Saved in:
Bibliographic Details
Main Authors: Claypoole, Jared, Cheung, Steven, Gehani, Ashish, Yegneswaran, Vinod, Ridley, Ahmad
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.08192
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915335185104896
author Claypoole, Jared
Cheung, Steven
Gehani, Ashish
Yegneswaran, Vinod
Ridley, Ahmad
author_facet Claypoole, Jared
Cheung, Steven
Gehani, Ashish
Yegneswaran, Vinod
Ridley, Ahmad
contents We analyze two open source deep reinforcement learning agents submitted to the CAGE Challenge 2 cyber defense challenge, where each competitor submitted an agent to defend a simulated network against each of several provided rules-based attack agents. We demonstrate that one can gain interpretability of agent successes and failures by simplifying the complex state and action spaces and by tracking important events, shedding light on the fine-grained behavior of both the defense and attack agents in each experimental scenario. By analyzing important events within an evaluation episode, we identify patterns in infiltration and clearing events that tell us how well the attacker and defender played their respective roles; for example, defenders were generally able to clear infiltrations within one or two timesteps of a host being exploited. By examining transitions in the environment's state caused by the various possible actions, we determine which actions tended to be effective and which did not, showing that certain important actions are between 40% and 99% ineffective. We examine how decoy services affect exploit success, concluding for instance that decoys block up to 94% of exploits that would directly grant privileged access to a host. Finally, we discuss the realism of the challenge and ways that the CAGE Challenge 4 has addressed some of our concerns.
format Preprint
id arxiv_https___arxiv_org_abs_2506_08192
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Interpreting Agent Behaviors in Reinforcement-Learning-Based Cyber-Battle Simulation Platforms
Claypoole, Jared
Cheung, Steven
Gehani, Ashish
Yegneswaran, Vinod
Ridley, Ahmad
Cryptography and Security
Machine Learning
We analyze two open source deep reinforcement learning agents submitted to the CAGE Challenge 2 cyber defense challenge, where each competitor submitted an agent to defend a simulated network against each of several provided rules-based attack agents. We demonstrate that one can gain interpretability of agent successes and failures by simplifying the complex state and action spaces and by tracking important events, shedding light on the fine-grained behavior of both the defense and attack agents in each experimental scenario. By analyzing important events within an evaluation episode, we identify patterns in infiltration and clearing events that tell us how well the attacker and defender played their respective roles; for example, defenders were generally able to clear infiltrations within one or two timesteps of a host being exploited. By examining transitions in the environment's state caused by the various possible actions, we determine which actions tended to be effective and which did not, showing that certain important actions are between 40% and 99% ineffective. We examine how decoy services affect exploit success, concluding for instance that decoys block up to 94% of exploits that would directly grant privileged access to a host. Finally, we discuss the realism of the challenge and ways that the CAGE Challenge 4 has addressed some of our concerns.
title Interpreting Agent Behaviors in Reinforcement-Learning-Based Cyber-Battle Simulation Platforms
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2506.08192