Abstract
Cybersecurity tools are increasingly automated with artificial intelligent (AI) capabilities to match the exponential scale of attacks, compensate for the relatively slower rate of training new cybersecurity talents, and improve of the accuracy and performance of both tools and users. However, the safe and appropriate usage of autonomous cyber attack tools–especially at the development stages for these cyber attack tools – is still largely an unaddressed gap. Our survey of current literature and tools showed that most of the existing cyber range designs are mostly using manual tools and have not considered augmenting automated tools or the potential security issues caused by the tools. In other words, there is still room for a novel cyber range design which allow security researchers to safely deploy autonomous tools and perform automated tool testing if needed. In this paper, we introduce Pandora, a safe testing environment which allows security researchers and cyber range users to perform experiments on automated cyber attack tools that may have strong potential of usage and at the same time, a strong potential for risks. Unlike existing testbeds and cyber ranges which have direct compatibility with enterprise computer systems and the potential for risk propagation across the enterprise network, our test system is intentionally designed to be incompatible with enterprise real-world computing systems to reduce the risk of attack propagation into actual infrastructure. Our design also provides a tool to convert in-development automated cyber attack tools into to executable test binaries for validation and usage realistic enterprise system environments if required. Our experiments tested automated attack tools on our proposed system to validate the usability of our proposed environment. Our experiments also proved the safety of our environment by compatibility testing using simple malicious code.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Delamore, B., Ko, R.K.L.: A global, empirical analysis of the shellshock vulnerability in web applications. In: 2015 IEEE Trustcom/BigDataSE/ISPA, pp. 1129–1135. (2015)
Brumley, D.: The cyber grand challenge and the future of cyber-autonomy. USENIX Login 43, 6–9 (2018)
Ko, R.K.L.: Cyber autonomy: automating the hacker – self-healing, self-adaptive, automatic cyber defense systems and their impact on industry, society, and national security. In: Reuben Steff, J.B., Soare, S.R. Routledge, (ed.) Emerging Technologies and International Security – Machines, the State and War (in print). Routledge (2020)
Donevski, M., Zia, T.: A survey of anomaly and automation from a cybersecurity perspective. In: 2018 IEEE Globecom Workshops (GC Wkshps), pp. 1–6 (2018)
Smith, G.: The intelligent solution: automation, the skills shortage and cyber-security. Comput. Fraud Secur. 2018, 6–9 (2018)
Papanikolaou, N., Pearson, S., Mont, M.C., Ko, R.K.: A toolkit for automating compliance in cloud computing services. Int. J. Cloud Comput. 2(3), 45–68 (2014)
Ko, R., Choo, R.: The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Syngress (2015)
Ko, R.K.L.: Data accountability in cloud systems. In: Nepal, S., Pathan, M. (eds.) Security, Privacy and Trust in Cloud Systems, pp. 211–238. Springer, Berlin Heidelberg, Berlin, Heidelberg (2014)
Ko, R.K., Lee, S.S., Rajan, V.: Understanding cloud failures. IEEE Spect. 49, 84 (2012)
Yuen, J.: Automated cyber red teaming (2015)
Appelt, D., Nguyen, C.D., Briand, L.C., Alshahwan, N.: Automated testing for SQL injection vulnerabilities: an input mutation approach. In: Proceedings of the 2014 International Symposium on Software Testing and Analysis, pp. 259–269. ACM, San Jose, CA, USA (2014)
Tilemachos, V., Manifavas, C.: An automated network intrusion process and counter-measures. In: Proceedings of the 19th Panhellenic Conference on Informatics, pp. 156–160. Association for Computing Machinery, Athens, Greece (2015)
Stricot-Tarboton, S., Chaisiri, S., Ko, R.K.L.: Taxonomy of man-in-the-middle attacks on HTTPS. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 527–534 (2016)
Cha, S.K., Avgerinos, T., Rebert, A., Brumley, D.: Unleashing mayhem on binary code. In: 2012 IEEE Symposium on Security and Privacy, pp. 380–394 (2012)
Kaloudi, N., Li, J.: The AI-based cyber threat landscape: a survey. ACM Comput. Surv. 53, Article 20 (2020)
Fraze, D.: Cyber Grand Challenge (CGC) (Archived). https://www.darpa.mil/program/cyber-grand-challenge
Furnell, S., Spafford, E.H.: The morris worm at 30. ITNOW 61, 32–33 (2019)
Schagen, N., Koning, K., Bos, H., Giuffrida, C.: Towards automated vulnerability scanning of network servers. In: Proceedings of the 11th European Workshop on Systems Security, pp. Article 5. Association for Computing Machinery, Porto, Portugal (2018)
Zhang, X., et al.: An automated composite scanning tool with multiple vulnerabilities. In: 2019 IEEE 3rd Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC), pp. 1060–1064 (2019)
Geffner, J.: VENOM Vulnerability Details. https://www.crowdstrike.com/blog/venom-vulnerability-details
VMware: VMSA-2015–0004. https://www.vmware.com/security/advisories/VMSA-2015-0004.html
Goosen, R., Rontojannis, A., Deutscher, S., Rogg, J., Bohmayr, W., Mkrtchian, D.: Artificial Intelligence is a Threat to Cybersecurity. It’s also a Solution. BCG Publication (2018)
Davis, J., Magrath, S.: A survey of cyber ranges and testbeds. Defence Science and Technology Organisation Edinburgh (Australia) Cyber and Electronic Warfare Div (2013)
Yamin, M.M., Katt, B., Gkioulos, V.: Cyber ranges and security testbeds: Scenarios, functions, tools and architecture. Comput. Secur. 88, 101636 (2020)
MITRE: Common Vulnerabilities and Exposures. https://cve.mitre.org/
Debatty, T., Mees, W.: Building a cyber range for training cyberdefense situation awareness. In: 2019 International Conference on Military Communications and Information Systems (ICMCIS), pp. 1–6. (2019)
Wang, L., Tian, Z., Gu, Z., Lu, H.: Crowdsourcing approach for developing hands-on experiments in cybersecurity education. IEEE Access 7, 169066–169072 (2019)
Du, W.: SEED: hands-on lab exercises for computer security education. IEEE Secur. Priv. 9, 70–73 (2011)
Frank, M., Leitner, M., Pahi, T.: Design considerations for cyber security testbeds: a case study on a cyber security testbed for education. In: 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech), pp. 38–46 (2017)
Amos-Binks, A., Clark, J., Weston, K., Winters, M., Harfoush, K.: Efficient attack plan recognition using automated planning. In: 2017 IEEE Symposium on Computers and Communications (ISCC), pp. 1001–1006 (2017)
Raytheon Technologies: Cyber-Physical Systems and Autonomy. BHEF (2017)
Benzel, T.: The science of cyber security experimentation: the DETER project. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 137–148. Association for Computing Machinery, Orlando, Florida, USA (2011)
Common Vulnerabilities and Exposures: CVE-2018–10933. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933
Yan, L., et al.: DECREE: a platform for repeatable and reproducible security experiments. In: 2018 IEEE Cybersecurity Development (SecDev), pp. 11–20 (2018)
Defense Advanced Research Projects Agency: virtual-competition. https://github.com/CyberGrandChallenge/virtual-competition
Shoshitaishvili, Y., et al.: Mechanical Phish: resilient autonomous hacking. IEEE Secur. Priv. 16, 12–22 (2018)
Defense Advanced Research Projects Agency: cb-testing. https://github.com/CyberGrandChallenge/cb-testing
Legitimate Business Syndicate: legit_00003. https://github.com/legitbs/quals-2016/tree/ma ster/legit_00003
Shoshitaishvili, Y., et al.: SOK: (State of) the art of war: offensive techniques in binary analysis. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 138–157 (2016)
angr: Phuzzer. https://github.com/angr/phuzzer
Zalewski, M.: american fuzzy lop (2.52b). https://lcamtuf.coredump.cx/afl/
angr: rex, https://github.com/angr/rex
Defense Advanced Research Projects Agency: Proof of Vulnerability (POV) in CFE. https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/understanding-cfe-povs.md
Jiang, C., Wang, Y.: Survey on memory corruption mitigation. In: 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), pp. 731–738 (2019)
Acknowledgements
Special thanks to DARPA who have created the DECREE system, virtual-competition and other infrastructure-related modules, which have been used during our experiments. Also, thanks to the team from Legitimate Business Syndicate who have created the vulnerable binary legit_00003, which was a critical part of the experiments. Finally, thanks to the angr team and Shellphish team, who have created and open-sourced their outstanding designs.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Jiang, H., Choi, T., Ko, R.K.L. (2021). Pandora: A Cyber Range Environment for the Safe Testing and Deployment of Autonomous Cyber Attack Tools. In: Thampi, S.M., Wang, G., Rawat, D.B., Ko, R., Fan, CI. (eds) Security in Computing and Communications. SSCC 2020. Communications in Computer and Information Science, vol 1364. Springer, Singapore. https://doi.org/10.1007/978-981-16-0422-5_1
Download citation
DOI: https://doi.org/10.1007/978-981-16-0422-5_1
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-16-0421-8
Online ISBN: 978-981-16-0422-5
eBook Packages: Computer ScienceComputer Science (R0)