Adaptive Cyber Defense Against Multi-Stage Attacks Using Learning-Based POMDP

• Published in: ACM transactions on privacy and security Vol. 24; no. 1; pp. 1 - 25
• Main Authors: Hu, Zhisheng, Zhu, Minghui, Liu, Peng
• Format: Journal Article
• Language: English
• Published: 28.02.2021
• ISSN: 2471-2566; 2471-2574
• DOI: 10.1145/3418897

Growing multi-stage attacks in computer networks impose significant security risks and necessitate the development of effective defense schemes that are able to autonomously respond to intrusions during vulnerability windows. However, the defender faces several real-world challenges, e.g., unknown likelihoods and unknown impacts of successful exploits. In this article, we leverage reinforcement learning to develop an innovative adaptive cyber defense to maximize the cost-effectiveness subject to the aforementioned challenges. In particular, we use Bayesian attack graphs to model the interactions between the attacker and networks. Then we formulate the defense problem of interest as a partially observable Markov decision process problem where the defender maintains belief states to estimate system states, leverages Thompson sampling to estimate transition probabilities, and utilizes reinforcement learning to choose optimal defense actions using measured utility values. The algorithm performance is verified via numerical simulations based on real-world attacks.