Chapter

A Model Driven Approach for Cyber Security Scenarios Deployment


Abstract

Cyber ranges for training in threat scenarios are nowadays in high demand, as a way to improve people's ability to detect vulnerabilities and to react to cyber-threats. Among other components, scenario deployment requires a modeling language to express the (software and hardware) architecture of the underlying system, and an emulation platform. In this paper, we exploit a model-driven engineering approach to develop a framework for cyber security scenario deployment. We develop a domain specific language for scenario construction, which allows the description of the architectural setting of the system under analysis, and a mechanism to deploy scenarios on the OpenStack cloud infrastructure by means of HEAT templates. On the scenario model, we also show how it is possible to detect network configuration problems and structural vulnerabilities. The presented results are part of our ongoing research work towards the definition of a training cyber range within the EU H2020 project THREAT-ARREST.


... Existing cybersecurity training offerings are based on static scenarios with limited or no adaptiveness to an individual student [3]. Although the instructor can intervene to help students interactively, this is feasible only in relatively small classes, and not every student actively asks for help. ...
... For instance, when a student submits an incorrect answer (e.g., .invoices2021), the system audits current timestamp in Epoch time (e.g., 1621524941312), the type of the training action (action.training.WrongAnswerSubmitted), user pseudo-identifier (e.g., 5) and the training run identifier (e.g., 3). The data are stored as JSON records. ...
Preprint
Full-text available
Hands-on computing education requires a realistic learning environment that enables students to gain and deepen their skills. Available learning environments, including virtual and physical labs, provide students with real-world computer systems but rarely adapt the learning environment to individual students of various proficiency and background. We designed a unique and novel smart environment for adaptive training of cybersecurity skills. The environment collects a variety of student data to assign a suitable learning path through the training. To enable such adaptiveness, we proposed, developed, and deployed a new tutor model and a training format. We evaluated the learning environment using two different adaptive trainings attended by 114 students of various proficiency. The results show students were assigned tasks with a more appropriate difficulty, which enabled them to successfully complete the training. Students reported that they enjoyed the training, felt the training difficulty was appropriately designed, and would attend more training sessions like these. Instructors can use the environment for teaching any topic involving real-world computer networks and systems because it is not tailored to particular training. We freely released the software along with exemplary training so that other instructors can adopt the innovations in their teaching practice.
... Similarly, the definition of the CTTP Models will drive the training process, and align it (where possible) with operational cyber system security assurance mechanisms to ensure the relevance of training. Lastly, Braghin et al. [2] provide a model-driven engineering approach based on the creation of a subset of the CTTP model, namely the Emulation sub-model (see Table 2). The approach presented herein is based on the Security Assurance Model proposed by Somarakis et al. [20], extended to cover the needs of the Cyber Range training developed under the H2020 THREAT-ARREST project. ...
... Table 2 shows a subset of the Response & Mitigation Emulation sub-model converted into XML format. The XML is then converted (by the Emulation Tool) to a HEAT template and deployed in OpenStack [2]. More specifically, this sub-model specifies the creation of a Virtual Machine and its network configuration. ...
Conference Paper
Full-text available
In light of the ever-increasing complexity and criticality of applications supported by ICT infrastructures, Cyber Ranges emerge as a promising solution to effectively train people within organisations on cyber-security aspects, thus providing an efficient mechanism to manage the associated risks. Motivated by this, the work presented herein introduces the model-driven approach of the THREAT-ARREST project for Cyber Range training, presenting in detail the Cyber Threat Training and Preparation (CTTP) models. These models, comprising sub-models catering for different aspects of the training, are used for specifying and generating the Training Programmes. As such, the paper also provides details on implementation aspects regarding the use of these models in the context of a usable cyber range training platform and two specific training scenarios.
... THREAT-ARREST combines all modern training aspects of serious gaming [25,26], emulation and simulation in a concrete manner [27], and offers continuous security assurance and programme adaptation based on the trainee's performance and skills ( Table 1). The platform [24] offers training on known and/or new advanced cyber-attack scenarios, taking different types of action against them, including: preparedness, detection and analysis, incident response, and post incident response actions. ...
... With this Tool, we can: (i) export the system's security vulnerabilities and threats, (ii) conduct a risk analysis to identify the most significant of them, and (iii) perform statistical analysis on the various system log-files in order to produce realistic synthetic logs (i.e., with the platform's Data Fabrication Tool). Afterwards, these logs are utilized by the CTTP models and can be processed by the Gamification, Emulation, and/or Simulation Tools [25][26][27]. ...
Article
Full-text available
Nowadays, more and more cyber-security training is emerging as an essential process for the lifelong education of personnel in organizations, especially those which operate critical infrastructures. This is due to security breaches on popular services that become publicly known and raise people's security awareness. Apart from large organizations, small-to-medium enterprises and individuals need to keep their knowledge on the related topics up-to-date as a means to protect their business operation or to obtain professional skills. Therefore, the potential target group may range from simple users, who require basic knowledge of the current threat landscape and how to operate the related defense mechanisms, to security experts, who require hands-on experience in responding to security incidents. This high diversity makes training and certification quite a challenging task. This study combines pedagogical practices and cyber-security modelling in an attempt to support dynamically adaptive training procedures. The training programme is initially tailored to the trainee's needs, promoting continuous adaptation to his/her performance afterwards. As the trainee accomplishes the basic evaluation tasks, the assessment starts involving more advanced features that demand a higher level of understanding. The overall method is integrated in a modern cyber-range platform, and a pilot training programme for smart shipping employees is presented.
... The approaches provided by Russo et al. (2018) and Braghin et al. (2019) are similar to our approach in the sense that they use some form of attack models as a foundation to design and execute training scenarios. Russo et al. (2018) introduce a Scenario Definition Language (SDL) based on the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA). ...
... Russo et al. (2018) introduce a Scenario Definition Language (SDL) based on the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA). Braghin et al. (2019) provide a domain specific language for scenario construction in which it is possible to capture configuration problems as well as structural vulnerabilities. We use CORAS risk models, which are acyclic directed graphs as described in Section 4. Thus, from a modelling perspective, our approach complements existing approaches. ...
Conference Paper
Full-text available
There is an urgent need for highly skilled cybersecurity professionals, and at the same time there is an awareness gap and lack of integrated training modules on cybersecurity related aspects on all school levels. In order to address this need and bridge the awareness gap, we propose a method to train and evaluate the cybersecurity skills of participants in cyber ranges based on cyber-risk models. Our method consists of five steps: create cyber-risk model, identify risk treatments, setup training scenario, run training scenario, and evaluate the performance of participants. The target users of our method are the White Team and Green Team who typically design and execute training scenarios in cyber ranges. The output of our method, however, is an evaluation report for the Blue Team and Red Team participants being trained in the cyber range. We have applied our method in three large scale pilots from academia, transport, and energy. Our initial results indicate that the method is easy to use and comprehensible for training scenario developers (White/Green Team), develops cyber-risk models that facilitate real-time evaluation of participants in training scenarios, and produces useful feedback to the participants (Blue/Red Team) in terms of strengths and weaknesses regarding cybersecurity skills.
... For instance, when a student submits an incorrect answer (e.g., .invoices2021), the system audits current timestamp in Epoch time (e.g., 1621524941312), the type of the training action (action.training.WrongAnswerSubmitted), user pseudo-identifier (e.g., 5) and the training run identifier (e.g., 3). The data are stored as JSON records. ...
Article
Full-text available
Hands-on computing education requires a realistic learning environment that enables students to gain and deepen their skills. Available learning environments, including virtual and physical labs, provide students with real-world computer systems but rarely adapt the learning environment to individual students of various proficiency and background. We designed a unique and novel smart environment for adaptive training of cybersecurity skills. The environment collects a variety of student data to assign a suitable learning path through the training. To enable such adaptiveness, we proposed, developed, and deployed a new tutor model and a training format. We evaluated the learning environment using two different adaptive trainings attended by 114 students of various proficiency. The results show students were assigned tasks with a more appropriate difficulty, which enabled them to successfully complete the training. Students reported that they enjoyed the training, felt the training difficulty was appropriately designed, and would attend more training sessions like these. Instructors can use the environment for teaching any topic involving real-world computer networks and systems because it is not tailored to particular training. We freely released the software along with exemplary training so that other instructors can adopt the innovations in their teaching practice.
... Unfortunately, an ITS in the domain of hands-on cybersecurity training is rare, mostly because the interactive lab environment and its setup differ for particular sessions. As a result, cybersecurity platforms offer static scenarios with limited or no adaptiveness [4]. We could create an ITS for a specific training session. ...
Preprint
Full-text available
This paper presents how learning experience influences students' capability to learn and their motivation for learning. Although each student is different, standard instruction methods do not adapt to individuals. Adaptive learning reverses this practice and attempts to improve the student experience. While adaptive learning is well-established in programming, it is rarely used in cybersecurity education. This paper is one of the first works investigating adaptive learning in security training. First, we analyze the performance of 95 students in 12 training sessions to understand the limitations of the current training practice. Less than half of the students completed the training without displaying a solution, and only in two sessions, all students completed all phases. Then, we simulate how students would proceed in one of the past training sessions if it would offer more paths of various difficulty. Based on this simulation, we propose a novel tutor model for adaptive training, which considers students' proficiency before and during an ongoing training session. The proficiency is assessed using a pre-training questionnaire and various in-training metrics. Finally, we conduct a study with 24 students and new training using the proposed tutor model and adaptive training format. The results show that the adaptive training does not overwhelm students as the original static training. Adaptive training enables students to enter several alternative training phases with lower difficulty than the original training. The proposed format is not restricted to a particular training. Therefore, it can be applied to practicing any security topic or even in related fields, such as networking or operating systems. Our study indicates that adaptive learning is a promising approach for improving the student experience in security education. We also highlight implications for educational practice.
... Unfortunately, an ITS in the domain of hands-on cybersecurity training is rare, mostly because the interactive lab environment and its setup differ for particular sessions. As a result, cybersecurity platforms offer static scenarios with limited or no adaptiveness [4]. We could create an ITS for a specific training session. ...
Conference Paper
This systematic review seeks to evaluate the impact of CyRIS in ascertaining accurate implementation of projects with a primary focus on the merits of its functionalities. Core to the study is the view that CyRIS-driven project implementation reduces the risks of inaccuracy to an acceptable level. Although CyRIS is an extensively researched area in cyber security, a comprehensive review of subcategories, specifically, the accurate implementation of projects using the tool remains understudied. The proposed systematic review of literature provides insights and future directions from selected databases, including ScienceDirect, Springer Journals, SAGE Journals, and Wiley Online Library. Moreover, the limitations and strengths of each article collected are assessed using the PRISMA model to identify risks of bias. The research, which consists of journal articles, conferences, and symposium papers, is analyzed using "Cyber-Range Instantiation Systems and accurate implementation of projects" as the key phrase and "Cyber-Risk Models", "Cyber Range Instantiation", and "Cyber Security Training", and "Accurate Implementation of Projects" as the keywords. The findings of the study will bridge the awareness gap in using CyRIS-led Cyber-Risk Models to execute accurate training scenarios, improve weaknesses of implementation, simulate real-time attack scenarios, and highlight existing gaps as well as prospects for future research.
Article
With the ever-changing cybersecurity landscape, continuous training for new cybersecurity skill sets is a requirement. Such continuous training programs can be delivered on platforms like cyber ranges. Cyber ranges support training by providing a simulated or emulated representation of a computer network infrastructure, besides additional training and testing services. Cyber attack and defense skills can be gained by attacking and defending a simulated or an emulated infrastructure. However, to provide realistic training in such infrastructures, there is a need for necessary friction in the environment. Human teams, playing both attackers' and defenders' roles, provide this friction. Involving human teams in large-scale cybersecurity exercises is relatively inefficient and not feasible for standardizing training because different teams apply different tactics. Currently, the proposed solutions for cyber range training platforms focus on automating the deployment of the cybersecurity exercise infrastructure but not on the execution part. This leaves room for improving exercise execution by adding realism and efficiency. This research presents an agent-based system that emulates cyber attack and defense actions during cybersecurity exercise execution; this helps provide realistic and efficient cybersecurity training. To specify agents' behavior and decision making, a new formal model, called the execution plan (EP), was developed and utilized in this work.
Article
Full-text available
In recent years, there has been a growing demand for cybersecurity experts, and, according to predictions, this demand will continue to increase. Cyber Ranges can fill this gap by combining hands-on experience with educational courses, and conducting cybersecurity competitions. In this paper, we conduct a systematic survey of ten Cyber Ranges that were developed in the last decade, with a structured interview. The purpose of the interview is to find details about essential components, and especially the tools used to design, create, implement and operate a Cyber Range platform, and to present the findings.
Chapter
Cyber ranges are virtual environments used in several contexts to enhance the awareness and preparedness of users against cybersecurity threats. The effectiveness of cyber ranges strongly depends on how realistic the training scenarios provided to trainees are, and on an efficient mechanism to monitor and evaluate trainees' activities. In the context of the emulation environment of the THREAT-ARREST cyber range platform, in this paper we present a preliminary design of our work in progress towards the definition of a model-driven approach to monitor and evaluate trainee performance. We enhance the platform emulation environment with an agent-based system that checks trainees' behavior in order to collect all the actions a trainee performs while executing a training exercise. Furthermore, we propose a modular taxonomy of the actions that can be exploited for the description of the trainee's expected behavior in terms of the expected trace, i.e., the sequence of actions that is required for the correct execution of an exercise. We model the expected and actual trainee activities in terms of finite state machines, then we apply an existing algorithm for graph matching to score the trainee performance in terms of graph distance.
Conference Paper
Full-text available
Cyber ranges are well-defined controlled virtual environments used in cybersecurity training as an efficient way for trainees to gain practical knowledge through hands-on activities. However, creating an environment that contains all the necessary features and settings, such as virtual machines, network topology and security-related content, is not an easy task, especially for a large number of participants. Therefore, we propose CyRIS (Cyber Range Instantiation System) as a solution towards this problem. CyRIS provides a mechanism to automatically prepare and manage cyber ranges for cybersecurity education and training based on specifications defined by the instructors. In this paper, we first describe the design and implementation of CyRIS, as well as its utilization. We then present an evaluation of CyRIS in terms of feature coverage compared to the Technical Guide to Information Security Testing and Assessment of the U.S National Institute of Standards and Technology, and in terms of functionality compared to other similar tools. We also discuss the execution performance of CyRIS for several representative scenarios.
Article
Full-text available
In the model-based development context, metamodel-based languages are increasingly being defined and adopted either for general purposes or for specific domains of interest. However, meta-languages such as the MOF (Meta Object Facility)—combined with the OCL (Object Constraint Language) for expressing constraints—used to specify metamodels focus on structural and static semantics but have no built-in support for specifying behavioral semantics. This paper introduces a formal semantic framework for the definition of the semantics of metamodel-based languages. Using metamodelling principles, we propose several techniques, some based on the translational approach while others based on the weaving approach, all showing how the Abstract State Machine formal method can be integrated with current metamodel engineering environments to endow language metamodels with precise and executable semantics. We exemplify the use of our semantic framework by applying the proposed techniques to the OMG metamodelling framework for the behaviour specification of the Finite State Machines provided in terms of a metamodel.
Conference Paper
We apply model based verification to cyber range event environment configurations, allowing for the early detection of errors in event environment configurations, and a reduction in the time and resources used during deployment. We categorize misconfiguration errors detected using the Common Cyber Environment Representation (CCER) ontology. We also provide an overview of a methodology to specify verification rules and the corresponding error messages. These rules have successfully detected errors in the designs of several cyber range event environments, thereby reducing cost and time to deployment.
Article
Network Centric System operation is the core of our military environment today. While much research and development has been accomplished in technology to support creating and exploiting these increasingly complex, interdependent systems, testing technology has not kept pace with the rate of technology advancement. As our dependence on network centric operation grows, the limitations of our ability to rapidly and accurately test a distributed information system are a key challenge to mission readiness. The National Cyber Range (NCR) is a Defense Advanced Research Project Agency (DARPA) program that is currently focusing on addressing the challenge of testing cyber technologies. The NCR will be a scalable (to thousands of nodes), secure, reconfigurable, high fidelity test range to rapidly assess emerging cyber technology. Key innovations include automation for test range configuration and validation, test instrumentation, and test data analysis, and a scientific testing methodology for large scale cyber systems. The vision of the NCR program is to create a general purpose test range that can be quickly repurposed to conduct evaluations of cyber technology or architectures in much the same way that general purpose automated test systems like USN CASS are used to support the test and diagnostics of a wide range of electronic, electro-optical and electro-mechanical devices. NCR is advancing the mission of automated test beyond the production test and maintenance of fielded weapon systems or equipment, however, by extending the advantages of automated test to the front end of the product lifecycle, where it has been absent but desperately needed as a design aid. The automated cyber range will be used to support experimentation, evaluate early prototypes and directly conduct design verification testing.
This paper will discuss the innovations in test automation in NCR, the potential adaptation of the NCR technology to network-centric system support systems and the implication for mission readiness.
Article
Within the context of (software) language engineering, language descriptions are considered first class citizens. One of the ways to describe languages is by means of a metamodel, which represents the abstract syntax of the language. Unfortunately, in this process many language engineers forget the fact that a language also needs a concrete syntax and a semantics. In this paper I argue that neither of these can be discarded from a language description. In a good language description the abstract syntax is the central element, which functions as pivot between concrete syntax and semantics. Furthermore, both concrete syntax and semantics should be described in a well-defined formalism.
Conference Paper
This paper is a written account of the keynote presented at the first International Conference on Software Language Engineering (SLE). Its key message is that although SLE is a new scientific field, we need to use existing knowledge from other fields. A number of research assignments are recognised, which are key research questions into software language design and use.
Conference Paper
The Jakarta Tool Suite (JTS) aims to reduce substantially the cost of generator development by providing domain-independent tools for creating domain-specific languages and component-based generators called GenVoca generators. JTS is a set of precompiler-compiler tools for extending industrial programming languages (e.g., Java) with domain-specific constructs. JTS is itself a GenVoca generator where precompilers for JTS-extended languages are constructed from components