= Creating Synthetic Attacks =

Creating synthetic attacks for the anomaly detection testbed is straightforward, and only two requirements have to be met before an attack can be made available for public use. An attack should give the user some control over it, for example the ability to vary its magnitude; this helps when developing fine-grained anomaly detection methods and lets users study at what magnitudes a given method or metric is still able to detect the attack. All currently available attacks can be found in [source:scripts/ruby/include/attacks.rb attacks.rb], which can be used as a template for writing new attack models.

Requirements to make the attack public:

 * the first parameter of the attack flow generation function must be the interval, given as a timestamp, into which the generated flows are inserted

 * the flows must be inserted into the ''[wiki:SyntheticAttacks#DatabasePerspective ATTACK_FLOWS]'' table, so that generating an attack never requires write access to a specific flow table or database

== Useful Tips ==

__Generating a large number of flows__ can be done in SQL with a single query using the ''[http://www.postgresql.org/docs/8.0/interactive/functions-srf.html generate_series()]'' set-returning function: the SELECT list is evaluated once for every value the series produces, so constant columns are simply repeated. To generate 1000 identical (static) attack flows, the function could be used as follows:
{{{
INSERT INTO attack_flows
SELECT
  '2005-02-01 00:00:00',  -- interval (single quotes: "..." would be an identifier)
  10000, 10001,           -- start_time, stop_time
  17,                     -- protocol (UDP)
  131012, 131013,         -- src_ip, dst_ip
  10204, 80,              -- src_port, dst_port
  10, 0,                  -- src_packets, dst_packets
  15000, 0,               -- src_bytes, dst_bytes
  'CON', false            -- state, dir_unknown
FROM generate_series(1,1000)
  AS current_value;
}}}

__Generating sequential activity__, such as scanning a whole subnet address by address, can be done by using the values produced by ''[http://www.postgresql.org/docs/8.0/interactive/functions-srf.html generate_series()]'' directly in the flow columns. To generate a scan of every address in a class B subnet whose first address is 0 (the series alias ''current_victim'' is used as the integer form of the destination address), the following could be used:
{{{
INSERT INTO attack_flows
SELECT
  '2005-02-01 00:00:00',   -- interval
  10000, 10001,            -- start_time, stop_time
  17,                      -- protocol (UDP)
  131012, current_victim,  -- src_ip, dst_ip (one flow per address 0 .. 65535)
  10204, 80,               -- src_port, dst_port
  1, 0,                    -- src_packets, dst_packets
  1500, 0,                 -- src_bytes, dst_bytes
  'CON', false             -- state, dir_unknown
FROM generate_series(0,65535)
  AS current_victim;
}}}

__Adding dynamic characteristics__ to generated attack flows can be done with the SQL ''random()'' function. ''random()'' returns a double precision value in the range 0.0 <= x < 1.0 and is evaluated anew for every row that ''[http://www.postgresql.org/docs/8.0/interactive/functions-srf.html generate_series()]'' produces, so scaling it gives each flow a different value. Cast the scaled value with ''floor(...)::int'' before storing it in an integer column, so that the destination is a whole address in 0 .. 65535 instead of relying on the implicit rounding cast. To build on the previous attack and randomly scan 1000 hosts in the class B subnet (sampling with replacement, so a host may be hit more than once), you could use the following query:
{{{
INSERT INTO attack_flows
SELECT
  '2005-02-01 00:00:00',                 -- interval
  10000, 10001,                          -- start_time, stop_time
  17,                                    -- protocol (UDP)
  131012, floor(random()*65536)::int,    -- src_ip, dst_ip (random address in the /16)
  10204, 80,                             -- src_port, dst_port
  1, 0,                                  -- src_packets, dst_packets
  1500, 0,                               -- src_bytes, dst_bytes
  'CON', false                           -- state, dir_unknown
FROM generate_series(1,1000)
  AS current_value;
}}}
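
The requirements above and the three query patterns can be combined into one attack model. The following is an added example written for this page, not code from attacks.rb: a Ruby function whose first parameter is the interval, which only ever targets ''attack_flows'', and which exposes the magnitude (number of flows) and the shape of the scan (static, sequential or random) as parameters. It builds the INSERT statement as a string for a PostgreSQL client to execute. The column order, the integer encoding of IP addresses (131012 is 0.1.255.196) and the constant packet and byte counts are assumptions taken from the example queries on this page, not a verified ''ATTACK_FLOWS'' definition. Every value interpolated into the SQL is either a validated Integer or a strftime'd Time, so a caller cannot smuggle SQL through the parameters.

```ruby
# Added example (not from attacks.rb): a synthetic UDP scan attack model for the
# testbed. Column order and integer IPs are assumptions based on the page's queries.
require 'time'

UDP = 17

# Dotted quad -> unsigned 32-bit integer (assumed IP encoding; 131012 == 0.1.255.196).
# Raises ArgumentError on anything that is not a valid IPv4 address, so only
# validated integers are ever interpolated into the generated SQL.
def ip_to_int(dotted)
  octets = dotted.split('.', -1).map { |o| Integer(o, 10) }
  unless octets.size == 4 && octets.all? { |o| (0..255).cover?(o) }
    raise ArgumentError, "not an IPv4 address: #{dotted}"
  end
  octets.inject(0) { |acc, o| (acc << 8) | o }
end

# Timestamp as an SQL string literal. Single quotes matter: in PostgreSQL
# "2005-02-01 00:00:00" is an identifier and the INSERT would fail.
def sql_timestamp(time)
  "'#{time.strftime('%Y-%m-%d %H:%M:%S')}'"
end

# Build the INSERT for a scan of `subnet_size` addresses starting at `subnet`.
#   interval    - Time; the first parameter, as the public-attack requirements demand
#   magnitude   - number of flows to generate (the user-controlled attack size)
#   mode        - :static     every flow hits the first address of the subnet
#                 :sequential addresses 0, 1, ..., magnitude-1 (capped at subnet_size)
#                 :random     magnitude addresses drawn uniformly, with replacement
def scan_attack_sql(interval, attacker:, subnet:, magnitude:, mode: :sequential,
                    subnet_size: 65_536, dst_port: 80,
                    start_time: 10_000, stop_time: 10_001)
  unless magnitude.is_a?(Integer) && magnitude.positive?
    raise ArgumentError, 'magnitude must be a positive Integer'
  end
  unless subnet_size.is_a?(Integer) && subnet_size.positive?
    raise ArgumentError, 'subnet_size must be a positive Integer'
  end
  base = ip_to_int(subnet)

  dst_ip, series =
    case mode
    when :static
      [base.to_s, "generate_series(1, #{magnitude})"]
    when :sequential
      last = [magnitude, subnet_size].min - 1
      ["#{base} + s", "generate_series(0, #{last})"]
    when :random
      # floor(...)::int keeps the offset in [0, subnet_size) and yields an integer;
      # a bare random()*N would be rounded on assignment and could produce N itself.
      ["#{base} + floor(random() * #{subnet_size})::int",
       "generate_series(1, #{magnitude})"]
    else
      raise ArgumentError, "unknown mode #{mode.inspect}"
    end

  <<~SQL
    INSERT INTO attack_flows
      (interval, start_time, stop_time, protocol, src_ip, dst_ip,
       src_port, dst_port, src_packets, dst_packets, src_bytes, dst_bytes,
       state, dir_unknown)
    SELECT
      #{sql_timestamp(interval)},                      -- interval
      #{Integer(start_time)}, #{Integer(stop_time)},   -- start_time, stop_time
      #{UDP},                                          -- protocol
      #{ip_to_int(attacker)}, #{dst_ip},               -- src_ip, dst_ip
      10204, #{Integer(dst_port)},                     -- src_port, dst_port
      1, 0,                                            -- src_packets, dst_packets
      1500, 0,                                         -- src_bytes, dst_bytes
      'CON', false                                     -- state, dir_unknown
    FROM #{series} AS s;
  SQL
end

if $PROGRAM_NAME == __FILE__
  # Random scan of 1000 hosts in the class B subnet starting at 0.0.0.0,
  # attributed to the attacker address used throughout this page.
  puts scan_attack_sql(Time.utc(2005, 2, 1), attacker: '0.1.255.196',
                       subnet: '0.0.0.0', magnitude: 1000, mode: :random)
end
```

Varying ''magnitude'' while keeping everything else fixed is what lets a detection method be evaluated at different attack sizes; the ''mode'' parameter only changes the ''dst_ip'' expression and the bounds of ''generate_series()'', so the same database write path is used for all three shapes.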