Research Paper Course 60-592 Instructor: Dr. Aggrawal.

Papers
- Active Vulnerability Assessment of Computer Networks by Simulation of Complex Remote Attacks. Igor Kotenko, St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia
- Formal Framework for Modeling and Simulation of DDoS Attacks Based on Teamwork of Hackers-Agents. Igor Kotenko, Alexey Alexeev, Evgeny Man’kov, St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia

Network Security
- Security Assurance
- We have seen
  - Practical tools
- We will see
  - Underlying approach
  - Theoretical concepts
  - With reference to Attack Simulator

Goal of Paper
- Development of
  - General approach
  - Mathematical models
  - Software simulation tool
- For active analysis of computer network vulnerabilities

Security Assurance
- Important problem
  - Increasing significance of information
  - Potentially devastating consequences
- Complex
  - Growing size
  - Inter-connectivity of networks
  - Number of users
  - Availability of information

Attack Modeling and Simulation Approach
- Malefactor’s intention and attack task specification
- Application ontology “Computer Network Attacks”
- Formal grammar based framework
- State machine based representation of attack generation
- Formal model of attacked computer network

Malefactor’s Intentions
- R – Reconnaissance: aiming at getting information about the network (host)
- I – Implantation and Threat Realization

List of Malefactor’s Intentions
- 1-6: R type
- 7-12: I type

Attack Task Specification
- A top-level attack goal
- Specified as
- Known Data specifies the information about the attacked computer network.
- Attack Object corresponds to an optional variable defining the attack target more exactly.

Hierarchy of Attacks
- Two subsets
  - Upper level (macro-level attacks)
  - Lower level (micro-level attacks)

Relations
- Part Of – decomposition relationship
- Kind Of – specialization relationship
- Seq Of – specifying sequence of relationship
- Example Of – type of object (specific sample of object)

Mathematical Model of Attack Intentions
- Formal grammar
- Particular intentions inter-connected through substitution operations
- Ma = Gi =
- {Gi} – formal grammar
- {Su} – substitution

State Machines
- States
  - First (Initial)
  - Intermediate
  - End (Final)
- Transition arcs – can be carried out only under specific circumstances
- Examples of state machines
  - Implantation and Threat Realization
  - Identification of Hosts

Factors
- Malefactor’s strategy
- Depends on results of intermediate actions
- Reason – it is not possible to generate the complete sequence of the malefactor’s actions beforehand

Attack Simulator Implementation
- Multi-agent system
- Network Agent – simulates an attacked computer network
- Hacker Agent – performs attacks against computer networks
- Technology – MASDK (Multi Agent System Development Kit)

Key Components of Hacker Agent
- Kernel of Hacker Agent
  - Calls specification of attack task
  - Computes next state machine transition
- Script Component – specifies the set of scripts that can be executed by state machines
- Attack Task Specification Component – provides the user with an interface to specify attack attributes
- Probabilistic decision making model – used to determine the hacker agent’s further action in attack generation
- Network Traffic Generator – forms the flow of network packets
- Attack Scenario Visualization – for visual representation of attack progress

Key Components of Network Agent
- Kernel of Network Agent
  - Functions used for specification of network configuration through the user interface
  - Computation of the network’s response to an attacking action
- State Machines Model – specifies the network agent behavior (communication functionality)
- Network Configuration Specification Component – a set of user interfaces for configuration of the network to be attacked
- Firewall Model component – determines the firewall’s response to an action
- Network response component – network’s (host’s) response messages to an attack

Component Models of Network Agent and Hacker Agent

Experiments with Attack Simulator
- Goals of experiment
  - Checking a computer network security policy at the stages of conceptual and logic design of the network security system
  - Checking the security policy of a real-life computer network

Factors affecting attack efficacy
- Protection degree of network firewall (PNF)
- Protection degree of personal firewall (PPF)
- Protection parameters of attacked host (PP)
- Hacker’s knowledge of network (KN)

Attack outcome parameters
- Number of attack steps (NS)
- Percentage of intent realization (PIR)
- Percentage of attack realization (PAR)
- Percentage of firewall blocking (PFB)
- Percentage of reply absence (PRA)

Example
- Realization of Intention CVR
- Protection of attacked host – Strong
- Hacker’s knowledge – Good

Changes of Attack Outcome Parameters
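
An added example (not code from the papers or from this presentation): a small Monte Carlo model of the state-machine walk described above, used the way the experiments use the simulator, to see how a stronger network firewall shifts the outcome parameters. The stage names, probabilities, failure limit and the exact formulas for NS, PIR, PAR, PFB and PRA are assumptions made for illustration.

```python
import random

# Abstract stages of one simulated intention (constructed, not from the papers).
STAGES = ["initial", "intermediate-1", "intermediate-2", "final"]

def run_once(rng, p_block, p_silent, p_success, max_failures=5):
    """Walk the state machine once; return (step outcomes, reached_final)."""
    state, failures, log = 0, 0, []
    while state < len(STAGES) - 1 and failures < max_failures:
        # The outcome is known only after the step, so the next transition
        # is chosen from the intermediate result, not planned beforehand.
        if rng.random() < p_block:
            outcome = "blocked"      # firewall model rejects the action
        elif rng.random() < p_silent:
            outcome = "no_reply"     # host gives no response
        elif rng.random() < p_success:
            outcome = "ok"           # transition arc condition is met
        else:
            outcome = "failed"
        log.append(outcome)
        if outcome == "ok":
            state += 1
        else:
            failures += 1            # assumed rule: give up after max_failures
    return log, state == len(STAGES) - 1

def simulate(p_block, p_silent, p_success, runs=1000, seed=1):
    """Aggregate outcome parameters over many runs (assumed definitions)."""
    rng = random.Random(seed)
    steps, realized = [], 0
    for _ in range(runs):
        log, done = run_once(rng, p_block, p_silent, p_success)
        steps.extend(log)
        realized += done
    pct = lambda name: 100.0 * steps.count(name) / len(steps)
    return {"NS": len(steps) / runs,            # mean steps per run
            "PIR": 100.0 * realized / runs,     # runs that reached "final"
            "PAR": pct("ok"), "PFB": pct("blocked"), "PRA": pct("no_reply")}

if __name__ == "__main__":
    # Constructed settings: p_block stands in for the firewall factor (PNF).
    for label, p_block in [("weak PNF", 0.1), ("strong PNF", 0.7)]:
        print(label, simulate(p_block, p_silent=0.2, p_success=0.8))
```
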

Conclusion (Paper I)
- Paper presents a formal approach to active vulnerability assessment based on modeling and simulation of remote computer network attacks
- Multi-agent system
- Tries to give a standard procedure for security assurance

Paper II
- Formal Framework for Modeling and Simulation of DDoS Attacks Based on Teamwork of Hackers-Agents. Igor Kotenko, Alexey Alexeev, Evgeny Man’kov, St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia
- Concern: growth in the number and capacity of DDoS attacks

Goals of Paper
- Development of a formal framework for modeling
- Elaboration of formal specification of a representative spectrum
- Implementation of software development tools

Teamwork
- Joint Intention theory
- Shared Plans theory
- Combined theory of agents

Creation of Hackers Agent
- Forming the subject domain ontology
- Determining the agents’ team structure
- Defining the agents’ interaction-and-coordination mechanisms
- Specifying the agents’ action plans
- Assigning roles and allocating plans between agents
- Realizing the teamwork by a set of state machines

Structure
- Client: supervises a sub-team of masters
- Masters: each master supervises a group of demons
- Demons: execute immediate attack actions against victim hosts

Suggested Mechanisms
- Maintenance and action coordination
- Monitoring and restoration of agent functionality
- Maintenance of communication selectivity

Plan of DDoS
- Preliminary: reconnaissance and installation of agents
- Basic: realization of DDoS attack by joint action of agents
- Final: visualization of attack results

Formal Model of Attacked Networks
- Represented as a quadruple
- MA =
- Mcn – model of computer network structure
- {Mhi} – model of host resources
- Mp – model of computation of success probabilities
- Mhr – model of host reaction in response to attacks
- Input -> Output [& post condition]

Attack Simulation Tool Implementation
- MASDK – Multi-Agent System Development Kit
- Why use Attack Simulator
  - Checking a computer network security policy at the stages of conceptual and logical design
  - Checking security of a real-life computer network

Conclusion (Paper II)
- Paper presents a formal paradigm for modeling and simulation
- Presents a structure of a team of agents
- Above approach used for evaluation of computer network security
- Analysis of both efficiency and effectiveness of security policy against DDoS attacks


Questions and Comments
Thank you
Presented by Ashutosh Sood