Merged
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -157,3 +157,4 @@ figures/*
*trajectories*.json
.vscode/settings.json
trajectories/*
*.tar.gz
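Review bot: The `*.tar.gz` pattern at the end of this hunk has no directory prefix, so it ignores tarballs at every depth of the repository, including any archive someone later wants tracked on purpose. If the goal is only to keep generated archives out of commits, scope the pattern to the directory that produces them, as the neighbouring `trajectories/*` entry does, or add a comment line saying what generates these files.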
2 changes: 1 addition & 1 deletion NetSecGameAgents
Submodule NetSecGameAgents updated 70 files
+4 −1 .gitignore
+26 −14 CITATION.cff
+32 −11 README.md
+12 −4 agents/agent_utils.py
+13 −13 agents/attackers/concepts_q_learning/conceptual_q_agent.py
+2 −2 agents/attackers/double_q_learning/double_q_agent.py
+0 −0 agents/attackers/double_q_learning/netsecenv-task.yaml
+5 −2 agents/attackers/gnn_reinforce/gnn_REINFORCE_agent.py
+0 −0 agents/attackers/gnn_reinforce/netsecenv-task.yaml
+0 −0 agents/attackers/gnn_reinforce/schema.pbtxt
+10 −0 agents/attackers/interactive_tui/README.md
+2 −2 agents/attackers/interactive_tui/assistant.py
+17 −9 agents/attackers/interactive_tui/interactive_tui.py
+0 −0 agents/attackers/interactive_tui/layout.tcss
+0 −0 agents/attackers/interactive_tui/netsecenv-task.yaml
+0 −0 agents/attackers/llm/README.md
+3 −3 agents/attackers/llm/llm_agent-2.py
+3 −3 agents/attackers/llm/llm_agent-3.py
+3 −3 agents/attackers/llm/llm_agent.py
+0 −0 agents/attackers/llm/netsecenv-task.yaml
+0 −0 agents/attackers/llm/netsecenv-tests_01.yaml
+0 −0 agents/attackers/llm/netsecenv-tests_02.yaml
+0 −0 agents/attackers/llm/netsecenv-tests_03.yaml
+0 −0 agents/attackers/llm/netsecenv-tests_04.yaml
+0 −0 agents/attackers/llm/netsecenv-tests_05.yaml
+0 −0 agents/attackers/llm/netsecenv-tests_06.yaml
+2 −2 agents/attackers/llm_embed/llm_embed.py
+0 −0 agents/attackers/llm_embed/netsecenv-task.yaml
+0 −0 agents/attackers/llm_embed/netsecenv-tests_03.yaml
+0 −0 agents/attackers/llm_embed/netsecenv-tests_04.yaml
+0 −0 agents/attackers/llm_embed/netsecenv-tests_05.yaml
+0 −0 agents/attackers/llm_embed/netsecenv-tests_06.yaml
+2 −2 agents/attackers/llm_embed_dqn/llm_embed_dqn.py
+0 −0 agents/attackers/llm_embed_dqn/netsecenv-task.yaml
+0 −0 agents/attackers/llm_embed_dqn/netsecenv-tests_03.yaml
+0 −0 agents/attackers/llm_embed_dqn/netsecenv-tests_04.yaml
+0 −0 agents/attackers/llm_qa/README.md
+174 −0 agents/attackers/llm_qa/llm_action_planner.py
+316 −0 agents/attackers/llm_qa/llm_agent_qa.py
+0 −0 agents/attackers/llm_qa/netsecenv-task.yaml
+0 −0 agents/attackers/llm_qa/netsecenv-tests_03.yaml
+0 −0 agents/attackers/llm_qa/netsecenv-tests_04.yaml
+0 −0 agents/attackers/llm_qa/netsecenv-tests_05.yaml
+0 −0 agents/attackers/llm_qa/netsecenv-tests_06.yaml
+68 −0 agents/attackers/llm_qa/prompts.yaml
+15 −0 agents/attackers/markov_chain_agent/genetic/config.json
+525 −0 agents/attackers/markov_chain_agent/genetic/genetic_agent.py
+0 −0 agents/attackers/markov_chain_agent/genetic/results/parsed_population.json
+327 −0 agents/attackers/markov_chain_agent/markov_chain_agent.py
+0 −0 agents/attackers/markov_chain_agent/results/.gitignore
+0 −0 agents/attackers/markov_chain_agent/results/parsed_population.json
+59 −0 agents/attackers/markov_chain_agent/transition_probabilities.json
+60 −0 agents/attackers/markov_chain_agent/utils/filter_winning_solutions.py
+94 −0 agents/attackers/markov_chain_agent/utils/solutions_analyzer.py
+128 −0 agents/attackers/markov_chain_agent/utils/solutions_to_matrix.py
+1 −2 agents/attackers/q_learning/check_q_table.py
+12 −11 agents/attackers/q_learning/q_agent.py
+20 −4 agents/attackers/random/random_agent.py
+12 −8 agents/attackers/sarsa/sarsa_agent.py
+270 −27 agents/base_agent.py
+0 −258 agents/gnn_dqn/gnn_dqn_agent.py
+0 −23 agents/gnn_dqn/schema.pbtxt
+2 −2 agents/graph_agent_utils.py
+0 −499 agents/interactive/interactive_agent.py
+0 −360 agents/interactive_llm/assistant.py
+0 −392 agents/interactive_llm/interactive_llm_agent.py
+0 −99 agents/interactive_tui/netsecenv-task.yaml
+0 −715 agents/llm_qa/llm_agent_qa.py
+0 −36 agents/llm_qa_v2/run.py
+46 −0 docs/markov_chain.md
79 changes: 76 additions & 3 deletions README.md
Expand Up @@ -65,15 +65,88 @@ The [scenarios](#definition-of-the-network-topology) define the **topology** of
The defender does have the action to block an IP address in a target host.


> [!NOTE]
> The global defender, available in the previous environment versions, will not be supported in the future. To enable backward compatibility, the global defender functionality can be enabled by adding `use_global_defender: True` to the configuration YAML file in the `env` section. This option is disabled by default.

The actions are:
- BlockIP(). That takes as parameters:
- "target_host": IP object where the block will be applied.
- "source_host": IP object from which this action is executed.
- "blocked_host": IP object to block in ANY direction as seen in the target_host.

> [!NOTE]
> The global defender, available in the previous environment versions, will not be supported in the future. To enable backward compatibility, the global defender functionality can be enabled by adding `use_global_defender: True` to the configuration YAML file in the `env` section. This option is disabled by default.


#### How the global defender detects

The global defender is implemented as a stochastic detection, which means the detection is probabilistic.

First, all the actions are analyzed in time windows (TW) (default is 5 actions). So the last 5 actions are analyzed together. Every new action moves the slides the TW by one position.


##### Detection Thresholds

- Detection Probabilities

Each action type has a predefined probability of being detected. However, detection does not happen for every action; it depends on additional behavioral patterns.

- ScanNetwork: 0.05,
- FindServices: 0.075,
- ExploitService: 0.1,
- FindData: 0.025,
- ExfiltrateData: 0.025,
- BlockIP: 0.01

This means that one action of the type ScanNetwork has a 5% probability of being detected by the defender.
This way we can define some basic probabilities based on how good we want the defender to be.

- Type Ratio Threshold

The Type Ratio Threshold defines how frequently an action must appear in the time window to be considered for detection. If the ratio is below this threshold, no detection occurs.

For example, if the last action is ScanNetwork in a TW with [ScanNetwork, FindService, ScanNetwork, FindData, ScanNetwork], the ratio is 3/5 = 0.6

The default values of the thresholds are:

- ScanNetwork: 0.25,
- FindServices: 0.3,
- ExploitService: 0.25,
- FindData: 0.5,
- ExfiltrateData: 0.25,
- BlockIP: 1

- Consecutive Actions Threshold

The Consecutive Actions Threshold determines the maximum number of consecutive occurrences of an action type within the time window before detection is triggered.

The default values of the thresholds are:

- ScanNetwork: 2,
- FindServices: 3,
- ExfiltrateData: 2

- Repeated Action Threshold

The Repeated Action Threshold applies to certain action types and defines the number of times a specific action must appear in the __entire episode__ before it can be considered for detection.

The default values are:

- ExploitService: 2
- FindData: 2


##### Decision Logic

The system monitors actions and maintains a history of recent ones within the time window.

- If an action's Type Ratio Threshold is met within the time window or it exceeds the Consecutive Actions Threshold, it is evaluated for detection.

- If the action type has a Repeated Action Threshold and has not been repeated enough times in the episode, it is ignored.

- If an action meets the conditions above, it is subject to detection based on its predefined probability.

- Actions that do not meet any threshold conditions are ignored, ensuring that occasional activity does not lead to unnecessary detections.

This approach ensures that only repeated or excessive behavior is flagged, reducing false positives while maintaining a realistic monitoring system.


### Starting the game
The environment should be created before starting the agents. The properties of the environment can be defined in a YAML file. The game server can be started by running:
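Review bot: The "Decision Logic" bullets do not pin down the comparisons and do not match the threshold definitions above them. The Consecutive Actions Threshold is defined as "the maximum number of consecutive occurrences ... before detection is triggered", but the first Decision Logic bullet says an action is evaluated when it "exceeds" that threshold, and the Type Ratio text only says a ratio "below this threshold" is not detected. Please state for each threshold whether the test is `>` or `>=`. "Detection is triggered" also reads as deterministic, while the third bullet says the action is only then subject to its detection probability. The section should also say what happens for action types with no consecutive threshold listed (ExploitService, FindData, BlockIP). Smaller points: "moves the slides the TW" in the time-window paragraph should be "slides the TW", and the example window uses `FindService` while the lists use `FindServices`.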