Cyber Resilience – Part 3 – Simulation Models for Assessing Cyber Resilience
Posted April 9, 2019
The next in our Cyber Resilience series explores how simulation models are an important tool in the effort to maintain cyber resilience in a system or set of systems. (Did you miss Part 2?)
Simulation Models for Assessing Cyber Resilience
To have confidence in any simulation assessment of the cyber resilience of a network and its applications, an at-scale (i.e., of the same size as the network being studied), high-fidelity simulation model is needed. This simulation model is composed of models of network components (network devices such as radios, routers and desktops, wireless channels, terrain, etc.), network applications, cyber attacks (DDoS, jamming, vulnerability attacks, etc.) and cyber defenses (firewalls, intrusion detection software, and anti-virus software). Models of network devices must represent the behavior of the protocols running at the devices as well as cyber vulnerabilities that may exist in the devices’ software (e.g., the operating system or word processor).
In the context of a computer network, misbehaving applications or network protocols can be considered cyber attacks. Therefore, to study the impact of cyber attacks, both the attacks and the targeted network must be modeled at a fidelity sufficient to capture their interactions. For example, studying the effects of SYN Flood or IP Fragmentation DDoS attacks requires accurately modeling, respectively, the three-way handshake that establishes TCP connections at the transport layer and the fragmentation and reassembly procedure at the network layer. Similarly, to study the effects of a jammer that degrades throughput by selectively jamming only signals transmitted at high data rates, the adaptive data rate mechanism at the MAC layer needs to be modeled. Without the ability to model these interactions, there is a serious risk that the potential impact of specific attacks will be grossly underestimated or grossly exaggerated. In either case, scarce resources will not be deployed to optimal effect.
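The SYN Flood point above, as an added sketch that is not from the original post or from any SCALABLE product: a toy discrete-event model in Python compares a handshake-aware listener (a backlog of half-open slots held until the final ACK or a timeout) with a bandwidth-only view of the same traffic. All rates, the backlog size, the timeouts, the link speed and the function names are assumptions chosen for illustration.

```python
import heapq

def handshake_model(legit_rate, attack_rate, duration=60.0, backlog=128,
                    rtt=0.04, synack_timeout=30.0):
    """Fraction of legitimate connections that finish the three-way handshake.

    Constructed toy model: fixed-rate arrivals, a listener with `backlog`
    half-open slots, and spoofed SYNs that never return the final ACK.
    """
    events, seq = [], 0          # heap of (time, tie-breaker, kind)
    for kind, rate in (("legit_syn", legit_rate), ("attack_syn", attack_rate)):
        for i in range(int(duration * rate)):
            heapq.heappush(events, (i / rate, seq, kind))
            seq += 1
    half_open = attempted = established = 0
    while events:
        t, _, kind = heapq.heappop(events)
        if kind in ("ack", "timeout"):       # slot released either way
            half_open -= 1
            established += kind == "ack"
            continue
        attempted += kind == "legit_syn"
        if half_open >= backlog:
            continue                         # backlog full: SYN is dropped
        half_open += 1                       # server sends SYN-ACK, holds state
        if kind == "legit_syn":              # real client ACKs one RTT later
            heapq.heappush(events, (t + rtt, seq, "ack"))
        else:                                # spoofed source: wait for timeout
            heapq.heappush(events, (t + synack_timeout, seq, "timeout"))
        seq += 1
    return established / attempted if attempted else 1.0

def bandwidth_only_model(legit_rate, attack_rate, link_bps=100e6, syn_bytes=60):
    """Low-fidelity view: the attack is just extra load on the link."""
    offered_bps = (legit_rate + attack_rate) * syn_bytes * 8
    return min(1.0, link_bps / offered_bps) if offered_bps else 1.0

if __name__ == "__main__":
    for label, kwargs in (("no attack", dict(attack_rate=0)),
                          ("SYN flood", dict(attack_rate=500)),
                          ("SYN flood, 0.2 s half-open timeout",
                           dict(attack_rate=500, synack_timeout=0.2))):
        hs = handshake_model(legit_rate=20, **kwargs)
        bw = bandwidth_only_model(20, kwargs["attack_rate"])
        print(f"{label:36s} handshake model {hs:6.1%}   bandwidth-only {bw:6.1%}")
```

The bandwidth-only model reports no impact in every scenario, while the handshake-aware model shows legitimate connections collapsing under the flood and recovering when the half-open timeout is shortened, which is the kind of counter-measure comparison a higher-fidelity model makes possible.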
By using high-fidelity models of network devices that reflect known and potential vulnerabilities, cyber defense experts can use network simulation to devise defensive strategies against zero-day attacks. Zero-day attacks, by definition, target vulnerabilities that are not known to the software architects and cyber defenders before an attack exploiting them takes place. This makes them particularly dangerous, because they have ‘free rein’ until a counter-measure is developed and deployed. Since network simulation can model the effects of exploiting not only known vulnerabilities but also potential ones, defenders can study how future attacks could compromise the system and develop pre-emptive counter-measures to thwart them.
Visualizations and data collection from these simulations can provide detailed insights to planners and cyber defenders. While the simulation is executing, real-time visualization and statistics display can be used to gain valuable insight into the network dynamics, including how malware spreads within the network. Post-simulation, statistical data collected during the simulation can be analyzed to help identify potential issues. These analyses can also be used to evaluate the effectiveness of counter-measures.
SCALABLE’s Simulation Products
For a network simulator to be of practical use in assessing the cyber resilience of networks, it should be able to run high-fidelity, at-scale network models at high speed. SCALABLE’s library of models includes high-fidelity models of protocols at all layers of the protocol stack, applications, radios, terrain, etc., as well as models of different kinds of cyber attacks and defenses. SCALABLE’s cyber simulation and training products, EXata and Network Defense Trainer (NDT), provide several tools for easily creating models of real networks, visualizing the network during simulation, and collecting detailed statistics for post-simulation analysis. EXata and NDT were designed from the ground up to leverage parallel discrete event simulation and parallel computing technology to support high-fidelity, at-scale network simulations that also run faster than real-time. Therefore, network behavior under different operational conditions and cyber attacks can be studied in a reasonable time, making EXata and NDT particularly useful for assessing the cyber resilience of both commercial and tactical networks.