Cybersecurity defenders need to adapt their techniques as technology advances and systems grow more complex. Machine learning and artificial intelligence are increasingly used in cybersecurity and have driven significant advances across several domains; ML algorithms, for example, have been integrated into email security gateways since the early 2010s.
Developing autonomous defense strategies and action recommendations for real-world scenarios is challenging. Defending cyber systems requires reasoning about the dynamic interaction between attackers and defenders, as well as uncertainty in the system state, and defenders typically operate under resource limits such as cost and time constraints. AI can help, but a system capable of fully proactive defense remains an aspirational goal.
To address this challenge, researchers from the Pacific Northwest National Laboratory (PNNL) have developed an AI system based on deep reinforcement learning (DRL) to respond to attackers in a simulated environment. This AI system can prevent 95% of cyberattacks from escalating. The researchers created a custom simulation environment to mimic a multi-stage conflict between attackers and defenders within a network. They trained four DRL neural networks to maximize rewards based on avoiding compromises and minimizing network disruption. The work was well received and was presented at a workshop of the Association for the Advancement of Artificial Intelligence (AAAI) annual meeting.
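The article does not give the paper's exact reward function, but a minimal sketch of the kind of reward shaping it describes (rewarding avoided compromises, penalizing network disruption) could look like the following. All names and weights below are illustrative assumptions, not values from the PNNL paper:

```python
# Hypothetical per-step reward for the defender agent. The terms follow the
# article's description (avoid compromises, reduce network disruption);
# the specific weights are illustrative, not taken from the PNNL paper.
def defender_reward(new_compromises: int,
                    services_disrupted: int,
                    attack_contained: bool) -> float:
    reward = 0.0
    reward -= 10.0 * new_compromises     # each newly compromised host is costly
    reward -= 1.0 * services_disrupted   # defensive actions that break services
    if attack_contained:
        reward += 50.0                   # bonus for halting the attack chain
    return reward
```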
The researchers’ primary goal was to demonstrate the possibility of training a DRL architecture in a meaningful way before exploring more complex structures. They first created an abstract simulation environment using the OpenAI Gym toolkit. Then, they developed attacker entities with varying skill and persistence levels based on a subset of tactics and techniques from the MITRE ATT&CK framework. The attackers’ objective is to progress through the stages of an attack chain, from initial access through exfiltration and impact.
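The paper's environment is not reproduced in the article, but a minimal OpenAI Gym-style sketch of such a multi-stage attack environment, with an attacker parameterized by skill and persistence, might look like this. The stage names, action set, and numeric rewards are assumptions for illustration:

```python
import random

import gym
from gym import spaces

# Illustrative stage names in the spirit of a MITRE ATT&CK-style kill chain;
# the actual stages, actions, and rewards in the PNNL paper may differ.
STAGES = ["initial_access", "execution", "persistence",
          "lateral_movement", "exfiltration", "impact"]

class CyberDefenseEnv(gym.Env):
    """Defender observes the attacker's current stage and responds."""

    def __init__(self, attacker_skill=0.6, attacker_persistence=0.3):
        super().__init__()
        self.attacker_skill = attacker_skill              # chance an attack step succeeds
        self.attacker_persistence = attacker_persistence  # chance to survive isolation
        self.action_space = spaces.Discrete(2)            # 0: monitor, 1: isolate
        # Observations: current stage index, plus one terminal "evicted" state.
        self.observation_space = spaces.Discrete(len(STAGES) + 1)
        self.stage = 0

    def reset(self):
        self.stage = 0  # assume initial access has already happened
        return self.stage

    def step(self, action):
        reward, done = -0.1, False        # small per-step monitoring cost
        if action == 1:
            reward -= 1.0                 # isolation disrupts legitimate service
            if random.random() > self.attacker_persistence:
                self.stage = len(STAGES)  # attacker evicted from the network
                return self.stage, reward + 5.0, True, {}
        if random.random() < self.attacker_skill:
            self.stage += 1               # attacker advances along the chain
            reward -= 2.0
            if self.stage == len(STAGES) - 1:
                reward -= 20.0            # attacker reached the impact stage
                done = True
        return self.stage, reward, done, {}
```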
It’s important to note that the researchers did not aim to build a model that blocks attacks before they occur. Instead, they assumed the system had already been compromised and focused on training the neural networks to respond. Deep reinforcement learning suits this setting because it can search the vast space of possible defensive actions efficiently and can approximate aspects of human decision-making.
The researchers demonstrated that AI systems can be trained in a simulated attack environment to react defensively to attacks in real time. They conducted rigorous experiments assessing four model-free DRL algorithms against multi-stage attack sequences. The results showed that DRL agents can be trained to defend against attackers of varying skill and persistence in simulated environments.
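The article does not name the four algorithms, so as a stand-in, here is a sketch of the experimental pattern it describes: training one model-free agent per attacker profile on the hypothetical CyberDefenseEnv above and measuring how often the learned policy contains the attack. Tabular Q-learning is used for brevity in place of the paper's deep RL agents, and all hyperparameters are illustrative:

```python
import random
from collections import defaultdict

def train_and_evaluate(skill, persistence, episodes=2000,
                       alpha=0.1, gamma=0.95, eps=0.1):
    """Train a Q-learning defender against one attacker profile, then
    report the fraction of greedy-policy episodes that evict the attacker.
    Hyperparameters are illustrative, not from the PNNL paper."""
    env = CyberDefenseEnv(attacker_skill=skill, attacker_persistence=persistence)
    n_actions = env.action_space.n
    q = defaultdict(lambda: [0.0] * n_actions)

    for _ in range(episodes):                      # epsilon-greedy training
        obs, done = env.reset(), False
        while not done:
            if random.random() < eps:
                a = env.action_space.sample()
            else:
                a = max(range(n_actions), key=lambda i: q[obs][i])
            nxt, r, done, _ = env.step(a)
            q[obs][a] += alpha * (r + gamma * max(q[nxt]) - q[obs][a])
            obs = nxt

    contained = 0                                  # greedy evaluation
    for _ in range(500):
        obs, done = env.reset(), False
        while not done:
            a = max(range(n_actions), key=lambda i: q[obs][i])
            obs, _, done, _ = env.step(a)
        contained += obs == len(STAGES)            # terminal "evicted" state
    return contained / 500

# Sweep attacker skill and persistence, echoing the varying-profile experiments.
for skill, persistence in [(0.4, 0.1), (0.6, 0.3), (0.8, 0.5)]:
    rate = train_and_evaluate(skill, persistence)
    print(f"skill={skill} persistence={persistence} containment={rate:.2f}")
```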
To learn more about this research, you can read the paper and the reference article. Credit for this research goes to the researchers on the project.