KEYWORDS: Network security, Machine learning, Defense and security, Computer networks, Monte Carlo methods, Inspection, Data modeling, Windows, Transformers
In this work, we demonstrate the potential of dynamic reinforcement learning (RL) methods to revolutionize cybersecurity. The RL framework we develop is shown to be capable of shutting down an aggressive botnet, which initially uses spear phishing to establish itself in a Department of Defense (DoD) network. To ensure a suitable real-time response, we employ CP, a transformer model trained for network anomaly detection, to factorize the state space accessible to our RL agent. As the fidelity of our cyber scenario is of the utmost importance for meaningful RL training, we leverage the CyberVAN emulation environment to model an appropriate DoD enterprise network to attack and defend. Our work represents an important step towards harnessing the power of RL to automate general and fully-realistic Defensive Cyber Operations (DCOs).
In this work, we aim to develop novel cybersecurity playbooks by exploiting dynamic reinforcement learning (RL) methods to close holes in the attack surface left open by the traditional signature-based approach to Defensive Cyber Operations (DCO). A useful first proof of concept is provided by the problem of training a scanning-defense agent with RL; as a first line of defense, it is important to protect sensitive networks from network mapping tools. To address this challenge, we developed a hierarchical, Monte Carlo-based RL framework for training an autonomous agent that detects and reports the presence of Nmap scans in near real time, efficiently and with near-perfect accuracy. Our algorithm is powered by a reduction of the state space given by a transformer, CLAPBAC, an anomaly detection tool that applies natural language processing to cybersecurity in a manner consistent with the state of the art. In a realistic scenario emulated in CyberVAN, our approach generates optimized playbooks for effective defense against malicious insiders inappropriately probing sensitive networks.
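To make the architecture sketched above concrete, the following is an added toy illustration (not the authors' code, and not CLAPBAC or CyberVAN): a simple distinct-port heuristic stands in for the transformer and factorizes each traffic window into one of four anomaly buckets, and a tabular first-visit Monte Carlo control agent learns, from constructed scan and benign episodes, when to report a scan and when to keep watching. The connection records, port sets, reward values and window sizes are all constructed assumptions chosen for the illustration.

```python
"""Toy Monte Carlo control agent that learns when to raise a scan alert.

Added illustration, not the paper's code. A distinct-port heuristic stands
in for the CLAPBAC transformer: it reduces each window of connection records
to one of N_BUCKETS anomaly buckets, and a tabular first-visit Monte Carlo
agent learns an alert/wait policy over those buckets.
"""
import random
from collections import defaultdict

ACTIONS = (0, 1)        # 0 = keep watching, 1 = report a scan
N_BUCKETS = 4           # factorized state space seen by the agent
WINDOW = 20             # connection records per observation window
HORIZON = 6             # windows per training episode
BENIGN_PORTS = (22, 53, 80, 443, 445, 8080)   # constructed "normal" services


def make_window(rng, scanning, slow):
    """Constructed (src, dst_port) records for one window.

    Benign hosts reuse a handful of service ports; a scanner probes many
    distinct ports (all of the window for a fast scan, half for a slow one)."""
    pool = rng.sample(BENIGN_PORTS, rng.randint(1, len(BENIGN_PORTS)))
    ports = [rng.choice(pool) for _ in range(WINDOW)]
    if scanning:
        n_probe = WINDOW // 2 if slow else WINDOW
        ports[:n_probe] = rng.sample(range(1, 65536), n_probe)
    return [("10.0.0.5", p) for p in ports]   # constructed source address


def anomaly_bucket(window):
    """Stand-in for the transformer: fraction of distinct ports, quantized."""
    distinct = len({port for _, port in window})
    return min(N_BUCKETS - 1, int(distinct / len(window) * N_BUCKETS))


def greedy(q, state):
    # Ties resolve to "keep watching" because ACTIONS lists 0 first.
    return max(ACTIONS, key=lambda a: q[(state, a)])


def run_episode(rng, choose):
    """Play one episode with action selector `choose(state) -> action`.

    Returns the (state, action, reward) trajectory and whether a scan occurred.
    Rewards: correct alert +1 (ends episode), alert on benign traffic -1
    (ends episode), waiting while a scan is under way -0.2, waiting otherwise 0."""
    is_scan = rng.random() < 0.5
    onset = rng.randrange(0, HORIZON - 1) if is_scan else HORIZON
    slow = rng.random() < 0.5
    traj = []
    for t in range(HORIZON):
        scanning_now = t >= onset
        state = anomaly_bucket(make_window(rng, scanning_now, slow))
        action = choose(state)
        if action == 1:
            traj.append((state, 1, 1.0 if scanning_now else -1.0))
            break
        traj.append((state, 0, -0.2 if scanning_now else 0.0))
    return traj, is_scan


def train(n_episodes=3000, epsilon=0.2, seed=0):
    """First-visit Monte Carlo control with epsilon-greedy exploration.

    Returns the greedy policy as {bucket: action}."""
    rng = random.Random(seed)
    q = defaultdict(float)
    ret_sum, ret_count = defaultdict(float), defaultdict(int)

    def explore(state):
        return rng.choice(ACTIONS) if rng.random() < epsilon else greedy(q, state)

    for _ in range(n_episodes):
        traj, _ = run_episode(rng, explore)
        first = {}
        for i, (s, a, _) in enumerate(traj):
            first.setdefault((s, a), i)
        g = 0.0                                   # undiscounted return
        for i in range(len(traj) - 1, -1, -1):
            s, a, r = traj[i]
            g += r
            if first[(s, a)] == i:                # first-visit update
                ret_sum[(s, a)] += g
                ret_count[(s, a)] += 1
                q[(s, a)] = ret_sum[(s, a)] / ret_count[(s, a)]
    return {s: greedy(q, s) for s in range(N_BUCKETS)}


def evaluate(policy, n_episodes=400, seed=1):
    """Recall and false-alarm rate of a fixed policy on fresh constructed episodes."""
    rng = random.Random(seed)
    detected = scans = false_alarms = benign = 0
    for _ in range(n_episodes):
        traj, is_scan = run_episode(rng, lambda s: policy[s])
        _, last_action, last_reward = traj[-1]
        if is_scan:
            scans += 1
            detected += last_action == 1 and last_reward > 0
        else:
            benign += 1
            false_alarms += last_action == 1
    return {"recall": detected / max(1, scans),
            "false_alarm_rate": false_alarms / max(1, benign)}


if __name__ == "__main__":
    learned = train()
    print("policy (bucket -> action):", learned)
    print("held-out metrics:", evaluate(learned))
```

The point of the toy is the division of labour the abstract describes: the detector compresses raw traffic into a small factorized state, and the Monte Carlo agent only has to learn a policy over that state, trading alert latency (the small negative reward for waiting during a scan) against false alarms (the larger penalty for alerting on benign traffic). Replacing `anomaly_bucket` with scores from a real anomaly model changes nothing in the control loop.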