= Generating Synthetic Attacks =

Within the framework a script is provided to specify all of the synthetic attack variables and generate the attacks within the traffic set. The script can also observe the metrics as the attacks are taking place, outputting any information as the attack magnitude is varied. The following attacks are available, and each has a page with more details on specifying its parameters:

 * '''[wiki:SynDistributedFlood Distributed bandwidth flood]'''
 * '''[wiki:SynHorizontalScan Horizontal scan activity]'''
 * '''[wiki:SynWormActivity Worm activity]'''

[wiki:DPUserFunctions#SyntheticAttacks The synthetic attack methods] are provided for general use in building your own attack generation scripts; however, we also provide a very fine-grained tool for generating synthetic attacks and observing them. The idea is that the tool provides the functionality of specifying the type of attack, how to vary its magnitude and at what rate the magnitude should increase, and ''you'' provide what happens as the magnitude of the attack is increased. This lets you monitor ''anything'' in the network as the attack changes. To do so you specify a single method, ''user_iteration(intervals,magnitude)'', to which the ''[source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb]'' script passes an array of timestamps (the intervals the attacks were inserted into) and the current magnitude of the attack. This method must be placed in a file named user_iteration.rb in your current directory so that ''[source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb]'' knows where to find it.
For example, let's say we want to monitor entropy as the magnitude of an attack increases. We would create the following ''user_iteration(intervals,magnitude)'' method:

{{{
def user_iteration(intervals,magnitude)
  entropy_sum = Hash.new # keep track of sum of all intervals to get average
  entropy_sum.default = 0
  # calculate the entropy for each interval and add it to our sum
  intervals.sort.each do |interval|
    $stderr.puts "\tcomputing entropy for interval #{interval}..."
    entropy=compute_all_entropy(interval,"all_flows")
    entropy.each {|metric,value| entropy_sum[metric]+=value;}
  end
  # get the average entropy values (num_intervals is the -n value given to dp_synthetic.rb)
  entropy_sum.each {|metric,value| entropy_sum[metric]/=$options.num_intervals}
  print_magnitude_entropy(magnitude,entropy_sum)
end
}}}

This method is called for every magnitude of the attack, including a magnitude of 0 if the start was set to 0. The code was structured to support the use of multiple intervals for averaging. This removes the bias of introducing the attack into one specific interval: the entropy values of all the intervals are summed and then averaged. An example of using this user-defined method with the script can be found in our [wiki:SynDistributedFlood#ExampleAttacks distributed bandwidth flood example].

There is ''no'' limitation on your method. If you ran ''[source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb]'' with the attack type of a bandwidth flood specified, you could choose, through your user-defined method, to add an inbound horizontal scan into the mix when the attack exceeds a magnitude of 100 by calling ''[wiki:DPUserFunctions#SyntheticAttacks insert_ib_hscan()]''. This opens up multi-dimensional attack spaces: for every magnitude at which your base attack is inserted, you insert another attack, or possibly two other attacks. This keeps the base ''[source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb]'' script simple.
Another idea would be to monitor one of the [wiki:TrafficFeatures traffic features] with some of the [wiki:MetricStatistics statistical] methods we provide. You could also build other methods which your ''user_iteration()'' method can call, creating a very modular environment.

Here is the top-level usage of the dp_synthetic.rb script:

'''[source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb]'''
 * ''Usage'':
{{{
$ ./dp_synthetic.rb -h
Usage: dp_synthetic.rb [options]
Mandatory parameters:
    -a, --attack-type [TYPE]         The attack type, available types: ib/ob_worm ib/ob_flood ib/ob_hscan
    -m, --magnitude [MAGNITUDE]      The magnitude of the attack to use or start at
    -i, --interval [TIMESTAMP]       The interval in timestamp format to insert the attack
    OR
    -n, --num-intervals [INTEGER]    The number of random intervals to insert the attack into for averaging
Optional parameters:
    -e, --end-magnitude [MAGNITUDE]  Specify the magnitude to stop at when running iteratively (requires --step parameter)
    -s, --step [MAGNITUDE]           The magnitude to step at from magnitude to end_magnitude (MANDATORY VALUE)
    -p, --scan-port [PORT]           The port at which scans will take place on (default 80)
    -v, --victim [ADDRESS]           Integer address of the victim to perform the attack against (default 0)
    -w, --worm-rate [RATE]           The rate in hosts per second at which each worm infected host scans at (default 50)
    -c, --val-check [TYPE,LOW,HIGH]  Specify that all random intervals selected must meet some value when using --num-intervals
                                     TYPE: entropy, sdev_score, wavelet_score
                                     LOW: check that 'TYPE' >= 'LOW'
                                     HIGH: check that 'TYPE' <= 'HIGH'
}}}
 * ''Description'': generates [wiki:SyntheticAttacks synthetic attacks]; usage varies slightly with the attack type. See the specific attack types for details.
 * ''Output'': main output goes to stdout, status output goes to stderr, so that normal output can be piped while viewing the status of the script.
 * ''Example usage'': see the specific attack types for specific example usages.
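As an added example (not the framework's own code), here is a self-contained user_iteration.rb in the spirit of the entropy hook above, together with a stand-in for the -m/-e/-s magnitude sweep of dp_synthetic.rb. It records the first magnitude at which the averaged destination-address entropy falls to an alarm threshold, which is the number a detection engineer usually wants from such a sweep. The two-interval traffic set, the 1.5-bit threshold, and the compute_all_entropy / insert_ib_flood stand-ins are assumptions made so the file runs on its own.

```ruby
# Constructed sample traffic (assumption, not a real traffic set):
# interval timestamp => destination address => flow count.
$traffic = {
  1000 => { 10 => 40, 11 => 35, 12 => 30, 13 => 25 },
  1300 => { 10 => 30, 11 => 30, 12 => 30, 13 => 30 },
}

# Shannon entropy (bits) of the destination-address distribution of one interval.
# Stand-in for the framework's compute_all_entropy(interval, "all_flows").
def compute_all_entropy(interval, _set = "all_flows")
  counts = $traffic.fetch(interval).values
  total = counts.sum.to_f
  { "dst_entropy" => counts.sum { |c| p = c / total; p > 0 ? -p * Math.log2(p) : 0.0 } }
end

# Stand-in for the framework's flood insertion: MAGNITUDE extra flows toward VICTIM.
def insert_ib_flood(interval, magnitude, victim)
  $traffic[interval][victim] = $traffic[interval].fetch(victim, 0) + magnitude
end

DETECT = { "dst_entropy" => 1.5 }  # alarm when the averaged metric is at or below this (constructed)
$detection_points = {}              # metric => first magnitude at which it alarmed

# The hook dp_synthetic.rb calls once per magnitude with the intervals it inserted into.
def user_iteration(intervals, magnitude)
  sums = Hash.new(0.0)
  intervals.sort.each do |interval|
    compute_all_entropy(interval, "all_flows").each { |metric, value| sums[metric] += value }
  end
  sums.each_key { |metric| sums[metric] /= intervals.size }  # average over the intervals given
  sums.each { |m, v| $detection_points[m] ||= magnitude if DETECT[m] && v <= DETECT[m] }
  $stderr.puts "magnitude #{magnitude}: " + sums.map { |m, v| format("%s=%.3f", m, v) }.join(" ")
  sums
end

# Stand-in for the -m/-e/-s sweep of dp_synthetic.rb: insert, observe, undo, step.
def run_sweep(start, stop, step, victim = 13)
  $detection_points.clear
  intervals = $traffic.keys
  start.step(stop, step) do |magnitude|
    snapshot = Marshal.load(Marshal.dump($traffic))
    intervals.each { |i| insert_ib_flood(i, magnitude, victim) } if magnitude > 0
    user_iteration(intervals, magnitude)
    $traffic = snapshot  # each magnitude is inserted into clean traffic
  end
  $detection_points
end

run_sweep(0, 300, 100) if $PROGRAM_NAME == __FILE__
```

With the constructed traffic the sweep alarms at magnitude 200; the same structure works with the real compute_all_entropy once the stand-ins are removed.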