PenGym: Pentesting Training Framework for Reinforcement Learning Agents

Thanh Nguyen, Zhi Chen, Kento Hasegawa, Kazuhide Fukushima, Razvan Beuran

2024

Abstract

Penetration testing (pentesting) is an essential method for identifying and exploiting vulnerabilities in computer systems to improve their security. Recently, reinforcement learning (RL) has emerged as a promising approach for creating autonomous pentesting agents. However, the lack of realistic agent training environments has hindered the development of effective RL-based pentesting agents. To address this issue, we propose PenGym, a framework that provides real environments for training pentesting RL agents. PenGym makes available both network discovery and host-based exploitation actions to train, test, and validate RL agents in an emulated network environment. Our experiments demonstrate the feasibility of this approach, with the main advantage compared to typical simulation-based agent training being that PenGym is able to execute real pentesting actions in a real network environment, while providing a reasonable training time. Therefore, in PenGym there is no need to model actions using assumptions and probabilities, since actions are conducted in an actual network and their results are real too. Furthermore, our results show that RL agents trained with PenGym took fewer steps on average to reach the pentesting goal—7.72 steps in our experiments, compared to 11.95 steps for simulation-trained agents.


Paper Citation


in Harvard Style

Nguyen T., Chen Z., Hasegawa K., Fukushima K. and Beuran R. (2024). PenGym: Pentesting Training Framework for Reinforcement Learning Agents. In Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP; ISBN 978-989-758-683-5, SciTePress, pages 498-509. DOI: 10.5220/0012367300003648


in Bibtex Style

@conference{icissp24,
author={Thanh Nguyen and Zhi Chen and Kento Hasegawa and Kazuhide Fukushima and Razvan Beuran},
title={PenGym: Pentesting Training Framework for Reinforcement Learning Agents},
booktitle={Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2024},
pages={498-509},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012367300003648},
isbn={978-989-758-683-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - PenGym: Pentesting Training Framework for Reinforcement Learning Agents
SN - 978-989-758-683-5
AU - Nguyen T.
AU - Chen Z.
AU - Hasegawa K.
AU - Fukushima K.
AU - Beuran R.
PY - 2024
SP - 498
EP - 509
DO - 10.5220/0012367300003648
PB - SciTePress