Network defence strategy evaluation: Simulation vs. live network

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) Pub Date : 2017-08-05 DOI:10.23919/INM.2017.7987267

Jana Medková, M. Husák, Martin Drasar

{"title":"Network defence strategy evaluation: Simulation vs. live network","authors":"Jana Medková, M. Husák, Martin Drasar","doi":"10.23919/INM.2017.7987267","DOIUrl":null,"url":null,"abstract":"A lot of research has been dedicated to finding an optimal strategy to defend network infrastructure. The proposed methods are usually evaluated using simulations, replayed attacks or testbed environments. However, these evaluation methods may give biased results, because in real life, attackers can follow a suboptimal strategy or react to a defence in an unexpected way. In this paper, we use a network of honeypots as a testing environment for evaluating network defence strategies. The honeypot network provides the opportunity to test a defence strategy against real attackers and is not as time and resource consuming as using white hat hackers. In our experiment, we use two different strategies to defend a group of honeypots in a live network and we compare these results to the results of a simulation with replayed attacks. We show that the results of the strategies in the simulation significantly differ from the results on the honeypot network which implies simulations are not sufficient for strategy evaluation. We also investigate how the attacker adapts to the responses taken by a defence strategy and how this change in behaviour affects the evaluation results.","PeriodicalId":119633,"journal":{"name":"2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/INM.2017.7987267","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

A lot of research has been dedicated to finding an optimal strategy to defend network infrastructure. The proposed methods are usually evaluated using simulations, replayed attacks or testbed environments. However, these evaluation methods may give biased results, because in real life, attackers can follow a suboptimal strategy or react to a defence in an unexpected way. In this paper, we use a network of honeypots as a testing environment for evaluating network defence strategies. The honeypot network provides the opportunity to test a defence strategy against real attackers and is not as time and resource consuming as using white hat hackers. In our experiment, we use two different strategies to defend a group of honeypots in a live network and we compare these results to the results of a simulation with replayed attacks. We show that the results of the strategies in the simulation significantly differ from the results on the honeypot network which implies simulations are not sufficient for strategy evaluation. We also investigate how the attacker adapts to the responses taken by a defence strategy and how this change in behaviour affects the evaluation results.

查看原文本刊更多论文

网络防御策略评估:模拟与实时网络

许多研究都致力于寻找保护网络基础设施的最佳策略。所提出的方法通常使用模拟、重放攻击或测试平台环境进行评估。然而，这些评估方法可能会给出有偏差的结果，因为在现实生活中，攻击者可能会遵循次优策略或以意想不到的方式对防御做出反应。在本文中，我们使用一个蜜罐网络作为评估网络防御策略的测试环境。蜜罐网络提供了测试针对真实攻击者的防御策略的机会，并且不像使用白帽黑客那样耗费时间和资源。在我们的实验中，我们使用两种不同的策略来保护实时网络中的一组蜜罐，并将这些结果与具有重放攻击的模拟结果进行比较。结果表明，仿真结果与蜜罐网络上的结果存在显著差异，这意味着仿真不足以对策略进行评估。我们还研究了攻击者如何适应防御策略所采取的响应，以及这种行为变化如何影响评估结果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)

自引率

0.00%

发文量