A Model Driven Approach for Cyber Security Scenarios Deployment

To read the full-text of this research, you can request a copy directly from the authors.


Cyber ranges for training in threat scenarios are nowadays highly demanded in order to improve people ability to detect vulnerabilities and to react to cyber-threats. Among the other components, scenarios deployment requires a modeling language to express the (software and hardware) architecture of the underlying system, and an emulation platform. In this paper, we exploit a model-driven engineering approach to develop a framework for cyber security scenarios deployment.We develop a domain specific language for scenarios construction, which allows the description of the architectural setting of the system under analysis, and a mechanism to deploy scenarios on the OpenStack cloud infrastructure by means of HEAT templates. On the scenario model, we also show how it is possible to detect network configuration problems and structural vulnerabilities. The presented results are part of our ongoing research work towards the definition of a training cyber range within the EU H2020 project THREAT-ARREST.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... Similarly, the definition of the CTTP Models will drive the training process, and align it (where possible) with operational cyber system security assurance mechanisms to ensure the relevance of training. Lastly, Braghin et al. [2] provide a model-driven engineering approach based on the creation of a subset of the CTTP model, namely the Emulation sub-model (see Table 2). The approach presented herein is based on the Security Assurance Model proposed by Somarakis et al. [20], extended to cover the needs of the Cyber Range training developed under the H2020 THREAT-ARREST project. ...
... Table 2 shows a subset of the Response & Mitigation Emulation sub-model converted in an XML format. The XML is then converted (by the Emulation Tool) to a HEAT template and is being deployed in OpenStack [2]. More specifically, this sub-model specifies the creation of a Virtual Machine and its network configuration. ...
Conference Paper
Full-text available
In light of the ever-increasing complexity and criticality of applications supported by ICT infrastructures, Cyber Ranges emerge as a promising solution to effectively train people within organisations on cyber-security aspects, thus providing an efficient mechanism to manage the associated risks. Motivated by this, the work presented herein introduces the model-driven approach of the THREAT-ARREST project for Cyber Range training, presenting in detail the Cyber Threat Training and Preparation (CTTP) models. These models, comprising sub-models catering for different aspects of the training, are used for specifying and generating the Training Programmes. As such, the paper also provides details on implementation aspects regarding the use of these models in the context of a usable cyber range training platform and two specific training scenarios.
... The approaches provided by Russo et al. (2018) and Braghin et al. (2019) are similar to our approach in the sense that they use some form of attack models as a foundation to design and execute training scenarios. Russo et al. (2018) introduce a Scenario Definition Language (SDL) based on the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA). ...
... Russo et al. (2018) introduce a Scenario Definition Language (SDL) based on the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA). Braghin et al. (2019) provide a domain specific language for scenario construction in which it is possible to capture configuration problems as well as structural vulnerabilities. We use CORAS risk modes which are acyclic directed graphs as described in Section 4. Thus, from a modelling perspective, our approach complements existing approaches. ...
Conference Paper
Full-text available
There is an urgent need for highly skilled cybersecurity professionals, and at the same time there is an awareness gap and lack of integrated training modules on cybersecurity related aspects on all school levels. In order to address this need and bridge the awareness gap, we propose a method to train and evaluate the cybersecurity skills of participants in cyber ranges based on cyber-risk models. Our method consists of five steps: create cyber-risk model, identify risk treatments, setup training scenario, run training scenario, and evaluate the performance of participants. The target users of our method are the White Team and Green Team who typically design and execute training scenarios in cyber ranges. The output of our method, however, is an evaluation report for the Blue Team and Red Team participants being trained in the cyber range. We have applied our method in three large scale pilots from academia, transport, and energy. Our initial results indicate that the method is easy to use and comprehensible for training scenario developers (White/Green Team), develops cyber-risk models that facilitate real-time evaluation of participants in training scenarios, and produces useful feedback to the participants (Blue/Red Team) in terms of strengths and weaknesses regarding cybersecurity skills.
... Unfortunately, an ITS in the domain of hands-on cybersecurity training is rare, mostly because the interactive lab environment and its setup differ for particular sessions. As a result, cybersecurity platforms offer static scenarios with limited or no adaptiveness [4]. We could create an ITS for a specific training session. ...
Full-text available
This paper presents how learning experience influences students' capability to learn and their motivation for learning. Although each student is different, standard instruction methods do not adapt to individuals. Adaptive learning reverses this practice and attempts to improve the student experience. While adaptive learning is well-established in programming, it is rarely used in cybersecurity education. This paper is one of the first works investigating adaptive learning in security training. First, we analyze the performance of 95 students in 12 training sessions to understand the limitations of the current training practice. Less than half of the students completed the training without displaying a solution, and only in two sessions, all students completed all phases. Then, we simulate how students would proceed in one of the past training sessions if it would offer more paths of various difficulty. Based on this simulation, we propose a novel tutor model for adaptive training, which considers students' proficiency before and during an ongoing training session. The proficiency is assessed using a pre-training questionnaire and various in-training metrics. Finally, we conduct a study with 24 students and new training using the proposed tutor model and adaptive training format. The results show that the adaptive training does not overwhelm students as the original static training. Adaptive training enables students to enter several alternative training phases with lower difficulty than the original training. The proposed format is not restricted to a particular training. Therefore, it can be applied to practicing any security topic or even in related fields, such as networking or operating systems. Our study indicates that adaptive learning is a promising approach for improving the student experience in security education. We also highlight implications for educational practice.
Full-text available
In recent years, there has been a growing demand for cybersecurity experts, and, according to predictions, this demand will continue to increase. Cyber Ranges can fill this gap by combining hands-on experience with educational courses, and conducting cybersecurity competitions. In this paper, we conduct a systematic survey of ten Cyber Ranges that were developed in the last decade, with a structured interview. The purpose of the interview is to find details about essential components, and especially the tools used to design, create, implement and operate a Cyber Range platform, and to present the findings.
Cyber ranges are virtual environments used in several contexts to enhance the awareness and preparedness of users to cybersecurity threats. Effectiveness of cyber ranges strongly depends on how much realistic are the training scenarios provided to trainees and on an efficient mechanism to monitor and evaluate trainees’ activities. In the context of the emulation environment of the THREAT-ARREST cyber range platform, in this paper we present a preliminary design of our work in progress towards the definition of a model-driven approach to monitor and evaluate the trainee performance. We enhance the platform emulation environment with an agent-based system that checks trainees’ behavior in order to collect all the trainee’s actions performed while executing a training exercise. Furthermore, we propose a modular taxonomy of the actions that can be exploited for the description of the trainee’s expected behavior in terms of the expected trace, i.e., the sequence of actions that is required for the correct execution of an exercise. We model the expected and actual trainee activities in terms of finite state machines, then we apply an existing algorithm for graph matching to score the trainee performance in terms of graph distance.
Conference Paper
Full-text available
Cyber ranges are well-defined controlled virtual environments used in cybersecurity training as an efficient way for trainees to gain practical knowledge through hands-on activities. However, creating an environment that contains all the necessary features and settings, such as virtual machines, network topology and security-related content, is not an easy task, especially for a large number of participants. Therefore, we propose CyRIS (Cyber Range Instantiation System) as a solution towards this problem. CyRIS provides a mechanism to automatically prepare and manage cyber ranges for cybersecurity education and training based on specifications defined by the instructors. In this paper, we first describe the design and implementation of CyRIS, as well as its utilization. We then present an evaluation of CyRIS in terms of feature coverage compared to the Technical Guide to Information Security Testing and Assessment of the U.S National Institute of Standards and Technology, and in terms of functionality compared to other similar tools. We also discuss the execution performance of CyRIS for several representative scenarios.
Full-text available
In the model-based development context, metamodel-based languages are increasingly being defined and adopted either for general purposes or for specific domains of interest. However, meta-languages such as the MOF (Meta Object Facility)—combined with the OCL (Object Constraint Language) for expressing constraints—used to specify metamodels focus on structural and static semantics but have no built-in support for specifying behavioral semantics. This paper introduces a formal semantic framework for the definition of the semantics of metamodel-based languages. Using metamodelling principles, we propose several techniques, some based on the translational approach while others based on the weaving approach, all showing how the Abstract State Machine formal method can be integrated with current metamodel engineering environments to endow language metamodels with precise and executable semantics. We exemplify the use of our semantic framework by applying the proposed techniques to the OMG metamodelling framework for the behaviour specification of the Finite State Machines provided in terms of a metamodel.
Conference Paper
We apply model based verification to cyber range event environment configurations, allowing for the early detection of errors in event environment configurations, and a reduction in the time and resources used during deployment. We categorize misconfiguration errors detected using the Common Cyber Environment Representation (CCER) ontology. We also provide an overview of a methodology to specify verification rules and the corresponding error messages. These rules have successfully detected errors in the designs of several cyber range event environments, thereby reducing cost and time to deployment.
Network Centric System operation is the core of our military environment today. While much research and development has been accomplished in technology to support creating and exploiting these increasing complex, interdependent systems, testing technology has not kept pace with the rate of technology advancement. As our dependence on network centric operation grows, the limitations of our ability to rapidly and accurately test a distributed information system is a key challenge to mission readiness. The National Cyber Range (NCR) is a Defense Advanced Research Project Agency (DARPA) program that is currently focusing on addressing the challenge of testing cyber technologies. The NCR will be a scalable (to thousands of nodes), secure, reconfigurable, high fidelity test range to rapidly assess emerging cyber technology. Key innovations include automation for test range configuration and validation, test instrumentation, and test data analysis and a scientific testing methodology for large scale cyber systems. The vision of the NCR program is to create a general purpose test range that can be quickly repurposed to conduct evaluations of cyber technology or architectures in much the same way that the general purpose automated test systems like USN CASS are used to support the test and diagnostics of a wide range of electronic, electro-optical and electro-mechanical devices. NCR is advancing the mission of automated test beyond the production test and maintenance of fielded weapon systems or equipment, however, by extending the advantages of automated test to the front end of the product lifecycle, where it has been absent but desperately needed as a design aid. The automated cyber range will be used to support experimentation, evaluate early prototypes and directly conduct design verification testing. This paper will discuss the innovations in test automation in NCR, the potential adaptation of the NCR technology to network-centric system support systems and the implica- - tion to mission readiness.
Within the context of (software) language engineering, language de-scriptions are considered first class citizens. One of the ways to describe languag-es is by means of a metamodel, which represents the abstract syntax of the language. Unfortunately, in this process many language engineers forget the fact that a language also needs a concrete syntax and a semantics. In this paper I argue that neither of these can be discarded from a language description. In a good lan-guage description the abstract syntax is the central element, which functions as pivot between concrete syntax and semantics. Furthermore, both concrete syntax and semantics should be described in a well-defined formalism.
Conference Paper
This paper is a written account of the keynote presented at the first International Conference on Software Language Engineering (SLE). Its key message is that although SLE is a new scientific field, we need to use existing knowledge from other fields. A number of research assignments are recognised, which are key research questions into software language design and use.
Heat orchestration template (HOT) guide
  • Openstack
OpenStack: Heat orchestration template (HOT) guide (2019). https://docs. guide/hot guide.html
Security scenario generator (SecGen): a framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events
  • Z C Schreuders
  • T Shaw
  • M Shan-A-Khuda
  • G Ravichandran
  • J Keighley
  • M Ordean
Schreuders, Z.C., Shaw, T., Shan-A-Khuda, M., Ravichandran, G., Keighley, J., Ordean, M.: Security scenario generator (secgen): A framework for generating randomly vulnerable rich-scenario vms for learning computer security and hosting CTF events. In: 2017 USENIX Workshop on Advances in Security Education (ASE 17). USENIX Association, Vancouver, BC (2017), https://www.usenix. org/conference/ase17/workshop-program/presentation/schreuders
Implementing Domain Specific Languages with Xtext and Xtend
  • L Bettini
Bettini, L.: Implementing Domain Specific Languages with Xtext and Xtend. Packt Publishing, 2 edn. (2016)