Affiliation:
1. Trustworthy Computing Laboratory, School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran
Abstract
The aim of this work is to propose a framework for the distributed simulation of cyber attacks based on high-level architecture (HLA), which is a commonly used standard for distributed simulations. The proposed framework and the corresponding simulator, called the distributed cyber attack simulator (abbreviated as DCAS), help administrators to model and evaluate the security measures of networks. At the core of the DCAS is a simulation engine based on Portico, which is an open source HLA run-time infrastructure. The DCAS works in two modes: interactive and automated. Three types of simulation components (called federates in HLA terminology) are considered in the framework: (1) the network federate, (2) the attacker federate and (3) the defender federate. The simulator provides features for graphical design of the network models, animated traffic simulation, data collection, statistical analysis and different consoles for attacking and defending elements (e.g., intrusion detection systems, intrusion prevention systems). To increase the fidelity of the simulation outputs, real-world payloads are used by the DCAS. All exploit information and the parameters of various network elements are automatically extracted from the open source vulnerability database. Also, the Snort rule-set is used as the signature database of the defending elements. The architecture and algorithms of the DCAS and the corresponding underlying simulation engine, plus the security evaluation results of two illustrative examples, are presented in this paper.
Subject
Computer Graphics and Computer-Aided Design, Modeling and Simulation, Software
Cited by
8 articles.