CR · AI · LG · Feb 16, 2022

An Intrusion Response System utilizing Deep Q-Networks and System Partitions

arXiv:2202.08182v1 · 17 citations
Originality: Incremental advance
AI Analysis

This work addresses the challenge of efficient and adaptive intrusion response for cybersecurity systems, representing an incremental improvement over existing RL-based approaches.

The paper tackles the problem of selecting optimal countermeasures in Intrusion Response Systems (IRSs) by addressing the curse of dimensionality and non-stationary behavior in systems, resulting in a software prototype called irs-partition that uses system partitioning, Deep Q-Networks, and transfer learning.

Intrusion Response is a relatively new field of research. Recent approaches for the creation of Intrusion Response Systems (IRSs) use Reinforcement Learning (RL) as a primary technique for the optimal or near-optimal selection of the proper countermeasure to take in order to stop or mitigate an ongoing attack. However, most of them do not consider the fact that systems can change over time or, in other words, that systems exhibit a non-stationary behavior. Furthermore, stateful approaches, such as those based on RL, suffer the curse of dimensionality, due to a state space growing exponentially with the size of the protected system. In this paper, we introduce and develop an IRS software prototype, named irs-partition. It leverages the partitioning of the protected system and Deep Q-Networks to address the curse of dimensionality by supporting a multi-agent formulation. Furthermore, it exploits transfer learning to follow the evolution of non-stationary systems.

Code Implementations: 1 repo