
96 Int'l Conf. Security and Management | SAM'16 |

Modeling Host OSI Layers Cyber-Attacks Using System Dynamics

Uma Kannan¹, Rajendran Swamidurai², and David Umphress¹
¹Computer Science and Software Engineering, Auburn University, Auburn, AL, USA
²Mathematics and Computer Science, Alabama State University, Montgomery, AL, USA

Abstract - Cyber security modeling is the process of creating a normalized view of the cyber security situation. A typical cyber security model has information about the network infrastructure, security settings, and a list of possible vulnerabilities and threats. By using known vulnerabilities, and information about the infrastructure and security controls in place, the cyber security simulation allows an organization to imitate the attacker activities and helps to assess the system’s risk exposure. Networks are normally modeled or simulated through discrete-event techniques. But discrete-event simulations can only simulate a few seconds' worth of network operations, and the primary focus of discrete-event models is on packet traffic. This means that cyber-attacks/defenses are viewed from the network layer, layer 3, in the OSI model. This obscures more insidious attacks at higher layers in the OSI model. This paper presents a study which models a computer network as a systems dynamic model to explore more insidious cyber-attacks and the resulting system-level effects that might occur on host OSI layers, layer 4 and above, in the OSI model.

Keywords: Cyber security; cyber security modeling; system dynamics; continuous simulation; simulation and modeling; cyber-attacks/defenses.

1 Introduction

Modeling is the process of capturing the key characteristics or behavior of a real world system under study, and it helps us in understanding the essential parts of a system and the relationship between them [1-3]. “Cyber security modeling is the process of creating a normalized view of the cyber security situation.” [4] A typical cyber security model has information about the network infrastructure, security settings, and a list of possible security vulnerabilities and threats [4]. Simulation is the process of imitating a system, based upon our knowledge or assumptions about the behavior of the parts of a system, in order to gain insight into the whole system [5]. Similarly, by using known vulnerabilities and the current knowledge about infrastructure and security controls, the cyber security simulation allows an organization to imitate the attacker activities and helps to assess the system’s risk exposure [4].

Networks are normally modeled or simulated through discrete-event techniques, in which the state of the system changes only at discrete points in time. Depending on the granularity of the model, this means simulating the movement of packets throughout a network and measuring such things as throughput, latency, etc. In discrete-event simulation (DES), cyber-attacks are simulated by altering the flow or rate of packets and observing the result.

Discrete-event network simulation tools such as cnet, EcoPredictor, IT DecisionGuru, NetCracker, and NetRule are used by professional system administrators and systems application designers to model and analyze packet traffic, buffer overflow, operating system compromise, and so on [1]. With respect to information security, these network simulation tools are normally used to model tasks such as server availability and router availability. They are also used for in-depth analysis of authentication servers' loads and unusual network traffic [1].

The DES approach has two flaws. First, simulations can only simulate a few seconds' worth of network operations due to the massive number of packets that are transmitted during normal operations. Second, these models focus primarily on packet traffic. This means that cyber-attacks (and the resulting cyber defenses) are viewed from the network layer, that is, layer 3 in the open system interconnection (OSI) model. This obscures more insidious attacks at higher layers in the OSI model.

This paper presents a study which models a computer network as a systems dynamic model (a.k.a. continuous simulation). Its objective is to explore more insidious cyber-attacks and the resulting system-level effects that might occur on host OSI layers (layer 4 and above); that is, on transport, session, presentation, and application layers. For modeling we have used the concept of System Dynamics (SD), because it allows us to see systemic effects – something that is not feasible with DES. In SD methodology, the stock-flow diagram is used to depict the underlying mathematical model, the model structure and the interrelationships between its components. Once the underlying mathematical structure is captured, the stock-flow diagram can be easily translated into a system of differential equations, and simulated using continuous simulation software such as Powersim.

ISBN: 1-60132-445-6, CSREA Press ©

Section 2 describes the system dynamics methodology. Section 3 explains the benefit of using modeling and simulation techniques in cyber security in detail. Section 4 presents the system dynamics cyber security modeling/simulation process. Section 5 shows an example cyber security attack simulation model. Section 6 shows the results. The summary and conclusion are presented in Section 7.

2 System Dynamics

System dynamics (SD) [6] is a methodology used to study how a system changes over time. In SD, a system is defined as a collection of interacting elements [7]. The SD modeling technique was developed by Forrester at Massachusetts Institute of Technology (MIT) in the early 60’s to solve long-standing dynamic industrial management problems [8]. Today, SD is widely used to solve various business policy and strategy problems [9-11].

In SD, the “structure” of the system is defined by the totality of the relationships between the physical processes, information flows, and managerial policies. In SD, dynamic behavior patterns of a system are generated by its structure. A typical SD study focuses on understanding how the components of a system interact, how and why the dynamics of concern are generated, and then searches for policies and decision rules used by upper management to improve the system performance. [11]

3 Modeling and Simulation in Cybersecurity

For analyzing complex problems such as cyber security and developing design solutions, many approaches are used in engineering science. These methods include descriptive models, system testbeds, and system (or simulation) models [12]:

• Descriptive Cyber Security Models: Diagrams with supporting text are used to describe a system in descriptive models. Attack graphs are an example of descriptive models. A typical attack graph consists of network diagrams plus descriptions of applicable malware methods and mitigation techniques.
• System Testbed Cyber Security Models: System testbeds are the most extreme and most rigorous tools used for model analysis. These testbeds include working prototypes and live full-scale physical testbeds. Laboratory-scale equipment may be connected to sophisticated control systems to study device-level vulnerabilities. The Information Warfare Analysis and Research (IWAR) Laboratory [13] is a classic example of a cyber security testbed. IWAR is an isolated laboratory for students to practice various computer security attacks/defenses.
• Cyber Security System Models and Simulation: System models capture the essential characteristics or behavior of the systems under study. These are middle level and lower cost methods. In this approach, generally, fully synthetic or simulated models are used for analysis and system understanding.

Though descriptive models are simple and least expensive, they do not predict the future behaviors or states of the system under study. System testbeds are a very good approach for simulating technology level network attacks/defenses. But building system testbeds consumes a large amount of resources, money, and time. Moreover, the system testbeds must be brought back to their original state before each and every cyber attack/defense run. In addition to these drawbacks, system testbeds are used to predict excessively narrow sets of problems due to the practical testbed sizes and practical limitations on approaches and measurement techniques. Therefore, the simulation model is used to better understand the behavior of the system under study or the expected behavior or states of the proposed system, and to study the effectiveness of the system design. [12,14,15]

When information security threats are not acute, both information security and lay managers can use modeling and simulation to better understand their information environment on both a concrete and an abstract level. Once a model is developed and validated (using simulation), it can be used proactively to identify system vulnerabilities and reactively to investigate a real-world system or provide education and training by means of various “what if” questions [1,16].

Using modeling and simulation in the cyber security field provides many benefits including [4]: risk analysis, planned network change verification, security controls and resources optimization, complex network analysis, complex networks comparison, and cost-effective training for cyber security personnel.

4 Cyber Security Modeling Using System Dynamics

In SD, the system’s behavior is modelled using a causal-loop diagram. The causal-loop diagram clearly indicates the linkages between the system components, the feedback loops, and the linkage between the system and its operating environment. This causal-loop diagram/analysis helps the decision-makers to understand a complex, inter-related system. SD simulation software, such as Powersim, lets the decision-makers extend their understanding of a system by adjusting the system parameters, linkages, feedback loops, or by rearranging components of the system. Thus, system dynamic software allows the decision makers to model a wide variety of scenarios and observe the system’s behaviors under these different conditions. [7]


In our proposed model, the network is considered as a system, similar to a physical system of pipes through which water flows. The amount of water that can flow into and out of a node represents the bandwidth of the network traffic. A denial of service attack, for example, is modeled by trying to force more water into a node than it can handle. Another dimension of the model is the quality of the water. Network traffic that contains bogus data or viruses is thought of as water that has contaminants. The degree or type of contaminants would affect the operation of nodes and perhaps allow us to explore OSI layer 4 and above.

5 An Example System Dynamic Cyber Attack Simulation Model

Figure 1 shows part of a hypothetical University’s Information Technology (IT) infrastructure network. For simplicity, let us assume that the IT infrastructure network consists of a learning management system (LMS) such as Canvas, a course toolkit (which is used to communicate with students registered in a particular course, such as sending bulk class emails/messages), and a mail system (University email system).

Fig. 1. Part of a Hypothetical University’s IT Infrastructure

In order to simulate an attack on one or more nodes in the IT infrastructure area and to study the system-level effects, that is, to see what other parts of the system are affected, we have modeled the IT infrastructure system (shown in Figure 1) using system dynamics software known as Powersim. A part of the system dynamic model for Figure 1 is shown in Figure 2.

Fig. 2. The System Dynamic Model for the IT Infrastructure


The mail system(s) shown in Figure 2 consists of the following queues:

1. Mail drop queue: Used to hold the incoming mails from clients. The mail drop queue is normally a directory on the secondary memory in which messages can be added offline as well.
2. Incoming queue: The incoming queue is analogous to the Operating Systems (OS) process ready queue. A program called pickup service will periodically scan the mail drop queue and bring the mails (if any) into the incoming queue.
3. Active queue: If the active queue is not full, the queue manager program will bring the new mails from the incoming queue and retries of the emails from the deferred queue in a round-robin fashion. The active queue is similar to the Operating Systems (OS) process run queue.
4. Deferred queue: Mails whose delivery failed will be placed on the deferred queue. Each mail in the deferred queue will be assigned a cut-off time (a time for that mail to be eligible for retry). The queue manager will scan the incoming queue and deferred queue in a round-robin fashion to transfer the mails into the active queue.
5. Hold queue: The mails placed on the hold queue stay there until either the administrator intervenes or the stay time exceeds the maximum queue lifetime (normally 5 days).

6 Results

Let us assume that the University has 25,000 enrolled students and 25% of them are sending messages every 30 minutes on average. Then the mail system will take approximately 10 minutes to deliver the messages. The results for this normal scenario are shown in Figure 3.

Fig. 3. Mail System Queues (Normal Scenario)

The incoming queue receives approximately 6250 mails every 30 minutes and, as indicated by the active queue values, the mail system is able to deliver all the mails within 10 minutes. Similarly, let us assume there are 1000 messages sent by instructors and students every 30 minutes through the LMS mail system. As shown in Figure 4, the LMS is able to deliver all the messages to the destinations within a few minutes.

Fig. 4. LMS Queues (Normal Scenario)

In the majority of cases, the email system will be hosted on the University’s private mail server(s) with their own unique domain name such as “@abc.edu”, and the mail system in the LMS will be hosted on the LMS provider’s mail servers and uses the provider’s domain name such as “@instructures.com”. Many mail servers, such as the Postfix mail server, have a default destination concurrency limit (the default maximal number of parallel deliveries to the same destination, say 20 per hour). Whenever a mail system is unable to deliver the mail to a remote server, the bounced mail will be placed back in the deferred queue and the mail server will periodically (say every 4 minutes) retry to send the mail over a period of time (say 5 days) until it drops the mail.

Fig. 5. Mail system queues (Attack Scenario)

Let us assume an attacker inserts a bulk email (with a lot of recipients) at the LMS mail system (which is hosted at “@instructures.com”) with email addresses that contain the University mail server’s domain name “@abc.edu”. Since the LMS mail system cannot deliver more than 20 mails per hour to the same destination, in our case the bulk class emails, the remaining emails will still be waiting on the LMS active queue, eventually causing the LMS server’s active queue to become full in due course and causing Denial-of-Service (DoS). That is, when the LMS mail server’s active queue is full, new legitimate users cannot send emails. The resultant DoS attack situation is shown in Figure 6. Figure 5 and Figure 6 show the mail system and LMS queues’ statuses under DoS attack.

Fig. 6. LMS queues (Attack Scenario)

7 Summary and Conclusion

Networks are normally modeled or simulated through discrete-event techniques. Since the primary focus of discrete-event simulations is on packet traffic, i.e., the cyber-attacks/defenses are viewed from the network layer (layer 3 in the OSI model), it obscures more insidious attacks at higher layers in the OSI model. Therefore, to model cyber security attacks on host OSI layers, we have adopted a system dynamics based simulation modeling technique. In this paper we have modeled a University’s information technology cyber security situation using Powersim, system dynamic modeling software, and shown the Denial-of-Service attack (LMS mail system in our case). Therefore, by using known vulnerabilities similar to this, and the current knowledge about infrastructure and security controls, system dynamic cyber security simulation modeling allows an organization to imitate the attacker activities in OSI layer 4 and above and helps to assess and mitigate the system’s risk exposure.

8 References

[1] John Saunders, “Modeling the Silicon Curtain”, SANS Institute, 2001.

[2] Wikipedia, “Computer simulation”, en.wikipedia.org/wiki/Computer_simulation

[3] Romano Elpidio, Chiocca Daniela, and Guizzi Guido, “An Integrating approach, based on simulation, to define optimal number of pallet in an Assembly Line”, 20th Issat Conference, Reliability and quality design, 2014.

[4] “Using Risk Modeling and Attack Simulation for Proactive Cyber Security: Predictive Solutions for Effective Security”, Skybox Security Inc., whitepaper, 2012.

[5] “System Modeling and Simulation”, www.inl.gov/systemsengineering

[6] Jay Wright Forrester, “Industrial dynamics”, MIT Press, 1961.

[7] Al Sweetser, “A Comparison of System Dynamics (SD) and Discrete Event Simulation (DES)”.

[8] Barlas Y, “System dynamics: systemic feedback modeling for policy analysis in knowledge for sustainable development—an insight into the encyclopedia of life support systems”, UNESCO Publishing-Eolss Publishers, 2002.

[9] Coyle RG, “System dynamics modelling: a practical approach”, Chapman & Hall, 1996.

[10] Sterman JD, “Business dynamics: systems thinking and modeling for a complex world”, McGraw-Hill, 2000.

[11] Dimitrios Vlachos, Patroklos Georgiadis, and Eleftherios Iakovou, “A system dynamics model for dynamic capacity planning of remanufacturing in closed-loop supply chains”, Computers & Operations Research 34 (2007) 367–394.

[12] Michael McDonald, John Mulder, Bryan Richardson, Regis Cassidy, Adrian Chavez, Nicholas Pattengale, Guylaine Pollock, Jorge Urrea, Moses Schwartz, William Atkins, and Ronald Halbgewachs, “Modeling and Simulation for Cyber-Physical System Security Research, Development and Applications”, Sandia Report, SAND2010-0568.

[13] Scott Lathrop, Gregory Conti, and Daniel Ragsdale, “INFORMATION WARFARE IN THE TRENCHES: Experiences from the Firing Range”, Third Annual World Conference on Information Security Education (WISE3), California, USA, 2003, DOI: 10.1007/978-0-387-35694-5

[14] Dessouky, “System Simulation”, lecture slides.

[15] Sinclair, J. B., “Simulation of Computer Systems and Computer Networks: A Process-Oriented Approach”, Rice University, 2004.

[16] Villarreal Gonzalo, De Giusti Marisa, and Texier José, “GPSS Interactive Learning Environment”, Elsevier, 2012.
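
The LMS attack scenario of Section 6 can be reproduced with a small stock-flow integration. The Python sketch below is an added example, not the authors' Powersim model: the 1000 messages per 30 minutes and the 20-per-hour destination limit are the paper's figures, while the active-queue capacity, the service rate, the 3-minute Euler step and the `dest_slot_cap` mitigation parameter are assumptions made for illustration.

```python
"""Stock-flow sketch of the LMS active queue (added example, not the Powersim model)."""

STEP_MIN = 3              # Euler time step in minutes (assumption)
LEGIT_PER_STEP = 100      # paper: 1000 LMS messages every 30 minutes
DEST_LIMIT_PER_STEP = 1   # paper: at most 20 deliveries per hour to one destination
SERVICE_PER_STEP = 300    # assumption: delivery capacity toward all other destinations
ACTIVE_CAPACITY = 5000    # assumption: size of the LMS active queue


def simulate(bulk_recipients, steps, inject_step=10, dest_slot_cap=None):
    """Integrate the queue stocks and return one record per time step.

    dest_slot_cap is a hypothetical mitigation: the most active-queue slots
    that mail for a single destination may occupy (None means no cap).
    """
    legit = bulk = 0              # stocks inside the active queue
    wait_legit = wait_bulk = 0    # stocks still waiting in the incoming queue
    cap = ACTIVE_CAPACITY if dest_slot_cap is None else dest_slot_cap
    history = []
    for step in range(steps):
        # Inflows: steady legitimate traffic, plus the one-off bulk message.
        wait_legit += LEGIT_PER_STEP
        if step == inject_step:
            wait_bulk += bulk_recipients
        # Outflows: the bulk mail drains only at the per-destination limit.
        legit -= min(legit, SERVICE_PER_STEP)
        bulk -= min(bulk, DEST_LIMIT_PER_STEP)
        # Queue manager: backlog of bulk mail is older than new legitimate
        # mail, so it is moved into free slots first (FIFO approximation).
        free = ACTIVE_CAPACITY - legit - bulk
        moved = min(wait_bulk, free, cap - bulk)
        wait_bulk, bulk, free = wait_bulk - moved, bulk + moved, free - moved
        moved = min(wait_legit, free)
        wait_legit, legit = wait_legit - moved, legit + moved
        history.append({"minute": step * STEP_MIN, "active": legit + bulk,
                        "legit_waiting": wait_legit})
    return history


def summarize(history):
    """Return (first minute the active queue is full, legitimate backlog at the end)."""
    full = [r["minute"] for r in history if r["active"] >= ACTIVE_CAPACITY]
    return (full[0] if full else None, history[-1]["legit_waiting"])


if __name__ == "__main__":
    day = 24 * 60 // STEP_MIN     # 480 steps = 24 simulated hours
    runs = [("normal", {"bulk_recipients": 0}),
            ("attack", {"bulk_recipients": 6000}),
            ("attack, capped", {"bulk_recipients": 6000, "dest_slot_cap": 1000})]
    for label, kwargs in runs:
        print(label, summarize(simulate(steps=day, **kwargs)))
```

With these assumed values the uncapped bulk message fills the active queue at minute 30 and leaves 47,000 legitimate messages waiting after 24 hours, whereas a bulk message smaller than the queue, or one held to a per-destination slot cap, never blocks legitimate mail.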
