Researchers at the Pacific Northwest National Laboratory, a part of the US Department of Energy, have achieved a significant milestone in the advancement of artificial intelligence for safeguarding computer networks. However, cybersecurity experts emphasize that AI agents are not yet poised to supplant human professionals in this field.
The research team conducted extensive experiments using deep reinforcement learning (DRL) in a rigorous simulation environment. The results were impressive, as DRL successfully thwarted adversaries from achieving their goals in up to 95% of cases, even when facing sophisticated cyberattacks. The remarkable success of DRL in this domain has sparked optimism regarding its potential application in proactive cyber defense.
This week, the researchers unveiled their discoveries at a cybersecurity-focused workshop on AI. The workshop took place during the annual meeting of the Association for the Advancement of Artificial Intelligence in Washington, D.C.
Deep learning is rapidly becoming a formidable tool for cybersecurity professionals. It equips them with a defensive agent that can swiftly adapt to evolving threats and autonomously make informed decisions. This approach revolutionizes cybersecurity by enabling the orchestration of sequential decision-making strategies in daily confrontations with adversaries, offering a more comprehensive defense mechanism.
While conventional AI methods are effective in detecting intrusions and filtering spam messages, deep reinforcement learning enhances defenders’ capabilities to proactively prevent cyberattacks. The researchers’ findings provide a glimpse into a future where AI could play an increasingly pivotal role in safeguarding computer networks.
Deep Reinforcement Learning (DRL) merges the power of reinforcement learning with the capabilities of deep learning. It excels in scenarios that demand a sequence of decisions within intricate environments. This algorithm reinforces favorable choices by rewarding them and discourages unfavorable outcomes through negative costs. By combining these techniques, DRL empowers intelligent systems to navigate complex scenarios and achieve desirable results.
This parallels how individuals acquire multiple skills. For instance, when a child completes their household tasks, they might receive positive reinforcement in the form of a desired playdate. Conversely, if a child neglects their responsibilities, they may face negative reinforcement, such as the confiscation of a digital device. DRL’s capacity to learn from experience and utilize past outcomes to inform decisions renders it an invaluable asset in intricate decision-making processes across diverse domains, including cybersecurity.
AI wins in rigorous testing
The research team developed a custom simulation environment, built on the open-source toolkit OpenAI Gym, to assess the strengths and weaknesses of four deep reinforcement learning algorithms. Within this environment, the team incorporated seven tactics and fifteen techniques employed by three adversaries. The attack stages encompassed reconnaissance, execution, persistence, defense evasion, command and control, collection, and exfiltration (the transfer of data out of the system). The adversary's objective was to reach the final exfiltration stage. By subjecting the AI-based defensive methods to this rigorous testing environment, the researchers gained invaluable insights to enhance cybersecurity.
The team used four deep reinforcement learning algorithms, DQN (Deep Q-Network) and three variations of the actor-critic approach, to train defensive agents. The agents were trained with simulated data about cyberattacks and then tested against attacks they had not encountered during training.
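The defender-versus-staged-adversary setup described above can be sketched in miniature. This is an added example, not PNNL's environment or code: tabular Q-learning stands in for DQN and actor-critic, and the two defender actions, the stop probabilities and the reward values are constructed assumptions.

```python
import random
# Constructed toy model: stage names follow the article; all numbers are assumptions.
STAGES = ["reconnaissance", "execution", "persistence", "defense evasion",
          "command and control", "collection", "exfiltration"]
ACTIONS = ["monitor", "contain"]
P_STOP = [0.1, 0.4, 0.4, 0.3, 0.5, 0.6]   # chance "contain" evicts the adversary per stage
CONTAIN_COST, STOP_REWARD, EXFIL_PENALTY = 1.0, 10.0, -10.0
FINAL = len(STAGES) - 1

def step(stage, action, rng):  # -> (next_stage, reward, outcome); outcome is None while running
    reward = 0.0
    if action == 1:                         # containment disrupts operations, so it has a cost
        reward -= CONTAIN_COST
        if rng.random() < P_STOP[stage]:
            return stage, reward + STOP_REWARD, "stopped"
    if stage + 1 == FINAL:                  # adversary reached its goal
        return FINAL, reward + EXFIL_PENALTY, "exfiltrated"
    return stage + 1, reward, None

def train(episodes=20000, seed=0):
    """Tabular Q-learning with uniformly random exploration and 1/n step sizes."""
    rng = random.Random(seed)
    q = [[0.0, 0.0] for _ in range(FINAL)]
    visits = [[0, 0] for _ in range(FINAL)]
    for _ in range(episodes):
        stage, outcome = 0, None
        while outcome is None:
            action = rng.randrange(2)
            nxt, reward, outcome = step(stage, action, rng)
            target = reward if outcome else reward + max(q[nxt])
            visits[stage][action] += 1
            q[stage][action] += (target - q[stage][action]) / visits[stage][action]
            stage = nxt
    return q

def greedy_policy(q):
    return [ACTIONS[row.index(max(row))] for row in q]

def stop_rate(policy, episodes=5000, seed=1):
    """Fraction of episodes in which the adversary is evicted before exfiltration."""
    rng, stopped = random.Random(seed), 0
    for _ in range(episodes):
        stage, outcome = 0, None
        while outcome is None:
            stage, _, outcome = step(stage, ACTIONS.index(policy[stage]), rng)
        stopped += outcome == "stopped"
    return stopped / episodes

if __name__ == "__main__":
    print(greedy_policy(train()), stop_rate(greedy_policy(train())))
```

Because containment has a cost and is unlikely to succeed during reconnaissance, the learned policy is a sequence of stage-dependent decisions rather than a single always-block rule, which is the property the article attributes to DRL.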
While there has been notable progress, placing complete trust in an AI system for cyber defense is still not a widely accepted notion. According to coauthor Arnab Bhattacharya, formerly of PNNL, it is instead imperative to establish a harmonious collaboration between a DRL-based cybersecurity system and human expertise.