Fonte: “Reinforcement Learning Agents for Simulating Normal and Malicious Actions in Cyber Range Scenarios”, Paper, https://ceur-ws.org/Vol-3260/paper1.pdf
Abstract
Cyber-attacks and their consequences have become one of the primary sources of risk in recent years.
Cyber-attacks have the potential to cause physical damage both to infrastructures and to people. To prevent such risks, several methods have been proposed.
Cyber security knowledge required for cyber defense can be developed by active learning in a cyber range. Although this type of cyber learning is popular and used worldwide by numerous organizations and companies, typically such simulations lack the presence of users and their relative effects on the systems.
In particular, in a cyber environment where the only activities on the systems are those carried out by the Red Team, the assessment of maliciousactions on the systems will be a trivial activity for the Blue Team. Hence, the reality of the resulting simulation does not reflect a real working condition.
Users simulation is needed for providing more realistic scenarios for training sessions. Additionally, a cyber range that relies on the actions of simulated users introduces the possibility to simulate a Zero Trust (ZT) condition. In such scenarios, the simulated users act also as virtual attackers or use social engineering attacks (i.e., phishing) within the company network.
This work presents the development of a model whose purpose is to generate human-addressable actions
in the cyber range. Moreover, the agent leverages a Reinforcement Learning (RL) algorithm to simulate
the user-system interactions. Finally, the agent simulates both normal and malicious actions on the systems.
Introduction
The rapid technological advancements (e.g., Internet of Things (IoT), 5G) have become the main transformation source for several IT/OT domains (e.g., energy, health care, public transport) by increasing their productivity, value creation, and the social welfare.
Despite these flourishing perspectives, the insufficient knowledge jointly with the lack of security awareness provides a
fertile ground for several threat actors. Threat actors may carry out different types of attacks that can produce tangible damages. In fact, there are several organizations or companies that own or access to different cyber systems that can be exposed to several known and/or unknown attack vectors.
The majority of the cyber attacks have involved the categories of Transportation and Storage, Industrial Control System (ICS), Government, Healthcare and Entertainment. Furthermore, the proliferation of the IoT devices in industrial plants (e.g., power grids, gas, and water distribution systems) led to an increasing transformation of the traditional ICS. Not only, due to the migration of the control components from the electronic world to the software one, the resulting ICS components are exponentially increased in complexity. Consequently, this led to the sudden increase of the attack surface.
