Generating Synthetic Attacks
Within the framework, a script is provided to specify all of the synthetic attack variables and generate the attacks within the traffic set. The script can also observe metrics while the attacks are taking place, outputting information as the attack magnitude is varied. The following attacks are available, and each has a page with more details on specifying its parameters:
The synthetic attack methods are provided for general use in building your own attack generation scripts; however, we also provide a very fine-grained tool for generating synthetic attacks and observing them. The tool lets you specify the type of attack, how the magnitude of the attack is varied and at what rate it increases, while you supply what happens as the magnitude of the attack is increased. This lets you monitor anything in the network as the attack changes. To do so you define a single method, user_iteration(intervals,magnitude), to which the dp_synthetic.rb script passes an array of timestamps (the intervals the attacks were inserted into) and the current magnitude of the attack. This method must be placed in user_iteration.rb in your current directory so that dp_synthetic.rb knows where to find it.
For example, let's say we want to monitor entropy as the magnitude of an attack increases. We would create the following user_iteration(intervals,magnitude) method:
    def user_iteration(intervals,magnitude)
      entropy_sum = Hash.new # keep track of the sum over all intervals to get the average
      entropy_sum.default = 0
      # calculate the entropy for each interval and add it to our sum
      intervals.sort.each do |interval|
        $stderr.puts "\tcomputing entropy for interval #{interval}..."   # status goes to stderr
        entropy = compute_all_entropy(interval, "all_flows")              # hash of metric => value
        entropy.each { |metric,value| entropy_sum[metric] += value }
      end
      # divide each summed metric by the number of intervals to get the average entropy values
      entropy_sum.each { |metric,value| entropy_sum[metric] /= $options.num_intervals }
      print_magnitude_entropy(magnitude, entropy_sum)                     # main output for this magnitude
    end
This method is called for every magnitude of the attack, including a magnitude of 0 if the start magnitude was set to 0. The code is structured to support averaging over multiple intervals: to remove the bias of introducing the attack into one specific interval, the entropy values of all the intervals are summed and then averaged. An example of using this user-defined method with the script can be found in our distributed bandwidth flood example.
There is no limitation on what your method can do. If you ran dp_synthetic.rb with the bandwidth flood attack type specified, your user-defined method could add an inbound horizontal scan into the mix once the attack exceeds a magnitude of 100 by calling insert_ib_hscan(). This opens up multi-dimensional attack spaces: for every magnitude at which your base attack is inserted, you insert another attack, or possibly two other attacks, while the base dp_synthetic.rb script stays simple.
Another idea would be to monitor one of the traffic features with some of the statistical methods we provide. You could also build other methods for your user_iteration() method to call, creating a very modular environment.
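To make the magnitude loop and the averaging hook concrete, here is an added example (not the framework's own code) that models, in a single self-contained Ruby file, how dp_synthetic.rb steps the magnitude and calls user_iteration(intervals,magnitude) for each step. The framework's compute_all_entropy and flood insertion are replaced by constructed stand-ins over a few hand-made flow intervals, so the numbers only illustrate the shape of the metric: destination-address entropy falls as more flood flows are aimed at the victim.

```ruby
# Added example, not the framework's own code: a self-contained model of the
# dp_synthetic.rb magnitude loop driving a user_iteration hook with stand-ins.

# Constructed baseline traffic: interval timestamp => array of [src, dst] flows.
BASELINE = {
  1000 => [[1, 10], [2, 11], [3, 12], [4, 13], [5, 14], [6, 15]],
  1060 => [[1, 10], [2, 11], [3, 12], [7, 16], [8, 17], [9, 18]],
  1120 => [[2, 11], [3, 12], [4, 13], [5, 14], [7, 16], [8, 17]],
}
VICTIM = 99 # integer address of the victim, as given with -v

# Shannon entropy in bits of one flow field's values.
def entropy(values)
  counts = Hash.new(0)
  values.each { |v| counts[v] += 1 }
  total = values.size.to_f
  bits = counts.values.sum { |c| pr = c / total; pr * Math.log2(pr) }
  -bits
end

# Stand-in for an inbound flood: `magnitude` extra flows from distinct sources at VICTIM.
def insert_ib_flood(flows, magnitude)
  flows + (1..magnitude).map { |i| [1000 + i, VICTIM] }
end

# Stand-in for compute_all_entropy(interval, "all_flows"): metric name => entropy.
def compute_all_entropy(interval, magnitude)
  flows = insert_ib_flood(BASELINE.fetch(interval), magnitude)
  { "src_addr" => entropy(flows.map(&:first)),
    "dst_addr" => entropy(flows.map(&:last)) }
end

# The user hook: sum each metric over all intervals and average, as in the
# page's example, but return the averages instead of printing them.
def user_iteration(intervals, magnitude)
  sum = Hash.new(0)
  intervals.sort.each do |interval|
    compute_all_entropy(interval, magnitude).each { |m, v| sum[m] += v }
  end
  sum.transform_values { |v| v / intervals.size }
end

# Model of the driver loop (-m start, -e end, -s step); magnitude 0 is
# included when the start is 0, exactly as the page describes.
def run_synthetic(start_mag, end_mag, step)
  results = {}
  start_mag.step(end_mag, step) { |mag| results[mag] = user_iteration(BASELINE.keys, mag) }
  results
end
```

Running run_synthetic(0, 200, 100) returns one averaged entropy hash per magnitude; the dst_addr entropy drops toward zero as the flood dominates each interval while src_addr entropy rises with the number of distinct flood sources.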
Here is the top level usage of the dp_synthetic.rb script:
- Usage:
    $ ./dp_synthetic.rb -h
    Usage: dp_synthetic.rb [options]
    Mandatory parameters:
        -a, --attack-type [TYPE]         The attack type, available types: ib/ob_worm ib/ob_flood ib/ob_hscan
        -m, --magnitude [MAGNITUDE]      The magnitude of the attack to use or start at
        -i, --interval [TIMESTAMP]       The interval in timestamp format to insert the attack
      OR
        -n, --num-intervals [INTEGER]    The number of random intervals to insert the attack into for averaging
    Optional parameters:
        -e, --end-magnitude [MAGNITUDE]  Specify the magnitude to stop at when running iteratively (requires --step parameter)
        -s, --step [MAGNITUDE]           The magnitude to step at from magnitude to end_magnitude (MANDATORY VALUE)
        -p, --scan-port [PORT]           The port at which scans will take place on (default 80)
        -v, --victim [ADDRESS]           Integer address of the victim to perform the attack against (default 0)
        -w, --worm-rate [RATE]           The rate in hosts per second at which each worm infected host scans at (default 50)
        -c, --val-check [TYPE,LOW,HIGH]  Specify that all random intervals selected must meet some value when using --num-intervals
                                         TYPE: entropy, sdev_score, wavelet_score
                                         LOW: check that 'TYPE' >= 'LOW'
                                         HIGH: check that 'TYPE' <= 'HIGH'
- Description: generates synthetic attacks; usage varies slightly with the attack type. See the specific attack types for details.
- Output: main output goes to stdout and status output goes to stderr, so that the normal output can be piped while the status of the script is viewed.
- Example usage: see the specific attack types for example usages.
