Modeling Host OSI Layers Cyber-Attacks Using System Dynamics

Int'l Conf. Security and Management | SAM'16 | ISBN: 1-60132-445-6, CSREA Press ©

Uma Kannan¹, Rajendran Swamidurai², and David Umphress¹
¹Computer Science and Software Engineering, Auburn University, Auburn, AL, USA
²Mathematics and Computer Science, Alabama State University, Montgomery, AL, USA

Abstract - Cyber security modeling is the process of creating a normalized view of the cyber security situation. A typical cyber security model has information about the network infrastructure, security settings, and a list of possible vulnerabilities and threats. By using known vulnerabilities, and information about the infrastructure and security controls in place, the cyber security simulation allows an organization to imitate the attacker activities and helps to assess the system’s risk exposure. Networks are normally modeled or simulated through discrete-event techniques. But the discrete-event simulations can only simulate a few seconds worth of network operations and the primary focus of discrete-event models is on packet traffic. This means that cyber-attacks/defenses are viewed from the network layer, layer 3, in the OSI model. This obscures more insidious attacks at higher layers in the OSI model. This paper presents a study which models a computer network as a systems dynamic model to explore more insidious cyber-attacks and the resulting system-level effects that might occur on host OSI layers, layer 4 and above, in the OSI model.

Keywords: Cyber security; cyber security modeling; system dynamics; continuous simulation; simulation and modeling; cyber-attacks/defenses.

1 Introduction

Modeling is the process of capturing the key characteristics or behavior of a real world system under study and it helps us in understanding the essential parts of a system and the relationship between them [1-3]. “Cyber security modeling is the process of creating a normalized view of the cyber security situation.” [4] A typical cyber security model has information about the network infrastructure, security settings, and a list of possible security vulnerabilities and threats [4]. Simulation is the process of imitating a system, based upon our knowledge or assumptions about the behavior of the parts of a system, in order to get the insight of a whole system [5]. Similarly, by using known vulnerabilities and the current knowledge about infrastructure and security controls, the cyber security simulation allows an organization to imitate the attacker activities and helps to assess the system’s risk exposure [4].

Networks are normally modeled or simulated through discrete-event techniques, in which the state of the system changes only at discrete points in time. Depending on the granularity of the model, this means simulating the movement of packets throughout a network and measuring such things as throughput, latency, etc. In discrete-event simulation (DES), cyber-attacks are simulated by altering the flow or rate of packets and observing the result.

Discrete-event network simulation tools such as cnet, EcoPredictor, IT DecisionGuru, NetCracker, and NetRule are used by professional system administrators and systems application designers to model and analyze packet traffic, buffer overflow, operating system compromise, and so on [1]. With respect to information security, these network simulation tools are normally used to model tasks such as server availability and router availability. They are also used to make an in-depth analysis of authentication servers’ loads and unusual network traffic [1].

The DES approach has two flaws. First, simulations can only simulate a few seconds worth of network operations due to the massive number of packets that are transmitted during normal operations. Second, these models focus primarily on packet traffic. This means that cyber-attacks (and the resulting cyber defenses) are viewed from the network layer, that is, layer 3 in the open system interconnection (OSI) model. This obscures more insidious attacks at higher layers in the OSI model.

This paper presents a study which models a computer network as a systems dynamic model (a.k.a. continuous simulation). Its objective is to explore more insidious cyber-attacks and the resulting system-level effects that might occur on host OSI layers (layer 4 and above); that is, on transport, session, presentation, and application layers. For modeling we have used the concept of System Dynamics (SD), because it allows us to see systemic effects – something that is not feasible with DES. In SD methodology, the stock-flow diagram is used to depict the underlying mathematical model, the model structure and the interrelationships between its components. Once the underlying mathematical structure is captured, the stock-flow diagram can be easily translated into a system of differential equations, and simulated using continuous simulation software such as Powersim.

Section 2 describes the system dynamics methodology. Section 3 explains the benefit of using modeling and simulation technique in cyber security in detail. Section 4 presents the system dynamics cyber security modeling/simulation process. Section 5 shows an example cyber security attack simulation model. Section 6 shows the results. Summary and conclusion are presented in Section 7.

2 System Dynamics

System dynamics (SD) [6] is a methodology used to study how a system changes over time. In SD, a system is defined as a collection of interacting elements [7]. The SD modeling technique was developed by Forrester at Massachusetts Institute of Technology (MIT) in the early 60’s to solve long-standing dynamic industrial management problems [8]. Today, SD is widely used to solve various business policy and strategy problems [9-11].

In SD, the “structure” of the system is defined by the totality of the relationship between the physical processes, information flows, and managerial policies. In SD, dynamic behavior patterns of a system are generated by its structure. A typical SD study focuses on understanding how the components of a system interact, how and why the dynamics of concern are generated, and then searches for policies and decision rules used by upper management to improve the system performance. [11]

3 Modeling and Simulation in Cybersecurity

For analyzing complex problems such as cyber security and developing design solutions, many approaches are used in engineering science. These methods include descriptive models, system testbeds, and system (or simulation) models [12]:

• Descriptive Cyber Security Models: Diagrams with supporting text are used to describe a system in descriptive models. Attack graphs are an example of descriptive models. A typical attack graph consists of network diagrams plus descriptions of applicable malware methods and mitigation techniques.
• System Testbed Cyber Security Models: System testbeds are extreme and most rigorous tools used for model analysis. These testbeds include working prototypes and live full-scale physical testbeds. Laboratory-scale equipment may be connected to sophisticated control systems to study device-level vulnerabilities. Information Warfare Analysis and

behavior of the systems under study. These are middle level and lower cost methods. In this approach, generally, fully synthetic or simulated models are used for analysis and system understanding.

Though descriptive models are simple and least expensive, they do not predict the future behaviors or states of the system under study. System testbeds are a very good approach for simulating technology level network attacks/defenses. But building system testbeds consumes a large amount of resources, money, and time. Moreover, the system testbeds must be brought into original state before each and every cyber attack/defense run. In addition to these drawbacks, system testbeds are used to predict excessively narrow sets of problems due to the practical testbed sizes and practical limitations on approaches and measurement techniques. Therefore, the simulation model is used to better understand the behavior of the system under study or expected behavior or states of the proposed system and to study the effectiveness of the system design. [12,14,15]

When information security threats are not acute, both information security and lay managers can use modeling and simulation to better understand their information environment both on a concrete and abstract level. Once a model is developed and validated (using simulation), proactively it can be used to identify system vulnerabilities and reactively it can be used to investigate a real-world system or provide education and training by means of various “what if” questions [1,16].

Using modeling and simulation in the cyber security field provides many benefits including [4]: risk analysis, planned network change verification, security controls and resources optimization, complex network analysis, complex networks comparison, and cost-effective training to cyber security personnel.

4 Cyber Security Modeling Using System Dynamics

In SD, the system’s behavior is modelled using a causal-loop diagram. The causal-loop diagram clearly indicates the linkages between the system components, the feedback loops, and the linkage between the system and its operating environment. This causal-loop diagram/analysis helps the decision-makers to understand a complex, inter-related system. SD simulation software, such as Powersim, lets the decision-makers extend their understanding of a system by adjusting the system
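
The introduction's statement that a stock-flow diagram translates into a system of differential equations can be made concrete with a small continuous simulation. The following is an added example, not the paper's model or Powersim output: the three stocks, the flow equations, and every parameter value are constructed assumptions, integrated with fixed-step Euler and used to ask one "what if" question about remediation delay.

```python
from dataclasses import dataclass

@dataclass
class Params:
    # All values are constructed for illustration, not taken from the paper.
    hosts: float = 1000.0        # total hosts in the modeled network
    contact_rate: float = 0.6    # compromising sessions per host per day
    detect_days: float = 5.0     # mean delay before a compromised host is cleaned
    relapse_days: float = 60.0   # mean time until a cleaned host is vulnerable again

def flows(s, c, r, p):
    """Flow rates (hosts/day) between the stocks Susceptible, Compromised, Remediated."""
    compromise = p.contact_rate * s * c / p.hosts  # reinforcing loop: more C -> faster spread
    remediation = c / p.detect_days                # balancing loop: detection drains C
    relapse = r / p.relapse_days                   # hardening decays back into S
    return compromise, remediation, relapse

def simulate(p, days=180, dt=0.125, seed_hosts=1.0):
    """Euler-integrate dS/dt, dC/dt, dR/dt; return a list of (t, S, C, R) rows."""
    s, c, r = p.hosts - seed_hosts, seed_hosts, 0.0
    out = [(0.0, s, c, r)]
    for step in range(1, int(days / dt) + 1):
        comp, rem, rel = flows(s, c, r, p)
        s += dt * (rel - comp)    # dS/dt = relapse - compromise
        c += dt * (comp - rem)    # dC/dt = compromise - remediation
        r += dt * (rem - rel)     # dR/dt = remediation - relapse
        out.append((step * dt, s, c, r))
    return out

def peak_compromised(run):
    """Row (t, S, C, R) at which the Compromised stock is largest."""
    return max(run, key=lambda row: row[2])

if __name__ == "__main__":
    # "What if" sweep: how does the remediation delay change the worst case?
    for detect in (10.0, 5.0, 2.0, 1.0):
        t, _, c, _ = peak_compromised(simulate(Params(detect_days=detect)))
        print(f"detect_days={detect:>4}: peak {c:6.1f} compromised hosts on day {t:5.1f}")
```

The run covers 180 simulated days in 1,440 steps, the kind of horizon the paper says packet-level discrete-event simulation cannot reach. In this constructed model the compromise never grows once `contact_rate * detect_days` falls below 1.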
