Modelling Cyber Security of Networks as a Reinforcement Learning Problem using Graphs : An Application of Reinforcement Learning to the Meta Attack Language

This is a Master's thesis from KTH/School of Electrical Engineering and Computer Science (EECS)

Abstract: ICT systems are part of the vital infrastructure in today’s society. These systems are under constant threat, and cyber security experts continually put effort into protecting them. By applying modern AI methods, these efforts can be both improved and relieved of the cost of expert work. This thesis examines whether a reinforcement learning (RL) algorithm can be applied to a cyber security model of ICT systems. The research question is how well an RL algorithm can optimise the resource cost of successful cyber attacks, as represented by a cyber security model. The modelling framework, called Meta Attack Language (MAL), is a meta language for attack graphs that details the individual steps to be taken in a cyber attack. Manuel Rickli’s earlier thesis presented a method for automatically generating attack graphs according to MAL, aimed at modelling industry-level computer networks. The method was used to generate different distributions of attack graphs that were used to train deep Q-learning (DQN) agents. The agents’ results were then compared with a random agent and a greedy method based on the A* search algorithm. The results show that DQN can select attack steps with higher performance than the uninformed choice of the random agent. However, DQN was unable to achieve higher performance than the A* method. This may be due to the simplicity of the attack graph generation or the fact that the A* method has access to the complete attack graph, amongst other factors. The thesis also raises questions about the general representation of MAL attack graphs as RL problems and how to apply RL algorithms to the RL problem. The source code of this thesis is available at: https://github.com/KTH-SSAS/sandor-berglund-thesis.
