Abstract

An information technology system (ITS), informally, consists of hardware and software infrastructure (e.g., workstations, servers, laptops, installed software packages, databases, LANs, firewalls, etc.), along with physical and logical connections and inter-dependencies between various items. Nowadays, every company owns and operates an ITS, but detailed information about the system is rarely publicly available. However, there are many situations where the availability of such data would be beneficial. For example, cyber ranges need descriptions of complex realistic IT systems in order to provide an effective training and education platform. Furthermore, various algorithms in cybersecurity, in particular attack tree generation, need to be validated on realistic models of IT systems. In this paper, we describe a system we call the Generator that, based on high-level requirements such as the number of employees and the business area the target company belongs to, generates a model of an ITS that satisfies the given requirements. We put special emphasis on the following two criteria: the generated ITS models a large amount of detail, and ideally resembles a real system. Our survey of related literature found no sufficiently similar prior works, so we believe that this is the first attempt at building something like this. We created a proof-of-concept implementation of the Generator, validated it by generating ITS models for a simplified fictional financial institution, and analyzed the Generator's performance with respect to the problem size. The research was done in an iterative manner, with coauthors continuously providing feedback on intermediate results. (...) We intend to extend this prototype to allow probabilistic generation of IT systems when only a subset of parameters is explicitly defined, and further develop and validate our approach with the help of domain experts.

Highlights

  • Practice is key in the learning process and Cyber Defense is no exception

  • The generation is based on expert rules that can be selected from the existing rule collection or added manually as needed

  • We intend to further test the system by developing a cybersecurity exercise theatre and scenario, validate the system with the help of domain experts, extend the proposed method and system to allow the use of probabilistic parameters, add virtualization, cloud and outsourcing support, increase the amount of technical details, and include additional network segmentation rules


Summary

INTRODUCTION

Practice is key in the learning process and Cyber Defense is no exception. Knowing your information system well, knowing what would happen in the event of an attack, testing defenses and practicing with a simulated adversary on the network are critical to a successful defense. Cyber ranges are essentially virtualized environments that mimic real-world environments and contain additions that make practicing and learning more efficient. Cyber ranges can be used to test different security mechanisms and how they behave in the event of an attack. All of this requires that an organisation's information technology system (IT system) - whether real or imagined - be implemented in the cyber range. In this paper we present a first step towards solving the problem of a finite set of different IT systems. To this end, we describe a prototype system we have developed that, given requirements on its input, produces a description of an IT system on its output.
