
Reinforcement learning for intrusion response in network security
24th May - 22nd June 2025
Principal Investigator: Queen's University Belfast, Kieran McLaughlin & Matthew Reaney
Supporting Partner: BT Group (team led by Alfie Beard, Senior Research Specialist in AI & Cybersecurity)
Project overview
Rapid and effective response to cyber-attacks is crucial in network security to limit the damage caused by data breaches, ransomware and advanced persistent threats, which can escalate quickly. The longer such attacks remain undetected or uncontained, the more extensive the potential negative impact and losses related to sensitive data, reputation, and business operations, as recently seen in attacks targeting UK retailers.
Developing effective cyber-defence tools, using AI techniques to train active responses to cyber-attacks, is an important emerging research area that has great potential to help network operators contain attacks more quickly and comprehensively than is possible by human monitoring and intervention alone. This collaboration between QUB and BT has focused on emerging research on training AI agents to recognise attack patterns within a network, particularly the use of deep reinforcement learning, to create AI tools that can respond to and contain attacks with a degree of autonomy.
Activities
The project was based on a month-long placement by a QUB PhD student to work alongside the BT research team in Ipswich, with a focus on exploring the challenge of applying deep reinforcement learning agents to train attack detection and response in computer networks.
The main objectives were to build personal connections between the two research teams and to share experiences in research related to network defence using RL agents, with a focus on investigating approaches relevant to BT’s in-house large-scale simulator environment.
Activities included an investigation of techniques such as coevolutionary games, multi-agent approaches, and the challenges of translating solutions developed in simulated environments to real networks.
Impact
Based on the short investigation described above, we have identified a number of candidate research activities, where there are shared interests between the two teams, which we will seek to pursue in a larger-scale collaboration.
Future work
We plan to explore options for a more significant collaboration on the topic of agent-based attack response, and intend to propose a programme of research in order to apply for funding opportunities.
Outcomes/outputs
An internal technical report was provided to BT, covering research activities, analysis of state-of-the-art agents in adversary/defender scenarios and preliminary implementation details. It serves as a record of the activities explored during the secondment and as a common baseline to explore follow-on opportunities for engagement.
