Integration of an Internet Attack Simulator in an HLA Environment
Paper No. 99F-SIW-039
Simulation Interoperability Workshop (SIW), 12-17 September 1999
John R. Mostow, Jr., U.S. Army Communications-Electronics Command (CECOM), Command and Control Directorate
John D. Roberts and John Bott, Atlantic Consulting Services, Inc.
Introduction
- Internet Attack Simulator (IAS): a capability being developed by CECOM for simulating the attacks likely to be encountered against networks based on commercial Internet technology.
- Support test and evaluation of protection schemes designed to ensure the integrity of networks, for red teaming applications and laboratory experimentation.
- Integrate into a distributed simulation environment to support man-in-the-loop virtual experimentation for training and development of Tactics, Techniques, and Procedures (TTPs) in a hostile C3 environment.
- Use the High Level Architecture (HLA) as the key enabling technology for integration.
Conceptual Approach
- CECOM to leverage the Dual Use Science and Technology (DUST) program to develop the basic IAS capability, to include:
  - GUI for developing scenarios
  - System-level interfaces
  - Attack script database
  - Support for plug-in components to invoke external processes
- ACS to develop an HLA wrapper providing a standardized interface from the IAS to the distributed simulation environment.
Diagram: Internet Attack Simulator (IAS)
Identification of Attack Scenarios
- Denial of Service (DoS)
  - Disruption or destruction of components that contribute to the operation of an information system or systems.
  - Examples are flooding (e.g., tie up a network port) and forced suicide (e.g., reboot).
- Unauthorized Access
  - Bypassing or neutralizing protection mechanisms to obtain information from a system.
  - Used to leverage further compromise.
- Spoofing
  - Providing false information for the purpose of posing as a host, process, user, or valid message.
  - The most sophisticated forms require knowledge of the system.
DoS Scenario
Scenario:
- Attacker compromises a system on the target network
- Disconnects it and inserts the attacker's own system in its place
- Sniffs the network and identifies the IP address of the target
- Identifies an unreachable IP address
- Launches the flooding attack
Diagram: Attacker System (substituted for the Compromised System) floods the Target System across the Target Network
- TCP connection requests to a specific target port
- Numerous requests
- Tie up the system servicing the requests
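The slide lists "identify unreachable IP address" as a step without saying why. The standard reason, and the assumption behind the model below, is that the flood's connection requests carry that address as their source: the target answers each SYN with a SYN-ACK that nobody ever acknowledges or resets, so every request holds a slot in the listener's half-open backlog until it times out, and legitimate clients find the backlog full. The following discrete-time model is an added example, not code from the paper or from the IAS; the backlog size, timeout and attack rate are invented parameters, and the one-tick hold for a reachable source stands for the RST that a real host returns when it receives an unexpected SYN-ACK.

```python
"""Discrete-time model of the flooding attack in the DoS scenario.

Constructed example: a TCP listener keeps a bounded table of half-open
connections (SYN received, handshake not completed). A flood of connection
requests whose source address is unreachable leaves entries in that table
until they time out, because the SYN-ACK the target sends is never answered
with an ACK or a RST. Legitimate clients then find no free slot.
"""
from dataclasses import dataclass, field


@dataclass
class Listener:
    """A listening TCP port with a fixed half-open (SYN) backlog."""
    backlog: int            # maximum simultaneous half-open connections
    syn_timeout: int        # ticks a half-open entry lives without an ACK or RST
    half_open: list = field(default_factory=list)   # expiry tick of each entry

    def _expire(self, now: int) -> None:
        """Drop entries whose timeout has passed."""
        self.half_open = [exp for exp in self.half_open if exp > now]

    def syn(self, now: int, source_reachable: bool) -> bool:
        """Process one connection request; return True if it got a backlog slot.

        If the (possibly spoofed) source is reachable, that host answers the
        unexpected SYN-ACK with a RST after one round trip and the slot is
        freed (modelled as a one-tick hold; a legitimate client completing the
        handshake frees it just as fast). If the source is unreachable, the
        slot is held for the full SYN timeout.
        """
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False        # backlog exhausted: the SYN is dropped
        hold = 1 if source_reachable else self.syn_timeout
        self.half_open.append(now + hold)
        return True


def run_flood(backlog: int = 128, syn_timeout: int = 30, attack_rate: int = 10,
              ticks: int = 100, unreachable_source: bool = True) -> int:
    """Flood the listener for `ticks` ticks at `attack_rate` SYNs per tick while
    one legitimate client tries to connect once per tick.

    Returns the number of legitimate attempts that were accepted.
    """
    listener = Listener(backlog, syn_timeout)
    accepted = 0
    for now in range(ticks):
        for _ in range(attack_rate):
            listener.syn(now, source_reachable=not unreachable_source)
        if listener.syn(now, source_reachable=True):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("unreachable spoofed source:", run_flood(unreachable_source=True), "of 100 accepted")
    print("reachable spoofed source:  ", run_flood(unreachable_source=False), "of 100 accepted")
    print("backlog > rate x timeout:   ", run_flood(backlog=400), "of 100 accepted")
```

With the invented defaults the backlog fills after a dozen ticks and stays full, since each tick's expiries are immediately refilled; the same flood from a reachable source never denies a single legitimate connection, and a backlog larger than attack rate times timeout (here 400 slots against 10 SYNs per tick held for 30 ticks) also rides out the attack. Those two knobs are exactly what a protection-scheme evaluation on this scenario would vary.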
Unauthorized Access Scenario
Scenario:
- Attacker compromises a system on the target network
- Disconnects it and inserts the attacker's own system in its place
- Identifies the target system's IP address
- Uses tools to identify the services available on the target
- Forces a buffer overflow in an identified service to open access to the target
- Gains access and obtains unauthorized information
Diagram: Attacker System (substituted for the Compromised System) against the Target System across the Target Network
- Identify service; force buffer overflow
- Open port-hole; access the system to acquire information
- Files available on the target: password file, host table, OPORD message
Spoofing
Scenario:
- Attacker compromises a system
- Breaks a username/password to gain administrative privileges
- Reconfigures the role of the system to take on the identity of a different system
- Sends status messages under the incorrect identity to spoof the target system
Diagram: Compromised System and Target System on the Target Network
- Take on new role; send messages
- Messages with invalid information spoof the target
- Cause the user to question the reliability of the system
IAS Surrogate
Diagram components: Target System; IAS Surrogate; HLA Interface; HLA Run-time Infrastructure (RTI); Communications Server; HLA Gateway; ModSAF
Distributed Simulation Environment
Conduct warfighter-in-the-loop experimentation and develop Tactics, Techniques, and Procedures in a hostile C2 environment.
Diagram: the Internet Attack Simulator, C2 devices, comm devices and a LAN, linked over HLA/DIS with a data logger, communication servers and a constructive simulation, federated across Ft. Rucker, Ft. Leavenworth, Ft. Benning, Ft. Hood and Ft. Knox.
Environment provides realistic network stress and IW attacks.
IW Taxonomy
Object class hierarchy with attributes (operation: LaunchAttack()):
IWEffects: targetHostAddr, targetId, targetHosttype, targetOS, osPatchLevel; LaunchAttack()
  DenialOfService: targetService, duration
    Flooding: floodType, targetPort
    ForcedSuicide: commandType
  UnAuthorizedAccess: fileSpecification
  Spoofing: localAddr, messageObjs
Summary
- The IAS capability provides a valuable C4I tool for evaluating protection tools and identifying system vulnerabilities.
- Integration within a distributed simulation environment using the HLA supports man-in-the-loop training and development of TTPs.
- The IW taxonomy provides a starting point for further evolution of a comprehensive and robust set of attack scenarios.
- Incorporate the resulting IAS SOM within a more general C4I Reference FOM.
-- Backups --
C4I FOM
Object Class Structure Table; Object Interaction Table
Legend: I - Initiates, R - Reacts, S - Senses; N - Neither Publishable nor Subscribable, P - Publishable, S - Subscribable
C4I FOM - Object Representation
Class diagram (associations and aggregations among the object classes):
- BaseEntity
- Message: VoiceMessage, DataMessage
- CommUser
- Device classes: C4IDevice, NetworkDevice, EndUserDevice, RadioDevice, C2Device, IWDevice
- Protocol, CommLink
- Effects classes: CommEffects, NetworkDelay, PathLoss, Interference, Jamming, Modulation
- IWEffects: DenialOfService, UnAuthorizedAccess, Spoofing
- Antenna: SphericalHarmonicAntenna, BeamAntenna