An Intrusion Response System utilizing Deep Q-Networks and System Partitions

TL;DR

This paper presents irs-partition, an Intrusion Response System that uses Deep Q-Networks and system partitioning to handle non-stationary environments and mitigate the curse of dimensionality in intrusion response.

Contribution

The paper introduces a novel IRS prototype that combines system partitioning, Deep Q-Networks, and transfer learning to improve adaptability and scalability in dynamic security environments.

Findings

Effective handling of non-stationary system behavior.

Reduction of state space complexity through partitioning.

Enhanced adaptability using transfer learning.

Abstract

Intrusion Response is a relatively new field of research. Recent approaches for the creation of Intrusion Response Systems (IRSs) use Reinforcement Learning (RL) as a primary technique for the optimal or near-optimal selection of the proper countermeasure to take in order to stop or mitigate an ongoing attack. However, most of them do not consider the fact that systems can change over time or, in other words, that systems exhibit a non-stationary behavior. Furthermore, stateful approaches, such as those based on RL, suffer the curse of dimensionality, due to a state space growing exponentially with the size of the protected system. In this paper, we introduce and develop an IRS software prototype, named irs-partition. It leverages the partitioning of the protected system and Deep Q-Networks to address the curse of dimensionality by supporting a multi-agent formulation. Furthermore, it exploits transfer learning to follow the evolution of non-stationary systems.