Reinforcement Learning for Intelligent Penetration Testing

Penetration testing (PT) is an active method for assessing and evaluating the security of digital assets by planning, generating and executing all possible attacks that can exploit existing vulnerabilities. Current PT practice is becoming repetitive, complex and resource consuming despite the use of automated tools. The goal of this paper is to design an intelligent PT approach using reinforcement learning (RL) that will allow regular and systematic testing, saving human resources. The system is modelled as a partially observed Markov decision process (POMDP), and tested using an external POMDP-solver with different algorithms. Although this paper is limited to only the planning phase and not the entire PT process, the results support the hypothesis that reinforcement learning can enhance PT beyond the capabilities of any human expert in terms of accurate and reliable outputs.