Distributed Cyber Attack Simulator (DCAS)
1. Introduction
We have developed a simulation framework for distributed cyber attack modelling based on the High Level Architecture (HLA), which is the de facto standard for distributed interactive simulation (DIS).
The proposed framework and the corresponding simulator, called the Distributed Cyber Attack Simulator (DCAS), help administrators model and evaluate the security measures of networks. We have developed a distributed cyber attack simulation engine based on Portico, an open source HLA run-time infrastructure (RTI).
The simulator works in two modes:
1. Interactive, and
2. Automated.
The simulator provides features for:
· Graphical design of networks and their elements
· Animated traffic simulation
· Data collection and statistical analysis
· Separate consoles for attackers and for defending elements (e.g., IDSs or IPSs)
To increase the fidelity of the simulator outputs, real-world payloads are used by the simulator. All the exploit information and the parameters of network elements can be extracted from the Open Source Vulnerability Database (OSVDB). Also, the Snort rule set is used as the signature database of the IDSs and IPSs.
2. Architecture
The HLA-based architecture of the proposed Distributed Cyber Attack Simulator (DCAS) is shown below. The architecture consists of three kinds of federates: network federates, attacker federates, and defender federates. These federates communicate with one another (inter-process communication, IPC) through the HLA run-time infrastructure (RTI).
The general architecture of the simulator consists of the following three layers:
· The first layer is the HLA middleware (we use the Portico RTI).
· The second layer consists of the federates in the simulation.
· The third layer is the applications developed for each federate.
Also, in the third layer, specific applications use different databases. For example, defender applications use the Snort rule set database for the exploit signatures.
The role of the cyber attack simulation engine is to create a mapping between the state of the federates and the entities in the upper layer. Because every entity in SimJava is a separate thread, our simulator is a multi-threaded application running on a distributed infrastructure. The engine is also responsible for:
· Synchronizing the time between entities and their respective federates,
· Entity management, and
· Event management.
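The defender federates' use of the Snort rule set as the IDS/IPS signature database (Sections 1 and 2) can be sketched in a few lines of Python. This is an added example, not DCAS code: it assumes a hypothetical parser for a small subset of the Snort rule language (parse_rule, inspect_traffic) and uses constructed rules and simulated packets.

```python
# Added example (not DCAS project code): a defender-federate IDS/IPS that loads a
# constructed subset of Snort rules and checks them against simulated packets.
# Assumed subset: actions "alert" (log) and "drop" (block), "any" or one port,
# and the msg/content/sid options; hex content, pcre, flow etc. are not modelled.
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action proto sport dport msg content sid")

def parse_rule(line: str) -> Rule:
    """Parse the header and the msg/content/sid options of one Snort rule."""
    head, _, opts = line.partition("(")
    action, proto, _src, sport, _arrow, _dst, dport = head.split()
    if action not in ("alert", "drop"):
        raise ValueError("unsupported action: " + action)
    opt = dict(re.findall(r'(\w+):\s*"?([^";]*)"?\s*;', opts))
    return Rule(action, proto, sport, dport, opt["msg"],
                opt["content"].encode(), int(opt["sid"]))

def matches(rule: Rule, pkt: dict) -> bool:
    """Header fields must agree and the content bytes must occur in the payload."""
    return (rule.proto == pkt["proto"]
            and rule.sport in ("any", str(pkt["sport"]))
            and rule.dport in ("any", str(pkt["dport"]))
            and rule.content in pkt["payload"])

def inspect_traffic(rules, packets):
    """Return (sid, msg, verdict) per hit; a 'drop' rule blocks the packet (IPS)."""
    hits = []
    for pkt in packets:
        for r in rules:
            if matches(r, pkt):
                hits.append((r.sid, r.msg, "blocked" if r.action == "drop" else "logged"))
                if r.action == "drop":
                    break  # IPS semantics: no later rule sees a dropped packet
    return hits

# Constructed rule set and simulated traffic events (not from a real capture).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB directory traversal"; content:"../"; sid:1000001;)',
    'drop tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000002;)',
)]
PACKETS = [
    {"proto": "tcp", "sport": 40001, "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"proto": "tcp", "sport": 40002, "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"},
    {"proto": "tcp", "sport": 40003, "dport": 21, "payload": b"USER anonymous\r\n"},
]
```

Calling inspect_traffic(RULES, PACKETS) logs the traversal attempt and blocks the anonymous FTP login, while the plain GET passes untouched.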
3. How to Work with DCAS?
Working with DCAS is simple. You can build your network in the graphical user interface by dragging and dropping network elements such as:
1. hosts
2. servers (DNS, FTP, Mail, HTTP)
3. firewalls, IDSs, IPSs
4. routing devices (routers, hubs)
Below you can see an example of a constructed network.
After you have built your network, you can place the attackers in the network and get a console specific to each attacker on its own system. After the simulation has ended, you can see the results and effects on your network.
4. For more information, see our recent paper:
· M. Ashtiani and M. Abdollahi Azgomi, "A Distributed Simulation Framework for Modeling Cyber Attacks and the Evaluation of Security Measures," Simulation: Transactions of the Society for Modeling and Simulation International, Vol. 90, No. 9, SAGE, Sept. 03, 2014, pp. 1071-1102.