Distributed Cyber Attack Simulator (DCAS)

1. Introduction

We have developed a simulation framework for distributed cyber attack modelling based on the High Level Architecture (HLA), which is the de facto standard for distributed interactive simulation (DIS). The proposed framework and the corresponding simulator, called the Distributed Cyber Attack Simulator (DCAS), help administrators model and evaluate the security measures of their networks. The distributed cyber attack simulation engine is built on Portico, an open source HLA run-time infrastructure.

The simulator works in two modes:

1. Interactive, and

2. Automated.

The simulator provides features for:

·        Graphical design of networks and their elements

·        Animated traffic simulation

·        Data collection and statistical analysis

·        Different consoles for attackers and defending elements (e.g., IDSs or IPSs).


To increase the fidelity of the simulator outputs, the simulator uses real-world payloads. All the exploit information and the parameters of network elements can be extracted from the Open Source Vulnerability Database (OSVDB). The Snort rule set is used as the signature database of the IDSs and IPSs.


2. Architecture

The HLA-based architecture of the proposed Distributed Cyber Attack Simulator (DCAS) is shown below. The architecture consists of three kinds of federates: network federates, attacker federates, and defender federates. These federates communicate with each other (inter-process communication, IPC) through the HLA run-time infrastructure (RTI).

[Figure: Bird's eye view of the architecture]

The general architecture of the simulator consists of the following three layers:

·         The first layer is the HLA middleware (we use Portico RTI).

·         The second layer consists of federates in the simulation.

·         The third layer is the applications developed for each federate.


[Figure: Main Architecture]


In the third layer, the specific applications also use different databases. For example, defender applications use the Snort rule set database for exploit signatures. The role of the cyber attack simulation engine is to map the state of the federates onto the entities of the upper layer. Because every entity in SimJava is a separate thread, our simulator is a multi-threaded application running on a distributed infrastructure.

The network federate is the main federate, which starts the simulation. It provides a network designer, an animated simulator and a set of statistical data collectors. The simulation engine is responsible for the following:

·        Synchronizing the time between entities and their respective federates,

·        Entity management, and

·        Event management.
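As an added illustration (this is a self-contained Python sketch written for this page, not DCAS code; DCAS itself runs on Java and the Portico RTI), the block below models the three engine responsibilities above in a single process: a timestamp-ordered event queue stands in for the RTI's time synchronisation, a registry holds the entities, and events are dispatched strictly in time order. It also shows the signature-database idea from Section 1 with a toy IDS that matches constructed packets against constructed Snort-shaped rules. The rule format, the packet format, the entity names and the latencies are assumptions made for the example, not DCAS's own data structures.

```python
import heapq
import itertools
from dataclasses import dataclass, field

# Constructed rules in a Snort-like shape (sid/proto/dport/content/msg).
# Real Snort rules carry many more options; this toy IDS only checks the
# protocol, the destination port and a byte "content" pattern.
TOY_RULES = [
    {"sid": 1, "proto": "tcp", "dport": 21, "content": b"SITE EXEC", "msg": "FTP SITE EXEC attempt"},
    {"sid": 2, "proto": "tcp", "dport": 80, "content": b"../..", "msg": "HTTP path traversal attempt"},
]

# Constructed traffic: one benign request and two packets that match the rules.
PACKETS = [
    {"proto": "tcp", "dport": 80, "data": b"GET /index.html HTTP/1.1"},
    {"proto": "tcp", "dport": 21, "data": b"SITE EXEC test"},
    {"proto": "tcp", "dport": 80, "data": b"GET /../../etc/passwd HTTP/1.1"},
]


@dataclass(order=True)
class Event:
    time: float
    seq: int                              # tie-breaker: equal times keep schedule order
    target: str = field(compare=False)    # name of the receiving entity
    payload: dict = field(compare=False)


class Engine:
    """Single-process stand-in for the RTI/simulation engine: it owns the clock
    (time synchronisation), the entity registry (entity management) and the
    timestamp-ordered event queue (event management)."""

    def __init__(self):
        self.now = 0.0
        self.entities = {}
        self.queue = []
        self.seq = itertools.count()

    def register(self, entity):
        self.entities[entity.name] = entity
        entity.engine = self
        return entity

    def schedule(self, delay, target, payload):
        assert delay >= 0, "events cannot be scheduled in the past"
        heapq.heappush(self.queue, Event(self.now + delay, next(self.seq), target, payload))

    def run(self):
        # Conservative time advance: the clock only moves to the smallest pending
        # timestamp, so no entity ever receives an event older than its own time.
        while self.queue:
            ev = heapq.heappop(self.queue)
            self.now = ev.time
            self.entities[ev.target].handle(ev)
        return self.now


class Entity:
    def __init__(self, name):
        self.name, self.engine = name, None

    def handle(self, ev):
        pass


class TrafficSource(Entity):
    """Stands in for the attacker federate's console: emits the constructed packets."""

    def start(self, packets, first_hop, spacing=10.0):
        for i, pkt in enumerate(packets):
            self.engine.schedule(spacing * (i + 1), first_hop, pkt)


class IDS(Entity):
    """Passive sensor: matches each packet against the rule set, records alerts,
    and forwards the packet unchanged (an IPS would drop on match instead)."""

    def __init__(self, name, rules, next_hop, latency=1.0):
        super().__init__(name)
        self.rules, self.next_hop, self.latency = rules, next_hop, latency
        self.alerts, self.seen = [], 0

    def handle(self, ev):
        pkt = ev.payload
        self.seen += 1
        for rule in self.rules:
            if (rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]
                    and rule["content"] in pkt["data"]):
                self.alerts.append((self.engine.now, rule["sid"], rule["msg"]))
        self.engine.schedule(self.latency, self.next_hop, pkt)


class Server(Entity):
    def __init__(self, name):
        super().__init__(name)
        self.received = []

    def handle(self, ev):
        self.received.append((self.engine.now, ev.payload["dport"]))


def run_scenario(rules=TOY_RULES, packets=PACKETS):
    """Builds source -> IDS -> server, runs to completion and returns the
    collected statistics, in the spirit of the page's data collectors."""
    eng = Engine()
    src = eng.register(TrafficSource("attacker"))
    ids = eng.register(IDS("ids", rules, next_hop="www"))
    srv = eng.register(Server("www"))
    src.start(packets, first_hop="ids")
    end = eng.run()
    return {"end_time": end, "packets_inspected": ids.seen,
            "alerts": ids.alerts, "delivered": srv.received}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In a real HLA deployment each federate keeps its own clock and the RTI grants time advances only when no federate can still send an event with a smaller timestamp; the single heap above collapses that negotiation into one process but preserves the invariant that matters, namely that events are delivered in non-decreasing time order.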

3. How to Work with DCAS?

Working with DCAS is simple. You build your network in the graphical user interface by dragging and dropping network elements such as:

1. hosts

2. servers (DNS, FTP, Mail, HTTP)

3. firewalls, IDSs, IPSs

4. routing devices (routers, hubs)

Below you can see an example of a constructed network.

[Figure: A sample scenario]

After you have built your network, you can place attackers in it; each attacker gets a dedicated console on his own system. After the simulation has ended, you can see the results and their effects on your network.

4. For more information, see our recent paper:

·        M. Ashtiani and M. Abdollahi Azgomi, "A Distributed Simulation Framework for Modeling Cyber Attacks and the Evaluation of Security Measures," Simulation: Transactions of the Society for Modeling and Simulation International, Vol. 90, No. 9, SAGE, Sept. 03, 2014, pp. 1071-1102.