Automatic Generation of Cyber Architectures Optimized for Security, Cost, and Mission Performance: A Nature-Inspired Approach

2019
Network segmentation refers to the practice of partitioning a computer network into multiple segments and restricting communications between segments to inhibit a cyberattacker’s ability to move and spread infection. While segmentation is widely recommended by cybersecurity experts, there is no clear guidance on what segmentation architectures are best to maximize a network’s security posture. Additionally, the security gained by segmentation does not come without cost. Segmentation architectures require resources to implement and may also cause degradation of mission performance. Network administrators currently rely on judgment to construct segmentation architectures that maximize security while minimizing resource cost and mission degradation. This chapter proposes an automated method for generating segmentation architectures optimized for security, cost, and mission performance. The method employs a hybrid approach that combines nature-inspired optimization with cyber risk modeling and simulation to construct candidate architectures, evaluate them, and intelligently search the space of possible architectures to home in on effective ones. We implement the method in a prototype decision system and demonstrate the system via a case study on a representative network environment under cyberattack.
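The abstract describes a loop of generating candidate segmentation architectures, scoring each on security, cost, and mission performance, and letting a nature-inspired optimizer search the space. The following is an added toy illustration of that loop, not the chapter's own prototype or code. It assumes a simple evolutionary algorithm as the nature-inspired method, a weighted sum of the three objectives as the fitness to minimize, and a deterministic lateral-movement model in which an attacker moves freely inside a segment and across segments only along a firewall rule that a mission flow forces open (assumed directional). The hosts, mission flows, and weights are constructed sample values.

```python
"""Toy evolutionary search over network segmentation architectures, scored on
security (lateral-movement reach), cost (number of segments) and mission impact
(flows that must cross a boundary). Constructed example; the scoring model and
the weighted-sum fitness are simplifying assumptions, not the chapter's method."""
import random
from collections import deque

# Constructed sample environment: 8 hosts and the directed mission flows that a
# firewall between segments must permit. Physical connectivity is otherwise full.
HOSTS = ["web", "app", "db", "hr1", "hr2", "eng1", "eng2", "backup"]
MISSION_FLOWS = [("web", "app"), ("app", "db"), ("hr1", "app"), ("hr2", "app"),
                 ("eng1", "app"), ("eng2", "app"), ("db", "backup"), ("eng1", "eng2")]
IDX = {h: i for i, h in enumerate(HOSTS)}
ALLOWED = {(IDX[a], IDX[b]) for a, b in MISSION_FLOWS}   # opened firewall rules

# An architecture is a tuple assigning each host (by index) to a segment id.
def reachable(arch, start):
    """Hosts an attacker holding `start` can reach: free movement inside a
    segment, cross-segment movement only along an opened (directed) rule."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in range(len(HOSTS)):
            if nxt not in seen and (arch[cur] == arch[nxt] or (cur, nxt) in ALLOWED):
                seen.add(nxt)
                queue.append(nxt)
    return seen

def evaluate(arch, weights=(0.6, 0.2, 0.2)):
    """Return (fitness to minimise, (risk, cost, degradation)), each term in [0, 1]."""
    n = len(HOSTS)
    # Security: mean fraction of hosts compromised, averaged over every foothold.
    risk = sum(len(reachable(arch, s)) for s in range(n)) / (n * n)
    # Cost: every extra segment needs enforcement infrastructure (normalised).
    cost = (len(set(arch)) - 1) / (n - 1)
    # Mission impact: fraction of required flows that now cross a boundary.
    crossing = sum(arch[IDX[a]] != arch[IDX[b]] for a, b in MISSION_FLOWS)
    degradation = crossing / len(MISSION_FLOWS)
    ws, wc, wm = weights
    return ws * risk + wc * cost + wm * degradation, (risk, cost, degradation)

def canonical(arch):
    """Relabel segment ids by first appearance so equivalent partitions compare equal."""
    m = {}
    return tuple(m.setdefault(s, len(m)) for s in arch)

def mutate(arch, rng):
    a = list(arch)
    a[rng.randrange(len(a))] = rng.randrange(len(a))   # move one host to any segment
    return tuple(a)

def crossover(p, q, rng):
    return tuple(p[i] if rng.random() < 0.5 else q[i] for i in range(len(p)))

def optimize(generations=60, pop_size=30, seed=1):
    """Evolutionary search seeded with the two trivial architectures; elitism
    guarantees the result is never worse than either of them."""
    rng = random.Random(seed)
    n = len(HOSTS)
    flat = tuple([0] * n)          # one segment: no cost, no mission impact, full reach
    full = tuple(range(n))         # every host isolated: maximal cost and mission impact
    pop = [flat, full] + [tuple(rng.randrange(n) for _ in range(n))
                          for _ in range(pop_size - 2)]
    for _ in range(generations):
        pop.sort(key=lambda a: evaluate(a)[0])
        elite = pop[:pop_size // 5]
        children = []
        while len(elite) + len(children) < pop_size:
            p, q = rng.sample(elite, 2)
            child = crossover(p, q, rng)
            if rng.random() < 0.5:
                child = mutate(child, rng)
            children.append(child)
        pop = elite + children
    return canonical(min(pop, key=lambda a: evaluate(a)[0]))

if __name__ == "__main__":
    best = optimize()
    fitness, (risk, cost, degradation) = evaluate(best)
    for seg in sorted(set(best)):
        print(f"segment {seg}: {[h for h, s in zip(HOSTS, best) if s == seg]}")
    print(f"fitness={fitness:.3f} risk={risk:.3f} cost={cost:.3f} mission={degradation:.3f}")
```

The point the toy makes is the one the abstract argues: under this model, fully isolating every host is not the most secure choice, because the mission flows force directed holes through the segmentation that an attacker can still follow, while every boundary adds cost and mission degradation; the search is what finds the intermediate partitions that score better than either extreme.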