Microsoft open-sources tool to use AI in simulated attacks

Posted on: Apr 10 - 2021

As part of Microsoft’s research into ways to use machine learning and AI to improve security defenses, the company has released an open source attack toolkit to let researchers create simulated network environments and see how they fare against attacks.

Microsoft 365 Defender Research released CyberBattleSim, which creates a network simulation and models how threat actors can move laterally through the network looking for weak points. When building the attack simulation, enterprise defenders and researchers create various nodes on the network and indicate which services are running, which vulnerabilities are present, and what type of security controls are in place. Automated agents, representing threat actors, are deployed in the attack simulation to randomly execute actions as they try to take over the nodes.

“The simulated attacker’s goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities. While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack,” the Microsoft 365 Defender Research Team wrote in a post discussing the project.

Using reinforcement learning for security

Microsoft has been exploring how machine learning algorithms such as reinforcement learning can be used to improve information security. Reinforcement learning is a type of machine learning in which autonomous agents learn how to make decisions based on what happens while interacting with the environment. The agent’s goal is to optimize the reward, and agents gradually make better decisions (to get a bigger reward) through repeated attempts.

The most common example is playing a video game. The agent (player) gets better at playing the game after repeated tries by remembering the actions that worked in previous rounds.

In a security scenario, there are two types of autonomous agents: the attackers trying to steal information out of the network and defenders trying to block the attack or mitigate its effects. The agents’ actions are the commands that attackers can execute on the computers and the steps defenders can perform in the network. Using the language of reinforcement learning, the attacking agent’s goal is to maximize the reward of a successful attack by discovering and taking over more systems on the network and finding more things to steal. The agent has to execute a series of actions to gradually explore the networks but do so without setting off any of the security defenses that may be in place.
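
The reward framing above can be shown with a small tabular Q-learning loop. This is an added example, not code from the article or from CyberBattleSim; the four-node network, the node names, the reward values and the "honeypot" monitored node are all constructed assumptions. It shows how a penalty for touching a monitored node shapes the path the simulated agent learns.

```python
import random

# Constructed toy network (assumption): each node lists the nodes reachable from it.
NETWORK = {
    "workstation": ["web", "jumpbox"],
    "web": ["honeypot", "app"],
    "jumpbox": ["app"],
    "app": ["db", "honeypot"],
}
# Constructed rewards: reaching the data store pays off, touching the
# monitored node means detection. Every other move costs one step.
REWARD = {"db": 10.0, "honeypot": -10.0}
TERMINAL = set(REWARD)
START = "workstation"


def train(episodes=2000, alpha=0.5, gamma=0.9, epsilon=0.2, seed=0):
    """Learn Q(state, action) by epsilon-greedy trial and error."""
    rng = random.Random(seed)
    q = {(s, a): 0.0 for s, nbrs in NETWORK.items() for a in nbrs}
    for _ in range(episodes):
        state = START
        while state not in TERMINAL:
            actions = NETWORK[state]
            if rng.random() < epsilon:      # explore a random move
                action = rng.choice(actions)
            else:                           # exploit the best known move
                action = max(actions, key=lambda a: q[(state, a)])
            reward = REWARD.get(action, -1.0)
            future = 0.0 if action in TERMINAL else max(
                q[(action, n)] for n in NETWORK[action])
            # Standard Q-learning update toward reward + discounted future value.
            q[(state, action)] += alpha * (reward + gamma * future - q[(state, action)])
            state = action
    return q


def greedy_path(q):
    """Follow the highest-valued action from START until the episode ends."""
    path = [START]
    while path[-1] not in TERMINAL:
        state = path[-1]
        path.append(max(NETWORK[state], key=lambda a: q[(state, a)]))
    return path


if __name__ == "__main__":
    print(greedy_path(train()))
```

Raising the penalty on a node, or marking additional nodes as monitored, changes which route the trained agent prefers, which is the kind of what-if a defender can run against a simulated topology.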