COHORT: Collaborative Orchestration for Hardening via Offensive Replay on Emulated Topologies

📅 2026-06-29
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the challenge in enterprise cybersecurity where mitigation strategies against known attackers rely heavily on expert intuition, hindering efficient generation and rigorous validation. The authors propose the first end-to-end automated framework that leverages multi-agent large language models to collaboratively generate, deploy, and refine mitigation strategies expressed as real device commands. These strategies are validated through attack replay in a high-fidelity GNS3 simulation environment populated with genuine vendor firmware from firewalls, switches, and routers. The approach introduces an adversarial verification mechanism based on raw attack replays, augmented by connectivity regression testing and cumulative state evaluation, thereby eliminating dependence on reward signals or manual judgment. Evaluated across three network topologies and four attack scenarios, 46.7% of the generated strategies successfully blocked attacks while preserving normal connectivity—outperforming a single-agent baseline by a factor of 4.4.
📝 Abstract
Mitigating an observed adversary in an enterprise network typically takes weeks of expert work: an analyst derives a mitigation tailored to that adversary, validates it without breaking production, and verifies it disrupts the specific attack. The procedure relies on expert judgment and cannot safely be exercised against the production network. COHORT is the first end-to-end framework to automate this procedure for deployable mitigations. A role-decomposed multi-agent LLM workflow proposes candidates, implements them as real device commands, and refines them through a critique loop, all on a high-fidelity GNS3 emulator running real vendor firmware (firewall, switch, router). Each candidate is evaluated by offensive replay: re-executing the original adversary on the mitigated network for a paired comparison against the unmitigated baseline, rather than the reward-signal or expert-judgment proxies used in prior simulation, hybrid, and configuration-generation work. Two further checks complement replay: a connectivity-regression check (LAN ping and internet HTTP probe) rejects mitigations that disrupt legitimate LAN or internet connectivity, and a cumulative evaluation stacks approved mitigations onto a persistent state to surface compound effects. Across three topologies and four attack scenarios (ransomware, lateral movement, DNS exfiltration, data theft), 46.7% of generated mitigations both disrupt the attack and preserve connectivity under replay, 4.4 times the rate of a single-agent baseline using the same model and tool access. A demo video walking through the framework is available with our released artifacts.
Problem

Research questions and friction points this paper is trying to address.

adversary mitigation
enterprise network security
attack disruption
production-safe validation
network defense automation
Innovation

Methods, ideas, or system contributions that make the work stand out.

multi-agent LLM
offensive replay
network emulation
automated mitigation
GNS3
🔎 Similar Papers
No similar papers found.
💼 Related Jobs
No related jobs found.
C
Chen Frydman
Ben-Gurion University of The Negev, Beer Sheva, Israel
A
Aviram Zilberman
Jerusalem College of Technology, Jerusalem, Israel
R
Rubin Krief
Ben-Gurion University of The Negev, Beer Sheva, Israel
A
Abed Showgan
Ben-Gurion University of The Negev, Beer Sheva, Israel
A
Andres Murillo
Fujitsu
S
Sekiya Motoyoshi
Fujitsu
Asaf Shabtai
Asaf Shabtai
Software and Information Systems Engineering, Telekom Innovation Labs, Ben Gurion University
Computer and network securitymachine learning
Yuval Elovici
Yuval Elovici
Head of Cyber@BGU, Director of Telekom Innovation Laboratories at BGU, Ben Gurion University
Computer and Network SecurityCyber Security
Rami Puzis
Rami Puzis
Software and Information Systems Engineering Department, Ben-Gurion University of the Negev
complex networkssocial networksdeep learningcyber securitycyberbiosecurity