
Network and Device Level Cyber Deception for Contested Environments Using RL and LLMs

Abhijeet Sahu, Shuva Paul, Richard Macwan

Abstract

Cyber deception assists in increasing the attacker's budget in reconnaissance or any early phases of threat intrusions. In the past, numerous methods of cyber deception have been adopted, such as IP address randomization, the creation of honeypots and honeynets mimicking an actual set of services, and networks deployed within an enterprise or operational technology (OT) network. These types of strategies follow naive approaches of recreating services that are expensive and that need a lot of human intervention. The advent of cloud services and other automations of containerized applications, such as Kubernetes, makes cyber defense easier. Yet, there remains a lot of potential to improve the accuracy of these deception strategies and to make them cost-effective using artificial intelligence (AI)-based solutions by making the deception more dynamic. Hence, in this work, we review various AI-based solutions in building network- and device-level cyber deception methods in contested environments. Specifically, we focus on leveraging the fusion of large language models (LLMs) and reinforcement learning (RL) in optimally learning these cyber deception strategies and validating the efficacy of such strategies in some stealthy attacks against OT systems in the literature.


This paper contains 40 sections, 11 equations, 5 figures, 7 tables, 1 algorithm.

Figures (5)

  • Figure 1: Proposed LLM-assisted RL agent for cyber deception
  • Figure 2: Snapshot of the personality file defining the deceptive agent's roles and responsibilities
  • Figure 3: Response from the honeypot
  • Figure 4: More realistic response from the honeypot after multiple updates of the personality file
  • Figure 5: Cyber network topology of the contested environment shown in Phenix, an orchestration tool with a GUI for the Minimega virtualization