Catch Me If You Can: Improving Adversaries in Cyber-Security With Q-Learning Algorithms
This work addresses automated attack detection for cybersecurity, but it is incremental as it applies existing Q-Learning methods to a specific domain.
The paper tackled the problem of improving cybersecurity defenses by training an attacking agent to exfiltrate data in a network with detection probabilities, using Q-Learning variants, and found that DoubleQ-Learning achieved a 70% success rate.
The ongoing rise in cyberattacks and the lack of skilled professionals in the cybersecurity domain to combat these attacks show the need for automated tools capable of detecting an attack with good performance. Attackers disguise their actions and launch attacks that consist of multiple actions, which are difficult to detect. Therefore, improving defensive tools requires their calibration against a well-trained attacker. In this work, we propose a model of an attacking agent and environment and evaluate its performance using basic Q-Learning, Naive Q-learning, and DoubleQ-Learning, all of which are variants of Q-Learning. The attacking agent is trained with the goal of exfiltrating data whereby all the hosts in the network have a non-zero detection probability. Results show that the DoubleQ-Learning agent has the best overall performance rate by successfully achieving the goal in $70\%$ of the interactions.