Advancing LLM-Based Security Automation with Customized Group Relative Policy Optimization for Zero-Touch Networks

TL;DR

This paper introduces SecLoop, an automated security strategy framework using LLMs, and SA-GRPO, a policy optimization algorithm, to enhance security automation in dynamic 6G Zero-Touch Networks, demonstrated through extensive real-world experiments.

Contribution

It presents the first fully automated security strategy lifecycle framework and a novel policy optimization algorithm tailored for evolving threats in 6G ZTNs.

Findings

SecLoop effectively automates security strategy lifecycle management.

SA-GRPO improves security strategy adaptation through group feedback.

Experimental results show superiority over existing methods.

Abstract

Zero-Touch Networks (ZTNs) represent a transformative paradigm toward fully automated and intelligent network management, providing the scalability and adaptability required for the complexity of sixth-generation (6G) networks. However, the distributed architecture, high openness, and deep heterogeneity of 6G networks expand the attack surface and pose unprecedented security challenges. To address this, security automation aims to enable intelligent security management across dynamic and complex environments, serving as a key capability for securing 6G ZTNs. Despite its promise, implementing security automation in 6G ZTNs presents two primary challenges: 1) automating the lifecycle from security strategy generation to validation and update under real-world, parallel, and adversarial conditions, and 2) adapting security strategies to evolving threats and dynamic environments. This motivates us to propose SecLoop and SA-GRPO. SecLoop constitutes the first fully automated framework that integrates large language models (LLMs) across the entire lifecycle of security strategy generation, orchestration, response, and feedback, enabling intelligent and adaptive defenses in dynamic network environments, thus tackling the first challenge. Furthermore, we propose SA-GRPO, a novel security-aware group relative policy optimization algorithm that iteratively refines security strategies by contrasting group feedback collected from parallel SecLoop executions, thereby addressing the second challenge. Extensive real-world experiments on five benchmarks, including 11 MITRE ATT&CK processes and over 20 types of attacks, demonstrate the superiority of the proposed SecLoop and SA-GRPO. We will release our platform to the community, facilitating the advancement of security automation towards next generation communications.