Knowledge-Informed Auto-Penetration Testing Based on Reinforcement Learning with Reward Machine

TL;DR

This paper introduces DRLRM-PT, a reinforcement learning framework for automated penetration testing that incorporates domain knowledge via reward machines, improving training efficiency and effectiveness in lateral movement scenarios.

Contribution

The paper proposes a novel knowledge-informed AutoPT framework using reward machines to encode domain knowledge, enhancing RL training efficiency and interpretability in penetration testing.

Findings

DRLRM-PT outperforms knowledge-agnostic agents in training efficiency.

Detailed domain knowledge in RMs leads to better penetration testing performance.

The framework effectively guides RL in lateral movement scenarios using POMDPs.

Abstract

Automated penetration testing (AutoPT) based on reinforcement learning (RL) has proven its ability to improve the efficiency of vulnerability identification in information systems. However, RL-based PT encounters several challenges, including poor sampling efficiency, intricate reward specification, and limited interpretability. To address these issues, we propose a knowledge-informed AutoPT framework called DRLRM-PT, which leverages reward machines (RMs) to encode domain knowledge as guidelines for training a PT policy. In our study, we specifically focus on lateral movement as a PT case study and formulate it as a partially observable Markov decision process (POMDP) guided by RMs. We design two RMs based on the MITRE ATT\&CK knowledge base for lateral movement. To solve the POMDP and optimize the PT policy, we employ the deep Q-learning algorithm with RM (DQRM). The experimental results demonstrate that the DQRM agent exhibits higher training efficiency in PT compared to agents without knowledge embedding. Moreover, RMs encoding more detailed domain knowledge demonstrated better PT performance compared to RMs with simpler knowledge.