research-article

Generating Virtual Scenarios for Cyber Ranges from Feature-Based Context-Oriented Models: A Case Study

Authors:

Benoît Duhoux,

Axel LegayAuthors Info & Claims

COP '22: Proceedings of the 14th ACM International Workshop on Context-Oriented Programming and Advanced Modularity

Pages 35 - 43

https://doi.org/10.1145/3570353.3570358

Published: 10 December 2022 Publication History

Abstract

A cyber range is a virtual training ground for security experts. Trainees are separated into attacking and defending teams, whose roles are either to compromise or to protect some critical infrastructure. As reuse of a same scenario may significantly reduce training efficiency, recent research proposed to automate the process of defining and deploying arbitrarily complex cyber range scenarios through the use of a virtual scenario description language (VSDL). However, it remains a challenge to generate VSDL scenarios dynamically, i.e. in an adaptive manner, to avoid having to redefine new VSDL scenarios for each new situation. Moreover, existing VSDLs often consider limited contextual information (e.g., only the virtualization budget) and do not link explicitly the vulnerabilities of their scenarios together, which prevents from proposing scenarios with more advanced cyber security exploits. In this vision paper, we rely on feature-based context-oriented modelling to generate relevant cyber range scenarios from an explicit user profile and exploits described in attack-defence trees. This result has high industrial potential, as it could enable a kind of on-demand cyber range scenario generation service.

References

[1]

Mathieu Acher, Philippe Collet, Franck Fleurey, Philippe Lahire, Sabine Moisan, and Jean-Paul Rigault. 2009. Modeling context and dynamic adaptations with feature models. In 4th International Workshop Models@ run. time at Models 2009 (MRT’09). 10.

[2]

Eduard Baranov, Axel Legay, and Kuldeep S. Meel. 2020. Baital: an adaptive weighted sampling approach for improved t-wise coverage. In ESEC/FSE ’20: 28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Virtual Event, USA, November 8-13, 2020, Prem Devanbu, Myra B. Cohen, and Thomas Zimmermann (Eds.). ACM, 1114–1126.

[3]

Clark Barrett, Christopher L Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. 2011. Cvc4. In International Conference on Computer Aided Verification. Springer, 171–177.

Digital Library

[4]

Rafael Capilla, Óscar Ortiz, and Mike Hinchey. 2014. Context Variability for Context-Aware Systems. Computer 47, 2 (2014), 85–87.

Digital Library

[5]

Gabriele Costa, Enrico Russo, and Alessandro Armando. 2020. Automating the Generation of Cyber Range Virtual Scenarios with VSDL. arXiv preprint arXiv:2001.06681 (January 2020).

[6]

Pascal Costanza and Robert Hirschfeld. 2005. Language Constructs for Context-Oriented Programming: An Overview of ContextL. In Proceedings of the 2005 Symposium on Dynamic Languages (DLS ’05). ACM, 1–10.

Digital Library

[7]

Benoît Duhoux. 2022. Feature-Based Context-Oriented Software Development. Ph. D. Dissertation.

[8]

Benoît Duhoux, Kim Mens, and Bruno Dumas. 2019. Implementation of a Feature-Based Context-Oriented Programming Language. In Proceedings of the Workshop on Context-oriented Programming(COP ’19). ACM, 9–16.

Digital Library

[9]

Benoît Duhoux, Kim Mens, Bruno Dumas, and Hoo Sing Leung. 2019. A Context and Feature Visualisation Tool for a Feature-Based Context-Oriented Programming Language. In Proceedings of the Seminar Series on Advanced Techniques & Tools for Software Evolution (SATTOSE ’19)(CEUR Workshop Proceedings, Vol. 2510). CEUR-WS.org.

[10]

Igor Nai Fovino, Marcelo Masera, and Alessio De Cian. 2009. Integrating cyber attacks within fault trees. Reliability Engineering & System Safety 94, 9 (2009), 1394–1402.

[11]

Mattijs Ghijsen, Jeroen Van Der Ham, Paola Grosso, and Cees De Laat. 2012. Towards an infrastructure description language for modeling computing infrastructures. In 2012 IEEE 10th International Symposium on Parallel and Distributed Processing with Applications. IEEE, 207–214.

Digital Library

[12]

Sebastián González, Nicolás Cardozo, Kim Mens, Alfredo Cádiz, Jean-Christophe Libbrecht, and Julien Goffaux. 2011. Subjective-C: Bringing Context to Mobile Platform Programming. In Proceedings of 3rd International Conference on Software Language Engineering(SLE ’10). Springer, 246–265.

[13]

Mehrdad Hajizadeh, Trung V Phan, and Thomas Bauschert. 2018. Probability analysis of successful cyber attacks in sdn-based networks. In 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). IEEE, 1–6.

[14]

Herman Hartmann and Tim Trew. 2008. Using Feature Diagrams with Context Variability to Model Multiple Product Lines for Software Supply Chains. In Proceedings of 12th International Software Product Line Conference(SPLC ’08). IEEE, 12–21.

Digital Library

[15]

Robert Hirschfeld, Pascal Costanza, and Michael Haupt. 2008. Generative and Transformational Techniques in Software Engineering II. Springer, Chapter An Introduction to Context-Oriented Programming with ContextS, 396–407.

[16]

Kyo C. Kang, Sholom G. Cohen, James A. Hess, William E. Novak, and A. Spencer Peterson. 1990. Feature-Oriented Domain Analysis (FODA) Feasibility Study. Technical Report. Carnegie-Mellon University Software Engineering Institute.

[17]

Guilherme Piegas Koslovski, Pascale Vicat-Blanc Primet, and Andrea Schwertner Charao. 2008. VXDL: Virtual resources and interconnection networks description language. In International Conference on Networks for Grid Applications. Springer, 138–154.

[18]

Diego Kreutz, Fernando MV Ramos, Paulo Esteves Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. 2014. Software-defined networking: A comprehensive survey. Proc. IEEE 103, 1 (2014), 14–76.

[19]

Sunilkumar S Manvi and Gopal Krishna Shyam. 2014. Resource management for Infrastructure as a Service (IaaS) in cloud computing: A survey. Journal of network and computer applications 41 (2014), 424–440.

[20]

Pierre Martou, Kim Mens, Benoît Duhoux, and Axel Legay. 2021. Test Scenario Generation for Context-Oriented Programs. arXiv preprint arXiv:2109.11950(2021).

[21]

Kim Mens, Rafael Capilla, Herman Hartmann, and Thomas Kropf. 2017. Modeling and Managing Context-Aware Systems’ Variability. IEEE Software 34, 6 (2017), 58–63.

[22]

Guido Salvaneschi, Carlo Ghezzi, and Matteo Pradella. 2011. JavaCtx: Seamless Toolchain Integration for Context-oriented Programming. In Proceedings of 3rd International Workshop on Context-Oriented Programming(COP ’11). ACM, Article 4, 6 pages.

Digital Library

[23]

Muhammad Mudassar Yamin and Basel Katt. 2022. Modeling and executing cyber security exercise scenarios in cyber ranges. Computers & Security 116 (2022), 102635.

Digital Library

[24]

Ahmed S. Yesuf. 2014. Context-based attack tree modeling for software development: A framework for computer-aided and context-aware attack tree modeling approach for software development. LAP LAMBERT Academic Publishing.

Cited By

Zou XHu N(2024)Cyber-Range: the Scientific Infrastructure for Cyberspace Security Research2024 IEEE 9th International Conference on Data Science in Cyberspace (DSC)10.1109/DSC63484.2024.00032(188-195)Online publication date: 23-Aug-2024
https://doi.org/10.1109/DSC63484.2024.00032

Index terms have been assigned to the content through auto-classification.

Recommendations

AIT Cyber Range: Flexible Cyber Security Environment for Exercises, Training and Research
EICC '20: Proceedings of the 2020 European Interdisciplinary Cybersecurity Conference

With the evolution of threats and attacks and the speed of automation, new modern training and learning environments are needed to support the challenges of digital organizations and societies. In recent years, cyber ranges, i.e., virtual environments ...
Nautilus: A Tool For Automated Deployment And Sharing Of Cyber Range Scenarios
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

In any cybersecurity training program, a non-marginal fraction of the activities are usually devoted to ”hands-on” practice, typically in the form of vulnerable scenarios that the trainee must evaluate/penetrate. The manual setup and implementation of ...
Train as you Fight: Evaluating Authentic Cybersecurity Training in Cyber Ranges
CHI '23: Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems

Humans can play a decisive role in detecting and mitigating cyber attacks if they possess sufficient cybersecurity skills and knowledge. Realizing this potential requires effective cybersecurity training. Cyber range exercises (CRXs) represent a novel ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

COP '22: Proceedings of the 14th ACM International Workshop on Context-Oriented Programming and Advanced Modularity

June 2022

56 pages

ISBN:9781450399869

DOI:10.1145/3570353

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 December 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

COP '22

COP '22: International Workshop on Context-Oriented Programming and Advanced Modularity

June 7, 2022

Berlin, Germany

Acceptance Rates

Overall Acceptance Rate 17 of 25 submissions, 68%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
83
Total Downloads

Downloads (Last 12 months)29
Downloads (Last 6 weeks)3

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zou XHu N(2024)Cyber-Range: the Scientific Infrastructure for Cyberspace Security Research2024 IEEE 9th International Conference on Data Science in Cyberspace (DSC)10.1109/DSC63484.2024.00032(188-195)Online publication date: 23-Aug-2024
https://doi.org/10.1109/DSC63484.2024.00032

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Figures

Tables

Media

View Table of Conten