Cyber Security Simulation
To test simulation methods of cyber attack scenarios.
The Arena Solution
A discrete-event simulation model has been developed for generating representative cyber attack and intrusion detection sensor alert data. Although the model is primarily designed to be used in testing cyber situational awareness and analysis tools, other applications such as training of systems analysts may also make effective use of the model. The simulation model is initially implemented in the ARENA simulation software. An object-oriented model written in Java is currently under development. Although this paper utilizes the ARENA model to illustrate the modeling concepts, the focus is on the concepts themselves.
The simulation model lets a user construct a representative computer network and then set up and execute a series of cyber attacks on chosen target machines within that network. IDS sensors placed within this network produce appropriate alerts based on the traffic they observe. The alerts produced are a combination of alerts triggered by attack actions and alerts triggered by typical “noise” (non-malicious network traffic that trips a signature).
The simulated computer networks consist of three primary types of devices: machines, connectors, and subnets. A machine represents an individual computer or server. Machine characteristics can be specified, including the IP address, the operating system, and the type of IDS sensor on the machine (if any). For each IDS sensor specified, an associated output file is generated containing the sequence of alerts produced when the simulation is run. A connector represents the means by which computers are connected, such as a switch or a router. Network connectivity plays an important role in establishing the path that an attacker can take through the network. A connector can also carry network IDS sensors, which monitor any network traffic that travels through the connector and produce alerts corresponding to known potentially harmful actions. A subnet represents a group of several machines with connectivity to the network that all share a common set of properties (such as the operating system). Machines within a subnet have the same set of properties that could be specified if the machines were placed into the network individually; the subnet simply provides an efficient way of specifying groups of computers (particularly useful when specifying large networks). Connector lines are used in the model to connect the modules and represent the connection of machines/subnets to a connector, as well as the connections between connectors themselves.
Once a computer network has been created, an attack scenario can be set up and run on it. An attack scenario consists of a series of specified cyber attacks occurring over a period of time, along with a specified quantity of network noise. A user interface with a series of forms is used to specify the desired scenario. The model structure enables manual or automatic attack generation. Additional parameters representing the behavior of the attacker can also be specified; these include the efficiency, stealth, and skill of the attack being modeled.
The Cyber Attack Simulator presented in this paper is capable of generating IDS alert and ground truth files based on the specification of a computer network and attacks. The simulator is built with a user interface to allow the creation of various computer network configurations and attack actions. The model also incorporates a method for automated attack generation given the network configuration, characteristics describing hacker capabilities, and vulnerabilities of the network.
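As an added illustration (not code from the paper or its ARENA model), the following Python sketch captures the concepts above: machines with optional host sensors, connectors with optional network sensors, an attack scenario and Poisson "noise" sharing one discrete-event clock, a stealth parameter that governs whether a sensor misses an action, and separate per-sensor alert lists and a ground-truth list. The network layout, signature labels and noise model are constructed assumptions, and attack paths through connectivity are not modeled.

```python
import heapq
import random
from dataclasses import dataclass, field
@dataclass
class Machine:
    ip: str
    os: str
    host_ids: str = ""                  # host-based IDS sensor name, "" if none
@dataclass
class Connector:                        # switch or router; members are attached IPs
    name: str
    net_ids: str = ""                   # network IDS sensor name, "" if none
    members: list = field(default_factory=list)
@dataclass
class AttackStep:
    time: float
    src: str
    dst: str
    action: str                         # signature label a sensor would raise
def run_scenario(machines, connectors, steps, noise_rate, duration, stealth, seed=0):
    """One discrete-event run. Returns (alerts keyed by sensor name, ground truth).
    stealth in [0, 1] is the probability that any one sensor misses an attack action."""
    rng = random.Random(seed)           # fixed seed: the run is exactly repeatable
    by_ip = {m.ip: m for m in machines}
    noisy = [c for c in connectors if c.net_ids and len(c.members) >= 2]
    events = [(s.time, seq, s) for seq, s in enumerate(steps)]  # (time, tiebreak, step)
    t, alerts, truth = 0.0, {}, []
    while noisy and noise_rate > 0:     # constructed noise: Poisson arrivals on [0, duration]
        t += rng.expovariate(noise_rate)
        if t > duration:
            break
        events.append((t, len(events), None))   # None marks a noise event
    heapq.heapify(events)
    def emit(sensor, at, src, dst, sig):
        alerts.setdefault(sensor, []).append((round(at, 3), src, dst, sig))
    while events:
        t, _, step = heapq.heappop(events)
        if step is None:                # benign traffic that still trips a signature
            c = rng.choice(noisy)
            emit(c.net_ids, t, *rng.sample(c.members, 2), "NOISE")
            continue
        truth.append((step.time, step.src, step.dst, step.action))
        for c in connectors:            # network sensor on a connector the target sits behind
            if c.net_ids and step.dst in c.members and rng.random() >= stealth:
                emit(c.net_ids, t, step.src, step.dst, step.action)
        host = by_ip[step.dst].host_ids  # host sensor on the target machine itself
        if host and rng.random() >= stealth:
            emit(host, t, step.src, step.dst, step.action)
    return alerts, truth
```

Running the same scenario twice with the same seed yields identical alert and ground-truth output, which is the repeatability property that distinguishes the simulated approach from a physical testbed.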
As the use of computer networks grows, cyber security is becoming increasingly important. This work is based on the need for testing situational awareness tools that are being developed to detect and analyze attacks on computer networks. Since conducting cyber attack experiments on computer systems that contain critical data is very undesirable, several alternatives have been used. One alternative consists of setting up a physical computer network that holds no critical data, performing cyber attacks on that network, and collecting data from its intrusion detection systems. A second alternative consists of generating synthetic data through simulation.
These two approaches differ in their requirements, capabilities, and limitations. The physical computer network requires the physical machines, networking, and IDS components. Consequently, conducting experiments on various network configurations involving different machines, servers, routing systems, IDS sensors, etc. requires reconfiguring the network and setting it up to produce the desired network activity and cyber attacks. The advantage of using the physical network is that the data produced comes from a real network as opposed to an abstract representation. This approach also has disadvantages: it is impossible to replicate an experiment exactly (if so desired), and the data produced is difficult to validate to ensure that all desired information is accounted for in the ground truth. Since physical networks are not perfectly reliable, data can be missed, processed incorrectly, etc.
Once the framework of the model has been established, various network configurations can be efficiently created and experiments can be conducted with various attack scenarios. Since the simulation experiments are controlled, they can be repeated exactly and all ground truth information is known.