Automated Computer Network Exploitation with Bayesian Decision Networks

Graeme Roberts
Gilbert L. Peterson, Air Force Institute of Technology

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. (CC BY 4)


Penetration Testing (pentesting) is the process of using tactics and techniques to penetrate computer systems and networks to expose any issues in their cybersecurity \cite{rsa}. It is currently a manual process requiring significant experience and time that are in limited supply. One way to supplement the shortage is through automation. This paper presents the Automated Network Discovery and Exploitation System (ANDES) which demonstrates that it is feasible to automate the pentesting process. The uniqueness of ANDES is the use of Bayesian decision networks to represent the pentesting domain and subject matter expert knowledge. ANDES conducts multiple execution cycles, which build upon previous action results. This process simulates the iterative thinking process of human attackers. Cycles begin by modeling the current belief state using Bayesian decision networks. ANDES uses these networks to select and execute an expected best action. Observed results are used to update the systems current belief state before the next cycle begins. ANDES was tested in a live-execution event, taking place within a virtual network environment designed to mimic a small business’s internal network. ANDES successfully performed a series of information gathering and remote exploit actions, across multiple network hosts, to gain access to the objective target.