A Survey for Deep Reinforcement Learning Based Network Intrusion Detection

TL;DR

This survey reviews the application of deep reinforcement learning in network intrusion detection, highlighting recent advances, challenges, and future directions for deploying DRL in real-world cybersecurity scenarios.

Contribution

It provides a comprehensive overview of DRL techniques in intrusion detection, analyzes current challenges, and suggests future research directions including integration with generative methods.

Findings

Some DRL models achieve state-of-the-art results on public datasets.

DRL models sometimes outperform traditional deep learning methods.

Challenges include model training efficiency and detection of unknown attacks.

Abstract

Cyber-attacks are becoming increasingly sophisticated and frequent, highlighting the importance of network intrusion detection systems. This paper explores the potential and challenges of using deep reinforcement learning (DRL) in network intrusion detection. It begins by introducing key DRL concepts and frameworks, such as deep Q-networks and actor-critic algorithms, and reviews recent research utilizing DRL for intrusion detection. The study evaluates challenges related to model training efficiency, detection of minority and unknown class attacks, feature selection, and handling unbalanced datasets. The performance of DRL models is comprehensively analyzed, showing that while DRL holds promise, many recent technologies remain underexplored. Some DRL models achieve state-of-the-art results on public datasets, occasionally outperforming traditional deep learning methods. The paper concludes with recommendations for enhancing DRL deployment and testing in real-world network scenarios, with a focus on Internet of Things intrusion detection. It discusses recent DRL architectures and suggests future policy functions for DRL-based intrusion detection. Finally, the paper proposes integrating DRL with generative methods to further improve performance, addressing current gaps and supporting more robust and adaptive network intrusion detection systems.