The internet is a warzone between cybersecurity companies and hackers. The battleground is never too big, as both sides are improving their arsenals.
But security researchers often lag behind cybercriminals. One reason is that cybersecurity solutions often arrive only after an attack happens, meaning that victims may have fallen between the time the threat appears and the time the solution is made.
To support the work of security researchers, Microsoft has released a cyberattack simulator that is specifically designed to create simulated network environments, so that researchers can observe the interactions between automated AI-driven attackers and defenders.
Called 'CyberBattleSim', the tool has been made available under an open-source license.
Researchers willing to use the tool must use the Python-based OpenAI Gym toolkit to train the automated agents based on reinforcement learning algorithms.
“To stay ahead of adversaries, who show no restraint in adopting tools and techniques that can help them attain their goals, Microsoft continues to harness AI and machine learning to solve security challenges. One area we’ve been experimenting on is autonomous systems,” said William Blum from Microsoft 365 Defender Research Team in a blog post.
The goal of this CyberBattleSim, according to Blum, is to help researchers observe and understand how hackers laterally spread through a targeted network after compromising it.
With the tool, security researchers can create a dummy network with several nodes, complete with their running services, vulnerabilities, as well as the security mechanisms on individual nodes.
Once the network is set up, researchers can use the simulator to run automated attackers that try to take ownership of as much of the network as possible by exploiting the vulnerabilities of the nodes. At the same time, the simulator also runs automated defenders that are designed to detect the presence of the automated attackers and try to remove them from the network to contain the attack.
Blum hopes that the security community in general can use this simulator tool to refine their strategies.
“With CyberBattleSim, we are just scratching the surface of what we believe is a huge potential for applying reinforcement learning to security. We invite researchers and data scientists to build on our experimentation,” he said.
"A potential area for improvement is the realism of the simulation."
Microsoft said that CyberBattleSim is designed to be as simple as possible, which gives it a series of advantages.
For example, its highly abstract nature prohibits direct application to real-world systems. This should provide a safeguard against potential nefarious use of automated agents trained with it. The simplicity also allows Microsoft to focus on specific aspects of security it aims to study and quickly experiment with recent machine learning and AI algorithms. At this time, Microsoft's focus is on observing lateral movement techniques, "with the goal of understanding how network topology and configuration affects these techniques."
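The relationship between topology, configuration and attacker reach can be shown with a small abstract model. The following is an added example, not CyberBattleSim code and not its API: the node names, fields and helper functions are all constructed for illustration, and it computes which nodes an attacker starting on one node could end up owning.

```python
"""Toy lateral-movement model: topology and configuration bound attacker reach."""
import copy

# Constructed network. Per node: outbound links, whether it runs a remotely
# exploitable service, and which nodes' credentials are stored on it.
FLAT = {
    "client": {"links": ["web", "files", "db"], "vulnerable": False, "leaks": []},
    "web":    {"links": ["db"],                 "vulnerable": True,  "leaks": ["db"]},
    "files":  {"links": ["db"],                 "vulnerable": False, "leaks": []},
    "db":     {"links": [],                     "vulnerable": False, "leaks": []},
}

def segmented(network):
    """Topology change: the client only reaches web, and web no longer reaches db."""
    net = copy.deepcopy(network)
    net["client"]["links"] = ["web"]
    net["web"]["links"] = ["files"]
    return net

def patched(network):
    """Configuration change: the exploitable service on web is fixed."""
    net = copy.deepcopy(network)
    net["web"]["vulnerable"] = False
    return net

def owned_nodes(network, entry):
    """Return every node an attacker starting on `entry` can take over.

    A node falls when an owned node links to it and it is either remotely
    exploitable or the attacker already holds its credentials.
    """
    owned, creds = {entry}, set(network[entry]["leaks"])
    changed = True
    while changed:  # repeat until no new node or credential is gained
        changed = False
        for src in list(owned):
            for dst in network[src]["links"]:
                if dst not in owned and (network[dst]["vulnerable"] or dst in creds):
                    owned.add(dst)
                    creds.update(network[dst]["leaks"])
                    changed = True
    return owned

if __name__ == "__main__":
    for name, net in [("flat", FLAT), ("segmented", segmented(FLAT)),
                      ("patched", patched(FLAT))]:
        print(name, sorted(owned_nodes(net, "client")))
```

In the flat layout the credentials stored on the web node open the database; after segmentation the same credentials are still leaked but no owned node can reach the database to use them.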
It should be noted that the tool, at least at this time, only has some basic agents as a baseline for comparison.
This is because Microsoft found that a large action space can be a problem for reinforcement learning.
"With CyberBattleSim, we are just scratching the surface of what we believe is a huge potential for applying reinforcement learning to security," Microsoft said.
The simulator is part of Microsoft’s efforts to use AI and machine learning in its battle against adversaries.