Simulating cyberattacks with extended Petri nets

Author:

Petty Mikel D (1), Bland John A (2), Whitaker Tymaine S (1), Cantrell Walter Alan (3), Maxwell Katia P (4), Colvett C Daniel (5), Bearss E Michael (6)

Affiliation:

1. Department of Computer Science, The University of Alabama in Huntsville, USA

2. Computer Engineering, The University of Alabama in Huntsville, USA

3. College of Computing and Technology, Lipscomb University, USA

4. Computer Science, Athens State University, USA

5. Department of Industrial and Systems Engineering, The University of Alabama in Huntsville, USA

6. Trideum Corporation, USA

Abstract

Cybersecurity is an urgent concern. Cybersecurity simulation is an important part of the response to it. This article describes a research program consisting of several interconnected cybersecurity simulation research projects. Cyberattacks are modeled using Petri nets extended with features designed for modeling cyberattacks, including representations of the attacker’s and defender’s strategies, their actions, and their actions’ cost. A database of known attack patterns is automatically processed to generate cyberattack component models, one for each attack pattern. The models are verified and validated using multiple application-relevant methods that consider both Petri nets’ theoretical properties and cyberattacks’ practical characteristics. Because the source attack pattern database is attacker-centric, the cyberattack component models are enhanced to include defender actions and responses, as well as representations of normal user activities on the computer system being attacked. Cyberattack component models stored in a repository are selected and composed into complete models of target computer systems. Metadata associated with each model guides the selection and composition. The cyberattack models are executed to simulate cyberattacks. Multiple simulation iterations are used to train reinforcement learning algorithms that automatically learn improved attacker or defender strategies.

Publisher

SAGE Publications
