Intranet User-Level Security Traffic Management with Deep Reinforcement Learning

Insider threats gradually exert great influence in cybersecurity, causing a significant loss to organizations or companies. However, whatever the form of the threat is, insiders have to conduct the unauthorized activities through the communication traffic, such as controlling the victim systems and unauthorizedly requesting the resources. Moreover, as one of the most fundamental intranet resources, bandwidth is frequently targeted by insider attackers for sabotage to traffic communication and service delivery of the network. In this paper, we present a user-level full-lifecycle security management scheme for intranet traffic from anomaly detection to mitigation execution in an online manner. This scheme dynamically monitors abnormal users that deviate from normal behavior patterns through bidirectional Gated Recurrent Unit (bi-GRU) based online unsupervised log parser, then adaptively adjusts the traffic scheduling policy according to the adequate consideration of network security, network performance and user requirements by using deep Reinforcement Learning (RL) method for online decision-making. Extensive experimental evaluations show that our scheme can stably maintain the high performance of traffic scheduling and effectively mitigate multifarious traffic threats. Our work is a valuable step towards designing self-adaptive intranets that learn to enhance security management by themselves with high scalability and deployability.