non-terminal states, those that initiate the work of the corresponding nested state machines; terminal states, those that interact with the network model or with a real network; and abstract (auxiliary) states. Transition arcs are identified with the productions of the grammars and can be traversed only under certain conditions.
The model of each state machine is defined by specifying the following components: the state machine diagram; the main parameters of the state machine; the parameters of the transitions, which determine the stochastic model of the state machine's operation for the different intentions relevant to carrying out network attacks; and the transition conditions. In the state machine diagram, the initial and final states are denoted by black circles and the intermediate states by rectangles with rounded corners. Examples of the state machine diagrams for the intentions "Network Attack" (A), "Reconnaissance" (R), and "Implantation and threat realization" (I) are shown in Fig. 1.
A peculiarity of any attack is that the malefactor's strategy depends on the results of the intermediate actions. The malefactor's actions therefore have to be generated on-line, interleaved with receiving the reaction of the attacked network. The network returns the value of the result (success or failure); the attacker model receives it and generates the next terminal symbol according to the attack model and depending on the result returned for the previous phase of the attack.
The model of the attacked computer network and of its response to attacks is represented as the quadruple $M_A = \langle M_{CN}, \{M_{H_i}\}, M_P, M_{HR} \rangle$, where $M_{CN}$ is the model of the network structure, $\{M_{H_i}\}$ is a set of models of the host resources, $M_P$ is the model for computing attack success probabilities, and $M_{HR}$ is the model of the host reaction in response to an attack.
The model $M_{CN}$ of the computer network structure is defined as $M_{CN} = \langle A, P, N, C \rangle$, where $CN$ is the identifier of the computer network, $A$ is the network address, $P$ is the family of protocols used, $N$ is a set $\{CN_i\}$ of sub-networks and/or a set $\{H_i\}$ of hosts of the network $CN$, and $C$ is the set of connections between the sub-networks (hosts), given as a mapping matrix.
The models $\{M_{H_i}\}$ of the network hosts (resources) represent the host parameters that matter for attack simulation: IP address, type and version of the OS, user identifiers, domain names, host access passwords, users' security identifiers (SIDs), domain parameters, active TCP and UDP ports and the services of the hosts, etc.
Success or failure of each attack action (corresponding to the terminal level of the attack ontology) is determined by means of the model $M_P$ for computing attack success probabilities. This model is specified as a set of rules, each of which gives the success probability of an action as a function of the basic parameters of the host (the attack target).
The result of each attack action is determined according to the model $M_{HR}$ of the host reaction. This model is defined as a set of host reaction rules $M_{HR} = \{R^{HR}_j\}$, $R^{HR}_j: \text{Input} \to \text{Output}\ [\&\ \text{Post-Condition}]$, where Input is the malefactor's activity, Output is the host reaction, Post-Condition is a change of the host state, $\&$ is the logical connective "AND", and $[\ ]$ marks the optional part of the rule.
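The on-line interaction described above (the attacker model emitting one terminal symbol at a time, the network model answering with success or failure computed through $M_P$ and $M_{HR}$) can be illustrated with the following toy simulation. It is an added example and not code from the paper or from its Attack Simulator: the host parameters, the probability rules, the single reaction rule with its post-condition, and the shape of the three machines for A, R and I are all assumed for illustration and are far smaller than the paper's.

```python
"""Toy version of the attacker/network interaction: an attacker state machine
emits one terminal action at a time, the network model answers "success" or
"failure" via M_P and M_HR, and the answer selects the next transition.
Not the paper's code; hosts, rules, probabilities and machines are assumed."""
import random
from dataclasses import dataclass


@dataclass
class Host:                      # subset of M_Hi consulted by the rules (assumed)
    ip: str
    os: str
    open_tcp_ports: set
    firewall: bool
    compromised: bool = False    # changed only by a Post-Condition


def success_probability(action, host):
    """M_P: assumed rules giving a success probability from host parameters."""
    if action == "ping_sweep":
        return 0.2 if host.firewall else 0.95
    if action == "port_scan":
        return 0.5 if host.firewall else 0.9
    if action == "os_fingerprint":
        return 0.8 if host.open_tcp_ports & {22, 80} else 0.3
    if action == "exploit_service":
        return 0.6 if 80 in host.open_tcp_ports and host.os == "Linux" else 0.05
    return 0.0


def host_reaction(action, host, draw):
    """M_HR rule Input -> Output [& Post-Condition]: roll the outcome with M_P,
    apply the optional state change, return the Output sent to the attacker."""
    success = draw() < success_probability(action, host)
    if action == "exploit_service" and success:
        host.compromised = True  # Post-Condition of this rule
    return "success" if success else "failure"


# Transition tables keyed by (state, result of previous step).  The emitted
# symbol is a terminal action (str), a nested machine (dict) for a
# non-terminal state, or None in a final state, whose name is the result.
RECON = {                                       # intention R (assumed)
    ("start", None):      ("sweep", "ping_sweep"),
    ("sweep", "success"): ("scan", "port_scan"),
    ("sweep", "failure"): ("scan", "port_scan"),  # silent host: scan anyway
    ("scan", "success"):  ("fp", "os_fingerprint"),
    ("scan", "failure"):  ("abort", None),
    ("fp", "success"):    ("done", None),
    ("fp", "failure"):    ("abort", None),
}
IMPLANT = {                                     # intention I (assumed)
    ("start", None):      ("try1", "exploit_service"),
    ("try1", "success"):  ("done", None),
    ("try1", "failure"):  ("try2", "exploit_service"),  # one retry
    ("try2", "success"):  ("done", None),
    ("try2", "failure"):  ("abort", None),
}
ATTACK = {                                      # intention A: R, then I
    ("start", None):  ("R", RECON),             # non-terminal: nested R
    ("R", "success"): ("I", IMPLANT),           # non-terminal: nested I
    ("R", "failure"): ("abort", None),
    ("I", "success"): ("done", None),
    ("I", "failure"): ("abort", None),
}


def run_machine(machine, host, draw, trace, max_steps=50):
    """Drive one machine on-line; returns its result "success"/"failure"."""
    state, result = "start", None
    for _ in range(max_steps):
        state, symbol = machine[(state, result)]
        if symbol is None:                      # final state
            return "success" if state == "done" else "failure"
        if isinstance(symbol, dict):            # non-terminal state
            result = run_machine(symbol, host, draw, trace, max_steps)
        else:                                   # terminal: ask the network
            result = host_reaction(symbol, host, draw)
            trace.append((symbol, result))
    return "failure"                            # step budget exhausted


def run_attack(host, draw=random.random):
    """One simulated attack: (host compromised?, list of (action, Output))."""
    trace = []
    run_machine(ATTACK, host, draw, trace)
    return host.compromised, trace


def success_rate(template, trials, seed=1):
    """Monte Carlo estimate of the attack success probability for a host."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        h = Host(template.ip, template.os, set(template.open_tcp_ports), template.firewall)
        wins += run_attack(h, rng.random)[0]
    return wins / trials


if __name__ == "__main__":
    target = Host("10.0.0.5", "Linux", {22, 80}, firewall=False)  # constructed host
    print(run_attack(target, random.Random(7).random))
    print(success_rate(target, 2000))
```

The `draw` parameter is the only source of randomness, so a deterministic draw (always 0.0 or always 1.0) reproduces the best and worst case traces, while `success_rate` estimates the probability of a successful attack against a given host from the product of the per-action rules and the retry in machine I.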
3 Attack Simulator Implementation
Attack Simulator is built as a multi-agent system that uses two classes of agents: (1) the "Network Agent" simulates the defense system of the attacked computer network and