Multi-Agent Reinforcement Learning for Cybersecurity: Classification and survey
Salvo Finistrella, Stefano Mariani, Franco Zambonelli
Abstract
In the face of a rapidly evolving threat landscape, traditional cybersecurity measures – such as signature-based detection and static rules on firewalls, intrusion detection systems (IDS) and antivirus software – often lag behind sophisticated cyber attacks. Through a review of existing literature, we examine the shortcomings of traditional cybersecurity methods and how these can be surpassed with the application of Reinforcement Learning (RL) based methods. This study classifies RL-based approaches to cybersecurity, aimed at enhancing detection, mitigation and response to cyber attacks, along two orthogonal dimensions: the RL Frameworks used (e.g. single-agent vs. multi-agent) and the network configuration where they are deployed (e.g. host-based, or network-based cybersecurity). The goal is that of aiding researchers and practitioners interested in the field to quickly understand what are the opportunities for RL-based cybersecurity depending on the network environment to be protected and point them to the representative articles in the field. Finally, we emphasize the importance of further research and development to address challenges such as computational complexity, generalization and data quality. • A classification of reinforcement learning methods applied to cybersecurity. • Novel framework linking MARL Frameworks to specific network configurations for defense. • Discussion of adversarial multi-agent strategies to address evolving and dynamic cyber threats. • Review of MARL applications in SDN environments for enhanced scalability and security. • Panoramic view of multi-agent strategies for network-wide defense against advanced cyber attacks.