Attack Simulation for a Realistic Evaluation and Comparison of Network Security Techniques

“…This paper builds upon the 2018 NordSec conference paper [8] which showed the general feasibility of attack simulation and its ability to generate meaningful insights. However, it also showed how susceptible results are to minute details of the benchmark network.…”

“…For our case study we assume a mid-sized corporate network consisting of nine subnets. These allow for a considerably more complex network hierarchy than the three subnets used in previous investigations [8], let alone scenarios that consist of merely three hypervisors and five unspecific VMs [24]. While this generally requires more lateral movement for the attacker to compromise all valuable resources, it also provides more occasions for defenses to unfold their potential and learn about their effects.…”

“…Seemingly unimportant details of the underlying network model may have a significant impact on simulation development. This was highlighted in previous work where the starting location of VMs drastically impacted the defense performance, rais-ing strong doubts on the usefulness of analyzing defenses in only few benchmark networks [8]. Therefore, we do not perform attack and defense simulation on a single modeled network, but on a large number of diverse benchmark networks that are carefully composed in an automated fashion based on a scenario definition and a "benchmark fuzzing" approach.…”

“…This allows for quantitative analysis and comparison which was previously not possible and increases the chances of detecting corner cases. To put findings into perspective, the same defenses as in prior research [8] are investigated. These comprise IP address randomization [11,20,26,28,33] (short: IP shuffling), state-preserving VM migration [1,5,24] which we denote as live migration, stateresetting VM migration [3,18] denoted as cold migration, as well as sole VM resetting.…”

Automated benchmark network diversification for realistic attack simulation with application to moving target defense

“…This paper builds upon the 2018 NordSec conference paper [8] which showed the general feasibility of attack simulation and its ability to generate meaningful insights. However, it also showed how susceptible results are to minute details of the benchmark network.…”

“…For our case study we assume a mid-sized corporate network consisting of nine subnets. These allow for a considerably more complex network hierarchy than the three subnets used in previous investigations [8], let alone scenarios that consist of merely three hypervisors and five unspecific VMs [24]. While this generally requires more lateral movement for the attacker to compromise all valuable resources, it also provides more occasions for defenses to unfold their potential and learn about their effects.…”

“…Seemingly unimportant details of the underlying network model may have a significant impact on simulation development. This was highlighted in previous work where the starting location of VMs drastically impacted the defense performance, rais-ing strong doubts on the usefulness of analyzing defenses in only few benchmark networks [8]. Therefore, we do not perform attack and defense simulation on a single modeled network, but on a large number of diverse benchmark networks that are carefully composed in an automated fashion based on a scenario definition and a "benchmark fuzzing" approach.…”

“…This allows for quantitative analysis and comparison which was previously not possible and increases the chances of detecting corner cases. To put findings into perspective, the same defenses as in prior research [8] are investigated. These comprise IP address randomization [11,20,26,28,33] (short: IP shuffling), state-preserving VM migration [1,5,24] which we denote as live migration, stateresetting VM migration [3,18] denoted as cold migration, as well as sole VM resetting.…”

Automated benchmark network diversification for realistic attack simulation with application to moving target defense

A critical view on moving target defense and its analogies