While looking into designing an efficient and capable machine learning algorithm to automate penetration testing, one might want to look at real-time strategy computer games, as both involve an entity that attacks another one, be it the penetration tester targeting the network or the computer targeting the player’s population within the video game. Historically, artificial intelligence and machine learning in computer games were implemented through reinforcement learning protocols, and such protocols are also well suited for autonomous penetration learning algorithms. An added similarity between real-time strategy games and penetration testing is that the games operate with large state spaces and complex mixtures of options. Over time this has become even more intricate, as commonly available computing power has increased, and human players have also become more proficient. The combination of choices in strategy games is infinite, and this is one more factor that they have in common with computer networks; trying to enter a cybersecurity network allows for many different options that are not always easy to predict - an excellent base for the application of reinforcement learning. Another commonality between real-time strategy games and penetration testing is that the layout of both the network and the game is not entirely known beforehand. Penetration testers must employ reconnaissance to learn about network topology; the ‘fog of war’ in strategy games prevents the player from knowing the lay of the land before he has explored it. Thus, many arguments favor using computer strategy games and simulations as a framework for developing autonomous cybersecurity products, such as penetration tests. Moreover, despite their large number of options, real-time strategy games can be played using a handful of larger strategy types; this can inform the type of attack tree a penetration test chooses to utilize, given the configuration of vulnerabilities found during reconnaissance.

Authors: George B. Stone, Douglas A. Talbert, William Eberle

Published in: World Congress on Internet Security (WorldCIS-2021)

  • Date of Conference: 7-9 December 2021
  • DOI: 10.20533/WorldCIS.2021.0003
  • ISBN: 978-1-913572-40-2
  • Conference Location: Virtual (London, UK)