Using Deep Reinforcement Learning to Simulate Security Analyst

Abstract

The underlying principles of state-of-the-art intrusion detection systems (IDS) and the work of security analysts are strikingly different, despite their common goal of identifying intrusions, attacks, and infected computers. Specifically, a machine-learning-based IDS lacks the capability to selectively query different external sources of intelligence for different samples (computers), to learn from past observations and experiences, and to proactively search for new threats. There is prior art implementing subsets of the above, but we are not aware of any system implementing all of them in a single framework. We believe that the main difference between a typical IDS and a security analyst is the sequential nature of the analyst's work. In each step the analyst decides whether to query an external source of intelligence, investigate some aspect of the security incident more closely, consult another security expert, or abandon the investigation and move on to another sample. By contrast, an IDS treats all samples alike in the sense that it extracts all available features and provides a decision for every one of them. We propose to implement the IDS as an agent taught by a reinforcement learning (RL) algorithm, which would allow us to implement the decision process as a sequence of actions with various intermediate steps. Moreover, it enables continuous learning and active exploration of new samples, which are essential properties of RL. We plan to study such an agent on a small-scale problem to identify key issues and particularities of the security domain, and then verify the solution on large-scale data. We believe that this project has the potential to develop a new approach to IDS, and we even imagine human analysts being inspired by methods found by our algorithm.

Document Details

Document Type
DoD Grant Award
Publication Date
Sep 19, 2018
Source ID
FA95501817008

Entities

People

  • Tomas Pevny

Organizations

  • Air Force Office of Scientific Research
  • Czech Technical University in Prague
  • United States Air Force

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology
  • Neural Network Machine Learning

Technology Areas

  • AI & ML