Autonomous and Adaptive Cyber Incident Detection and Response in Industrial Cyber-Physical Systems using Hierarchical Reinforcement Learning

Autonomous and Adaptive Cyber Incident Detection and Response in Industrial Cyber-Physical Systems using Hierarchical Reinforcement Learning

연구 분야: Safety

학회: ACM Transactions on Cyber-Physical Systems

Cyber-Physical Systems (CPS) are the backbone of many critical infrastructures. However, they have introduced an uncharted territory of security vulnerabilities and attack vectors, mainly due to the deeply integrated physical and cyber spaces. Moreover, in industrial CPS settings, network openness exposes the system to the outside world and renders it vulnerable to cyber threats. The security of industrial CPS significantly relies on the cyber incident detection and response systems which are fundamental to ensure the continuous and proper operation of cyber-physical processes. Among the key configuration parameters of these defense systems is the detection threshold. However, finding the optimal threshold that strikes the right balance between missed detection and false positive rates remains a challenging problem. In this paper, we propose a novel approach that leverages a Hierarchical Reinforcement Learning (HRL) architecture to autonomously detect the dynamic instability in an industrial CPS network and respond by adapting the cyber incident detection and response threshold range to minimize the effects of possible incidents. We developed and tested four HRL algorithmic variants, each offering potential avenues for optimization with its own strengths and limitations. Our agents dynamically select these ranges by assessing the expected risk and potential damage over time. In addition, the agent's selection process aims to minimize false positives and reduce the cost associated with changing the selected range. All four algorithmic adaptations show the effectiveness of HRL for designing adaptive cyber-physical defense compared to static approaches. Our experimental results indicate that our proposed technique is effective for building autonomous cyber incident detection systems in industrial CPS.