-
Notifications
You must be signed in to change notification settings - Fork 260
Possible contributions
Here are a list of possible areas for contribution.
-
Simulation: Enhancement and refinements to the simulation:
-
Implement an
nmap-like port-scanning action (non-deterministic) -
Add dynamism to the model: event-based simulation
-
Make non-deterministic external events: e.g. random changes to the network state between two agent actions.
-
Add concept of 'client tools' installed on a node, associated with port number (e.g.
mstscfor RDP, OpenSSH for SSH) and validate that at least one exist for the appropriate port name when executing the 'connect' attack. Test: In CTF example, the AzureStorage node should not be able to SSH or RDP into other machines. -
Terminology: consider renaming
VulnerabilityLibrarytoAttackLibrary. We could introduce a separate concept of 'exploit' in addition to the 'vulnerabilities' that are exploited. -
Gradual discovery of remote vulnerabilities:
list_attack()should evaluate a boolean pre-condition expressed over the properties of the source node that are known by the agent. -
Represent user-initiated connections by having the environment issue external 'connect' actions
-
Add a Defender that blocks traffic with firewall rules
-
File system: presence of certain files is good indicator of presence of certain attacker toolkits. We could add a 'file hash' field for all services running on a node. Defender could make use of known file hash to detect presence of ransomware on the network.
-
Simulation of external events. Parameterize the Gym environment with a generator of external events
ExternalEventGeneratoroccurring either sequentially or concurrently with the actions taken by attacker agent. -
Simulation of Network Traffic:
- Add notion of protocol session with a timespan
- Generate legitimate RDP/SSH traffic
- Implement a simple defender trying to detect legitimate vs malicious RDP/SSH sessions. In particular detect reconnaissance techniques used by Ransomware
-
Model real attack techniques in our vulnerability/attack inventory with pre-condition, probability of success, successful detection rate:
- Email phishing attacks
- Office Excel Macro attacks
- SMB lateral movement technique
- Disabling Antivirus
-
Some more inspiration to refine the simulation:
-
-
Network topology generation and sampling
- Generating set of networks following similar patterns and see if RL can learn the pattern. E.g. nodes running IIS are more likely to have such and such vulnerability, or certain vulnerabilities are more risky to exploit than others
-
RL training
- Graph embedding representation: feed a graph embedding of the explored network to the RL agent
- Train a new RL algorithm on the existing simulation
- Implement DeepQL agent using Coax in addition to Torch
-
Benchmarking
- Randomly generate training/validation networks for agent benchmarking purpose.
- Design a method to compare and rank novelty of two agents playing on the same environment
-
Network modeling and sampling
- Generative models of networks topologies representative of real networks
-
Engineering
- Python package: one package for the gym environment; another one for the baseline agents with dependency on coax.
-
UI
- A graphical user interface to play with the simulation interactively (as opposed to python commands) with improved visualization of the simulation state, node properties and available actions.
-
Documentation
- Writing tutorial to quickly setup the Gym environment
- Write tutorial on how to create new agent on the Gym simulation
- Write tutorial on how to define new environment modeling enterprise network
- Jupyter notebook showing how to generate a random environment and display the graph