Risk-Aware SOC Alert Handling in Adaptive Cyber Defense with Reinforcement Learning
摘要
Security operations centers (SOCs) are increasingly turning to machine learning to help analysts manage the growing volume of alerts. Although many of these systems use static classifiers, they often lack the ability to adapt to changing threat contexts or analyst feedback. Reinforcement learning (RL) offers a way to train agents that can learn from experience and make context-aware decisions. In this work, we investigate how the reward function, rather than the algorithm itself, can influence agent behavior in simulated SOC environments. We introduce a risk-aware reward formulation that encodes operational factors such as threat criticality, confidence, and isolation cost. We then evaluate whether a standard RL agent (PPO) can learn more useful behavior purely through reward shaping. Our experiments show that reward design plays a critical role: agents trained with shaped rewards not only achieve better performance, but also demonstrate more adaptive and risk-sensitive behavior, especially under uncertainty. These findings highlight the importance of aligning reward signals with real-world decision trade-offs in practical security settings.