Modelling Cyber Security of Networks as a Reinforcement Learning Problem using Graphs : An Application of Reinforcement Learning to the Meta Attack Language / Cybersäkerhet för datornätverk representerat som ett förstärkningsinlärningsproblem med grafer : Förstärkningsinlärning applicerat på Meta Attack Language

Berglund, Sandor

January 2022

ICT systems are part of the vital infrastructure in today’s society. These systems are under constant threat and efforts are continually being put forth by cyber security experts to protect them. By applying modern AI methods, can these efforts both be improved and alleviated of the cost of expert work. This thesis examines whether a reinforcement learning (RL) algorithm can be applied to a cyber security modelling of ICT systems. The research question answered is that of how well an RL algorithm can optimise the resource cost of successful cyber attacks, as represented by a cyber security model? The modelling, called Meta Attack Language (MAL), is a meta language for attack graphs that details the individual steps to be taken in a cyber attack. In the previous work of Manuel Rickli’s thesis, a method of automatically generating attack graphs according to MAL aimed at modelling industry-level computer networks, was presented. The method was used to generate different distributions of attack graphs that were used to train deep Q-learning (DQN) agents. The agents’ results were then compared with a random agent and a greedy method based on the A∗ search algorithm. The results show that attack step selection can be achieved with a higher performance than the uninformed choice of the random agent, by DQN. However, DQN was unable to achieve higher performance than the A∗ method. This may be due to the simplicity of the attack graph generation or the fact that the A∗ method has access to the complete attack graph, amongst other factors. The thesis also raises questions about general representation of MAL attack graphs as RL problems and how to apply RL algorithms to the RL problem. The source code of this thesis is available at: https://github.com/KTH-SSAS/sandor-berglund-thesis. / IT-system är i dagens samhälle en väsentlig del av infrastrukturen som är under konstant hot av olika personer och organisationer. IT-säkerhetsexperter lägger ner beständigt arbete på att hålla dessa system säkra och för att avvärja illvilliga auktioner mot IT-system. Moderna AI-metoder kan användas för att förbättra och lätta på kostnaden av expertarbetet inom området. Detta examensarbete avser att undersöka hur en förstärkningsinlärningsalgoritm kan appliceras på en cybersäkerhetsmodell. Det görs genom att besvara frågeställningen: Hur väl kan en förstärkningsinlärningsalgoritm optimera en cyberattack representerat av en cybersäkerhetsmodell? Meta Attack Language (MAL) är ett metaspråk för attackgrafer som beskriver varje steg i en cyberattack. I detta examensarbete användes Manuell Ricklis implementation av MAL samt attack grafs generation för att definiera ett förstärkningsinlärningsproblem. Förstärkningsinlärningsalgoritmen deep Q-learning (DQN) användes för att träna ett attention baserat neuronnät på olika fördelningar av attackgrafer och jämfördes med en slumpmässig agent och en girig metod baserad på sökalgoritmen A∗ . Resultaten visar att DQN kunde producera en agent som presterar bättre än den oinformerade slumpmässiga agenten. Agenten presterade däremot inte bättre än den giriga A∗ metoden, vilket kan bero på att A∗ har tillgång till den fulla attack grafen, bland andra bidragande faktorer. Arbetet som läggs fram här väcker frågor om hur MAL-attackgrafer representeras som förstärkningsinlärningsproblem och hur förstärkningsinlärningsalgoritmer appliceras där av. Källkoden till det här examensarbetet finns på: https://github.com/KTHSSAS/sandor-berglund-thesis.

Attack graphs

reinforcement learning

graph neural networks

Meta Attack Language

MAL

deepQ-learning (DQN)

Attackgrafer

förstärningsinlärning

artificiella neuronnät

grafneuronnät

djup Qinlärning

Meta Attack Language

MAL

Computer and Information Sciences

Data- och informationsvetenskap

Effects of Behavioral Decision-Making in Game-theoretic Frameworks for Security Resource Allocation in Networked Systems

Mustafa Abdallah (13150149)

26 July 2022

<p>Facing increasingly sophisticated attacks from external adversaries, interdependent systems owners have to judiciously allocate their (often limited) security budget in order to reduce their cyber risks. However, when modeling human decision-making, behavioral economics has shown that humans consistently deviate from classical models of decision-making. Most notably, prospect theory, for which Kahneman won the 2002 Nobel memorial prize in economics, argues that humans perceive gains, losses and probabilities in a skewed manner. While there is a rich literature on prospect theory in economics and psychology, most of the existing work studying the security of interdependent systems does not take into account the aforementioned biases.</p> <p><br></p> <p>In this thesis, we propose novel mathematical behavioral security game models for the study of human decision-making in interdependent systems modeled by directed attack graphs. We show that behavioral biases lead to suboptimal resource allocation patterns. We also analyze the outcomes of protecting multiple isolated assets with heterogeneous valuations via decision- and game-theoretic frameworks, including simultaneous and sequential games. We show that behavioral defenders over-invest in higher-valued assets compared to rational defenders. We then propose different learning-based techniques and adapt two different tax-based mechanisms for guiding behavioral decision-makers towards optimal security investment decisions. In particular, we show the outcomes of such learning and mechanisms on four realistic interdependent systems. In total, our research establishes rigorous frameworks to analyze the security of both large-scale interdependent systems and heterogeneous isolated assets managed by human decision makers, and provides new and important insights into security vulnerabilities that arise in such settings.  </p>

System and network security

Complex systems

game theory approach

behavioral decision-making

security Analysis

Attack Graphs

resource allocation.

prospect theory application Objectives