An Analysis on a Framework of Modeling and Simulation For Cyber Security: Development and Applications
With the increasing occurrence of various cyber-attacks such as distributed denial of service (DDoS) and worm attacks, simulations are being used to develop security techniques and policies against such attacks. In a cyber-security environment, there are many entities that have different resources and behaviors; attack and defensive behaviors are exhibited upon interaction with other entities. In order to design simulation models for various cyber-security simulations, not only a generalized model that can represent various attacks and target entities but also a modeling method that considers different types of interactions between entities to make simulation models should be developed. In this paper, we describe a modeling methodology for the cyber-security simulation based on discrete event system specification (DEVS) formalism.
This paper describes a new hybrid modeling and simulation architecture developed for understanding and developing protections against and mitigations for cyber threats upon control systems. It first outlines the challenges to PCS security that can be addressed using these technologies. The paper then describes Virtual Control System Environments (VCSE) that use this approach and briefly discusses security research that Sandia has performed using VCSE. It closes with recommendations to the control systems security community for applying this valuable technology.
Computer networks are now relied on more than ever before for gathering information and performing essential business functions. In addition, cyber-crime is frequently used as a means of exploiting these networks to obtain useful and private information. Although intrusion detection tools are available to assist in detecting malicious activity within a network, these tools often lack the ability to clearly identify cyber-attacks. This limitation makes the development of effective tools an imperative task to assist in both detecting and taking action against cyber-attacks as they occur.
In developing such tools, reliable test data must be provided that accurately represents the activities of networks and attackers without the large overhead of setting up physical networks and cyber-attacks. The intent of this paper is to use operation research and simulation techniques to provide both data and data-generation tools representative of real-world computer networks, cyber-attacks, and security intrusion detection systems. A simulation model is developed to represent the structure of networks, the unique details of network devices, and the aspects of intrusion detection systems used within networks. The simulation is also capable of generating representative cyber-attacks that accurately portray the capabilities of attackers and the intrusion detection alerts associated with the attacks. To ensure that the data provided is reliable, the simulation model is verified by evaluating the structure of the networks, cyber-attacks, and sensor alerts, and validated by evaluating the accuracy of the data generated with respect to what occurs in a real network.