Two Complementary Network Modeling and Simulation Approaches to Aid in Understanding Advanced Cyber Threats

  • Conference paper
Advances in Human Factors in Cybersecurity

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 501)

Abstract

This paper describes two complementary approaches to modeling and simulation (M&S) of sophisticated malware attacks, for use in understanding and preparing for potential threats. Modern malware operates at multiple scales, and successfully defending against these attacks requires the ability to understand the effects of decisions across this range. We present two types of M&S frameworks that differ in fidelity and scalability. The first is a low-fidelity, scalable approach for representing and studying the spread of malware in a large network at a macro scale. The network is both modeled and simulated in ns-3, a discrete event simulation tool typically used for protocol exploration and traffic monitoring that supports the simulation of tens of thousands of nodes. The second type of simulation is a higher-fidelity, micro-scale approach that includes nodes that closely emulate the behavior of actual computer systems and may include real hardware and software. ns-3 allows outside networks to interact with the simulation in real time. This enables the combination of the network simulation environment with real and virtual machines to allow detailed observation of the ways in which a hypothetical advanced persistent threat would play out in a small subnetwork. The interface between the ns-3 simulation, the attack framework (e.g., Metasploit), and the real and virtual nodes is managed by a controller that also supplies configuration, business logic, and results logging. We present use cases for both simulation types, showing how each approach can be used in the analysis of malware.

Corresponding author

Correspondence to Stephen Lee-Urban.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Lee-Urban, S., Whitaker, E., Riley, M., Trewhitt, E. (2016). Two Complementary Network Modeling and Simulation Approaches to Aid in Understanding Advanced Cyber Threats. In: Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. Advances in Intelligent Systems and Computing, vol 501. Springer, Cham. https://doi.org/10.1007/978-3-319-41932-9_33

  • DOI: https://doi.org/10.1007/978-3-319-41932-9_33

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-41931-2

  • Online ISBN: 978-3-319-41932-9

  • eBook Packages: Engineering, Engineering (R0)
