Automated intrusion response systems

  • Kieran Hughes

Student thesis: Doctoral ThesisDoctor of Philosophy


This thesis presents new research into Automated Intrusion Response Systems. These systems seek to evaluate information available to them at the time of attack detection, and subsequently determine and deploy the optimal response. Previous research proposes systems which are generally too static in both their understanding of a defended network, and in their response capability. This leads to difficulty when handling today’s dynamic networks and the ever-evolving threat landscape. The work in this thesis investigates the application of emerging technologies and proposes new frameworks to develop more dynamic automated Intrusion Response Systems, which are less reliant on pre-defined network security models, can respond to attacker tactics outlined in MITRE’s ATT&CK, and more closely integrate with user-defined security policies. Specifically, the work in this thesis culminates in the proposal of an IRS which leverages Model-Free Deep Reinforcement Learning, a change in direction to model-based methods. Reinforcement Learning in a novel containerised network testbed allows the Intrusion Response System to gain a better understanding of the impact of its actions in terms of stopping an ongoing attack scenario, and also how that action impacts normal network operation through experience. Results demonstrate successful response selection against multi-stage attack scenarios and restoration of compromised cyber-physical system processes.

Date of AwardJul 2024
Original languageEnglish
Awarding Institution
  • Queen's University Belfast
SponsorsNorthern Ireland Department for the Economy
SupervisorKieran McLaughlin (Supervisor) & Sakir Sezer (Supervisor)


  • intrusion
  • response
  • systems
  • IRS
  • network
  • security
  • reinforcement
  • learning
  • intel

Cite this