SPHINX Attack and Behaviour Simulators: PART I
The Security Incident/Attack Simulator constitutes one part of the Attack and Behaviours Simulators (ABS) component of the SPHINX Toolkit. This part is responsible for simulating the real-life cyber-attacks described in the use cases provided by the project partners. The purpose of this simulation is to validate the developed functions and assess the effectiveness of the other SPHINX components by providing an easy way to reproduce such attacks.
Based on the SPHINX toolkit architecture, the ABS component has four (4) basic requirements that fulfil some of the functional requirements provided by the target stakeholders of the SPHINX project. The requirements include the production of normal behaviour datasets, the evaluation of the produced datasets against the original datasets, the production of datasets incorporating cyber-attacks and, finally, the use of the output in the experimentation environment.
In order to evaluate the effectiveness of the other SPHINX components, the simulator is programmed to create and test realistic cyber-attacks. In this context, the use cases elaborated by the SPHINX partners are used as the point of reference. Drawing from this information, the attack simulation function of the component is related to the following use cases:
- Attacking Obsolete Operating Systems in Hospital
- Rootkit Malware Attack in a Cancer Treatment Institute
- Theft of Health Data by Exploiting Vulnerable Software
- Ransomware Attack to Healthcare Data
- Compromised BYOD Enables Stealing of Patient Data
- Hijacking Access to National Healthcare Databases
- Tampering with Medical Devices
- Distributed Denial-of-Service Attack in Regional Hospital
- Compromising Health Services through Cryptocurrency Mining
- Taking Control of Connected Medical Devices
- Intrusion in the Clinical Centre’s Wireless Network
- Hacking Health IT Systems
- Exploiting Remote Patient Monitoring Services
- Zero-Day Attack to eHealth Services
- Theft of Hospital Equipment
- Intercepting Cross-border Healthcare Data Exchange
The attack simulator itself comprises three different sub-components, each responsible for simulating a different attack. The three sub-components are the Flask application, the Local Malware Execution, and the Abnormal Parametrisation of the Behaviour Simulator.
Being a sub-component of the ABS module, the Security Incident/Attack Simulator uses the interfaces for its communication with the internet and the sandbox, as outlined in the architecture. In addition, it provides operational data to the CIP interface.
More information about the Security Incident/Attack Simulator of the ABS component can be found in Deliverable 5.3 that is publicly available here.