Modern network defense can benefit from the use of autonomous systems, offloading tedious and time-consuming work to agents with standard and learning-enabled components. These agents, operating on critical network infrastructure, need to be robust and trustworthy to ensure defense against adaptive cyber-attackers and, at the same time, provide explanations for their actions and network activity. However, learning-enabled components typically use models, such as deep neural networks, that are not transparent in their high-level decision-making, which leads to assurance challenges. Additionally, cyber-defense agents must reactively execute complex long-term defense tasks that involve the coordination of multiple interdependent subtasks. Behavior trees are known to be successful in creating interpretable, reactive, and modular agent models with learning-enabled components. In this paper, we develop an approach for autonomous cyber defense using behavior trees with learning-enabled components, which we refer to as Evolving Behavior Trees (EBTs). The proposed model architecture contains capabilities for adapting to various cyber-attacks and deploying security mechanisms. We develop a software architecture for evaluating EBT-based agents in computer network defense scenarios. Our results demonstrate that the EBT-based agent is robust to adaptive cyber-attacks and provides high-level explanations for interpreting its decisions and actions.
Hunter Bergstrom is a senior computer engineering undergraduate student at Vanderbilt University conducting research under his advisor Dr. Xenofon Koutsoukos. His research interests primarily lie in the design of efficient autonomous cyber-security agents.