposed to actively modify the observations based on the distances of sequential states. Experiments are conducted based on the standard IEEE reliability test system, and the results show that security risks indeed exist in the state-of-the-art DRL-based power system emergency control models. The effectiveness, stealthiness, instantaneity, and transferability of the proposed attacks and defense mechanisms are demonstrated with both white-box and black-box settings.

Huang Wanwei,Yuan Bo,Wang Sunan,Ding Yi,Li Yuhua

DOI: https://doi.org/10.23919/jcc.ja.2022-0401

2024-10-01

China Communications

Abstract:Existing researches on cyber attack-defense analysis have typically adopted stochastic game theory to model the problem for solutions, but the assumption of complete rationality is used in modeling, ignoring the information opacity in practical attack and defense scenarios, and the model and method lack accuracy. To such problem, we investigate network defense policy methods under finite rationality constraints and propose network defense policy selection algorithm based on deep reinforcement learning. Based on graph theoretical methods, we transform the decision-making problem into a path optimization problem, and use a compression method based on service node to map the network state. On this basis, we improve the A3C algorithm and design the Defense-A3C defense policy selection algorithm with online learning capability. The experimental results show that the model and method proposed in this paper can stably converge to a better network state after training, which is faster and more stable than the original A3C algorithm. Compared with the existing typical approaches, Defense-A3C is verified its advancement.

telecommunications

Rohit Gangupantulu,Tyler Cody,Abdul Rahman,Christopher Redino,Ryan Clark,Paul Park

DOI: https://doi.org/10.48550/arXiv.2108.09358

2021-08-21

Abstract:Cyber attacks pose existential threats to nations and enterprises. Current practice favors piece-wise analysis using threat-models in the stead of rigorous cyber terrain analysis and intelligence preparation of the battlefield. Automated penetration testing using reinforcement learning offers a new and promising approach for developing methodologies that are driven by network structure and cyber terrain, that can be later interpreted in terms of threat-models, but that are principally network-driven analyses. This paper presents a novel method for crown jewel analysis termed CJA-RL that uses reinforcement learning to identify key terrain and avenues of approach for exploiting crown jewels. In our experiment, CJA-RL identified ideal entry points, choke points, and pivots for exploiting a network with multiple crown jewels, exemplifying how CJA-RL and reinforcement learning for penetration testing generally can benefit computer network operations workflows.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Yunlong Tang,Jing Sun,Huan Wang,Junyi Deng,Liang Tong,Wenhong Xu

DOI: https://doi.org/10.1016/j.cose.2024.103871

IF: 5.105

2024-04-01

Computers & Security

Abstract:Faced with the challenges of security strategy design brought about by the complexity of attack behavior and the dynamism of network structure, dynamic hierarchical intelligent defense methods have shown their effectiveness. However, in complex network environments, their application requires a higher level of coordination mechanisms. Therefore, this paper proposes a hierarchical multi-agent reinforcement learning network attack and defense game and cooperative defense decision-making method, which autonomously and efficiently completes the formulation of defense strategies and defense behavior responses. Firstly, we construct a Stackelberg hypergame model of cyberspace conflicts, and under the condition of information loss, characterize the multi-layer dynamic defense coordination response mechanism. Secondly, By utilizing a hierarchical multi-agent reinforcement learning method as the driving force for game evolution, we sequentially solve the Nash equilibrium of the game, and form a dynamic autonomous defense strategy. Finally, we construct a hierarchical multi-agent reinforcement learning framework, which decouples the defense decision problem, reduces the dimension of the defense action space and the exploration difficulty of the strategy space, and learns coordinated defense strategies more efficiently. We used the CybORG (Cyber Operations Research Gym) environment for simulation. We compared and analyzed the autonomously generated cyber defense strategies with other related works, verifying the superior coordination performance of our method in defense strategy generation and control.

computer science, information systems

Gregory Palmer,Chris Parry,Daniel J.B. Harrold,Chris Willis

2024-09-27

Abstract:The rapid increase in the number of cyber-attacks in recent years raises the need for principled methods for defending networks against malicious actors. Deep reinforcement learning (DRL) has emerged as a promising approach for mitigating these attacks. However, while DRL has shown much potential for cyber defence, numerous challenges must be overcome before DRL can be applied to the autonomous cyber defence (ACD) problem at scale. Principled methods are required for environments that confront learners with very high-dimensional state spaces, large multi-discrete action spaces, and adversarial learning. Recent works have reported success in solving these problems individually. There have also been impressive engineering efforts towards solving all three for real-time strategy games. However, applying DRL to the full ACD problem remains an open challenge. Here, we survey the relevant DRL literature and conceptualize an idealised ACD-DRL agent. We provide: i.) A summary of the domain properties that define the ACD problem; ii.) A comprehensive comparison of current ACD environments used for benchmarking DRL approaches; iii.) An overview of state-of-the-art approaches for scaling DRL to domains that confront learners with the curse of dimensionality, and; iv.) A survey and critique of current methods for limiting the exploitability of agents within adversarial settings from the perspective of ACD. We conclude with open research questions that we hope will motivate future directions for researchers and practitioners working on ACD.

Machine Learning

Zenan Wu,Liqin Tian,Yan Wang,Jianfei Xie,Yuquan Du,Yi Zhang

DOI: https://doi.org/10.1155/2021/2283786

IF: 1.968

2021-12-16

Security and Communication Networks

Abstract:Aiming at the existing network attack and defense stochastic game models, most of them are based on the assumption of complete information, which causes the problem of poor applicability of the model. Based on the actual modeling requirements of the network attack and defense process, a network defense decision-making model combining incomplete information stochastic game and deep reinforcement learning is proposed. This model regards the incomplete information of the attacker and the defender as the defender’s uncertainty about the attacker’s type and uses the Double Deep Q-Network algorithm to solve the problem of the difficulty of determining the network state transition probability, so that the network system can dynamically adjust the defense strategy. Finally, a simulation experiment was performed on the proposed model. The results show that, under the same experimental conditions, the proposed method in this paper has a better convergence speed than other methods in solving the defense equilibrium strategy. This model is a fusion of traditional methods and artificial intelligence technology and provides new research ideas for the application of artificial intelligence in the field of cyberspace security.

computer science, information systems,telecommunications

John Mern,Kyle Hatch,Ryan Silva,Jeff Brush,Mykel J. Kochenderfer

DOI: https://doi.org/10.48550/arXiv.2106.05332

2021-06-09

Cryptography and Security

Abstract:Defending computer networks from cyber attack requires coordinating actions across multiple nodes based on imperfect indicators of compromise while minimizing disruptions to network operations. Advanced attacks can progress with few observable signals over several months before execution. The resulting sequential decision problem has large observation and action spaces and a long time-horizon, making it difficult to solve with existing methods. In this work, we present techniques to scale deep reinforcement learning to solve the cyber security orchestration problem for large industrial control networks. We propose a novel attention-based neural architecture with size complexity that is invariant to the size of the network under protection. A pre-training curriculum is presented to overcome early exploration difficulty. Experiments show in that the proposed approaches greatly improve both the learning sample complexity and converged policy performance over baseline methods in simulation.

Ashutosh Dutta,Samrat Chatterjee,Arnab Bhattacharya,Mahantesh Halappanavar

DOI: https://doi.org/10.48550/arXiv.2302.01595

IF: 5.414

2023-02-03

Machine Learning

Abstract:Development of autonomous cyber system defense strategies and action recommendations in the real-world is challenging, and includes characterizing system state uncertainties and attack-defense dynamics. We propose a data-driven deep reinforcement learning (DRL) framework to learn proactive, context-aware, defense countermeasures that dynamically adapt to evolving adversarial behaviors while minimizing loss of cyber system operations. A dynamic defense optimization problem is formulated with multiple protective postures against different types of adversaries with varying levels of skill and persistence. A custom simulation environment was developed and experiments were devised to systematically evaluate the performance of four model-free DRL algorithms against realistic, multi-stage attack sequences. Our results suggest the efficacy of DRL algorithms for proactive cyber defense under multi-stage attack profiles and system uncertainties.

Thanh Thi Nguyen,Vijay Janapa Reddi

DOI: https://doi.org/10.1109/TNNLS.2021.3121870

2021-11-02

Abstract:The scale of Internet-connected systems has increased considerably, and these systems are being exposed to cyber attacks more than ever. The complexity and dynamics of cyber attacks require protecting mechanisms to be responsive, adaptive, and scalable. Machine learning, or more specifically deep reinforcement learning (DRL), methods have been proposed widely to address these issues. By incorporating deep learning into traditional RL, DRL is highly capable of solving complex, dynamic, and especially high-dimensional cyber defense problems. This paper presents a survey of DRL approaches developed for cyber security. We touch on different vital aspects, including DRL-based security methods for cyber-physical systems, autonomous intrusion detection techniques, and multiagent DRL-based game theory simulations for defense strategies against cyber attacks. Extensive discussions and future research directions on DRL-based cyber security are also given. We expect that this comprehensive review provides the foundations for and facilitates future studies on exploring the potential of emerging DRL to cope with increasingly complex cyber security problems.

Cryptography and Security,Artificial Intelligence,Machine Learning

Alex Mathew,Alex Mathew

DOI: https://doi.org/10.47760/ijcsmc.2021.v10i12.005

2021-12-30

International Journal of Computer Science and Mobile Computing

Abstract:There has been a rapid growth of the devices connected to the internet in the last decade for the various internet (IoT) of things applications. The increase of these smart devices has posed a great security concern in the internet of things ecosystem. The internet of things ecosystem must be protected from these threats. Reinforcement learning has been proposed by the cybersecurity professionals to provide the needed security tools for securing the IoT system since it is able to interact with the environment and learn how to detect the threats. This paper presents a comprehensive research on cybersecurity threats to the IoT system applications. The RL algorithms are also presented to understand the attacks on the IoT. Reinforcement learning is widely employed in cybersecurity because it can learn on its own experience by investigating and capitalizing on the unknown ecosystem, this enables it solve many complex problems. The RL capabilities on dealing with cybercrime challenges are also exploited in this paper.

Sang Ho Oh,Min Ki Jeong,Hyung Chan Kim,Jongyoul Park

DOI: https://doi.org/10.3390/s23063000

IF: 3.9

2023-03-10

Sensors

Abstract:Cybersecurity is a growing concern in today’s interconnected world. Traditional cybersecurity approaches, such as signature-based detection and rule-based firewalls, are often limited in their ability to effectively respond to evolving and sophisticated cyber threats. Reinforcement learning (RL) has shown great potential in solving complex decision-making problems in various domains, including cybersecurity. However, there are significant challenges to overcome, such as the lack of sufficient training data and the difficulty of modeling complex and dynamic attack scenarios hindering researchers’ ability to address real-world challenges and advance the state of the art in RL cyber applications. In this work, we applied a deep RL (DRL) framework in adversarial cyber-attack simulation to enhance cybersecurity. Our framework uses an agent-based model to continuously learn from and adapt to the dynamic and uncertain environment of network security. The agent decides on the optimal attack actions to take based on the state of the network and the rewards it receives for its decisions. Our experiments on synthetic network security show that the DRL approach outperforms existing methods in terms of learning optimal attack actions. Our framework represents a promising step towards the development of more effective and dynamic cybersecurity solutions.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Myles Foley,Mia Wang,Zoe M,Chris Hicks,Vasilios Mavroudis

2023-06-16

Abstract:Computer network defence is a complicated task that has necessitated a high degree of human involvement. However, with recent advancements in machine learning, fully autonomous network defence is becoming increasingly plausible. This paper introduces an end-to-end methodology for studying attack strategies, designing defence agents and explaining their operation. First, using state diagrams, we visualise adversarial behaviour to gain insight about potential points of intervention and inform the design of our defensive models. We opt to use a set of deep reinforcement learning agents trained on different parts of the task and organised in a shallow hierarchy. Our evaluation shows that the resulting design achieves a substantial performance improvement compared to prior work. Finally, to better investigate the decision-making process of our agents, we complete our analysis with a feature ablation and importance study.

Cryptography and Security,Machine Learning

Myles Foley,Chris Hicks,Kate Highnam,Vasilios Mavroudis

DOI: https://doi.org/10.1145/3488932.3527286

2024-09-27

Abstract:In the network security arms race, the defender is significantly disadvantaged as they need to successfully detect and counter every malicious attack. In contrast, the attacker needs to succeed only once. To level the playing field, we investigate the effectiveness of autonomous agents in a realistic network defence scenario. We first outline the problem, provide the background on reinforcement learning and detail our proposed agent design. Using a network environment simulation, with 13 hosts spanning 3 subnets, we train a novel reinforcement learning agent and show that it can reliably defend continual attacks by two advanced persistent threat (APT) red agents: one with complete knowledge of the network layout and another which must discover resources through exploration but is more general.

Artificial Intelligence,Cryptography and Security,Machine Learning

Kim Hammar,Rolf Stadler

DOI: https://doi.org/10.23919/CNSM50824.2020.9269092

2020-10-05

Abstract:We present a method to automatically find security strategies for the use case of intrusion prevention. Following this method, we model the interaction between an attacker and a defender as a Markov game and let attack and defense strategies evolve through reinforcement learning and self-play without human intervention. Using a simple infrastructure configuration, we demonstrate that effective security strategies can emerge from self-play. This shows that self-play, which has been applied in other domains with great success, can be effective in the context of network security. Inspection of the converged policies show that the emerged policies reflect common-sense knowledge and are similar to strategies of humans. Moreover, we address known challenges of reinforcement learning in this domain and present an approach that uses function approximation, an opponent pool, and an autoregressive policy representation. Through evaluations we show that our method is superior to two baseline methods but that policy convergence in self-play remains a challenge.

Machine Learning,Cryptography and Security,Networking and Internet Architecture

Rundong Yang,Kangfeng Zheng,Xiujuan Wang,Bin Wu,Chunhua Wu

DOI: https://doi.org/10.32604/csse.2023.038917

IF: 4.397

2023-01-01

Computer Systems Science and Engineering

Abstract:Social engineering attacks are considered one of the most hazardous cyberattacks in cybersecurity, as human vulnerabilities are often the weakest link in the entire network. Such vulnerabilities are becoming increasingly susceptible to network security risks. Addressing the social engineering attack defense problem has been the focus of many studies. However, two main challenges hinder its successful resolution. Firstly, the vulnerabilities in social engineering attacks are unique due to multistage attacks, leading to incorrect social engineering defense strategies. Secondly, social engineering attacks are real-time, and the defense strategy algorithms based on gaming or reinforcement learning are too complex to make rapid decisions. This paper proposes a multiattribute quantitative incentive method based on human vulnerability and an improved Q-learning (IQL) reinforcement learning method on human vulnerability attributes. The proposed algorithm aims to address the two main challenges in social engineering attack defense by using a multiattribute incentive method based on human vulnerability to determine the optimal defense strategy. Furthermore, the IQL reinforcement learning method facilitates rapid decision-making during real-time attacks. The experimental results demonstrate that the proposed algorithm outperforms the traditional Q-learning (QL) and deep Q-network (DQN) approaches in terms of time efficiency, taking 9.1% and 19.4% less time, respectively. Moreover, the proposed algorithm effectively addresses the non-uniformity of vulnerabilities in social engineering attacks and provides a reliable defense strategy based on human vulnerability attributes. This study contributes to advancing social engineering attack defense by introducing an effective and efficient method for addressing the vulnerabilities of human factors in the cybersecurity domain.

computer science, theory & methods, hardware & architecture

Sang Ho Oh,Jeongyoon Kim,Jae Hoon Nah,Jongyoul Park

DOI: https://doi.org/10.3390/electronics13030555

IF: 2.9

2024-01-31

Electronics

Abstract:In the current landscape where cybersecurity threats are escalating in complexity and frequency, traditional defense mechanisms like rule-based firewalls and signature-based detection are proving inadequate. The dynamism and sophistication of modern cyber-attacks necessitate advanced solutions that can evolve and adapt in real-time. Enter the field of deep reinforcement learning (DRL), a branch of artificial intelligence that has been effectively tackling complex decision-making problems across various domains, including cybersecurity. In this study, we advance the field by implementing a DRL framework to simulate cyber-attacks, drawing on authentic scenarios to enhance the realism and applicability of the simulations. By meticulously adapting DRL algorithms to the nuanced requirements of cybersecurity contexts—such as custom reward structures and actions, adversarial training, and dynamic environments—we provide a tailored approach that significantly improves upon traditional methods. Our research undertakes a thorough comparative analysis of three sophisticated DRL algorithms—deep Q-network (DQN), actor–critic, and proximal policy optimization (PPO)—against the traditional RL algorithm Q-learning, within a controlled simulation environment reflective of real-world cyber threats. The findings are striking: the actor–critic algorithm not only outperformed its counterparts with a success rate of 0.78 but also demonstrated superior efficiency, requiring the fewest iterations (171) to complete an episode and achieving the highest average reward of 4.8. In comparison, DQN, PPO, and Q-learning lagged slightly behind. These results underscore the critical impact of selecting the most fitting algorithm for cybersecurity simulations, as the right choice leads to more effective learning and defense strategies. The impressive performance of the actor–critic algorithm in this study marks a significant stride towards the development of adaptive, intelligent cybersecurity systems capable of countering the increasingly sophisticated landscape of cyber threats. Our study not only contributes a robust model for simulating cyber threats but also provides a scalable framework that can be adapted to various cybersecurity challenges.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaofan Zhou,Simon Yusuf Enoch,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.2207.05436

2022-07-12

Cryptography and Security

Abstract:It is challenging for a security analyst to detect or defend against cyber-attacks. Moreover, traditional defense deployment methods require the security analyst to manually enforce the defenses in the presence of uncertainties about the defense to deploy. As a result, it is essential to develop an automated and resilient defense deployment mechanism to thwart the new generation of attacks. In this paper, we propose a framework based on Markov Decision Process (MDP) and Q-learning to automatically generate optimal defense solutions for networked system states. The framework consists of four phases namely; the model initialization phase, model generation phase, Q-learning phase, and the conclusion phase. The proposed model collects real network information as inputs and then builds them into structural data. We implement a Q-learning process in the model to learn the quality of a defense action in a particular state. To investigate the feasibility of the proposed model, we perform simulation experiments and the result reveals that the model can reduce the risk of network systems from cyber attacks. Furthermore, the experiment shows that the model has shown a certain level of flexibility when different parameters are used for Q-learning.

Lei Zhang,Wei Bai,Wei Li,Shiming Xia,Qibin Zheng

DOI: https://doi.org/10.48550/arXiv.2104.07195

2021-04-15

Cryptography and Security

Abstract:In this work, we present a learning-based approach to analysis cyberspace security configuration. Unlike prior methods, our approach has the ability to learn from past experience and improve over time. In particular, as we train over a greater number of agents as attackers, our method becomes better at discovering hidden attack paths for previously methods, especially in multi-domain cyberspace. To achieve these results, we pose discovering attack paths as a Reinforcement Learning (RL) problem and train an agent to discover multi-domain cyberspace attack paths. To enable our RL policy to discover more hidden attack paths and shorter attack paths, we ground representation introduction an multi-domain action select module in RL. Our objective is to discover more hidden attack paths and shorter attack paths by our proposed method, to analysis the weakness of cyberspace security configuration. At last, we designed a simulated cyberspace experimental environment to verify our proposed method, the experimental results show that our method can discover more hidden multi-domain attack paths and shorter attack paths than existing baseline methods.

Junwei Xie

DOI: https://doi.org/10.1007/s44196-024-00492-x

IF: 2.259

2024-05-08

International Journal of Computational Intelligence Systems

Abstract:The intricacy of wireless network ecosystems and Internet of Things (IoT) connected devices have increased rapidly as technology advances and cyber threats increase. The existing methods cannot make sequential decisions in complex network environments, particularly in scenarios with partial observability and non-stationarity. Network awareness monitors and comprehends the network's assets, vulnerabilities, and ongoing activities in real-time. Advanced analytics, machine learning algorithms, and artificial intelligence are used to improve risk perception by analyzing massive amounts of information, identifying trends, and anticipating future security breaches. Hence, this study suggests the Deep Reinforcement Learning-assisted Network Awareness Risk Perception and Prevention Model (DRL-NARPP) for detecting malicious activity in cybersecurity. The proposed system begins with the concept of network awareness, which uses DRL algorithms to constantly monitor and evaluate the condition of the network in terms of factors like asset configurations, traffic patterns, and vulnerabilities. DRL provides autonomous learning and adaptation to changing network settings, revealing the ever-changing nature of network awareness risks in real time. Incorporating DRL into risk perception increases the system's capacity to recognize advanced attack methods while simultaneously decreasing the number of false positives and enhancing the reliability of risk assessments. DRL algorithms drive dynamic and context-aware response mechanisms, making up the adaptive network prevention component of the development. Predicting new threats and proactively deploying preventive measures, such as changing firewall rules, isolating compromised devices, or dynamically reallocating resources to reduce developing risks, is made possible by the system's ability to learn from historical data and prevailing network activity. The suggested DRL-NARPP model increases the anomaly detection rate by 98.3%, the attack prediction accuracy rate by 97.4%, and the network risk assessment ratio by 96.4%, reducing the false positive ratio by 11.2% compared to other popular methodologies.

computer science, artificial intelligence, interdisciplinary applications

Wanrong Yang,Alberto Acuto,Yihang Zhou,Dominik Wojtczak

2024-09-25

Abstract:Cyber-attacks are becoming increasingly sophisticated and frequent, highlighting the importance of network intrusion detection systems. This paper explores the potential and challenges of using deep reinforcement learning (DRL) in network intrusion detection. It begins by introducing key DRL concepts and frameworks, such as deep Q-networks and actor-critic algorithms, and reviews recent research utilizing DRL for intrusion detection. The study evaluates challenges related to model training efficiency, detection of minority and unknown class attacks, feature selection, and handling unbalanced datasets. The performance of DRL models is comprehensively analyzed, showing that while DRL holds promise, many recent technologies remain underexplored. Some DRL models achieve state-of-the-art results on public datasets, occasionally outperforming traditional deep learning methods. The paper concludes with recommendations for enhancing DRL deployment and testing in real-world network scenarios, with a focus on Internet of Things intrusion detection. It discusses recent DRL architectures and suggests future policy functions for DRL-based intrusion detection. Finally, the paper proposes integrating DRL with generative methods to further improve performance, addressing current gaps and supporting more robust and adaptive network intrusion detection systems.

Cryptography and Security,Artificial Intelligence