Can a Network Attack Be Simulated in an Emulated Environment for Network Security Training?
Abstract
1. Introduction
- Design and implement a virtual network utilising common network services (see Section 3).
- Add the ability to configure the network based on user requirements (see Section 5).
- Generate and capture network traffic that simulates normal network usage (see Section 4.1 and Section 4.2).
- Automatically replay captured network traffic (see Section 4.3).
- Test the system (see Appendix B).
- Randomise the replay of captured network traffic, to further obfuscate any traffic of a malicious nature (see Section 4).
Paper Discovery Method
2. Related Work
2.1. Cyber Defence Exercises
2.2. Network Threats
2.2.1. Threat Actors
- Cyber Criminals—Individuals or groups that attack systems for financial gain, for reputation, for performing malicious activities, for carrying out “conventional crime” or for erasing data.
- States or State Sponsored—Individual or groups funded by governments to attack systems typically used for cyber espionage or to cause damage.
- Hacktivists—Individuals or groups who attack systems for political or social reasons.
- Terrorists—Individuals or groups that attack systems to cause damage and destroy.
- High Privileged Insiders—Individuals or groups with privileged user access seeking financial gain.
- Partner—Trusted partner of an organisation seeking financial gain or a competitive advantage.
2.2.2. Attack Taxonomy
2.3. Network Emulation
2.3.1. Netkit
2.3.2. Virtual Network User-Mode Linux (VNUML)
2.3.3. VMware Server
2.4. Replay of Network Traffic
2.5. Network Topologies
2.6. Common Network Services
2.7. Email
2.8. File Transfer
2.9. Webpages
2.10. Remote Access
2.11. Key References
3. Network Overview
3.1. Collision Domain: TAP
3.2. Collision Domain: D
3.3. Collision Domains: B & C
3.4. Collision Domain: A
3.4.1. File Transfer Protocol (FTP) Server
3.4.2. SSH File Transfer Protocol (SFTP) Server
3.4.3. Hypertext Transfer Protocol (HTTP) Server
3.4.4. Email Server
3.4.5. DHCP Server
3.4.6. Domain Name System (DNS) Server
3.4.7. Critical Analysis
4. Network Traffic Replay
4.1. Creation of Network Traffic
4.2. Capture of Network Traffic
4.3. Traffic Replay
5. Program Overview
6. Discussion
Author Contributions
Conflicts of Interest
Appendix A. Technical Network Report
Appendix A.1. Lab.conf
- router0[0]=A
- router0[1]=D
Appendix A.2. Lab.dep
- httpServer: dhcpServer dnsServer
Appendix A.3. Collision Domain: TAP
- route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.4.10 eth1
- route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.4.20 eth1
- route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.4.30 eth1
- tap[0]=tap,192.168.44.130,192.168.44.150
- tap[1]=D
- nameserver 192.168.0.5
- nameserver 8.8.8.8
- apt-get install links
Appendix A.4. Collision Domain: D
- ifconfig eth0 192.168.0.55 up
- ifconfig eth1 192.168.4.10 up
- route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.4.30 eth1
- route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.4.20 eth1
- route add default gw 192.168.4.40
- echo "isc-dhcp-relay isc-dhcp-relay/servers string dhcpServer.test.sc.com" | debconf-set-selections
- echo "isc-dhcp-relay isc-dhcp-relay/interfaces string" | debconf-set-selections
- echo "isc-dhcp-relay isc-dhcp-relay/options string" | debconf-set-selections
- apt-get update
- apt-get --force-yes install isc-dhcp-relay -y
- domain test.sc.com
- nameserver 192.168.0.5
Appendix A.4.1. Installing from Local Files
- dpkg-scanpackages . /dev/null | gzip -c9 > Packages.gz
- deb file:///etc/debPackages /
Appendix A.5. Collision Domains: B & C
- remote1: dhcpServer dnsServer router0 router1
- dhclient eth0
```conf
send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        dhcp6.name-servers, dhcp6.domain-search,
        netbios-name-servers, netbios-scope, interface-mtu,
        ntp-servers;
```
- inbox-path=imap.test.sc.com/user=remote1inbox
- bash /hosthome/Documents/netkitLabs/replayScripts/masterReplayScript.sh & disown
Appendix A.6. Collision Domain: A
- /etc/init.d/ssh start
- useradd -d /home/toor -m -s /bin/bash toor
- echo 'toor:root' | chpasswd
Appendix A.6.1. FTP Server
- /etc/init.d/proftpd start
Appendix A.6.2. SFTP Server
Appendix A.6.3. HTTP Server
- #enable ssl site
- a2ensite default-ssl
- a2enmod ssl
- #Start apache server
- /etc/init.d/apache2 start
- SSLCertificateFile /etc/apache2/ssl/https.crt
- SSLCertificateKeyFile /etc/apache2/ssl/https.key
Appendix A.6.4. Email Server
- apt-get update
- apt-get --force-yes install exim4 -y
- chmod 644 /etc/exim4/exim4.conf
- chown root:root /etc/exim4/exim4.conf
- /etc/init.d/exim4 start
- /etc/init.d/openbsd-inetd start
- customized-hdrs=Reply-To: [email protected]
Appendix A.6.5. DHCP Server
- ifconfig eth0 hw ether 00:00:00:00:00:03 up
- ifconfig eth0 192.168.0.7 up
- apt-get update
- apt-get --force-yes install isc-dhcp-server -y
- cp /etc/dhcp/myConf/dhcpd.conf /etc/dhcp
- service isc-dhcp-server restart
- INTERFACES="eth0"

```conf
ddns-update-style interim;
update-static-leases on;

key ddns.key {
    algorithm hmac-md5;
    secret NvoL1uVTOeWOmWQPbip1Rg==;
};

zone test.sc.com {
    primary 192.168.0.5;
    key ddns.key;
}

zone reverse.in-addr.arpa {
    primary 192.168.0.5;
    key ddns.key;
}

option domain-name "test.sc.com";
option domain-name-servers dnsServer.test.sc.com;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.50 192.168.1.250;
    default-lease-time 600;
    max-lease-time 7200;
    option routers 192.168.1.11;
    option ip-forwarding off;
    option domain-name-servers 192.168.0.5;
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;
}

host dnsServer {
    hardware ethernet 00:00:00:00:00:01;
    fixed-address 192.168.0.5;
}
```
Appendix A.6.6. DNS Server
- /etc/init.d/bind9 start
```conf
zone "test.sc.com" {
    type master;
    file "/etc/bind/db.com.sc.test";
    allow-update { key ddns.key; };
};
```
- dhcpServer.test.sc.com. IN A 192.168.0.7
- mail.test.sc.com. IN A 192.168.0.8
- imap.test.sc.com. IN A 192.168.0.8
- pop.test.sc.com. IN A 192.168.0.8
- 7.0.168.192 IN PTR dhcpServer.test.sc.com.
Appendix B. System Testing
Appendix B.1. Function 1 Tests
Function 1 Test Results

Description | Expected Results | Status (Pass/Fail) | Notes
---|---|---|---
Test 1 | | |
Send five emails using the email client on remote nodes. | The remote nodes will be able to send emails without error. | Pass | Initially this test failed. This was due to configuration changes to the network to implement DDNS (see Section 3.4.6); it was resolved by ensuring the email server updated the DNS server properly.
Check emails are received in the remote nodes' inbox. | The remote nodes are able to view emails sent to them. | Pass |
Test 2 | | |
Send the FTP server 5 files from five nodes on the network. | The remote nodes are able to send files to the FTP server. | Pass |
Use the get command to download files to five remote nodes from the FTP server. | The files will be downloaded by the host nodes. | Pass |
Send the SFTP server 5 files from five nodes on the network. | The remote nodes are able to send files to the SFTP server. | Pass |
Use the get command to download files to five remote nodes from the SFTP server. | The files will be downloaded by the host node. | Pass |
Send the FTPS server 5 files from five nodes on the network. | N/A | Fail | This test is not possible as there is not an FTPS server on this network (see Section 3.4.7).
Use the get command to download files to five remote nodes from the FTPS server. | N/A | Fail | This test is not possible as there is not an FTPS server on this network (see Section 3.4.7).
Test 3 | | |
Use the links web browser on five different remote nodes to go to the two HTTP webpages provided by the HTTP server. | The remote nodes are able to view the webpages. | Pass |
Use the links web browser on five of the remote nodes to go to the HTTPS webpage on the HTTP server. | The remote nodes are able to view the webpages. | Pass |
Test 4 | | |
Use the ping tool on five different nodes to ping five other nodes via their DNS names. | All tested nodes will reply when pinged via their DNS names. | Pass |
Use the ifconfig tool on five different nodes to ensure they are assigned IP addresses from the DHCP server. | All tested nodes will have valid IP addresses. | Pass |
Function 1 Test Results

Description | Expected Results | Status (Pass/Fail) | Notes
---|---|---|---
Test 1 | | |
Send five emails using the email client on remote nodes. | The remote nodes will be able to send emails without error. | Pass | Initially this test failed. This was due to a misconfiguration when the program edits the .pinerc on the standardNode nodes: the line edited cannot contain capital letters; if it does, the email client will be unable to send emails.
Check emails are received in the remote nodes' inbox. | The remote nodes are able to view emails sent to them. | Pass |
Test 2 | | |
Send the FTP server 5 files from five nodes on the network. | The remote nodes are able to send files to the FTP server. | Pass |
Use the get command to download files to five remote nodes from the FTP server. | The remote nodes are able to download files from the FTP server. | Pass |
Send the SFTP server 5 files from five nodes on the network. | The remote nodes are able to send files to the SFTP server. | Pass |
Use the get command to download files to five remote nodes from the SFTP server. | The remote nodes are able to download files from the SFTP server. | Pass |
Send the FTPS server 5 files from five nodes on the network. | N/A | Fail | This test is not possible as there is not an FTPS server on this network (see Section 3.4.7).
Use the get command to download files to five remote nodes from the FTPS server. | N/A | Fail | This test is not possible as there is not an FTPS server on this network (see Section 3.4.7).
Test 3 | | |
Use the links web browser on five different remote nodes to go to the two HTTP webpages provided by the HTTP server. | The remote nodes are able to view the webpages. | Pass |
Use the links web browser on five of the remote nodes to go to the HTTPS webpage on the HTTP server. | The remote nodes are able to view the webpages. | Pass |
Test 4 | | |
Use the ping tool on five different nodes to ping five other nodes via their DNS names. | All tested nodes will reply when pinged via their DNS names. | Pass |
Use the ifconfig tool on five different nodes to ensure they are assigned IP addresses from the DHCP server. | All tested nodes will have valid IP addresses. | Pass |
Appendix B.2. Function 2 Tests
Function 2 Test Results

Description | Expected Results | Status (Pass/Fail) | Notes
---|---|---|---
Test 1 | | |
Run through the network creation program and ensure values can be input where asked. This will be done 5 times, to ensure errors do not occur inconsistently. | All areas that ask for user input will allow it. | Pass |
Test 2 | | |
Run through the program and input special characters and letters where the input expects a number. This will be done using ten characters that are not numerical, a mix of special and alphabetical characters. Ten have been selected as it provides a large enough sample size to test the different available characters. | When entered, special characters return an error message. | Pass |
Run through the program and input characters that are not Y, y, N, or n where these are the expected response. This will be done using ten characters, a mix of special and alphanumeric characters. Ten have been selected as it provides a large enough sample size to test the different available characters. | When entered, characters that are not Y, y, N, or n will return an error message. | Pass |
Run through the program and, where it expects numbers 0–254, enter the numbers −1 and 255. This will test that the boundaries implemented are effective. | When entered, the numbers should return an error message. | Pass |
Appendix B.3. Function 3 Tests
Function 3 Test Results

Description | Expected Results | Status (Pass/Fail) | Notes
---|---|---|---
Test 1 | | |
Run through the program and ensure files and folders are created. The program will be used five times; each time different values will be entered for the different fields. | Files and folders will be output to the createdLab folder. | Pass |
Test 2 | | |
Run through the program and ensure files and folders are created with the names expected, given the values input. The program will be used five times; each time different values will be entered for the different fields. | The expected files and folders will be output to the createdLab folder. | Pass |
Test 3 | | |
Run through the program and ensure files and folders are created with the names expected, given the values input. The program will be used five times; each time different values will be entered for the different fields. | The expected files and folders will be output to the createdLab folder. | Pass |
Run through the program and ensure the files and folders created have expected names, given the values input. The program will be used five times; each time different values will be entered for the different fields, and ten different files will be checked each time. This will ensure a large number of the files output are checked for errors or discrepancies. | The expected files and folders will be output to the createdLab folder with the expected contents. | Pass |
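The input checks the Function 2 tests exercise (octets 0–254, Y/y/N/n answers, the −1 and 255 boundaries) and the createdLab output the Function 3 tests check, as an added example: a hypothetical sketch that is not the authors' Section 5 program, writing a Netkit lab.conf and a dhcpd.conf subnet block in the layouts of Appendix A. The function names and the per-subnet address layout are assumptions.

```python
"""Hypothetical sketch of the lab-creation program's input validation and
output files (an added example, not the authors' code). Output formats
follow Appendix A: Netkit lab.conf lines and a dhcpd.conf subnet block."""
import os
import re

def validate_octet(text):
    """Accept only an integer in 0..254; letters, special characters,
    -1 and 255 all raise ValueError, as the Function 2 tests expect."""
    if not re.fullmatch(r"\d{1,3}", text.strip()):
        raise ValueError(f"not a number: {text!r}")
    value = int(text)
    if not 0 <= value <= 254:
        raise ValueError(f"outside 0-254: {value}")
    return value

def validate_yes_no(text):
    """Accept exactly Y, y, N or n; return True for yes."""
    if text not in ("Y", "y", "N", "n"):
        raise ValueError(f"expected Y/y/N/n, got {text!r}")
    return text in ("Y", "y")

def rejects(check, text):
    """True if the validator raises ValueError for this input."""
    try:
        check(text)
    except ValueError:
        return True
    return False

def render_lab_conf(links):
    """Netkit lab.conf: one 'node[iface]=collision_domain' line per link."""
    return "".join(f"{node}[{iface}]={domain}\n" for node, iface, domain in links)

def render_dhcp_subnet(third_octet, router, dns):
    """dhcpd.conf subnet block for 192.168.<third_octet>.0/24 in the layout
    of Appendix A.6.5; third_octet has already passed validate_octet()."""
    net = f"192.168.{third_octet}"
    return (
        f"subnet {net}.0 netmask 255.255.255.0 {{\n"
        f"  range {net}.50 {net}.250;\n"
        f"  option routers {router};\n"
        f"  option domain-name-servers {dns};\n"
        f"  option broadcast-address {net}.255;\n"
        f"  option subnet-mask 255.255.255.0;\n"
        "}\n"
    )

def write_lab(outdir, links, subnets):
    """Write lab.conf and dhcpd.conf under outdir (the paper's createdLab
    folder) and return the paths written, so a test can check them."""
    os.makedirs(outdir, exist_ok=True)
    files = {
        "lab.conf": render_lab_conf(links),
        "dhcpd.conf": "".join(render_dhcp_subnet(*s) for s in subnets),
    }
    paths = []
    for name, body in files.items():
        path = os.path.join(outdir, name)
        with open(path, "w") as fh:
            fh.write(body)
        paths.append(path)
    return paths

if __name__ == "__main__":
    # Constructed input mirroring Appendix A.1 (router0 on A and D) and A.6.5.
    print(write_lab("createdLab", [("router0", 0, "A"), ("router0", 1, "D")],
                    [(validate_octet("1"), "192.168.1.11", "192.168.0.5")]))
```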
Appendix B.4. Function 4 Tests
Function 4 Test Results

Description | Expected Results | Status (Pass/Fail) | Notes
---|---|---|---
Test 1 | | |
Start the network lab and commence traffic captures on the router nodes, using the tcpdump tool. The router nodes will be used as these will see the most network traffic on the network. Leave these traffic captures running for ten minutes; this should be enough time for the traffic to be generated. | The traffic captures will contain data that represents the expected network traffic. | Pass |
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Chapman, S.; Smith, R.; Maglaras, L.; Janicke, H. Can a Network Attack Be Simulated in an Emulated Environment for Network Security Training? J. Sens. Actuator Netw. 2017, 6, 16. https://doi.org/10.3390/jsan6030016