Intrusion Prevention Through Optimal Stopping
Published in: | IEEE eTransactions on network and service management 2022-09, Vol.19 (3), p.2333-2348 |
---|---|
Main Authors: | , |
Format: | Article |
Language: | English |
Subjects: | |
Summary: | We study automated intrusion prevention using reinforcement learning. Following a novel approach, we formulate the problem of intrusion prevention as an (optimal) multiple stopping problem. This formulation gives us insight into the structure of optimal policies, which we show to have threshold properties. For most practical cases, it is not feasible to obtain an optimal defender policy using dynamic programming. We therefore develop a reinforcement learning approach to approximate an optimal threshold policy. We introduce T-SPSA, an efficient reinforcement learning algorithm that learns threshold policies through stochastic approximation. We show that T-SPSA outperforms state-of-the-art algorithms for our use case. Our overall method for learning and validating policies includes two systems: a simulation system where defender policies are incrementally learned and an emulation system where statistics are produced that drive simulation runs and where learned policies are evaluated. We show that this approach can produce effective defender policies for a practical IT infrastructure. |
---|---|
ISSN: | 1932-4537 |
DOI: | 10.1109/TNSM.2022.3176781 |