SPHINX Attack and Behaviour Simulators: PART III User Behaviour Simulation

In order to produce user behaviour information from captured traffic, it is important to also keep track of the type of users behind machine IPs. For example, a user can be a doctor, IT staff, secretarial staff, patient, or even a medical monitoring device etc. IP addresses usually change, therefore tracking MAC addresses is essential.

From this abstract and anonymised information correlations can be made to match the statistics from the extracted data to a type of user, identify its behaviour during the day (sites visited, number of interactions with mail servers, frequency of interaction with hospital servers etc.). The NetFlow information concerning the captured traffic can also be uploaded to a search and analytics engine such as Elasticsearch and statistical information about all relevant parameters can be extracted from the real data.

Normal User Behaviour Simulation

Modelling network and user behaviours at a low-level TCP/UDP (transport layer) cannot be representative of specific application layer user activities that are really important in order to build a traffic and user behaviour profile for the hospital infrastructure. This necessitates the simulation of normal user behaviour through scripts on the emulated network clients. During this process, it is important that specific guidelines are defined for generation of realistic network traffic. The first guideline focuses on the realistic simulation of user behaviour whereas the second guideline is to take into account the heterogeneity of operating systems. To fulfil these guidelines, during the implementation of scripts the following features should be considered:

  1. Be runnable on different operating systems;
  2. Define typical computerized activities of employees;
  3. Define different tasks and working methods of employees in possibly different subnets (e.g nurses, doctors, IT staff, managerial services);
  4. Avoid periodic repetition of user activities;
  5. Define typical working hours and breaks.

The first feature is met by using the platform-independent language Python for implementing the user behaviour scripts/agents. In the context of user behaviour, hospital employees have a wide range of activities during their daily work such as composing and sending emails, creating documents and presentations, browsing (private or business searches), printing, sharing files and so on. More specifically, for file transfers and printing tasks, it is important to ensure that the corresponding files vary in terms of type and size. In the same context, when sending emails, the number of attachments should vary amongst iterations of the process.

Realistic user behaviour cannot be characterized by repeating (replaying) a list of activities periodically. Instead, the temporal sequence of user activities should be randomised, and the kind of activities should vary. Additionally, activities should not be totally random instead follow probability distributions which subject to typical working hours. Typically, employees are not permanently performing tasks that cause network traffic. It is important to consider meetings, offline work or coffee breaks as mentioned above. Scripts should be developed in a way that boosts traffic footprints during working hours and minimises activities during the evening or breaks when at least most managerial and IT premises of the hospitals are inactive.

For simulating such activities with respect to potential different characteristics of different employees according to their habits and working position, each emulated client machine will require a unique configuration file. Configuration files shall control the kind and frequency of activities and for each client concerning each activity.  Hence, different user profiles will be assigned to different clients of the network. Client configuration files should of course be modular and modifiable in order to effectively reproduce various user behaviours.

All these user behaviour patterns are extracted either from analysing the network traces that are collected from traffic capturing or from extensive questionnaires regarding the activities of employees in different departments, labs and subnetworks of the pilots.

Abnormal Behaviour Simulation

Normal network traffic is planned to be generated by Python scripts as described above. The task of generation of malicious network traffic will follow a different process, which is carried out by the Security Incident/Attack Simulator sub-component of the ABS. Summarising this process, some (internal or external to the main emulated hospital network) clients are planned to perform various attacks using Linux tools and Python scripts (e.g Nmap for scanning, Metasploit for server exploitations, hping3 and Heartleech for DoS attacks, Brute Force Attacks, Worm code execution etc). Such attacks will be deployed by the ABS user inside the simulation/emulation environment, preserving the general concepts mentioned in the introduction.


More information about the user behaviour simulation of the SPHINX ABS component can be found in Deliverable 5.4 that is publicly available here.