Dynamical Attack Simulation for Security Information and Event Management

  • Igor Kotenko
  • Andrey Shorov
  • Andrey Chechulin
  • Evgenia Novikova
Part of the Lecture Notes in Geoinformation and Cartography book series (LNGC)


The chapter considers a simulation-based approach to analyzing network resilience to botnet attacks in security information and event management (SIEM) systems, which can be applied to distributed geographic information systems (GISs). Conversely, SIEM systems can use GIS technology for network awareness, taking into account the geographical location of hosts and network segments. To protect the network against botnet attacks, it is necessary to investigate the processes occurring at all stages of the botnet lifecycle (propagation, control, and attack). The suggested approach can detect the critical nodes in the network, as well as determine and evaluate the protection mechanisms against botnet attacks. We propose the architecture of the dynamic attack simulation component (DASC) and describe its interaction with other SIEM components. The component prototype is presented and the results of the implemented experiments are discussed.


Network security analysis; Infrastructure attacks; Dynamic simulation; Botnets; Security information and event management



This research is being supported by a grant from the Russian Foundation of Basic Research, Program of fundamental research of the Department for Nanotechnologies and Informational Technologies of the Russian Academy of Sciences (contract #2.2), State contract #11.519.11.4008, and partly funded by the EU as part of the SecFutur and MASSIF projects.



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Igor Kotenko (1)
  • Andrey Shorov (1)
  • Andrey Chechulin (1)
  • Evgenia Novikova (1)
  1. Saint-Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS), Saint-Petersburg, Russia
