
AARF: Autonomous Attack Response Framework for Honeypots to Enhance Interaction Based on Multi-Agent Dynamic Game

Authors

  • Le Wang

    (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China
    Department of New Networks, Peng Cheng Laboratory, Shenzhen 518055, China)

  • Jianyu Deng

    (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)

  • Haonan Tan

    (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)

  • Yinghui Xu

    (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)

  • Junyi Zhu

    (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)

  • Zhiqiang Zhang

    (School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen 518055, China)

  • Zhaohua Li

    (Shenzhen Institute for Advanced Study, University of Electronic Science and Technology of China, Shenzhen 518000, China)

  • Rufeng Zhan

    (Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)

  • Zhaoquan Gu

    (Department of New Networks, Peng Cheng Laboratory, Shenzhen 518055, China
    School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen 518055, China)

Abstract

Highly interactive honeypots can form reliable connections by responding to attackers to delay and capture intranet attacks. However, current research focuses on modeling the attacker as part of the environment and defining single-step attack actions by simulation to study the interaction of honeypots. It ignores the iterative nature of the attack and defense game, which is inconsistent with the correlative and sequential nature of actions in real attacks. These limitations lead to insufficient interaction of the honeypot response strategies generated by the study, making it difficult to support effective and continuous games with attack behaviors. In this paper, we propose an autonomous attack response framework (named AARF) to enhance interaction based on multi-agent dynamic games. AARF consists of three parts: a virtual honeynet environment, attack agents, and defense agents. Attack agents are modeled to generate multi-step attack chains based on a Hidden Markov Model (HMM) combined with the generic threat framework ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). The defense agents iteratively interact with the attack behavior chain based on reinforcement learning (RL) to learn to generate honeypot optimal response strategies. Aiming at the sample utilization inefficiency problem of random uniform sampling widely used in RL, we propose the dynamic value label sampling (DVLS) method in the dynamic environment. DVLS can effectively improve the sample utilization during the experience replay phase and thus improve the learning efficiency of honeypot agents under the RL framework. We further couple it with a classic DQN to replace the traditional random uniform sampling method. Based on AARF, we instantiate different functional honeypot models for deception in intranet scenarios. 
In the simulation environment, honeypots collaboratively respond to multi-step intranet attack chains to defend against these attacks, which demonstrates the effectiveness of AARF. The average cumulative reward of the DQN with DVLS is beyond eight percent, and the convergence speed is improved by five percent compared to a classic DQN.

Suggested Citation

  • Le Wang & Jianyu Deng & Haonan Tan & Yinghui Xu & Junyi Zhu & Zhiqiang Zhang & Zhaohua Li & Rufeng Zhan & Zhaoquan Gu, 2024. "AARF: Autonomous Attack Response Framework for Honeypots to Enhance Interaction Based on Multi-Agent Dynamic Game," Mathematics, MDPI, vol. 12(10), pages 1-20, May.
  • Handle: RePEc:gam:jmathe:v:12:y:2024:i:10:p:1508-:d:1392965

    Download full text from publisher

    File URL: https://www.mdpi.com/2227-7390/12/10/1508/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2227-7390/12/10/1508/
    Download Restriction: no