CyberForce: A Federated Reinforcement Learning Framework for Malware Mitigation
Chao Feng, Alberto Huertas Celdran, Pedro Miguel Sanchez Sanchez, Jan Kreischer, Jan von der Assen, Gerome Bovet, Gregorio Martinez Perez, Burkhard Stiller

TL;DR
CyberForce is a federated reinforcement learning framework that enables IoT devices to collaboratively learn effective moving target defense strategies against zero-day malware attacks while preserving privacy and improving learning efficiency.
Contribution
It introduces a novel federated RL approach for IoT cybersecurity that enhances learning speed, robustness, and privacy compared to centralized methods.
Findings
CyberForce learns effective MTD techniques faster than centralized RL.
Knowledge transfer improves performance when devices face different attacks.
Aggregation algorithms increase robustness against malicious attacks.
Abstract
Recent research has shown that the integration of Reinforcement Learning (RL) with Moving Target Defense (MTD) can enhance cybersecurity in Internet-of-Things (IoT) devices. Nevertheless, the practicality of existing work is hindered by data privacy concerns associated with centralized data processing in RL, and the unsatisfactory time needed to learn the right MTD techniques that are effective against a rising number of heterogeneous zero-day attacks. Thus, this work presents CyberForce, a framework that combines Federated and Reinforcement Learning (FRL) to collaboratively and privately learn suitable MTD techniques for mitigating zero-day attacks. CyberForce integrates device fingerprinting and anomaly detection to reward or penalize MTD mechanisms chosen by an FRL-based agent. The framework has been deployed and evaluated in a scenario consisting of ten physical devices of a real IoT…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Smart Grid Security and Resilience
