Entity-based Reinforcement Learning for Autonomous Cyber Defence

TL;DR

This paper introduces an entity-based reinforcement learning approach using Transformers to improve the generalisation of autonomous cyber defence agents across diverse and changing network topologies, outperforming traditional MLP methods.

Contribution

The paper proposes a novel entity-based reinforcement learning framework with Transformer policies that enhances generalisation in autonomous cyber defence across varying network configurations.

Findings

Transformer-based policies outperform MLPs on diverse network topologies

The approach enables zero-shot generalisation to unseen network sizes

Significant improvement in policy robustness across dynamic environments

Abstract

A significant challenge for autonomous cyber defence is ensuring a defensive agent's ability to generalise across diverse network topologies and configurations. This capability is necessary for agents to remain effective when deployed in dynamically changing environments, such as an enterprise network where devices may frequently join and leave. Standard approaches to deep reinforcement learning, where policies are parameterised using a fixed-input multi-layer perceptron (MLP) expect fixed-size observation and action spaces. In autonomous cyber defence, this makes it hard to develop agents that generalise to environments with network topologies different from those trained on, as the number of nodes affects the natural size of the observation and action spaces. To overcome this limitation, we reframe the problem of autonomous network defence using entity-based reinforcement learning, where the observation and action space of an agent are decomposed into a collection of discrete entities. This framework enables the use of policy parameterisations specialised in compositional generalisation. We train a Transformer-based policy on the Yawning Titan cyber-security simulation environment and test its generalisation capabilities across various network topologies. We demonstrate that this approach significantly outperforms an MLP-based policy when training across fixed-size networks of varying topologies, and matches performance when training on a single network. We also demonstrate the potential for zero-shot generalisation to networks of a different size to those seen in training. These findings highlight the potential for entity-based reinforcement learning to advance the field of autonomous cyber defence by providing more generalisable policies capable of handling variations in real-world network environments.