CyGIL: A Cyber Gym for Training Autonomous Agents over Emulated Network Systems

TL;DR

CyGIL is a high-fidelity, flexible emulated environment designed for training autonomous cyber agents using reinforcement learning, integrating the MITRE ATT&CK framework to simulate realistic network threats.

Contribution

This work introduces CyGIL, a novel emulated RL training environment for cyber defense that balances fidelity and abstraction, enabling advanced agent training over complex network threats.

Findings

Supports training on diverse APT profiles

Integrates MITRE ATT&CK for realistic threat simulation

Balances fidelity and simplicity for effective RL training

Abstract

Given the success of reinforcement learning (RL) in various domains, it is promising to explore the application of its methods to the development of intelligent and autonomous cyber agents. Enabling this development requires a representative RL training environment. To that end, this work presents CyGIL: an experimental testbed of an emulated RL training environment for network cyber operations. CyGIL uses a stateless environment architecture and incorporates the MITRE ATT&CK framework to establish a high fidelity training environment, while presenting a sufficiently abstracted interface to enable RL training. Its comprehensive action space and flexible game design allow the agent training to focus on particular advanced persistent threat (APT) profiles, and to incorporate a broad range of potential threats and vulnerabilities. By striking a balance between fidelity and simplicity, it aims to leverage state of the art RL algorithms for application to real-world cyber defence.