Reinforced Autonomous Agents with Attack-Defense Exercises in Realistic Environments
Frédéric Guihery, Damien Crémilleux, AMOSSYS & SEKOIA
The current trend is towards automation inside the security operations center (SOC), in particular on the remediation side. However, before a remediation playbook is automated, its impact on the protected service must be qualified, so that the response does not itself cause a loss of availability. Here we propose an approach that automates the execution of attacker intrusion sets against an IT network in order to learn the best countermeasures to apply. It is based on an environment that automates both attack and defense and includes a learning capability. On the attack side, automation relies on simulating the modus operandi of threat actors as well as their attack infrastructures. On the defense side, the remediation action sequences best suited to protecting the information system (IS) are learned automatically. This article details the results obtained with the DALID platform, which lets the behavior of autonomous attackers and defenders be observed over repeated exercises so that the best remediation strategies for SOC teams are produced automatically. In the future, this platform aims to become an attack-defense gamification framework for evaluating the effectiveness of defensive computer warfare architectures.
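As an added illustration, not part of the paper and not DALID's code, the following Python sketch shows the kind of attack/defense exercise loop the abstract describes: a scripted attacker walks an intrusion set stage by stage, and a defender learns, over repeated exercises, which remediation to apply at each stage. The learning method (tabular Q-learning with exploring starts), the stages, the remediation actions and their availability costs and damage values are all assumptions made for this example; the abstract does not state which algorithm DALID uses. The point to notice is the reward: it adds the damage the attacker manages to inflict to the availability cost of the playbook that was applied, which is how the qualification of remediation impact enters the learning, so the learned playbook prefers the cheapest action that actually stops the current stage rather than a blanket segment shutdown.

```python
"""Minimal attack/defense exercise loop (constructed example, not DALID).

A scripted attacker executes an intrusion set stage by stage; a defender
learns by tabular Q-learning which remediation to apply at each stage so
that the intrusion is contained at the lowest availability cost.
"""
import random

# Attacker intrusion set (constructed): stages executed in order.
STAGES = ["initial_access", "privilege_escalation", "lateral_movement", "exfiltration"]

# Damage inflicted when a stage is executed without being contained
# (constructed values; completing the last stage is terminal and costly).
DAMAGE = {"initial_access": 1, "privilege_escalation": 2,
          "lateral_movement": 5, "exfiltration": 20}

# Defender remediation playbooks (constructed): the stages each one stops,
# and its impact on service availability, i.e. the cost the SOC wants low.
ACTIONS = {
    "observe":          (set(), 0),
    "reset_password":   ({"initial_access"}, 1),
    "block_egress":     ({"exfiltration"}, 2),
    "isolate_host":     ({"initial_access", "privilege_escalation", "lateral_movement"}, 4),
    "shutdown_segment": (set(STAGES), 10),
}


def step(stage_idx, action):
    """Apply one remediation at the attacker's current stage.

    Returns (next stage index, or None if the exercise ended; reward).
    Reward is negative: availability cost plus any damage the attacker
    inflicted before being stopped.
    """
    stage = STAGES[stage_idx]
    stops, cost = ACTIONS[action]
    if stage in stops:
        return None, -cost                      # contained, no damage
    reward = -cost - DAMAGE[stage]              # attacker executes the stage
    if stage_idx + 1 == len(STAGES):
        return None, reward                     # intrusion completed
    return stage_idx + 1, reward


def train(episodes=4000, alpha=0.2, gamma=1.0, epsilon=0.3, seed=0):
    """Tabular Q-learning over repeated exercises.

    Each exercise starts at a random stage (models a detection that may
    occur anywhere along the intrusion set) so every state gets visited.
    """
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in ACTIONS} for s in range(len(STAGES))}
    for _ in range(episodes):
        s = rng.randrange(len(STAGES))
        while s is not None:
            if rng.random() < epsilon:              # explore a random playbook
                a = rng.choice(list(ACTIONS))
            else:                                   # exploit the best-valued one
                a = max(q[s], key=q[s].get)
            s_next, r = step(s, a)
            target = r if s_next is None else r + gamma * max(q[s_next].values())
            q[s][a] += alpha * (target - q[s][a])
            s = s_next
    return q


def policy(q):
    """Greedy remediation playbook: best-valued action for each stage."""
    return {STAGES[s]: max(q[s], key=q[s].get) for s in q}


def run_exercise(playbook, start="initial_access"):
    """Replay a deterministic exercise with a fixed playbook.

    Returns (total reward, stage at which the attacker was stopped, or
    None if the intrusion ran to completion).
    """
    s, total = STAGES.index(start), 0
    while True:
        stage = STAGES[s]
        s_next, r = step(s, playbook[stage])
        total += r
        if s_next is None:
            contained = stage in ACTIONS[playbook[stage]][0]
            return total, (stage if contained else None)
        s = s_next


if __name__ == "__main__":
    learned = policy(train())
    for stage, action in learned.items():
        print(f"{stage:>20}: {action}")
    print("exercise from initial_access:", run_exercise(learned))
```

With these constructed costs the learned playbook is a password reset at initial access, host isolation for privilege escalation and lateral movement, and an egress block at exfiltration; a segment shutdown is never chosen because its availability cost exceeds the damage it prevents. Raising the availability cost of one action, or the damage of one stage, changes the learned sequence, which is the effect a SOC would want to observe before automating a playbook.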