Distributed reinforcement learning for adaptive and robust network intrusion response

Kleanthis Malialis*, Sam Devlin, Daniel Kudenko

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-review

Abstract

Distributed denial of service (DDoS) attacks constitute a rapidly evolving threat in the current Internet. Multiagent Router Throttling is a novel approach to defend against DDoS attacks where multiple reinforcement learning agents are installed on a set of routers and learn to rate-limit or throttle traffic towards a victim server. The focus of this paper is on online learning and scalability. We propose an approach that incorporates task decomposition, team rewards and a form of reward shaping called difference rewards. One of the novel characteristics of the proposed system is that it provides a decentralised coordinated response to the DDoS problem, thus being resilient to DDoS attacks themselves. The proposed system learns remarkably fast, thus being suitable for online learning. Furthermore, its scalability is successfully demonstrated in experiments involving 1000 learning agents. We compare our approach against a baseline and a popular state-of-the-art throttling technique from the network security literature and show that the proposed approach is more effective, adaptive to sophisticated attack rate dynamics and robust to agent failures.

Original language: English
Pages (from-to): 234-252
Number of pages: 19
Journal: Connection Science
Volume: 27
Issue number: 3
Publication status: Published - 3 Jul 2015

Keywords

  • DDoS attacks
  • decentralised coordination
  • distributed control
  • network security
