Research Team Status
Names of researchers and position
(e.g. Research Scientist, PostDoc, Student (Undergrad/Masters/PhD))David Garlan (PI)
Ehab Al-Shaer (co-PI)
Bradley Schmerl (co-PI) (Principal Systems Scientist)Any new collaborations with other universities/researchers?
No
Project Goals
- What is the current project goal?
- How does the current goal factor into the long-term goal of the project?
Accomplishments
The project is progressing well, with all milestones being met. Since its launch in January/February 2024, we have published two papers in well-reputed conferences and are currently preparing two additional papers for journal submission. Our research is now focused on developing self-adaptive cyber defense systems using Deep Reinforcement Learning (DRL). The objective is to enhance the reliability and scalability of DRL agents to effectively respond to dynamic attacks in large-scale networks, with DDoS serving as a case study. Our next step is to generalize this approach to other attack vectors, such as Exfiltration and Ransomware, by mapping responses to MITRE TTPs. Additionally, we plan to incorporate formal methods and verification techniques to ensure that the response process generates safe and provably correct playbooks.
The key innovations of this framework include (1) the VAE's adaptability as an anomaly detector that evolves with DRL actions, avoiding reliance on static rules or predefined thresholds and enhancing the robustness of the overall system adaptation; (2) the separation of traffic characterization (VAE) and decision-making (DRL), improving scalability by reducing the state space; and (3) real-time adaptability to evolving attackers’ strategies through dynamic collaboration between the VAE and DRL. Our evaluation experiments show that this framework accurately identifies malicious traffic flows, with a true positive rate of over 98\% and a false positive rate below 1%. Moreover, it efficiently learns the optimal mitigation strategy in under 20,000 episodes across most experimental settings.
Integrating actor-critic DRL with dual variational autoencoder learning allows DosSink agents to efficiently analyze traffic flow characteristics and scale the system to determine the most effective mitigation actions. In summary, our approach introduces several key innovations that empower the system to dynamically adapt to evolving attack patterns with high efficiency and accuracy.
- Independence from intrusion detection systems (IDS), which often lack the precision and dynamically adaptive thresholding required to handle evolving threats.
- Reduction in state complexity due to high traffic feature dimensionality}, allowing for efficient characterization of both benign and malicious traffic, while the DRL agent optimizes mitigation strategies without being overwhelmed by excessive data.
- Separation of traffic classification from mitigation actions}, which minimizes the state space for the DRL engine, enhancing scalability and responsiveness.
- Continuous adaptation and refinement of mitigation policies} through the dynamic interaction between the VAE and DRL, keeping the system ahead of rapidly evolving attacks.
Our approach delivers a fast, efficient, and robust defense against D-DDoS attacks by harnessing the combined capabilities of deep reinforcement learning and variational autoencoders.
Our novel dual layer adaptation approach offers new direction for adaptive systems particularly in cyber defense.
Publications and presentations
- Add publication reference in the publications section below. An authors copy or final should be added in the report file(s) section. This is for NSA's review only.
- Optionally, upload technical presentation slides that may go into greater detail. For NSA's review only.