DEVS-based Modeling Methodology for Cybersecurity Simulations from a Security Perspective

Abstract

Security administrators of companies and organizations need to come up with proper countermeasures against cyber-attacks considering infrastructures and security policies in their possession. In order to develop and verify such countermeasures, the administrators should be able to reenact both cyber-attacks and defenses. Simulations can be useful for the reenactment by overcoming its limitations including high risk and cost. If the administrators are able to design various scenarios of cyber-attacks and to develop simulation models from their viewpoints, they can simulate desired situations and observe the results more easily. It is challenging to simulate cyber-security issues, because there is lack of theoretical basis for modeling a wide range of the security field as well as pre-defined basic components used to model cyber-attacks. In this paper, we propose a modeling method for cyber-security simulations by developing a basic component and a composite model, called Abstracted Cyber-Security Unit Model (ACSUM) and Abstracted Cyber-security SIMulation model (ACSIM), respectively. The proposed models are based on DEVS(Discrete Event systems Specification) formalism, a modeling theory for discrete event simulations. We develop attack scenarios by sequencing attack behaviors using ACSUMs and then model ACSIMs by combining and abstracting the ACSUMs from a security perspective. The concepts of ACSUM and ACSIM enable the security administrators to simulate numerous cyber-security issues from their viewpoints. As a case study, we model a worm scenario using ACSUM and simulate three types of simulation models based on ACSIM from a different security perspective.

1. Introduction

As cyber-attacks become increasingly sophisticated, detecting and defending against attacks are challenging. For example, advanced persistent threats (APT) generally consist of seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives[1]. Attackers try a variety of attacks until they finally achieve the goal of each step. In order to prevent such advanced cyber-attacks, it is necessary to predict various potential attacks and to design and verify countermeasures in advance. However, the following risks and limitations apply to the study of cyber-security in the real world.

• Risk of the destruction of targets - the purpose of most of active cyber-attacks is to cause damage to target systems. If we reenact cyber-attacks in the real world, damages such as the destruction of computer systems, networks, programs, and information, can occur.

• High cost of implementation of experimental environments – deploying a cyber attack infrastructure over the network is costly.

The higher cost of attacks has not only the more spatial restriction to conduct the attacks but also the higher risk by success of the attacks [2]. In other words, larger scale cyber-attacks are associated with higher risks and costs of the development. One alternative to overcome these limitations is a simulation. Dangerous or expensive experiments can be conducted in virtual environments [3,4]. It is also used for experiments that involve unexpected situations or high complex models [5].

Simulations have been used in many fields including manufacturing, network communications, and national defense [6,7]. Numerous studies on domain-specific simulations are in progress. These studies cover topics ranging from modeling methodologies to the development of simulation software that help easy implement, execution, and analysis of simulation models. Arena [8], OPNET (Optimized Network Engineering Tool) [9] and NS (Network Simulator) [10] are representative simulation software actively used in the domains of manufacturing and network communications. These software use pre-defined building blocks to design and implement simulation models for a variety of purposes. This is possible not only because the basic components of simulation are designed, but also because there is methodology to combine them.

Most of cyber-security simulations can hardly use building blocks from other studies, even they deal with same attacks. This is because security issues are diagnosed and resolved from a different perspective depending on the security manager's knowledge and their security policies. Furthermore, lack of theoretical basis for the modeling of security issues makes it difficult to develop and extend simulation models systematically. Applying various security goals to the simulation models is also challenging.  A well-defined model for cyber-security simulations is very essential in order to simulate a wide range of security issues.

In this paper, we propose a modeling methodology for the cyber-security simulations. There are two steps in modeling security issues: modeling of cyberattacks and modeling of viewpoints from a security perspective. For the first step, we develop a basic component of cyber-security simulations, called the ACSUM(Abstracted Cyber-Security Unit Model). Each ACSUM is a building block of one scenario of attack. By sequencing and coupling multiple ACSUMs, we are able to model a variety of attack scenarios. For the second step, we develop a composite model, called the ACSIM(Abstracted Cyber-security SIMulation model), which consists of more than one ACSUM. Each ACSIM is modelled to have a single state by abstracting the state of ACSUMs in it.

The abstraction is carried out in consideration of the security issues of interest. In other words, once we model the attack scenario using ACSUMs, we can develop multiple simulation models from various security perspectives. The concept of ACSUM makes it easier for security administrators to model the desired scenario by combining multiple ACSUMs as the building blocks. The concept of ACSIM enables the administrators evaluate their countermeasures against the attacks from a variety of security perspectives.

Our theoretical basis of the modeling methodology is DEVS(Discrete EVent systems Specification) formalism[11], a modeling theory for discrete event systems. DEVS allows us to develop modular models by separating models from input and output interfaces. Even if the scenario changes, all we need to do is change the coupling structures rather than changing the model design. Furthermore, we are able to employ DEVS regardless of the types of system elements(e.g. hosts, networks, applications) or attack mechanisms. DEVS is a general methodology that provides a mathematical frame to discrete event systems. In order to explain our modeling methods, we model numerous cyberattacks from different security perspectives.

The remainder of this paper is organized as follows. Section 2 briefly reviews DEVS formalism and investigates previous studies on modeling and simulation in the cyber-security field. We also describe the concept of abstracting models from a security perspective. In the Section 3, we design ACSUM and ACSIM based on DEVS. In Section 4, we model a worm simulation using ACSUM and ACSIM with three types of scenarios. We show the experimental results in Section 5. Finally, the conclusion, application, and future work are presented in Section 6.

2. Related Work

2.1 DEVS formalism

DEVS provides a modeling method for discrete even systems. There are two kinds of DEVS models: atomic model and coupled model. Hierarchical and modular models can be generated by using these two models. The atomic model M is represented by the following formalism:

M = < X, S, Y, δint , δext , λ, ta >       (1)

where X is a set of input events, S is a set of states, Y is a set of output events, δint is an internal transition function where S → S, δext is an external transition function where Q × X → S, λ is an output function where S → Y, and ta is a time advance function where Q = {(s,e) | s ∈ S, 0 ≦ ta(s)} where e is a time elapsed since last transition. The coupled model specifies connection structures between atomic models. The coupled model N is represented by the following formalism:

N = (X, Y, D, M_d|d ∈ D, EIC, EOC, IC, Select)       (2)

where X is a set of inputs through interfaces, Y is a set of outputs through interfaces, D is a set of the component names, M_d is DEVS models named one of the elements of D, EIC is connections between external inputs and component inputs, EOC is connections between component outputs and external outputs, IC is connections between component inputs and outputs, and Select is a tie-breaking function that determines priority of execution of components.

2.2 Modeling and simulation studies on cybersecurity

Attack tree[12] is the most well-known modeling method in cybersecurity. Attack tree models a process of achieving the final goal and represents detailed purposes or attacks. Attack tree is not enough for simulation models because there is no state transition function, time advanced function as well as state variables enabling the model to be traceable and executable. Most of previous studies on cyber-security simulations have addressed network attack, such as worm simulations and distributed denial of service (DDoS) simulations using network. Most worm simulation studies focus on network parameters and observe states of hosts on the basis of such parameters, because they model and simulate the simulations using network simulatiors. Ref. [14] conducts a worm simulation in the packet-level and observes the number of infected hosts according to scan rate, scanning strategy, link delay, network bandwidth, topology, payload size, and so on. Ref. [15] considers time delay, scan rate and a rate of vulnerable hosts in order to analyze a rate of infections of a random scanning worm. Ref. [16] observes the number of infected hosts considering rates of hiding hosts from external networks, online/offline of hosts, and downloading time in order to simulate a passive P2P worm. Refs. [17] configure network parameters including bandwidth, delay, and the types of transmission protocol. They also stochastically configure security properties including vulnerable hosts and system patching. Regarding previous DDoS simulation studies, Ref. [18] configures a network by considering background traffic and subnets. In addition, Ref. [19] also considers malicious traffic, the number of zombie systems, and properties of attack and defense. Although these studies show meaningful insights for worm or DDoS simulations, it is hard to model from a security perspective or to reflect countermeasures unless these features are implemented in the network simulator. In other words, the simulation performances are dependent on network simulators.

2.3 Model Abstraction from Security Viewpoints

Abstraction is a process that finds out the key nature of complex systems. In the security field, abstraction can be defined as a process that classifies the managed objects into specific groups according to security policies. Through the abstraction, security administrators can apply countermeasures to the groups by observing security status of each group, as shown in Fig. 1.

Fig. 1. The concept of abstraction of security issues

Security zone and RBAC (Role-based Access Control) are examples that use abstraction in the security field. In a security zone, a network can be classified into ‘trusted zone / untrusted zone’ or ‘high security area / Internet / Demilitarized zone (DMZ),’ according to the rules of the firewall. We call each classified zone a security zone. In addition, we can apply different countermeasures to each security zone according to the security policy, by making different detection rules as shown in Fig. 2.

Fig. 2. Security zone – Network abstraction using firewall rules

RBAC is a technique in system security. RBAC restricts the use of resources by abstracting user identities. Users are divided into several groups such as ‘student / professor’ or ’undergraduate / graduate’ according to the roles. In addition, a system can grant different permissions that allow the use of resources based on user group.

Considering the above examples, if we could develop multiple types of simulation models for an attack event, we can easily observe the effectiveness of various security policies and come up with optimal measures.

3. Modeling of ACSUM and ACSIM

3.1 Modeling of ACSUM

In order to model a cyber-security issue, we first need to look at a basic interaction process between a cyber-attack and a defense, because cyber-security is achieved by interactions between attackers and targets. If a target is vulnerable to an attack, the attack will be successful. If a target has countermeasures that can defend against the attack, the attack will fail because of the execution of the defense mechanisms. As shown in Fig. 3, by connecting the basic process with the cyber-security factors, attackers and targets can be matched to the elements of cyberspace, and their attack and defense mechanisms can be similarly matched to the attack and defense behaviors.

Fig. 3. Defining cyber-security factors from a basic cyber-security process

Accordingly, we need to design the elements of cyberspace and the cyber-attack behaviors for the modeling of the attackers, and to design the elements and the defense behaviors for the modeling of the targets. ACSUM is a unit model that can include a set of information about cyber-security factors. Therefore, we can design a basic scenario of cyber-attacks with a combination of ACSUMs.

Fig. 4. Components of ACSUM

In order to make use of ACSUMs as building blocks in a simulation, an ACSUM should be able to change its state during the simulation. That is, changes of state of an ACSUM can be primitive factors that make a cyber-security model change its state. We represent ACSUMs using DEVS formalism as follows:

M_ACSUM = {X_ACSUM ,Y_ACSUM ,S_ACSUM ,δext_ACSUM ,λ_ACSUM} ,       (3)

where X_ACSUM is a set of input events of ACSUM, Y_ACSUM is a set of output events of ACSUM, S_ACSUM is a set of states, δext_ACSUM is an external transition function where S_ACSUM x X_ACSUM → S_ACSUM , and λ_ACSUM is an output function. Although the ACSUM does not include the time advance function in the specification, it has a processing time as a state variable. The time advance function is considered in ACSIM that we finally run on a DEVS simulation engine.

As shown in Fig. 5, each arrow indicates the effect of the behavior, and that implies a relation between two ACSUMs. The following cases create coupling relations: 1) a behavior of an ACSUM targets another ACSUM, 2) sharing an element of cyberspace among ACSUMs. In the case that input/output data is transmitted among ACSUMs, the data must be able to include information about the source, destination, and content. Accordingly, we define that a message format of an ACSUM consists of “source ACSUM ID,” “destination ACSUM ID,”, and “content,” The “content” field can contain any exchanging messages including a worm file.

Fig. 5. The concept of coupling relations among ACSUMs

3.2 Modeling of ACSIM

Each ACSUM works as a building block of cyber-security simulations. On the other hand, there should be models for letting the ACSUMs operated in a discrete-event simulation environment. We transform ACSUMs into ACSIMs for this purpose. In order to develop a flexible cyber-security simulation model considering various security issues, we position ACSUMs into several groups according to various simulation purposes, as shown in Fig. 6. Each group is modeled into one ACSIM. By coupling ACSIMs, we can make a complete cyber-security simulation model. In the process of modeling an ACSIM, the concept of abstraction is required. This concept allows us to develop simulation models considering various security viewpoints.

Fig. 6. Development of various ACSIMs with combinations of ACSUMs

After determining the ACSUMs that belong to an ACSIM, we develop each ACSIM by extracting and combining key state variables from the ACSUMs based on a simulation purpose. Since a funcdamantal cyber-attack scenario should not be changed in the ACSIM modeling step, ACSIMs should be able to maintain coupling relations among ACSUMs as shown Fig. 7.

Fig. 7. An example of developing ACSIMs containing coupling relations among ACSUMs

Considering the above example, we can model a cyber-security model (CSM) in phases as shown in Fig. 8.

Fig. 8. A process of developing a cyber-security model in phases

In Fig. 8(a), an ACSIM is modeled with a partitioned set of ACSUMs. Let the sets of ACSUMs and ACSIMs to be U and D, respectively. Given U = {u | u ⊆ {acsum₁, acsum₂,… acsum_k}, u ≠ ø } and D = {d | d ∈ {ACSIM₁, ACSIM₂, …, ACSIM_m}} where both k and m are nature numbers, an abstraction function f is defined by f(u) = d. The specification of d is as shown in Equation (4).

d = <X_d, Y_d, S_d, δext_d, δint_d, λ_d , ta_d>       (4)

X_d and Y_d are the sets of inputs and outputs through interfaces of d, where d is one of the ACSIMs. S_d is a set of states, δext_d is an external transition function, and δint_d is an internal transition function of d. λ_d is an output function and ta is a time advance function. Each ACSIM advances its time by calculating the processing times of ACSUMs belonging to the ACSIM.

We can develop the CSM by coupling ACSIMs. The CSM consists of more than one d or more than one coupled model that is already composed of more than one d, as shown in Fig. 8(b). Accordingly, we can finally model the CSM in phases as shown in Fig. 8, and the complete structure of the model is shown in Fig. 9. The CSM is specified as shown in Equation (2).

Fig. 9. The complete structure of a cyber-security model based on DEVS

In Fig. 9, X and Y are sets of inputs and outputs of a CSM, respectively. EIC is a set of connections between inputs of the CSM and ACSIMs, EOC is a set of connections between outputs of ACSIMs and CSM, and IC is a set of connections between inputs and outputs of ACSIMs.

In the modeling of ACSIMs, the location of the ACSUMs determines whether ACSIM I/O events occur. For example, Fig. 10(a) is a case in which two ACSUMs belong to different ACSIMs. In this case, if acsum₂  sends a message to acsum₃, an I/O event between ACSIM₁ and ACSIM₂ occurs. Fig. 10(b) is a case in which two ACSUMs belong to the same ACSIM. In this case, ACSIM₁ processes an I/O event between acsum₂ and acsum₃ internally, so that no I/O event occurs.

Fig. 10. I/O event of ACSIMs based on the location of the ACSUMs

4. Modeling of a Worm Simulation from a Security Perspective

This section describes a process of modeling worm simulations under three scenarios that have different security purposes. In addition, we model and simulate the three scenarios to verify the models’ design and execution. We consider a fundamental behavior of a worm attack. Not only traditional worm attacks (e.g. Code red[20]) but also recent worm attacks (e.g. WannaCry[21]) have the characteristics of propagating themselves through the network. The infected host scans vulnerable hosts and transmits a worm file to the target host. When the target host executes the file, the host is infected and keeps propagating the worm following the fundamental behavior.

In Fig. 11(a), host0, which has been initially infected by a worm, propagates the worm file to the other hosts in the internal network (LAN A) and the external network (LAN B). Each host is modelled as ACSUM, which has the fundamental behavior. A set of ACSUMs is as follows:

ACSUM ={host1(system), host2(system),..., host# (system}       (5)

Fig. 11. Example scenarios(b, c, d) of modeling various forms of ACSIMs of a fundamental worm propagation process(a) from a different security perspective

Because each host targets each other, a worm attack corresponds to attacks involving a bidirectional relation. A set of coupling relations are defined as follows:

CR_ACSUM ={(host0, host0),(host0, host1),(host0, host2),..., (host2, host0),(host1, host0),..., (host# , host# )}       (6)

Each ACSUM is modeled after designing coupling relations. First, we determine the initial states of all the ACSUMs and then define the ACSUM behaviors as a set of states for each ACSUM. In the worm simulation, a host performs three functions: worm execution, scanning the other hosts, and worm transmission [22]. The set of states for each ACSUM is defined as follows:

S_host# = {s₀, execute,scan, transmit} , where s₀ is the initial state       (7)

Next, ACSIMs are modelled based on the simulation purposes. We develop three scenarios of ACSIMs by abstracting security issues. The purpose of Scenario 1 and 2 is to observe the status of the simulation model; the purpose of Scenario 3 is to control network groups according to security policies.

• Scenario 1 - observing the state of each host (Fig. 11(b))

This scenario is to observe the changing state of each host like numerous previous worm simulation studies. We can create an ACSIM from one ACSUM. The ACSIM can have states such as ‘vulnerable,’ ‘infected,’ and ‘invulnerable.’ In order for the ACSIM to abstract the three states, the key state variables from the ACSUMs must be extracted in advance. Vulnerabilities and attack behaviors from the ACSUMs can be key state variables. If one ACSUM is not vulnerable to a worm, the state of this ACSIM will always be ‘invulnerable.’ If an ACSUM is vulnerable to the worm, however, the state of the ACSIM will be different depending on the state of the ACSUM. If the state of the ACSUM is ‘execute,’ we can abstract, to the ACSIM, a state of ‘vulnerable’ because the host will be infected when the worm file has executed successfully. If the state of the ACSUM is one of the others, we can abstract the state ‘infected’ to the ACSIM.

• Scenario 2 - observing an entire network to alert Internet users in order to prepare for the worms (Fig. 11(c))

This scenarios is to observe an entire network when a worm is introduced. In this case, all hosts are developed into one ACSIM by abstracting the statuses of multiple ACSUMs. As states of the ACSIM, there can be five abstracted states: ‘green,’ ‘blue,’ ‘yellow,’ ‘orange,’ and ‘red.’ We can determine the state by observing the behaviors of host and calculating the number of behaviors of ‘scan’ and ‘transmit’ of ACSUMs in the network.

• Scenario 3 – controlling a local network when a worm is introduced (Fig. 11(d))

This scenarios is to control LANs according to security policies. In this case, each LAN is modeled into one ACSIM with states that can be ‘open’ or ‘blocked.’ If the number of behaviors of ‘scan’ and ‘transmit’ of hosts is more than a threshold of the security policies, a countermeasure that blocks outbound traffic will be applied.

As shown by these three scenarios of ACSIM modeling of a worm simulation, we are able to develop a basic worm propagation scenario that is modeled with combinations of ACSUMs into different types of ACSIMs including hosts, local networks, and an entire network. As a result, we are able to model and simulate the worm simulation considering management groups, and to apply countermeasures and evaluate the effects.

5. Simulation Results

We implement three simulation models using DEVSJAVA [23], which is a simulation software used for executing DEVS models. In our simulation, a scenario of Fig. 11(a) consists of 100 hosts and the percentage of invulnerable hosts on the network is set from 20 to 30.

Our basic worm propagation scenario comprising low-level behaviors is used for the following three simulations. Because the three simulations are modeled for different purposes from various viewpoints, we can observe and obtain different simulation results from each of them. Table 1 shows the first scenario and describes how the states of ACSUMs are abstracted to that of ACSIMs. This scenario can be also used in numerous studies that observe the state of hosts to find infected host.

Table 1. (Scenario 1) Abstracted states of ACSIMs obtained from ACSUMs

Table 2 presents the relation between security levels and the rate of infected hosts in Scenario 2.

Table 2. (Scenario 2) Security levels according to the rate of infected host in the network

Fig. 12 compares Scenario 1 and 2. Both scenarios are simulated based on the basic worm propagation scenario. However, because Scenario 2 is modeled to trace the state of the network rather than the state of the hosts, the changing security levels can be observed. The ‘yellow’ level only has a short time to stay because the worms spread very rapidly. In the graph, the greater the slope of Scenario 1, faster the change in security level.

Fig. 12. Scenario 1 vs Scenario 2

In the Scenario 3, there are five LANs in the network, with each LAN comprising 20 hosts. In this scenario, each LAN has a countermeasure that blocks outbound traffic when three hosts are infected with worms. Even though outbound traffic of a LAN is blocked, a worm propagation will continue until all vulnerable hosts on the LAN are infected. Fig. 13(a) shows a simulation result for Scenario 3. The number of infected hosts on LAN D is zero during the simulation. This is because all the LANs except LAN D blocked their outbound traffic, in accordance with security policies, before the vulnerable hosts on LAN D could be scanned. Table 3 shows simulation results of the blocking time for each LAN. Fig. 13(b) compares Scenario 1 and 3. In the case of Scenario 3, the total number of infected hosts on the entire network is less than that in the case of Scenario 1 because of the countermeasures, even though the total number of vulnerable hosts on the entire network is the same. In addition, it is clear that the velocity of Scenario 3 is also lower than that of Scenario 1.

Fig. 13. Simulation results of Scenario 3

Table 3. (Scenario 3) A simulation result of blocking time of outbout traffic

6. Conclusion

In order to simulate cyber-security problems from viewpoints of security administrators, we have proposed a modeling method for developing simulation models using basic components and composite models. We have developed the two types of models, the ACSUM and the ACSIM.

The ACSUM, a basic component, consists of an element of cyberspace and its attack or defense behaviors. By combining pre-defined ACSUMs, we can develop various cyber-attack scenarios, which progress based on the interactions among the elements. To help modelers develop ACSUMs easily, we suggested a scenario-based modeling method for ACSUMs.

The ACSUMs can be transformed into multiple composite models, the ACSIMs, after considering security issues. In the security field, the concept of abstraction, which is a process that classifies the objects to be managed into specific groups based on security policies, is usually employed to apply countermeasures. Accordingly, we suggested methods for classifying ACSUMs into specific groups using abstraction and developed each group into an ACSIM based on DEVS formalism, a specification method for discrete event systems.

As a case study, we have developed various worm simulation models considering countermeasures and observation group units, such as hosts, local networks, and entire network, using our modeling methods. We then have simulated and analyzed them to verify the models’ design and execution. Through the simulation, our model is useful for security administrators by enabling them to simulate their security issues from various viewpoints considering their security policies. Since ACSUMs can also represent other elements of cyberspace and their behaviors, we can model other cyber-attacks using our modeling method.

For example, we can model APT attacks based on our method. Fig. 14 shows the modeling of ACSUMs for an APT attack based on an example scenario usually used in APT attacks.

Fig. 14. ACSUM modeling for an APT attack

If we develop all the possible components of an ACSUM in advance, in addition, we can make it possible to develop a wide range of cyber-security issues into ACSUMs by combining them, as shown in Fig. 15.

Fig. 15. Development of ACSUMs by combination of pre-extracted elements of cyberspace and behaviors of cyber-attacks and defenses

For the extraction of the behaviors of cyber-attacks and defenses, we can analyze CAPEC (Common Attack Pattern Enumeration and Classification) [24] that defines 400 types of attack patterns. By incorporating, in advance, all possible behaviors from CAPEC, we can develop various cyber-attacks using combinations of the extracted behaviors.

This study can be used to develop a cyber-security simulator that supports various cyber-security simulations. In the simulator, ACSUMs can be used as building blocks for the cyber-security simulation, and subsequently can be transformed into a simulation model using the ACSIM modeling method. As future work, we will implement the simulator, and develop a database that involves cyber-attack behaviors and defense behaviors that are extracted from CAPEC. Moreover, we will develop various ACSUMs in advance so that modelers can easily model various cyber-security issues by combining the pre-developed ACSUMs.