Title Page
Contents
Chapter 1. Introduction
1.1. Background and Motivation
1.2. Objectives and Approaches
1.3. Thesis Organization
Chapter 2. Related Works
2.1. Previous Cyber-security M&S Studies
2.2. Cyber-security Characteristics Analysis
2.3. Review of Cyber-attack Simulation Methods for Case Studies
2.3.1. Worm propagation simulation
2.3.2. DDoS attack simulation
Chapter 3. Cyber-security M&S Approach
3.1. Definition of Cyber-security M&S
3.2. Elicitation of Cyber-security M&S Factors
3.3. Modeling of Cyber-security M&S Factors
Chapter 4. Modeling of Abstracted Cyber-security Unit Model (ACSUM)
4.1. Definition of ACSUM
4.2. Coupling Relations of ACSUMs
4.3. Scenario Representation for ACSUMs Modeling
Chapter 5. Abstraction of Cyber-security Issues using ACSUMs
5.1. Modeling of Abstracted Cyber-security Simulation Model (ACSIM) with a Combination of ACSUMs
5.2. Model Abstraction considering Security Viewpoint
Chapter 6. Cyber-security Simulation Environment
6.1. Experimental Factors of Cyber-security M&S
6.2. Development of Cyber-security Simulation Experimental Frame
6.3. Design of Cyber-security M&S Process
Chapter 7. Case Studies
7.1. Worm Propagation Simulation
7.2. Availability Evaluation Simulation of Cloud Data Center
Chapter 8. Conclusion
References
Appendix. Extraction of Cyber-attack Methods and Defense Methods through CAPEC Analysis
Abstract (in Korean)
[Table 1] Analysis of frequency of use for attack methods needed to achieve various attack purposes
[Table 2] Analysis of attack consequences according to attack purpose
[Table 3] Main parameters for worm propagation simulations
[Table 4] Main simulation parameters for DDoS attack simulations
[Table 5] ACSIM modeling 1 - Abstracted states of ACSIMs obtained from ACSUMs
[Table 6] Parameters of cloud data center
[Table 7] The migration mechanism of XenServer
[Table 8] The parameters of the "Service Generator" (SG) model
[Table 9] Simulation parameters
(Figure 1) The concept and domain of cyber-security
(Figure 2) The composition of a cyber-security problem
(Figure 3) Cyber-security M&S factors
(Figure 4) Modeling of cyber-security M&S factors
(Figure 5) Entities of modeling and simulation (M&S) framework
(Figure 6) Elicitation of cyber-security factors from a basic cyber-security process
(Figure 7) Components of ACSUM
(Figure 8) A buffer attack process
(Figure 9) ACSUM components of a buffer attack
(Figure 10) The process of a man-in-the-middle attack
(Figure 11) ACSUM components of a man-in-the-middle attack
(Figure 12) Elicitation of components of ACSUM through CAPEC analysis
(Figure 13) Development of ACSUMs by the combination of pre-elicited components of ACSUMs
(Figure 14) The concept of coupling relations among ACSUMs
(Figure 15) Coupling relations of a man-in-the-middle attack
(Figure 16) Coupling relation of a buffer attack
(Figure 17) Input/output message format of an ACSUM
(Figure 18) An example of modeling a cyber-attack process using an attack tree
(Figure 19) Example cases of modeling an attack process using different source and destination elements
(Figure 20) Type 1 - Flow for an attack that does not allow the failure of each attack method
(Figure 21) Type 2 - Flow for an attack that allows the failure of each attack method and requires successive successes of all the methods
(Figure 22) Flow for an attack that allows each attack method to fail and requires sequential successes of all the methods. In this case, the attacker repeats a failed attack method so that the attack can progress
(Figure 23) Time scheduling considering the processing time of the next attack method
(Figure 24) A structure and state diagram of a simulation model of a buffer attack
(Figure 25) A structure and state diagrams of a simulation model of a man-in-the-middle attack
(Figure 26) A structure and state diagrams of a simulation model of an APT attack
(Figure 27) Development of various simulation models using ACSUMs
(Figure 28) Composition of an ACSIM
(Figure 29) An example of creating ACSIMs from multiple ACSUMs
(Figure 30) A process of developing ACSIMs
(Figure 31) A process of developing a cyber-security model in phases
(Figure 32) The complete structure of a cyber-security model based on DEVS
(Figure 33) An I/O event of ACSIMs based on the location of the ACSUMs
(Figure 34) A time advance of ACSIM based on processing time of ACSUMs
(Figure 35) The concept of abstraction of security issues
(Figure 36) Network abstraction using firewall rules
(Figure 37) Applying firewall rules by each security zone
(Figure 38) User abstraction using the RBAC technique
(Figure 39) Granting a permission by user group
(Figure 40) An attack process of worm propagation simulation
(Figure 41) Example of ACSIM modeling - a case that observes a state of each host
(Figure 42) Example of ACSIM modeling - a case that observes networks when a worm is introduced
(Figure 43) Example of ACSIM modeling - a case that controls a local network
(Figure 44) Example of ACSIM modeling - a case that controls an entire network
(Figure 45) Relation between a performance index and output variables
(Figure 46) Process of a cyber-security model design based on a simulation purpose
(Figure 47) Relation among simulation input variables, output variables, and performance indices
(Figure 48) Structure of cyber-security EF
(Figure 49) Example of EF design of a worm propagation simulation
(Figure 50) Development of a cyber-security model with combinations of cyber-security M&S factors that is extracted in advance
(Figure 51) Cyber-security M&S process
(Figure 52) Two models used in the case studies
(Figure 53) Structure and state diagram of ACSUMs in a simulated worm attack
(Figure 54) ACSIM modeling 1- One-to-one modeling of ACSUM and ACSIM
(Figure 55) ACSIM modeling 1- Snapshot of a worm propagation simulation model implemented with DEVSJAVA
(Figure 56) Propagation rate depending on patching rate
(Figure 57) Propagation rate depending on filtering rate
(Figure 58) Propagation rate depending on patch and filtering techniques
(Figure 59) ACSIM modeling 2- five-to-one modeling of ACSUM and ACSIM
(Figure 60) ACSIM modeling 2 - An initial snapshot of a worm propagation simulation model implemented with DEVSJAVA
(Figure 61) Simulation result of ACSIM modeling 2 - A case in which the network is blocked before the worm propagates to the external network
(Figure 62) Simulation result of ACSIM modeling 2 - A case in which the worm propagates to the external network before the local network is blocked
(Figure 63) Block diagram representation of a CDC
(Figure 64) Availability evaluation model for cloud data center
(Figure 65) Resource management through "Server Manager" (SM)
(Figure 66) Screenshot of the DEVSJAVA implementation of the simulation model
(Figure 67) Resource allocation scheme for each scenario
(Figure 68) Simulation results of the average turnaround time and the average throughput