Detecting vulnerabilities in IT environments to prevent cyberattacks

Finding vulnerabilities in an IT system, in order to quickly detect an ongoing cyberattack or even stop it, has become increasingly important. To find these vulnerabilities and train on intrusion detection and defence, we use a simulation engine that builds a virtual environment, a so-called digital twin, where researchers can train both detection and defence.
"We see that cyber attacks and influencing operations are a growing problem in our digital society, and an attack can have devastating consequences for the whole society," says Pontus Johnson, professor at KTH.
Cyberattacks - a growing problem
Cyberattacks have become a growing problem over several decades. In our digital world, large amounts of value are entrusted to, and managed by, different computer systems.
In recent years, we have seen cyberattacks against central banks, critical infrastructure, large retail chains and much more. Cybersecurity has also become increasingly important in a deteriorating global security situation, where both espionage and influence operations occur and can even affect the outcome of democratic elections.
"In our digitalised world, imagining even worse scenarios than we have seen so far is easy. Consider, for example, the societal consequences of a major attack on our electric power systems or an attack on the world's nuclear weapons systems. We need to be better prepared than we are today," says Pontus Johnson.
Identifying vulnerabilities in IT environments
At KTH, research has long been conducted to identify vulnerabilities in IT environments. The work includes attack simulations and the application of reinforcement learning in simulated environments. Attack simulations provide insight into how cyberattacks develop and what consequences they can have. Pontus Johnson and his research colleagues use reinforcement learning in attack simulations to train autonomous defence agents to respond effectively to intrusions.
Today, all major IT systems contain vulnerabilities, and attackers with the right tools can often use the Internet to infiltrate IT systems anywhere in the world. Pontus Johnson points out that Sweden has reacted later than many other countries to the risks posed by these vulnerabilities.
"We have so far been spared from major attacks, but a concerted effort is needed in the future. The simulation engine developed by KTH is of great benefit, not least because it is available as open-source code. It creates a solid foundation for innovation and further development in cybersecurity," says Pontus Johnson.