DeepStage, a deep reinforcement learning (DRL) framework, is introduced for adaptive defense against Advanced Persistent Threats (APTs). The system models the enterprise environment as a partially observable Markov decision process (POMDP), fusing host provenance and network telemetry into provenance graphs, and uses a graph neural encoder with an LSTM to estimate attacker stages aligned with the MITRE ATT&CK framework. A hierarchical PPO agent then leverages these stage beliefs and graph embeddings to select defense actions, achieving a stage-weighted F1-score of 0.89, significantly outperforming a risk-aware DRL baseline.
By explicitly modeling attacker stages, DeepStage achieves significantly better defense performance against APTs than risk-aware baselines, suggesting that stage-aware reasoning is crucial for effective autonomous cyber defense.
This paper presents DeepStage, a deep reinforcement learning (DRL) framework for adaptive, stage-aware defense against Advanced Persistent Threats (APTs). The enterprise environment is modeled as a partially observable Markov decision process (POMDP), where host provenance and network telemetry are fused into unified provenance graphs. Building on our prior work, StageFinder, a graph neural encoder and an LSTM-based stage estimator infer probabilistic attacker stages aligned with the MITRE ATT&CK framework. These stage beliefs, combined with graph embeddings, guide a hierarchical Proximal Policy Optimization (PPO) agent that selects defense actions across monitoring, access control, containment, and remediation. Evaluated in a realistic enterprise testbed using CALDERA-driven APT playbooks, DeepStage achieves a stage-weighted F1-score of 0.89, outperforming a risk-aware DRL baseline by 21.9%. The results demonstrate effective stage-aware and cost-efficient autonomous cyber defense.