This thesis topic is no longer available

Reinforcement learning for autonomous incident response

Machine learning is increasingly applied to intrusion detection: a classifier is trained to separate malicious from benign activity, and an alert is raised when activity is classified as malicious. Because some of these alerts are false positives, each must be triaged by a security analyst in a SOC/CERT and responded to accordingly. This typically involves some analysis and forensics in order to identify a suitable response action.

Reinforcement learning (RL) is a subfield of machine learning in which an agent learns, through interaction with its environment, a mapping from situations (states) to actions that maximizes a cumulative reward. This project will address the use of RL for autonomous response to raised alerts. This is not a new field, and several authors have looked at the problem in the past (see e.g. [1,2]). One of the tasks will be to survey the state of the art of the subject in order to identify both possibilities and limitations. This will then be followed by practical experiments with RL; one option is to conduct simple (simulated) experiments with an attacker and an RL-based defender with a limited set of response actions (comparable to what has been done in [1]).
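The kind of simple simulated experiment described above, as an added example that is not part of the original topic description and not code from [1] or from FFI: a tabular Q-learning defender in a toy three-host network. The environment, the attacker's lateral-movement model, the detector's true/false-alert rates, the per-step costs and the action set (do nothing, or isolate and reimage one host) are all assumptions chosen for illustration. The defender only observes noisy alerts, not which hosts are actually compromised, which is the situation the paragraph on false alerts describes.

```python
"""Q-learning defender vs. a scripted attacker in a toy simulated network.

Added example (not from the thesis listing or its references). All rates,
costs and the network size below are assumptions chosen for illustration.
"""
import random
from collections import defaultdict

N_HOSTS = 3             # small enough for a tabular Q-table
P_SPREAD = 0.6          # attacker's chance of lateral movement per step (assumed)
P_TRUE_ALERT = 0.9      # detector true-positive rate per compromised host (assumed)
P_FALSE_ALERT = 0.1     # detector false-positive rate per clean host (assumed)
EPISODE_LEN = 10
COST_COMPROMISED = 1.0  # per compromised, reachable host per step
COST_ISOLATED = 0.5     # availability cost per isolated host per step
N_ACTIONS = N_HOSTS + 1 # 0 = do nothing, i = isolate and reimage host i-1


class ToyNetworkEnv:
    """Attacker starts with a foothold on host 0 and spreads to reachable hosts."""

    def __init__(self, rng):
        self.rng = rng

    def reset(self):
        self.compromised = [True] + [False] * (N_HOSTS - 1)
        self.isolated = [False] * N_HOSTS
        self.t = 0
        return self._observe()

    def _observe(self):
        # The defender sees per-host alert bits, not ground truth; isolated
        # hosts are offline and never alert.
        alerts = tuple(
            (self.rng.random() < (P_TRUE_ALERT if c else P_FALSE_ALERT)) and not iso
            for c, iso in zip(self.compromised, self.isolated))
        return alerts, tuple(self.isolated)

    def step(self, action):
        if action > 0:                     # isolate + reimage: host is clean but offline
            h = action - 1
            self.compromised[h] = False
            self.isolated[h] = True
        # Attacker move: from any reachable compromised host to a reachable clean host.
        sources = [i for i in range(N_HOSTS) if self.compromised[i] and not self.isolated[i]]
        targets = [i for i in range(N_HOSTS) if not self.compromised[i] and not self.isolated[i]]
        if sources and targets and self.rng.random() < P_SPREAD:
            self.compromised[self.rng.choice(targets)] = True
        reachable_compromised = sum(c and not i for c, i in zip(self.compromised, self.isolated))
        reward = -(COST_COMPROMISED * reachable_compromised + COST_ISOLATED * sum(self.isolated))
        self.t += 1
        return self._observe(), reward, self.t >= EPISODE_LEN


def train(env, rng, episodes=3000, alpha=0.1, gamma=0.9, epsilon=0.1):
    """Standard tabular Q-learning with epsilon-greedy exploration."""
    Q = defaultdict(lambda: [0.0] * N_ACTIONS)
    for _ in range(episodes):
        s, done = env.reset(), False
        while not done:
            if rng.random() < epsilon:
                a = rng.randrange(N_ACTIONS)
            else:
                a = max(range(N_ACTIONS), key=lambda x: Q[s][x])
            s2, r, done = env.step(a)
            target = r if done else r + gamma * max(Q[s2])
            Q[s][a] += alpha * (target - Q[s][a])
            s = s2
    return Q


def greedy(Q):
    return lambda s: max(range(N_ACTIONS), key=lambda a: Q[s][a])


def isolate_on_alert(s):
    """Hand-written baseline: isolate the first alerting host that is still online."""
    alerts, isolated = s
    for i, (alert, iso) in enumerate(zip(alerts, isolated)):
        if alert and not iso:
            return i + 1
    return 0


def evaluate(env, policy, episodes=500):
    """Average undiscounted return of a policy over fresh episodes."""
    total = 0.0
    for _ in range(episodes):
        s, done = env.reset(), False
        while not done:
            s, r, done = env.step(policy(s))
            total += r
    return total / episodes


def run(seed=0):
    rng = random.Random(seed)
    env = ToyNetworkEnv(rng)
    Q = train(env, rng)
    results = {
        "learned": evaluate(env, greedy(Q)),
        "do_nothing": evaluate(env, lambda s: 0),
        "isolate_on_alert": evaluate(env, isolate_on_alert),
    }
    return Q, results


if __name__ == "__main__":
    _, res = run()
    for name, ret in res.items():
        print(f"{name:18s} mean return {ret:7.2f}")
```

Doing nothing costs at least one unit per step (host 0 stays compromised), so its return is at most -10; a policy that promptly isolates the alerting foothold pays only the availability cost afterwards. Comparing the learned policy against the hand-written `isolate_on_alert` rule shows what RL buys here (it can learn, for instance, that an alert on host 0 in the first step is worth acting on while a lone alert later is more likely a false positive), and the gap between them is a useful sanity check before scaling the environment up.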

It is possible to cooperate with the Norwegian Defence Research Establishment (FFI) on this project, which may require a Norwegian security clearance.


[1] Ahmad Ridley, "Machine Learning for Autonomous Cyber Defense," The Next Wave, Issue 22, No. 1, 2018, pp. 7–14 (nsa.gov).

[2] Thanh Thi Nguyen and Vijay Janapa Reddi, "Deep Reinforcement Learning for Cyber Security," arXiv:1906.05799 (arxiv.org).

Published 20 Oct. 2021 09:20 - Last modified 20 Oct. 2022 07:17



  • Henrik Madsen

Scope (credits)