We study automated intrusion response and formulate the interaction between an attacker and a defender on an IT infrastructure as a stochastic game where attack and defense strategies evolve through reinforcement learning and self-play. Direct application of reinforcement learning to any non-trivial instantiation of this game is impractical due to the exponential growth of the state and action spaces with the number of components in the infrastructure. We propose a decompositional approach to deal with this challenge and prove that under assumptions generally met in practice, the game decomposes into a) additive subgames on the workflow-level that can be optimized independently; and b) subgames on the component-level that satisfy the optimal substructure property. We further show that the optimal defender strategies on the component-level exhibit threshold structures. To solve the decomposed game we develop Decompositional Fictitious Self-Play (\dfsp), an efficient fictitious self-play algorithm that learns Nash equilibria through stochastic approximation. We show that \dfsp outperforms a state-of-the-art algorithm for our use case. To evaluate the learned strategies, we deploy them in a a virtual IT infrastructure in which we run real network intrusions and real response actions. From our experimental investigation we conclude that our approach can produce effective defender strategies for a practical IT infrastructure.
Learning Near-Optimal Intrusion Responses for IT Infrastructures via Decompos...Kim Hammar
We study automated intrusion response and formulate the interaction between an attacker and a defender on an IT infrastructure as a stochastic game where attack and defense strategies evolve through reinforcement learning and self-play. Direct application of reinforcement learning to any non-trivial instantiation of this game is impractical due to the exponential growth of the state and action spaces with the number of components in the infrastructure. We propose a decompositional approach to deal with this challenge and prove that under assumptions generally met in practice the game decomposes into a) additive subgames on the workflow-level that can be optimized independently; and b) subgames on the component-level that satisfy the optimal substructure property. We further show that the optimal defender strategies on the component-level exhibit threshold structures. To solve the decomposed game we develop Decompositional Fictitious Self-Play (\dfsp), an efficient fictitious self-play algorithm that learns Nash equilibria through stochastic approximation. We show that \dfsp outperforms a state-of-the-art algorithm for our use case. To evaluate the learned strategies, we deploy them in a a virtual IT infrastructure in which we run real network intrusions and real response actions. From our experimental investigation we conclude that our approach can produce effective defender strategies for a practical IT infrastructure.
—We present a novel emulation system for creating
high-fidelity digital twins of IT infrastructures. The digital twins
replicate key functionality of the corresponding infrastructures
and allow to play out security scenarios in a safe environment.
We show that this capability can be used to automate the process
of finding effective security policies for a target infrastructure. In
our approach, a digital twin of the target infrastructure is used
to run security scenarios and collect data. The collected data is
then used to instantiate simulations of Markov decision processes
and learn effective policies through reinforcement learning, whose
performances are validated in the digital twin. This closed-loop
learning process executes iteratively and provides continuously
evolving and improving security policies. We apply our approach
to an intrusion response scenario. Our results show that the
digital twin provides the necessary evaluative feedback to learn
near-optimal intrusion response policies.
Automated Intrusion Response - CDIS Spring Conference 2024Kim Hammar
Presentation at CDIS Spring Conference 2024.
The ubiquity and evolving nature of cyber attacks is of growing concern to industry and society. In response, the automation of security processes and functions is the focus of many current research efforts. In this talk we will present a framework for automated network intrusion response, in which we model the interaction between an attacker and a defender as a partially observed Markov game. Within this framework, reinforcement learning enables the controlled evolution of attack and defense strategies towards a Nash equilibrium through the process of self-play. To realize and experiment with the self-play process on a practical IT infrastructure, we have developed a software platform for creating digital twins, which provide two key functions for our framework: (i) a safe and realistic test environment; and (ii) a tool for evaluation that enables closed-loop learning of security strategies.
Learning Near-Optimal Intrusion Responses for IT Infrastructures via Decompos...Kim Hammar
We study automated intrusion response and formulate the interaction between an attacker and a defender on an IT infrastructure as a stochastic game where attack and defense strategies evolve through reinforcement learning and self-play. Direct application of reinforcement learning to any non-trivial instantiation of this game is impractical due to the exponential growth of the state and action spaces with the number of components in the infrastructure. We propose a decompositional approach to deal with this challenge and prove that under assumptions generally met in practice the game decomposes into a) additive subgames on the workflow-level that can be optimized independently; and b) subgames on the component-level that satisfy the optimal substructure property. We further show that the optimal defender strategies on the component-level exhibit threshold structures. To solve the decomposed game we develop Decompositional Fictitious Self-Play (\dfsp), an efficient fictitious self-play algorithm that learns Nash equilibria through stochastic approximation. We show that \dfsp outperforms a state-of-the-art algorithm for our use case. To evaluate the learned strategies, we deploy them in a a virtual IT infrastructure in which we run real network intrusions and real response actions. From our experimental investigation we conclude that our approach can produce effective defender strategies for a practical IT infrastructure.
—We present a novel emulation system for creating
high-fidelity digital twins of IT infrastructures. The digital twins
replicate key functionality of the corresponding infrastructures
and allow to play out security scenarios in a safe environment.
We show that this capability can be used to automate the process
of finding effective security policies for a target infrastructure. In
our approach, a digital twin of the target infrastructure is used
to run security scenarios and collect data. The collected data is
then used to instantiate simulations of Markov decision processes
and learn effective policies through reinforcement learning, whose
performances are validated in the digital twin. This closed-loop
learning process executes iteratively and provides continuously
evolving and improving security policies. We apply our approach
to an intrusion response scenario. Our results show that the
digital twin provides the necessary evaluative feedback to learn
near-optimal intrusion response policies.
Automated Intrusion Response - CDIS Spring Conference 2024Kim Hammar
Presentation at CDIS Spring Conference 2024.
The ubiquity and evolving nature of cyber attacks is of growing concern to industry and society. In response, the automation of security processes and functions is the focus of many current research efforts. In this talk we will present a framework for automated network intrusion response, in which we model the interaction between an attacker and a defender as a partially observed Markov game. Within this framework, reinforcement learning enables the controlled evolution of attack and defense strategies towards a Nash equilibrium through the process of self-play. To realize and experiment with the self-play process on a practical IT infrastructure, we have developed a software platform for creating digital twins, which provide two key functions for our framework: (i) a safe and realistic test environment; and (ii) a tool for evaluation that enables closed-loop learning of security strategies.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
A SIMULATION APPROACH TO PREDICATE THE RELIABILITY OF A PERVASIVE SOFTWARE SY...Osama M. Khaled
The pervasive computing domain is a very challenging one and requires a robust architectural model to facilitate the production of its systems. In this paper, we explain a case study using a simulation prototype to validate our baseline architecture of a reference architecture for the pervasive computing domain. The simulation prototype was very useful in predicting the reliability and availability of the system using the baseline architecture during runtime.
For more details, please request the full paper from this link
https://www.researchgate.net/publication/324824319_A_SIMULATION_APPROACH_TO_PREDICATE_THE_RELIABILITY_OF_A_PERVASIVE_SOFTWARE_SYSTEM
The paper can be cited as follows:
Osama M. Khaled, Hoda M. Hosny and Mohamed Shalan (2018). A Simulation Approach to Predict the Reliability of a Pervasive Software System. In The Fourth International Conference on Software Engineering (SOENG 2018). April 28-29 Copenhagen, Denmark
Architecture-centric Support for Integrating Security Tool in a Security Orch...Chadni Islam
Presentation of ECSA 2020 Conference
Security Operation Centers (SOC) leverage a number of tools to detect, thwart and deal with security attacks. One of the key challenges of SOC is to quickly integrate security tools and operational activities. To address this chal-lenge, an increasing number of organizations are using Security Orchestration, Automation and Response (SOAR) platforms, whose design needs suitable ar-chitectural support. This paper presents our work on architecture-centric support for designing a SOAR platform. Our approach consists of a conceptual map of SOAR platform and the key dimensions of an architecture design space. We have demonstrated the use of the approach in designing and implementing a Proof of Concept (PoC) SOAR platform for (i) automated integration of security tools and (ii) automated interpretation of activities to execute incident response processes. We also report a preliminary evaluation of the proposed architectural support for improving a SOAR’s design.
Smart surveillance systems play an important role in security today. The goal of security systems is to protect users against fires, car accidents, and
other forms of violence. The primary function of these systems is to offer security in residential areas. In today’s culture, protecting our homes is
critical. Surveillance, which ranges from private houses to large corporations, is critical in making us feel safe. There are numerous machine learning algorithms for home security systems; however, the deep learning convolutional neural network (CNN) technique outperforms the others. The
Keras, Tensorflow, Cv2, Glob, Imutils, and PIL libraries are used to train and assess the detection method. A web application is used to provide a
user-friendly environment. The flask web framework is used to construct it. The flash-mail, requests, and telegram application programming interface (API) apps are used in the alerting approach. The surveillance system tracks
abnormal activities and uses machine learning to determine if the scenario is normal or not based on the acquired image. After capturing the image, it is
compared with the existing dataset, and the model is trained using normal events. When there is an anomalous event, the model produces an output from which the mean distance for each frame is calculated.
The main aim of this project is to control the cyber crimes. Cyber security incidents will cause significant financial and reputation impacts. In order to detect malicious activities, the SIEM (Security Information and Event Management) system is built. If any pre-defined use case is triggered, SOC analysts will generate OTRS in real time. So that user will be aware of threats
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...Splunk
Presented at SplunkLive! Paris 2018:
- Challenges with Security Operations Today
- Overview of Splunk Adaptive Response Initiative
- Technology behind the Adaptive Response Framework
- Demonstrations
- How to build your own AR Action
- Resources
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
A SIMULATION APPROACH TO PREDICATE THE RELIABILITY OF A PERVASIVE SOFTWARE SY...Osama M. Khaled
The pervasive computing domain is a very challenging one and requires a robust architectural model to facilitate the production of its systems. In this paper, we explain a case study using a simulation prototype to validate our baseline architecture of a reference architecture for the pervasive computing domain. The simulation prototype was very useful in predicting the reliability and availability of the system using the baseline architecture during runtime.
For more details, please request the full paper from this link
https://www.researchgate.net/publication/324824319_A_SIMULATION_APPROACH_TO_PREDICATE_THE_RELIABILITY_OF_A_PERVASIVE_SOFTWARE_SYSTEM
The paper can be cited as follows:
Osama M. Khaled, Hoda M. Hosny and Mohamed Shalan (2018). A Simulation Approach to Predict the Reliability of a Pervasive Software System. In The Fourth International Conference on Software Engineering (SOENG 2018). April 28-29 Copenhagen, Denmark
Architecture-centric Support for Integrating Security Tool in a Security Orch...Chadni Islam
Presentation of ECSA 2020 Conference
Security Operation Centers (SOC) leverage a number of tools to detect, thwart and deal with security attacks. One of the key challenges of SOC is to quickly integrate security tools and operational activities. To address this chal-lenge, an increasing number of organizations are using Security Orchestration, Automation and Response (SOAR) platforms, whose design needs suitable ar-chitectural support. This paper presents our work on architecture-centric support for designing a SOAR platform. Our approach consists of a conceptual map of SOAR platform and the key dimensions of an architecture design space. We have demonstrated the use of the approach in designing and implementing a Proof of Concept (PoC) SOAR platform for (i) automated integration of security tools and (ii) automated interpretation of activities to execute incident response processes. We also report a preliminary evaluation of the proposed architectural support for improving a SOAR’s design.
Smart surveillance systems play an important role in security today. The goal of security systems is to protect users against fires, car accidents, and
other forms of violence. The primary function of these systems is to offer security in residential areas. In today’s culture, protecting our homes is
critical. Surveillance, which ranges from private houses to large corporations, is critical in making us feel safe. There are numerous machine learning algorithms for home security systems; however, the deep learning convolutional neural network (CNN) technique outperforms the others. The
Keras, Tensorflow, Cv2, Glob, Imutils, and PIL libraries are used to train and assess the detection method. A web application is used to provide a
user-friendly environment. The flask web framework is used to construct it. The flash-mail, requests, and telegram application programming interface (API) apps are used in the alerting approach. The surveillance system tracks
abnormal activities and uses machine learning to determine if the scenario is normal or not based on the acquired image. After capturing the image, it is
compared with the existing dataset, and the model is trained using normal events. When there is an anomalous event, the model produces an output from which the mean distance for each frame is calculated.
The main aim of this project is to control the cyber crimes. Cyber security incidents will cause significant financial and reputation impacts. In order to detect malicious activities, the SIEM (Security Information and Event Management) system is built. If any pre-defined use case is triggered, SOC analysts will generate OTRS in real time. So that user will be aware of threats
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...Splunk
Presented at SplunkLive! Paris 2018:
- Challenges with Security Operations Today
- Overview of Splunk Adaptive Response Initiative
- Technology behind the Adaptive Response Framework
- Demonstrations
- How to build your own AR Action
- Resources
Intrusion Tolerance for Networked Systems through Two-level Feedback ControlKim Hammar
We formulate intrusion tolerance for a system with service replicas as a two-level optimal control problem. On the local control level, node controllers perform intrusion recoveries and on the global control level, a system controller manages the replication factor.
Learning Optimal Intrusion Responses via DecompositionKim Hammar
We study automated intrusion response and formulate the interaction between an attacker and a defender on an IT infrastructure as a stochastic game where attack and defense strategies evolve through reinforcement learning and self-play. Direct application of reinforcement learning to any non-trivial instantiation of this game is impractical due to the exponential growth of the state and action spaces with the number of components in the infrastructure. We propose a decompositional approach to deal with this challenge and prove that under assumptions generally met in practice, the game decomposes into a) additive subgames on the workflow-level that can be optimized independently; and b) subgames on the component-level that satisfy the optimal substructure property. We further show that the optimal defender strategies on the component-level exhibit threshold structures. To solve the decomposed game we develop Decompositional Fictitious Self-Play (\dfsp), an efficient fictitious self-play algorithm that learns Nash equilibria through stochastic approximation. We show that \dfsp outperforms a state-of-the-art algorithm for our use case. To evaluate the learned strategies, we deploy them in a a virtual IT infrastructure in which we run real network intrusions and real response actions. From our experimental investigation we conclude that our approach can produce effective defender strategies for a practical IT infrastructure.
Learning Intrusion Prevention Policies through Optimal Stopping - CNSM2021Kim Hammar
We study automated intrusion prevention using reinforcement learning. In a novel approach, we formulate the problem of intrusion prevention as an optimal stopping problem. This formulation allows us insight into the structure of the optimal policies, which turn out to be threshold based. Since the computation of the optimal defender policy using dynamic programming is not feasible for practical cases, we approximate the optimal policy through reinforcement learning in a simulation environment. To define the dynamics of the simulation, we emulate the target infrastructure and collect measurements. Our evaluations show that the learned policies are close to optimal and that they indeed can be expressed using thresholds.
Learning Intrusion Prevention Policies Through Optimal StoppingKim Hammar
CDIS Research Workshop 2021 Balingsholm.
We study automated intrusion prevention using reinforcement learning. In a novel approach, we formulate the problem of intrusion prevention as an optimal multiple stopping problem. This formulation allows us insight into the structure of the optimal policies, which we show to be threshold based. Since the computation of the optimal defender policy using dynamic programming is not feasible for practical cases, we develop a reinforcement learning approach to approximate the optimal policy in a target infrastructure. The approach uses an emulation of the infrastructure to evaluate policies and to instantiate a simulation model which then is used to train policies through reinforcement learning. Our results show that the learned policies are close to optimal and that they indeed can be expressed using thresholds.
Learning Intrusion Prevention Policies Through Optimal StoppingKim Hammar
We study automated intrusion prevention using reinforcement learning. In a novel approach, we formulate the problem of intrusion prevention as an optimal multiple stopping problem. This formulation allows us insight into the structure of the optimal policies, which we show to be threshold based. Since the computation of the optimal defender policy using dynamic programming is not feasible for practical cases, we develop a reinforcement learning approach to approximate the optimal policy in a target infrastructure. The approach uses an emulation of the infrastructure to evaluate policies and to instantiate a simulation model which then is used to train policies through reinforcement learning. Our results show that the learned policies are close to optimal and that they indeed can be expressed using thresholds.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Learning Near-Optimal Intrusion Responses for IT Infrastructures via Decomposition
1. 1/54
Learning Optimal Intrusion Responses for
IT Infrastructures via Decomposition
Visit to Princeton University
Kim Hammar
kimham@kth.se
Division of Network and Systems Engineering
KTH Royal Institute of Technology
May 17, 2023
2. 2/54
Use Case: Intrusion Response
I A defender owns an infrastructure
I Consists of connected components
I Components run network services
I Defender defends the infrastructure
by monitoring and active defense
I Has partial observability
I An attacker seeks to intrude on the
infrastructure
I Has a partial view of the
infrastructure
I Wants to compromise specific
components
I Attacks by reconnaissance,
exploitation and pivoting
Attacker Clients
. . .
Defender
1 IPS
1
alerts
Gateway
7 8 9 10 11
6
5
4
3
2
12
13 14 15 16
17
18
19
21
23
20
22
24
25 26
27 28 29 30 31
3. 3/54
Automated Intrusion Response: Current Landscape
Levels of security automation
No automation.
Manual detection.
Manual prevention.
No alerts.
No automatic responses.
Lack of tools.
1980s 1990s 2000s-Now Research
Operator assistance.
Manual detection.
Manual prevention.
Audit logs.
Security tools.
Partial automation.
System has automated functions
for detection/prevention
but requires manual
updating and configuration.
Intrusion detection systems.
Intrusion prevention systems.
High automation.
System automatically
updates itself.
Automated attack detection.
Automated attack mitigation.
4. 4/54
Can we use decision theory and learning-based methods to
automatically find effective security strategies?1
π
Σ Σ
security
objective
feedback
control
input
target
system
security
indicators
disturbance
1
Kim Hammar and Rolf Stadler. “Finding Effective Security Strategies through Reinforcement Learning and
Self-Play”. In: International Conference on Network and Service Management (CNSM 2020). Izmir, Turkey, 2020,
Kim Hammar and Rolf Stadler. “Learning Intrusion Prevention Policies through Optimal Stopping”. In:
International Conference on Network and Service Management (CNSM 2021). Izmir, Turkey, 2021, Kim Hammar
and Rolf Stadler. “Intrusion Prevention Through Optimal Stopping”. In: IEEE Transactions on Network and
Service Management 19.3 (2022), pp. 2333–2348. doi: 10.1109/TNSM.2022.3176781, Kim Hammar and
Rolf Stadler. Learning Near-Optimal Intrusion Responses Against Dynamic Attackers. 2023. doi:
10.48550/ARXIV.2301.06085. url: https://arxiv.org/abs/2301.06085.
5. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
6. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
7. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
8. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
9. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
10. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
11. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
12. 5/54
Our Framework for Automated Network Security
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
13. 6/54
Creating a Digital Twin of the Target Infrastructure
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
14. 6/54
Theoretical Analysis and Learning of Defender Strategies
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
15. 7/54
Creating a Digital Twin of the Target Infrastructure
I An infrastructure is
defined by its
configuration.
I Set of configurations
supported by our
framework can be
seen as a
configuration space
I The configuration
space defines the
class of
infrastructures for
which we can create
digital twins.
Σ Configuration Space
σi
*
* *
172.18.4.0/24
172.18.19.0/24
172.18.61.0/24
Digital Twins
R1 R1 R1
16. 8/54
The Target Infrastructure
I 64 nodes. 24 ovs switches, 3
gateways. 6 honeypots. 8 application
servers. 4 administration servers. 15
compute servers.
I Topology shown to the right
I 11 vulnerabilities (cve-2010-0426,
cve-2015-3306, cve-2015-5602, etc.)
I 4 zones: dmz, r&d zone, admin
zone, quarantine zone
I 9 workflows
I Management: 1 sdn controller, 1
Kafka server, 1 elastic server.
r&d zone
App servers Honeynet
dmz
admin
zone
workflow
Gateway idps
quarantine
zone
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
17. 9/54
Emulating Physical Components
I We emulate physical components with
Docker containers
I Focus on linux-based systems
I The containers include everything
needed to emulate the host: a runtime
system, code, system tools, system
libraries, and configurations.
I Examples of containers: IDPS
container, client container, attacker
container, CVE-2015-1427 container,
Open vSwitch containers etc.
Containers
Physical server
Operating system
Docker engine
CSLE
18. 10/54
Emulating Network Connectivity
Management node 1
Emulated IT infrastructure
Management node 2
Emulated IT infrastructure
Management node n
Emulated IT infrastructure
VXLAN VXLAN . . . VXLAN
IP network
I We emulate network connectivity on the same host using
network namespaces.
I Connectivity across physical hosts is achieved using VXLAN
tunnels with Docker swarm.
19. 11/54
Emulating Network Conditions
I We do traffic shaping using
NetEm in the Linux kernel
I Emulate internal
connections are full-duplex
& loss-less with bit
capacities of 1000 Mbit/s
I Emulate external
connections are full-duplex
with bit capacities of 100
Mbit/s & 0.1% packet loss
in normal operation and
random bursts of 1% packet
loss
User space
. . .
Application processes
Kernel
TCP/UDP
IP/Ethernet/802.11
OS
TCP/IP
stack
Queueing
discipline
Device driver
queue (FIFO)
NIC
Netem config:
latency,
jitter, etc.
Sockets
20. 12/54
Emulating Actors
I We emulate client arrivals
with Poisson processes
I We emulate client
interactions with load
generators
I Attackers are emulated by
automated programs that
select actions from a
pre-defined set
I Defender actions are
emulated through a custom
gRPC API.
Markov Decision Process
s1,1 s1,2 s1,3 . . . s1,4
s2,1 s2,2 s2,3 . . . s2,4
Digital Twin
. . .
Virtual
network
Virtual
devices
Emulated
services
Emulated
actors
IT Infrastructure
Configuration
& change events
System traces
Verified security policy
Optimized security policy
21. 13/54
System Identification
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation &
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning &
Generalization
Strategy evaluation &
Model estimation
Automation &
Self-learning systems
22. 14/54
Outline
I Use Case & Digital Twin
I Use case: intrusion response
I Digital twin for data collection & evaluation
I System Model
I Discrete-time Markovian dynamical system
I Partially observed stochastic game
I System Decomposition
I Additive subgames on the workflow-level
I Optimal substructure on component-level
I Learning Near-Optimal Intrusion Responses
I Scalable learning through decomposition
I Digital twin for system identification & evaluation
I Efficient equilibrium approximation
I Conclusions & Future Work
23. 14/54
Outline
I Use Case & Digital Twin
I Use case: intrusion response
I Digital twin for data collection & evaluation
I System Model
I Discrete-time Markovian dynamical system
I Partially observed stochastic game
I System Decomposition
I Additive subgames on the workflow-level
I Optimal substructure on component-level
I Learning Near-Optimal Intrusion Responses
I Scalable learning through decomposition
I Digital twin for system identification & evaluation
I Efficient equilibrium approximation
I Conclusions & Future Work
24. 14/54
Outline
I Use Case & Digital Twin
I Use case: intrusion response
I Digital twin for data collection & evaluation
I System Model
I Discrete-time Markovian dynamical system
I Partially observed stochastic game
I System Decomposition
I Additive subgames on the workflow-level
I Optimal substructure on component-level
I Learning Near-Optimal Intrusion Responses
I Scalable learning through decomposition
I Digital twin for system identification & evaluation
I Efficient equilibrium approximation
I Conclusions & Future Work
25. 14/54
Outline
I Use Case & Digital Twin
I Use case: intrusion response
I Digital twin for data collection & evaluation
I System Model
I Discrete-time Markovian dynamical system
I Partially observed stochastic game
I System Decomposition
I Additive subgames on the workflow-level
I Optimal substructure on component-level
I Learning Near-Optimal Intrusion Responses
I Scalable learning through decomposition
I Digital twin for system identification & evaluation
I Efficient equilibrium approximation
I Conclusions & Future Work
26. 14/54
Outline
I Use Case & Digital Twin
I Use case: intrusion response
I Digital twin for data collection & evaluation
I System Model
I Discrete-time Markovian dynamical system
I Partially observed stochastic game
I System Decomposition
I Additive subgames on the workflow-level
I Optimal substructure on component-level
I Learning Near-Optimal Intrusion Responses
I Scalable learning through decomposition
I Digital twin for system identification & evaluation
I Efficient equilibrium approximation
I Conclusions & Future Work
27. 15/54
System Model
I G = h{gw} ∪ V, Ei: directed graph
representing the virtual infrastructure
I V: finite set of virtual components.
I E: finite set of component
dependencies.
I Z: finite set of zones.
r&d zone
App servers Honeynet
dmz
admin
zone
workflow
Gateway idps
quarantine
zone
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
28. 15/54
System Model
I G = h{gw} ∪ V, Ei: directed graph
representing the virtual infrastructure
I V: finite set of virtual components.
I E: finite set of component
dependencies.
I Z: finite set of zones.
r&d zone
App servers Honeynet
dmz
admin
zone
workflow
Gateway idps
quarantine
zone
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
29. 15/54
System Model
I G = h{gw} ∪ V, Ei: directed graph
representing the virtual infrastructure
I V: finite set of virtual components.
I E: finite set of component
dependencies.
I Z: finite set of zones.
r&d zone
App servers Honeynet
dmz
admin
zone
workflow
Gateway idps
quarantine
zone
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
30. 16/54
State Model
I Each i ∈ V has a state
vt,i = (v
(Z)
t,i
|{z}
D
, v
(I)
t,i , v
(R)
t,i
| {z }
A
)
I System state st = (vt,i )i∈V ∼ St.
I Markovian time-homogeneous
dynamics:
st+1 ∼ f (· | St, At)
At = (A
(A)
t , A
(D)
t ) are the actions.
s1 s2 s3
s4 s5 s4
.
.
.
.
.
.
.
.
.
31. 16/54
State Model
I Each i ∈ V has a state
vt,i = (v
(Z)
t,i
|{z}
D
, v
(I)
t,i , v
(R)
t,i
| {z }
A
)
I System state st = (vt,i )i∈V ∼ St.
I Markovian time-homogeneous
dynamics:
st+1 ∼ f (· | St, At)
At = (A
(A)
t , A
(D)
t ) are the actions.
s1 s2 s3
s4 s5 s4
.
.
.
.
.
.
.
.
.
32. 16/54
State Model
I Each i ∈ V has a state
vt,i = (v
(Z)
t,i
|{z}
D
, v
(I)
t,i , v
(R)
t,i
| {z }
A
)
I System state st = (vt,i )i∈V ∼ St.
I Markovian time-homogeneous
dynamics:
st+1 ∼ f (· | St, At)
At = (A
(A)
t , A
(D)
t ) are the actions.
s1 s2 s3
s4 s5 s4
.
.
.
.
.
.
.
.
.
34. 17/54
Workflow Model
I Services are connected into workflows W = {w1, . . . , w|W|}.
gw fw idps lb
http
servers
auth
server
search
engine
db
cache
Dependency graph of an example workflow representing a web
application; gw, fw, idps, lb, and db are acronyms for gateway,
firewall, intrusion detection and prevention system, load balancer, and
database, respectively.
35. 18/54
Workflow Model
I Services are connected into
workflows
W = {w1, . . . , w|W|}.
I Each w ∈ W is realized as a
directed acyclic subgraph (dag)
Gw = h{gw} ∪ Vw, Ewi of G
I W = {w1, . . . , w|W|} induces a
partitioning
V =
[
wi ∈W
Vwi such that i 6= j =⇒ Vwi ∩ Vwj = ∅
Zone a
Zone b Zone c
gw
1 2 3
4 5 6
7
A workflow dag
36. 18/54
Workflow Model
I Services are connected into
workflows
W = {w1, . . . , w|W|}.
I Each w ∈ W is realized as a
directed acyclic subgraph (dag)
Gw = h{gw} ∪ Vw, Ewi of G
I W = {w1, . . . , w|W|} induces a
partitioning
V =
[
wi ∈W
Vwi such that i 6= j =⇒ Vwi ∩ Vwj = ∅
Zone a
Zone b Zone c
gw
1 2 3
4 5 6
7
A workflow dag
37. 19/54
Client Model
Client population
. . .
Arrival rate λ Departure
Service time µ
. . .
.
.
.
.
.
.
.
.
.
w1 w2 w|W|
Workflows (Markov processes)
I Homogeneous client population
I Clients arrive according to Po(λ), Service times Exp(1
µ)
I Workflow selection: uniform
I Workflow interaction: Markov process
38. 20/54
Observation Model
I idpss inspect network traffic and
generate alert vectors:
ot ,
ot,1, . . . , ot,|V|
∈ N
|V|
0
ot,i is the number of alerts related to
node i ∈ V at time-step t.
I ot = (ot,1, . . . , ot,|V|) is a realization
of the random vector Ot with joint
distribution Z
idps
idps
idps
idps
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
39. 20/54
Observation Model
I idpss inspect network traffic and
generate alert vectors:
ot ,
ot,1, . . . , ot,|V|
∈ N
|V|
0
ot,i is the number of alerts related to
node i ∈ V at time-step t.
I ot = (ot,1, . . . , ot,|V|) is a realization
of the random vector Ot with joint
distribution Z
idps
idps
idps
idps
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
41. 22/54
Monitoring and Telemetry
Devices
Event bus
Security Policy
Storage Systems
Control actions
Data pipelines
Events
I Emulated devices run monitoring agents that periodically
push metrics to a Kafka event bus.
I The data in the event bus is consumed by data pipelines that
process the data and write to storage systems.
I The processed data is used by an automated security policy to
decide on control actions to execute in the digital twin.
42. 23/54
Feature Selection
I Our framework collects 100s of metrics every time-step.
I We focus on the IDPS alert metric as it provides the most
information for detecting the type of attacks we consider.
0 2500 5000 7500
Probability
Weighted idps alerts
DKL(ZO|0 k ZO|1) = 0.49
−100 0 100
New login attempts
DKL(ZO|0 k ZO|1) = 0.07
−500 0
# New processes
DKL(ZO|0 k ZO|1) = 0.01
−100 0 100
Probability
New tcp connections
DKL(ZO|0 k ZO|1) = 0.01
0 10 20 30
# Blocks written to disk
DKL(ZO|0 k ZO|1) = 0.12
0 20 40
# Blocks read from disk
DKL(ZO|0 k ZO|1) = 0.0
ZO|s=0 (no intrusion) ZO|s=1 (intrusion)
43. 24/54
Defender Model
I Defender action:
a
(D)
t ∈ {0, 1, 2, 3, 4}|V|
I 0 means do nothing. 1 − 4 correspond
to defensive actions (see fig)
I A defender strategy is a function
πD ∈ ΠD : HD → ∆(AD), where
h
(D)
t = (s
(D)
1 , a
(D)
1 , o1, . . . , a
(D)
t−1, s
(D)
t , ot) ∈ HD
I Objective: (i) maintain workflows; and
(ii) stop a possible intrusion:
J ,
T
X
t=1
γt−1
η
|W|
X
i=1
uW(wi , st)
| {z }
workflows utility
− (1 − η)
|V|
X
j=1
cI(st,j, at,j)
| {z }
intrusion and defense costs
!
dmz
rd
zone
admin
zone
Old path
New path
Honeypot App server
Defender
Revoke
certificates
Blacklist
IP
1) Server migration 2) Flow migration and blocking
3) Shut down server 4) Access control
44. 24/54
Defender Model
I Defender action:
a
(D)
t ∈ {0, 1, 2, 3, 4}|V|
I 0 means do nothing. 1 − 4 correspond
to defensive actions (see fig)
I A defender strategy is a function
πD ∈ ΠD : HD → ∆(AD), where
h
(D)
t = (s
(D)
1 , a
(D)
1 , o1, . . . , a
(D)
t−1, s
(D)
t , ot) ∈ HD
I Objective: (i) maintain workflows; and
(ii) stop a possible intrusion:
J ,
T
X
t=1
γt−1
η
|W|
X
i=1
uW(wi , st)
| {z }
workflows utility
− (1 − η)
|V|
X
j=1
cI(st,j, at,j)
| {z }
intrusion and defense costs
!
dmz
rd
zone
admin
zone
Old path
New path
Honeypot App server
Defender
Revoke
certificates
Blacklist
IP
1) Server migration 2) Flow migration and blocking
3) Shut down server 4) Access control
45. 24/54
Defender Model
I Defender action:
a
(D)
t ∈ {0, 1, 2, 3, 4}|V|
I 0 means do nothing. 1 − 4 correspond
to defensive actions (see fig)
I A defender strategy is a function
πD ∈ ΠD : HD → ∆(AD), where
h
(D)
t = (s
(D)
1 , a
(D)
1 , o1, . . . , a
(D)
t−1, s
(D)
t , ot) ∈ HD
I Objective: (i) maintain workflows; and
(ii) stop a possible intrusion:
J ,
T
X
t=1
γt−1
η
|W|
X
i=1
uW(wi , st)
| {z }
workflows utility
− (1 − η)
|V|
X
j=1
cI(st,j, at,j)
| {z }
intrusion and defense costs
!
dmz
rd
zone
admin
zone
Old path
New path
Honeypot App server
Defender
Revoke
certificates
Blacklist
IP
1) Server migration 2) Flow migration and blocking
3) Shut down server 4) Access control
46. 25/54
Attacker Model
I Attacker action: a
(A)
t ∈ {0, 1, 2, 3}|V|
I 0 means do nothing. 1 − 3 correspond
to attacks (see fig)
I An attacker strategy is a function
πA ∈ ΠA : HA → ∆(AA), where HA
is the space of all possible attacker
histories
h
(A)
t = (s
(A)
1 , a
(A)
1 , o1, . . . , a
(A)
t−1, s
(A)
t , ot) ∈ HA
I Objective: (i) disrupt workflows; and
(ii) compromise nodes:
− J
.
.
.
Attacker
login attempts
configure
Automated
system
Server
2) Brute-force
1) Reconnaissance
3) Code execution
Attacker Server
TCP SYN
TCP SYN ACK
port open
Attacker Service Server
malicious
request inject code
execution
47. 25/54
Attacker Model
I Attacker action: a
(A)
t ∈ {0, 1, 2, 3}|V|
I 0 means do nothing. 1 − 3 correspond
to attacks (see fig)
I An attacker strategy is a function
πA ∈ ΠA : HA → ∆(AA), where HA
is the space of all possible attacker
histories
h
(A)
t = (s
(A)
1 , a
(A)
1 , o1, . . . , a
(A)
t−1, s
(A)
t , ot) ∈ HA
I Objective: (i) disrupt workflows; and
(ii) compromise nodes:
− J
.
.
.
Attacker
login attempts
configure
Automated
system
Server
2) Brute-force
1) Reconnaissance
3) Code execution
Attacker Server
TCP SYN
TCP SYN ACK
port open
Attacker Service Server
malicious
request inject code
execution
48. 25/54
Attacker Model
I Attacker action: a
(A)
t ∈ {0, 1, 2, 3}|V|
I 0 means do nothing. 1 − 3 correspond
to attacks (see fig)
I An attacker strategy is a function
πA ∈ ΠA : HA → ∆(AA), where HA
is the space of all possible attacker
histories
h
(A)
t = (s
(A)
1 , a
(A)
1 , o1, . . . , a
(A)
t−1, s
(A)
t , ot) ∈ HA
I Objective: (i) disrupt workflows; and
(ii) compromise nodes:
− J
.
.
.
Attacker
login attempts
configure
Automated
system
Server
2) Brute-force
1) Reconnaissance
3) Code execution
Attacker Server
TCP SYN
TCP SYN ACK
port open
Attacker Service Server
malicious
request inject code
execution
49. 25/54
The Intrusion Response Problem
maximize
πD∈ΠD
minimize
πA∈ΠA
E(πD,πA) [J] (1a)
subject to s
(D)
t+1 ∼ fD · | A
(D)
t , A
(D)
t
∀t (1b)
s
(A)
t+1 ∼ fA · | S
(A)
t , At
∀t (1c)
ot+1 ∼ Z · | S
(D)
t+1, A
(A)
t ) ∀t (1d)
a
(A)
t ∼ πA · | H
(A)
t
, a
(A)
t ∈ AA(st) ∀t (1e)
a
(D)
t ∼ πD · | H
(D)
t
, a
(D)
t ∈ AD ∀t (1f)
where E(πD,πA) denotes the expectation of the random vectors
(St, Ot, At)t∈{1,...,T} under the strategy profile (πD, πA).
(1) can be formulated as a zero-sum Partially Observed Stochastic
Game with Public Observations (a PO-POSG):
Γ = hN, (Si )i∈N , (Ai )i∈N , (fi )i∈N , u, γ, (b
(i)
1 )i∈N , O, Zi
50. 26/54
Existence of a Solution
Theorem
Given the po-posg Γ (2), the following holds:
(A) Γ has a mixed Nash equilibrium and a value function
V ∗ : BD × BA → R that maps each possible initial pair of
belief states (b
(D)
1 , bA
1 ) to the expected utility of the defender
in the equilibrium.
(B) For each strategy pair (πA, πD) ∈ ΠA × ΠD, the best response
sets BD(πA) and BA(πD) are non-empty and correspond to
optimal strategies in two Partially Observed Markov Decision
Processes (pomdps): M (D) and M (A). Further, a pair of
pure best response strategies (π̃D, π̃A) ∈ BD(πA) × BA(πD)
and a pair of value functions (V ∗
D,πA
, V ∗
A,πD
) exist.
51. 27/54
The Curse of Dimensionality
I While (1) has a solution (i.e the game Γ has a value (Thm
1)), computing it is intractable since the state, action, and
observation spaces of the game grow exponentially with |V|.
1 2 3 4 5
104
105
2
105
|S|
|O|
|Ai |
|V|
Growth of |S|, |O|, and |Ai | in function of the number of nodes |V|
52. 28/54
The Curse of Dimensionality
I While (1) has a solution (i.e the game Γ has a value (Thm
1)), computing it is intractable since the state, action, and
observation spaces of the game grow exponentially with |V|.
1 2 3 4 5
104
105
2
105
|S|
|O|
|Ai |
|V|
Growth of |S|, |O|, and |Ai | in function of the number of nodes |V|
We tackle the scability challenge with decomposition
53. 29/54
Intuitively..
rd zone
App servers Honeynet
dmz
admin
zone
workflow
Gateway idps
quarantine
zone
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 65
The optimal
action here...
Does not directly
depend on the state or
action of a node
down here
54. 30/54
Intuitively..
rd zone
App servers Honeynet
dmz
admin
zone
workflow
Gateway idps
quarantine
zone
alerts
Defender
. . .
Attacker Clients
2
1
3 12
4
5
6
7
8
9
10
11
13
14
15
16
17
18
19
20
21
22 23
24
25
26
27
28
29
30 31
32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 65
The optimal
action here...
But they are
not completely
independent either.
How can we
exploit this
structure?
Does not directly
depend on the state
or action of a node
down here
55. 31/54
System Decomposition
To avoid explicitly enumerating the very large state, observation,
and action spaces of Γ, we exploit three structural properties.
1. Additive structure across workflows.
I The game decomposes into additive subgames on the
workflow-level, which means that the strategy for each
subgame can be optimized independently
2. Optimal substructure within a workflow.
I The subgame for each workflow decomposes into subgames on
the node-level that satisfy the optimal substructure property
3. Threshold properties of local defender strategies.
I The optimal node-level strategies for the defender exhibit
threshold structures, which means that they can be estimated
efficiently
56. 31/54
System Decomposition
To avoid explicitly enumerating the very large state, observation,
and action spaces of Γ, we exploit three structural properties.
1. Additive structure across workflows.
I The game decomposes into additive subgames on the
workflow-level, which means that the strategy for each
subgame can be optimized independently
2. Optimal substructure within a workflow.
I The subgame for each workflow decomposes into subgames on
the node-level that satisfy the optimal substructure property
3. Threshold properties of local defender strategies.
I The optimal node-level strategies for the defender exhibit
threshold structures, which means that they can be estimated
efficiently
57. 32/54
Additive Structure Across Workflows (Intuition)
“=”
I If there is no path between i and j in G, then i and j are
independent in the following sense:
I Compromising i has no affect on the state of j.
I Compromising i does not make it harder or easier to
compromise j.
I Compromising i does not affect the service provided by j.
I Defending i does not affect the state of j.
I Defending i does not affect the service provided by j.
58. 33/54
Additive Structure Across Workflows
Definition (Transition independence)
A set of nodes Q are transition independent iff the transition
probabilities factorize as
f (St+1 | St, At) =
Y
i∈Q
f (St+1,i | St,i , At,i )
Definition (Utility independence)
A set of nodes Q are utility independent iff there exists functions
u1, . . . , u|Q| such that the utility function u decomposes as
u(St, At) = f (u1(St,1, At,1), . . . , u1(St,|Q|, At,Q))
and
ui ≤ u0
i ⇐⇒ f (u1, . . . , ui , . . . , u|Q|) ≤ f (u1, . . . , u0
i , . . . , u|Q|)
59. 34/54
Additive Structure Across Workflows
Theorem (Additive structure across workflows)
(A) All nodes V in the game Γ are transition independent.
(B) If there is no path between i and j in the topology graph G,
then i and j are utility independent.
Corollary
Γ decomposes into |W| additive subproblems that can be solved
independently and in parallel.
π
(w1)
k
π
(w2)
k
π
(w|W|)
k
ot,w1
ot,w2
ot,w|W|
.
.
.
⊕
a
(k)
w1
a
(k)
w2
a
(k)
w|W|
a
(k)
t
60. 35/54
Additive Structure Across Workflows: Minimal Example
Zone 1 Zone 2
1
2
3
gw
w1
w2
V = {1, 2, 3},
E = {(1, 2)},
W = {w1, w2},
Z = {1, 2}
a) IT infrastructure b) Transition dependencies
St, At St+1, Ot+1
S
(D)
t+1,1
S
(D)
t,1
A
(D)
t,1 S
(A)
t+1,1
S
(A)
t,1
Ot,1
A
(A)
t,1
S
(D)
t+1,2
S
(D)
t,2
A
(D)
t,2 S
(A)
t+1,2
S
(A)
t,2
Ot,2
A
(A)
t,2
S
(D)
t+1,3
S
(D)
t,3
A
(D)
t,3 S
(A)
t+1,3
S
(A)
t,3
Ot,1
A
(A)
t,3
c) Utility dependencies
St, At Ut
S
(D)
t,1
A
(D)
t,1
Ut,1
S
(A)
t,1
S
(D)
t,2
A
(D)
t,2
Ut,2
S
(A)
t,2
S
(D)
t,3
A
(D)
t,3
Ut,3
S
(A)
t,3
61. 35/54
System Decomposition
To avoid explicitly enumerating the very large state, observation,
and action spaces of Γ, we exploit three structural properties.
1. Additive structure across workflows.
I The game decomposes into additive subgames on the
workflow-level, which means that the strategy for each
subgame can be optimized independently
2. Optimal substructure within a workflow.
I The subgame for each workflow decomposes into subgames on
the node-level that satisfy the optimal substructure property
3. Threshold properties of local defender strategies.
I The optimal node-level strategies for the defender exhibit
threshold structures, which means that they can be estimated
efficiently
62. 36/54
Optimal Substructure Within a Workflow
I Nodes in the same workflow are utility
dependent.
I =⇒ Locally-optimal strategies for
each node can not simply be added
together to obtain an optimal strategy
for the workflow.
I However, the locally-optimal strategies
satisfy the optimal substructure
property.
I =⇒ there exists an algorithm for
constructing an optimal workflow
strategy from locally-optimal
strategies for each node.
Zone 1 Zone 2
1
2
3
gw
w1
w2
V = {1, 2, 3},
E = {(1, 2)},
W = {w1, w2},
Z = {1, 2}
IT infrastructure
Utility dependencies
St, At Ut
S
(D)
t,1
A
(D)
t,1
Ut,1
S
(A)
t,1
S
(D)
t,2
A
(D)
t,2
Ut,2
S
(A)
t,2
S
(D)
t,3
A
(D)
t,3
Ut,3
S
(A)
t,3
63. 36/54
Optimal substructure within a workflow
I Nodes in the same workflow are utility
dependent.
I =⇒ Locally-optimal strategies for
each node can not simply be added
together to obtain an optimal strategy
for the workflow.
I However, the locally-optimal strategies
satisfy the optimal substructure
property.
I =⇒ there exists an algorithm for
constructing an optimal workflow
strategy from locally-optimal
strategies for each node.
Zone 1 Zone 2
1
2
3
gw
w1
w2
V = {1, 2, 3},
E = {(1, 2)},
W = {w1, w2},
Z = {1, 2}
IT infrastructure
Utility dependencies
St, At Ut
S
(D)
t,1
A
(D)
t,1
Ut,1
S
(A)
t,1
S
(D)
t,2
A
(D)
t,2
Ut,2
S
(A)
t,2
S
(D)
t,3
A
(D)
t,3
Ut,3
S
(A)
t,3
64. 37/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
Algorithm 1: Algorithm for combining local strate-
gies
1 Input: Γ: the game,
2 πk: a vector with local strategies
3 Output: (πD, πA): global game strategies
4 Algorithm composite-strategy(Γ, πk)
5 for player k ∈ N do
6 πk ←λ (s
(k)
t , b
(k)
t )
7 a
(k)
t = ()
8 for workflow w ∈ W do
9 for node
i ∈ topological-sort(Vw) do
10 a
(k,i)
t ← π
(i)
k (s
(k)
t , b
(k)
t )
11 if gw 6→
a
(k)
t
t i then
12 a
(k,i)
t ← ⊥
13 end
14 a
(k)
t = a
(k)
t ⊕ a
(k,i)
t
15 end
16 end
17 return a
(k)
t
18 end
19 return (πD, πA)
π
(1)
k
→1
ot,1 a
(k)
t,1 a
(k),0
t,1
π
(2)
k
→2
⊕
ot,2 a
(k)
t,2 a
(k),0
t,2
π
(3)
k
→3
⊕
ot,3 a
(k)
t,3 a
(k),0
t,3
.
.
.
π
(|Vw|)
k
→|Vw|
⊕
ot,|Vw|
a
(k)
t,|Vw| a
(k),0
t,|Vw|
⊕ a
(k)
w
65. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
(π
(i)
D )i∈Vw : local strategies in the same workflow w ∈ W
66. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
a
(D,1)
t ∼ π
(1)
D
Step 1; select action for node 1 according to its local strategy
Workflow action:
(a
(D,1)
t )
67. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
a
(D,2)
t ∼ π
(2)
D
Step 2; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
move to the next node in the topological ordering (i.e. 2);
select the action for the next node according to its local strategy.
Workflow action:
(a
(D,1)
t , a
(D,2)
t )
68. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
Step 3; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
move to the next node in the topological ordering (i.e. 3);
select the action for the next node according to its local strategy.
Workflow action:
(a
(D,1)
t , a
(D,2)
t )
69. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
a
(D,4)
t = 0
Step 3; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
move to the next node in the topological ordering (i.e. 3);
select the action for the next node according to its local strategy.
Workflow action:
(a
(D,1)
t , a
(D,2)
t , ·, 0)
70. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
a
(D,3)
t ∼ π
(3)
D
Step 3; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
move to the next node in the topological ordering (i.e. 3);
select the action for the next node according to its local strategy.
Workflow action:
(a
(D,1)
t , a
(D,2)
t , a
(D,3)
t , 0)
71. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
a
(D,5)
t ∼ π
(5)
D
Step 4; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
move to the next node in the topological ordering (i.e. 5);
select the action for the next node according to its local strategy.
Workflow action:
(a
(D,1)
t , a
(D,2)
t , a
(D,3)
t , 0, a
(D,5)
t )
72. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
Step 5; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
Workflow action:
(a
(D,1)
t , a
(D,2)
t , a
(D,3)
t , 0, a
(D,5)
t )
73. 38/54
Algorithm for Combining Locally-Optimal Node Strategies
into Optimal Workflow Strategies
π
(2)
D
π
(1)
D
π
(3)
D
π
(4)
D
π
(5)
D
π
(6)
D
a
(D,6)
t = 0
Step 5; update the topology based on the previous local action;
select action a = 0 for unreachable nodes;
Workflow action:
(a
(D,1)
t , a
(D,2)
t , a
(D,3)
t , 0, a
(D,5)
t , 0)
74. 39/54
Computational Benefits of Decomposition
I ∴ we can obtain an optimal (best response) strategy for the
full game Γ by combining the solutions to V simpler
subproblems that can be solved in parallel and have
significantly smaller state, observation, and action spaces.
0.5 1 1.5 2 2.5 3 3.5 4 4.5 5
101
102
103
104
105
log10 |S| log10 |O| log10 |Ak|
log10 |S(i)| log10 |O(i)| log10 |A
(i)
k |
|V|
4 oom
3 oom
2 oom
Space complexity comparison between the full game and the decomposed
game.
75. 40/54
System Decomposition
To avoid explicitly enumerating the very large state, observation,
and action spaces of Γ, we exploit three structural properties.
1. Additive structure across workflows.
I The game decomposes into additive subgames on the
workflow-level, which means that the strategy for each
subgame can be optimized independently
2. Optimal substructure within a workflow.
I The subgame for each workflow decomposes into subgames on
the node-level that satisfy the optimal substructure property
3. Threshold properties of local defender strategies.
I The optimal node-level strategies for the defender exhibit
threshold structures, which means that they can be estimated
efficiently
77. 42/54
Scalable learning through decomposition (Simulation)
0.00
0.25
0.50
0.75
1.00
avg
defender
utility
|V| = 2, |W| = 1 |V| = 4, |W| = 2 |V| = 8, |W| = 2 |V| = 16, |W| = 2
0 50 100 150
running time (min)
0.00
0.25
0.50
0.75
1.00
avg
attacker
utility
0 50 100 150
running time (min)
0 50 100 150
running time (min)
0 50 100 150
running time (min)
πdecomposition
D πworkflow
D πfull
D upper bound πdecomposition
A πworkflow
A πfull
A
Learning curves obtained during training of ppo to find best response
strategies against randomized opponents; red, purple, blue and brown
curves relate to decomposed strategies; the orange and green curves
relate to the non-decomposed strategies.
78. 43/54
Scalable learning through decomposition (Simulation)
1 2 3 4 5 6 7 8 9 10
2
4
6
8
10
linear
measured
# parallel processes n
|V| = 10
Speedup
S
n
Speedup of completion time when computing best response strategies for
the decomposed game with |V| = 10 nodes and different number of
parallel processes; the subproblems in the decomposition are split evenly
across the processes; let Tn denote the completion time when using n
processes, the speedup is then calculated as Sn = T1
Tn
; the error bars
indicate standard deviations from 3 measurements.
79. 44/54
Threshold Properties of Local Defender Strategies.
I The local problem of the defender can be decomposed in the
temporal domain as
max
πD
T
X
t=1
J = max
πD
τ1
X
t=1
J1 +
τ2
X
t=1
J2 + . . . (2)
where τ1, τ2, . . . are stopping times.
I =⇒ (1) selection of defensive actions is simplified; and (2)
the optimal stopping times are given by a threshold strategy
that can be estimated efficiently:
Belief space B
(j)
D
Switching curve
Υ
Continuation set
C
Stopping set
S
(1, 0, 0)
j healthy
(0, 1, 0)
j discovered
(0, 0, 1)
j compromised
80. 45/54
Threshold Properties of Local Defender Strategies.
Belief space B
(j)
D
Switching curve
Υ
Continuation set
C
Stopping set
S
(1, 0, 0)
j healthy
(0, 1, 0)
j discovered
(0, 0, 1)
j compromised
I A node can be in three attack states s
(A)
t : Healthy,
Discovered, Compromised.
I The defender has a belief state b
(D)
t
81. 46/54
Threshold Properties of Local Defender Strategies.
We estimate the optimal switching curves using a linear
approximation
πD(b(D)
) =
Stop if
h
0 1 θT
i
b(D)
−1
#
0
Continue otherwise
(3)
subject to θ ∈ R2
, θ2 0 and θ1 ≥ 1 (4)
(1, 0, 0)
j healthy
(0, 1, 0)
j discovered
(0, 0, 1)
j compromised
(1, 0, 0)
j healthy
(0, 1, 0)
j discovered
(0, 0, 1)
j compromised
(1, 0, 0)
j healthy
(0, 1, 0)
j discovered
(0, 0, 1)
j compromised
(a) (b) (c)
Examples of learned linear switching curves.
82. 47/54
Proof Sketch (Threshold Properties)
I Let L(e1, b̂) denote the line segment
that starts at the belief state
e1 = (1, 0, 0) and ends at b̂, where b̂ is
in the sub-simplex that joins e2 and e3.
I All beliefs on L(e1, b̂) are totally
ordered according to the Monotone
Likelihood Ratio (MLR) order. =⇒ a
threshold belief state αb̂ ∈ L(e1, b̂)
exists where the optimal strategy
switches from C to S.
I Since the entire belief space can be
covered by the union of lines L(e1, b̂),
the threshold belief states αb̂1
, αb̂2
, . . .
yield a switching curve Υ.
Belief space B
(j)
D
(the 2-dimensional unit simplex)
sub-simplex B
(j)
D,e1
joining e2 and e3
b̂5
b̂4
b̂3
b̂2
b̂1
b̂6
b̂7
b̂8
b̂9
L(e1, b̂5)
Switching curve
Υ
Threshold
belief state αb̂9
e1
(1, 0, 0)
e2
(0, 1, 0)
e3
(0, 0, 1)
84. 49/54
Decompositional Fictitious Play (DFSP) to Approximate
an Equilibrium
π̃2 ∈ B2(π1)
π2
π1
π̃1 ∈ B1(π2)
π̃0
2 ∈ B2(π0
1)
π0
2
π0
1
π̃0
1 ∈ B1(π0
2)
. . .
π∗
2 ∈ B2(π∗
1)
π∗
1 ∈ B1(π∗
2)
Fictitious play: iterative averaging of best responses.
I Learn best response strategies iteratively through the parallel
solving of subgames in the decomposition
I Average best responses to approximate the equilibrium
85. 50/54
Learning Equilibrium Strategies
0 20 40 60 80
running time (h)
0
2
4
6
8
Approximate exploitability
0 20 40 60 80
running time (h)
0.0
0.2
0.4
0.6
0.8
1.0
Defender utility per episode
0 20 40 60 80
running time (h)
2.5
5.0
7.5
10.0
12.5
Episode length
dfsp simulation dfsp digital twin upper bound ot,i 0 random defense
Learning curves obtained during training of dfsp to find optimal
(equilibrium) strategies in the intrusion response game; red and blue
curves relate to dfsp; black, orange and green curves relate to baselines.
86. 51/54
Evaluation in the Digital Twin
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Digital Twin
Target
Infrastructure
Model Creation
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation System
Reinforcement Learning
Generalization
Strategy evaluation
Model estimation
Automation
Self-learning systems
87. 51/54
Learning Equilibrium Strategies
0 20 40 60 80
running time (h)
0
2
4
6
8
Approximate exploitability
0 20 40 60 80
running time (h)
0.0
0.2
0.4
0.6
0.8
1.0
Defender utility per episode
0 20 40 60 80
running time (h)
2.5
5.0
7.5
10.0
12.5
Episode length
dfsp simulation dfsp digital twin upper bound ot,i 0 random defense
Learning curves obtained during training of dfsp to find optimal
(equilibrium) strategies in the intrusion response game; red and blue
curves relate to dfsp; black, orange and green curves relate to baselines.
88. 52/54
Learning Equilibrium Strategies (Comparison against
NFSP)
0 10 20 30 40 50 60 70 80
running time (h)
0.0
2.5
5.0
7.5
Approximate exploitability
dfsp nfsp
Learning curves obtained during training of dfsp and nfsp to find
optimal (equilibrium) strategies in the intrusion response game; the red
curve relate to dfsp and the purple curve relate to nfsp; all curves show
simulation results.
89. 53/54
Conclusions
I We develop a framework to
automatically learn security strategies.
I We apply the method to an intrusion
response use case.
I We design a novel decompositional
approach to find near-optimal
intrusion responses for large-scale IT
infrastructures.
I We show that the decomposition
reduces both the computational
complexity of finding effective
strategies, and the sample complexity
of learning a system model by several
orders of magnitude.
s1,1 s1,2 s1,3 . . . s1,n
s2,1 s2,2 s2,3 . . . s2,n
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Emulation
Target
System
Model Creation
System Identification
Strategy Mapping
π
Selective
Replication
Strategy
Implementation π
Simulation
Learning
90. 54/54
Current and Future Work
Time
st
st+1
st+2
st+3
. . .
rt+1
rt+2
rt+3
rrT
1. Extend use case
I Heterogeneous client population
I Extensive threat model of the attacker
2. Extend solution framework
I Model-predictive control
I Rollout-based techniques
I Extend system identification algorithm
3. Extend theoretical results
I Exploit symmetries and causal structure