Abstract
Given the increasing incidence of sophisticated cyber-attacks, particularly Advanced Persistent Threats (APTs), there is a growing need for intelligent and adaptive intrusion response solutions. In this paper, we propose a Reinforcement Learning (RL)-based model for APT intrusion response that can manage dynamic, multi-stage attacks and large observation spaces. The model supports both policy-based and value-based learning approaches, enabling comparative evaluation between different strategies. We introduce a realistic RL training environment based on emulation infrastructure, which accurately reproduces APT scenarios using real systems and executes a wide range of authentic Intrusion Response System (IRS) actions. This setup includes time and variability constraints commonly encountered in operational environments, offering a more practical alternative to traditional simulations. The RL agents, implemented using Proximal Policy Optimization (PPO) and Deep Q-Network (DQN) algorithms, were both trained and evaluated within this industrial-style emulated environment. Empirical results demonstrate that both DRL algorithms successfully learned effective and well-timed defensive actions under realistic constraints, confirming their capability to operate in dynamic, real-world APT scenarios.
| Original language | English |
|---|---|
| Article number | 129168 |
| Journal | Expert Systems with Applications |
| Volume | 296 |
| DOI | |
| Status | Published - 15 Jan 2026 |
| Title | Reinforcement Learning in action: Powering intelligent intrusion responses to advanced cyber threats in realistic scenarios |