Autonomous Attack Mitigation for Industrial Control Systems
John Mern, Kyle Hatch, Ryan Silva, Cameron Hickert, Tamim Sookoor, Mykel J. Kochenderfer

TL;DR
This paper introduces a deep reinforcement learning-based autonomous response system for industrial control networks, capable of effectively mitigating advanced cyber attacks with less disruption and greater robustness than traditional playbook methods.
Contribution
It presents a novel attention-based neural architecture and a simulation environment for training autonomous defenders in industrial control systems.
Findings
The learned agent effectively mitigates advanced attacks over several months.
It outperforms traditional playbook methods in simulation.
The approach is more robust to attacker behavior changes.
Abstract
Defending computer networks from cyber attack requires timely responses to alerts and threat intelligence. Decisions about how to respond involve coordinating actions across multiple nodes based on imperfect indicators of compromise while minimizing disruptions to network operations. Currently, playbooks are used to automate portions of a response process, but often leave complex decision-making to a human analyst. In this work, we present a deep reinforcement learning approach to autonomous response and recovery in large industrial control networks. We propose an attention-based neural architecture that is flexible to the size of the network under protection. To train and evaluate the autonomous defender agent, we present an industrial control network simulation environment suitable for reinforcement learning. Experiments show that the learned agent can effectively mitigate advanced…
Taxonomy
Topics: Smart Grid Security and Resilience · Network Security and Intrusion Detection · Information and Cyber Security
