Creating Synthetic Attacks

Creating synthetic attacks for use in the anomaly detection testbed is simple, and only a few requirements must be met before an attack can be made available for public use. The attack should give the user some control, such as varying the magnitude of the attack; this helps develop fine-grained anomaly detection methods and lets users study at what magnitudes the methods and metrics are capable of detecting the attacks. All currently available attacks can be found in attacks.rb, which can be used as a template for generating new attack models.

Requirements to make the attack public:

  • the first parameter to the attack flow generation function should be an interval, in the form of a timestamp, into which the flows are inserted

  • the flows are to be inserted into the ATTACK_FLOWS table, so that the attack does not require write access to a specific flow table or database

Useful Tips

Generating a large number of flows can be done easily in SQL with a single query using PostgreSQL's generate_series() function. To generate 1000 identical (static) attack flows, the function could be used as follows:

INSERT INTO attack_flows
SELECT
  '2005-02-01 00:00:00',           -- interval (single quotes: a double-quoted value would be parsed as an identifier)
  10000, 10001,                    -- start_time, stop_time
  17,                              -- protocol (17 = UDP)
  131012, 131013,                  -- src_ip, dst_ip
  10204, 80,                       -- src_port, dst_port
  10, 0,                           -- src_packets, dst_packets
  15000, 0,                        -- src_bytes, dst_bytes
  'CON', false                     -- state, dir_unknown
FROM generate_series(1, 1000)      -- one identical row per generated value
AS current_value;

Generating sequential activity, such as scanning a whole subnet address by address, can be done by using the generate_series() values themselves. To generate a scan of a whole class B subnet whose first address is 0, the following could be used:

INSERT INTO attack_flows
SELECT
  '2005-02-01 00:00:00',           -- interval
  10000, 10001,                    -- start_time, stop_time
  17,                              -- protocol (17 = UDP)
  131012, current_victim,          -- src_ip, dst_ip (the series value is the victim address)
  10204, 80,                       -- src_port, dst_port
  1, 0,                            -- src_packets, dst_packets
  1500, 0,                         -- src_bytes, dst_bytes
  'CON', false                     -- state, dir_unknown
FROM generate_series(0, 65534)     -- every address of the class B block, in order
AS current_victim;

Adding dynamic characteristics to generated attack flows can be done using the random() function in SQL. random() returns a float between 0 and 1, which can be combined with generate_series() to vary a field per generated row. To build on the previously generated attack, if you wanted to randomly scan 1000 hosts in the class B subnet, you could use the following query:

INSERT INTO attack_flows
SELECT
  '2005-02-01 00:00:00',           -- interval
  10000, 10001,                    -- start_time, stop_time
  17,                              -- protocol (17 = UDP)
  -- random() returns a double; floor it and cast to an integer address.
  -- Victims are drawn independently, so the same host may be picked more than once.
  131012, floor(random() * 65534)::integer,  -- src_ip, dst_ip
  10204, 80,                       -- src_port, dst_port
  1, 0,                            -- src_packets, dst_packets
  1500, 0,                         -- src_bytes, dst_bytes
  'CON', false                     -- state, dir_unknown
FROM generate_series(1, 1000)      -- 1000 probes, one random victim each
AS current_victim;
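The random-scan query above and the two requirements listed earlier, combined into an attack generation function in the style of attacks.rb. This is an added example, not code from attacks.rb or the testbed; the function, its keyword parameters and the default values are assumptions, and the column names are taken from the comments in the page's INSERT statements. It keeps the interval as the first parameter, writes only to attack_flows, exposes the number of scanned hosts as the magnitude knob, and seeds the random choice so a detection run can be repeated on identical flows.

```ruby
require 'time'

# Column order of attack_flows as used by the page's INSERT statements (assumed).
ATTACK_FLOW_COLUMNS = %w[interval start_time stop_time protocol src_ip dst_ip
                         src_port dst_port src_packets dst_packets src_bytes
                         dst_bytes state dir_unknown].freeze

# Build `hosts` UDP flows from one attacker to distinct random victims in the
# class B block starting at `subnet_base`. The interval is the first parameter
# (requirement 1); `hosts` is the magnitude knob; `seed` fixes the victim set
# so a detection result can be re-checked on the same data. Defaults are the
# hypothetical values used in the page's queries.
def random_subnet_scan(interval, hosts: 1000, subnet_base: 0, attacker_ip: 131_012,
                       start_time: 10_000, seed: 42)
  ts = interval.is_a?(Time) ? interval : Time.parse(interval)
  raise ArgumentError, 'hosts must be in 1..65535' unless (1..65_535).cover?(hosts)
  # Sampling without replacement avoids the duplicate victims random() can produce.
  victims = (0..65_534).to_a.sample(hosts, random: Random.new(seed))
  victims.map do |offset|
    { 'interval' => ts.strftime('%Y-%m-%d %H:%M:%S'),
      'start_time' => start_time, 'stop_time' => start_time + 1,
      'protocol' => 17, 'src_ip' => attacker_ip, 'dst_ip' => subnet_base + offset,
      'src_port' => 10_204, 'dst_port' => 80,
      'src_packets' => 1, 'dst_packets' => 0, 'src_bytes' => 1500, 'dst_bytes' => 0,
      'state' => 'CON', 'dir_unknown' => false }
  end
end

# Render a value as a PostgreSQL literal: strings single-quoted with embedded
# quotes doubled, booleans as TRUE/FALSE, numbers as-is.
def sql_literal(value)
  case value
  when String then "'#{value.gsub("'", "''")}'"
  when true, false then value.to_s.upcase
  else value.to_s
  end
end

# Emit one multi-row INSERT that writes only to attack_flows (requirement 2).
def attack_flows_insert(rows)
  cols = ATTACK_FLOW_COLUMNS.join(', ')
  values = rows.map { |r| "(#{ATTACK_FLOW_COLUMNS.map { |c| sql_literal(r[c]) }.join(', ')})" }
  "INSERT INTO attack_flows (#{cols})\nVALUES\n#{values.join(",\n")};"
end
```

Calling `attack_flows_insert(random_subnet_scan('2005-02-01 00:00:00', hosts: 1000))` yields the statement to run against the testbed database.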