INCORPORATING SIMULATION INTO THE COMPUTER SECURITY CLASSROOM
UDC 004.415(043)
Al Kaibi Eman Gabar Abdul Hasen
graduate student at Moscow State University of Economics, Statistics and Informatics Tel. 8(903) -279-31-91 E-mail: Eman 1974.2007@yahoo.com
Dr.Naufel Bahjat Mohammed
E-mail: nbm 1961@yahoo.com
Attacks on the computer systems of any company are a serious and growing threat. The U.S. Naval Academy is examining a new tool to teach computer security to determine if the complex concepts relating to computer security can be more effectively taught by including simulations in the classroom. The simulation environment under investigation consists of both an Internet Attack Simulator and a Network Simulator. In this article we try to analyze new methods of teaching computer security.
Keywords: computer security, attacks, simulators, Internet, Attack Simulator, Network Simulator.
Al Kaibi Eman Gabar Abdul Hasen
graduate student at Moscow State University of Economics, Statistics and Informatics Tel. 8(903) -279-31-91 E-mail: Eman 1974.2007@yahoo.com
Naufel Bahjat Mohammed
E-mail: nbm 1961@yahoo.com
USING SIMULATION SYSTEMS IN TEACHING COMPUTER SECURITY
Attacks on the computer systems of any company are a serious and growing threat. The U.S. Naval Academy is using a new tool for teaching computer security. To convey the complexity of computer security problems more effectively, attack simulation is used in teaching. The attack simulation environment consists of both an Internet attack simulator and a network simulator. In this article we try to analyze new methods of teaching computer security.
Keywords: computer security, attacks, simulators, Internet.
1. Introduction
Computers and computer networks are to today's Information Age what locomotives, automobiles and later aircraft and their associated roads, railways and airports were to the Industrial and Postindustrial Ages. The rules and relationships of computer networks are complex and critical to the functioning of cyberspace; a world within a world from where nearly every aspect of modern life is facilitated, controlled and dependent. Essential life sustaining elements of our country are purchased, distributed and sustained for much of our citizenry by way of networked computers. One need not own a computer to have life disrupted by the failure or compromise of a computer system. Fuels, electricity, water, payroll, food, healthcare, and communications for the majority of our nation are all computer and computer network dependent. Indeed, computer networks are critical elements to our national infrastructure. Understanding the significance of securing our computer networks and their sensitive information is not just important to users and managers of information technology, it is important in varying degrees to all whose livelihood is dependent on these systems. The Department of Defense (DoD), with its network-centric operations, has particularly stringent requirements to protect its information and systems. United States Space Command (USSPACECOM) was assigned the mission to defend DoD computer networks and systems as well as the mission to coordinate, support and conduct computer network attack in support of national objectives.
In October 2002, USSPACECOM merged with United States Strategic Command (USSTRATCOM), which assumed the Computer Network Operations mission as part of its overall charter for the integration of Information Operations (IO) into military plans and operations across the spectrum of conflict. The United States Military Academies have made a commitment to educate graduates of Computer Science and Information Technology programs in the fundamentals of information systems security. Military and civilian personnel at every command perform missions in a distributed network environment with countless users. This dynamic network structure grows and shrinks depending on the task at hand. New users mean exposing systems to new threats, therefore the entire Information Technology (IT) staff must have a thorough appreciation for cyber warfare, which can be attained through training and education and reinforced by operational exercises.
2. Virtual network simulator
Education and Training courseware for computer security can be supported by simulation. The Virtual Network Simulation (VNS) provides a potential tool for such activities. Education and training are key to preparing computer security professionals within the DoD for real world missions. Although our research was focused on the contribution of simulation to the comprehension of complex computer security concepts in a classroom environment, it is easy to conceive how a simulation can be expanded to support various exercise scenarios.
The Virtual Network Simulation, Version 3.0, is a distributed simulation system designed to simulate Internet attacks in an interactive graphical environment. VNS' component systems are called the Internet Attack Simulator (IAS) and one or more Network Simulators (NS). The VNS began as a system comprised of a single NS interacting with a single IAS to educate students on the fundamental concepts of information assurance (IA). These include the ability to recognize attacks while they are underway and to differentiate between types of attacks as well as understanding IA policies and tools and how they mitigate attacks when properly employed. The VNS has evolved into a system comprised of multiple NSs and NS viewers with varying permissions to view and modify network components developed for specific events, while being engaged by an IAS. The NS models computer networks and network components, including hosts, routers, firewalls, Intrusion Detection Systems (IDSs), switches, hubs and links. The NS displays the entire network graphically, showing the current state of links and nodes using colors and icons. The NS operator can configure these devices to change the behavior of the model depending on the current configuration of the various nodes. The NS models background traffic and is capable of generating traffic from specific services running on the network.
The IAS includes a graphical user interface that allows the operator to easily select the attack technique, the target(s) of the attack, the intensity, and all other relevant
attack parameters. The IAS interjects simulated attacks into the simulated networks on the NS and displays the effects based on the Reaction Database. The Reaction Database is the key resource used by the VNS to determine the effects of the attacks and how to react. When the NS receives an attack, it will determine the outcome of an attack using information it collects from the attack itself, the node's configuration, and the Reaction Database. It is also a resource for the IAS to determine what attacks it can launch and what parameters are required for each attack. Instructive in design, the IAS includes an onboard library called the attack taxonomy. The user can query the IAS for a description of the effects of a particular attack with links to descriptions of the myriad of real world variants of the particular attack. The system is essentially a real time interactive virtual cyber world with the focus on the student defender to implement security measures and respond to attacks. The defender learns the concepts of computer security through virtual experience.
Actual system architecture can be mimicked in the VNS and alternate security mechanisms can be placed appropriately. Various attack scenarios launched against the newly created network will be assessed and additional alterations can be made. The system represents the effects of attacks rather than sending real attacks, so it is not a potential tool to wreak havoc were it to be connected to live networks.
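As an added illustration (not VNS code and not from the article's authors), the sketch below models the outcome-resolution step described above: the same simulated attack produces different effects depending on the node's configuration and an ordered rule set standing in for the Reaction Database. The rule format, technique names, effect labels and node fields are all assumptions made for the example; the article does not document the Reaction Database's actual schema.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """Configuration a defender can change on a simulated host (constructed model)."""
    name: str
    services: set                                      # services running on the host
    patched: set = field(default_factory=set)          # services with current patches
    firewall_blocks: set = field(default_factory=set)  # services filtered upstream
    ids_enabled: bool = False
    state: str = "normal"                              # what the display would colour


@dataclass
class Attack:
    technique: str      # key into the reaction database
    service: str        # targeted service
    intensity: int = 1  # operator-chosen, 1..10 (assumed scale)


def _filtered(node, atk):
    return atk.service in node.firewall_blocks


def _running(node, atk):
    return atk.service in node.services


# Hypothetical reaction database: for each technique, the parameters the
# attack console must collect and ordered (condition, effect) rules.
# The first rule whose condition holds decides the effect.
REACTION_DB = {
    "port_scan": {
        "params": ["service"],
        "rules": [(_filtered, "blocked"), (_running, "service_disclosed")],
    },
    "syn_flood": {
        "params": ["service", "intensity"],
        "rules": [
            (_filtered, "blocked"),
            (lambda n, a: _running(n, a) and a.intensity >= 7, "service_down"),
            (_running, "service_degraded"),
        ],
    },
    "software_exploit": {
        "params": ["service"],
        "rules": [
            (_filtered, "blocked"),
            (lambda n, a: _running(n, a) and a.service not in n.patched,
             "host_compromised"),
        ],
    },
}

# Effects that change the node's displayed state.
STATE_FOR_EFFECT = {
    "service_down": "down",
    "service_degraded": "degraded",
    "host_compromised": "compromised",
}


def available_attacks():
    """What the attack console can offer, and which parameters each one needs."""
    return {name: entry["params"] for name, entry in REACTION_DB.items()}


def resolve(node, atk):
    """Combine the attack, the node's configuration and the rules into an outcome."""
    entry = REACTION_DB.get(atk.technique)
    if entry is None:
        raise ValueError(f"unknown technique: {atk.technique}")
    effect = next((e for cond, e in entry["rules"] if cond(node, atk)), "no_effect")
    node.state = STATE_FOR_EFFECT.get(effect, node.state)
    # Assumption: an enabled IDS reports every attempt, whatever its outcome.
    return {"node": node.name, "effect": effect,
            "ids_alert": node.ids_enabled, "state": node.state}


def run_scenario():
    """Same three attacks against a default host and a hardened one (constructed data)."""
    default = Node("web-1", services={"http", "ssh"})
    hardened = Node("web-2", services={"http", "ssh"}, patched={"http"},
                    firewall_blocks={"ssh"}, ids_enabled=True)
    attacks = [Attack("port_scan", "ssh"),
               Attack("software_exploit", "http"),
               Attack("syn_flood", "http", intensity=8)]
    return [resolve(n, a) for n in (default, hardened) for a in attacks]
```

Comparing the two hosts' results shows the classroom point: patching and filtering change the outcome of the scan and the exploit, while the flood against the exposed service still succeeds and only the IDS makes it visible.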
3. Simulation in the classroom
VNS can reinforce the lecture in both concurrent demonstrations of the principles being taught, and later, in individual practical exercises. USSPACECOM developed an Advanced Computer Network Operations (CNO) Course for those professionals who need a more in-depth understanding of computer security issues than could be garnered from the introductory CNO Basic Course. In the first offering of the CNO Advanced Course, the simulation proved to be an effective means of reinforcing the facts and teaching the principles and analysis of computer security in the classroom.
USSTRATCOM later used this course on the USS Blue Ridge for 30 Information Technology sailors and is now integrating the simulator into its headquarters CNO Basic Course at Offutt Air Force Base. Given the interactive environment to visualize, construct and learn by trial and error, students attributed the majority of their knowledge gained to exposure
to the simulation. Understanding the complex and dynamic subject of the CNO environment can be accelerated when lecture is supported by interaction in a simulated cyber environment. Both the lay and the information technology professional benefit from the visualization of cyber behavior afforded in the risk free environment that a simulation provides. Probably the most effective training environment is the live one. However, a live and sufficiently robust computer network environment is an expensive and expansive labyrinth of cables, connections, switches, routers, servers and computers distributed over a building, campus or continent. To see a network of significant size means dedicating time and locomotion as well as gaining access to controlled areas. Naturally, it is an expensive proposition to construct a laboratory representing a network in the classroom. Laboratories are the appropriate next step from the classroom in any scientific learning progression. Lecture modules followed the methodology outlined in the classic "Hacking Exposed" series. [1] Hackers traditionally begin by performing reconnaissance on the target system, then gain access to the system, perform the exploit, cover their tracks, and, finally, add an alternate means of system access. Each module of the course included a lecture and one or more practical exercises using the VNS. The course included the following modules:
• DEFENSE IN DEPTH: Knowledge of security methods available to counter different attack methods and the weaknesses of safeguard mechanisms.
• HACKER METHODOLOGY: Knowledge of methods employed by hackers to identify network architecture, retrieve/alter files, compromise hosts, and disable networks.
• HACKER EXPLOITS: Knowledge of the tools or techniques used by hackers that take advantage of security weaknesses or vulnerabilities within networks.
• RECONNAISSANCE: Knowledge of the different types of Internet reconnaissance attacks, what their effects are, and under what circumstances they are effective.
• DENIAL OF SERVICE: Knowledge of the different types of Denial of Service attacks, what the effects are, and under what circumstances they are effective.
• UNAUTHORIZED ACCESS: Knowledge of the different types of unauthorized access attacks, what the effects are, and under what circumstances they are effective.
• SOFTWARE AND OPERATING SYSTEM VULNERABILITIES: Knowledge of the different types of attacks that specifically target software & OS vulnerabilities, what their effects are, and under what circumstances they are effective.
• INFORMATION ASSURANCE: Knowledge of how to defend against different types of attacks by running the proper IA tools.
• DECEPTION ATTACKS: Knowledge of how to defend against types of attacks by properly configuring firewalls and Access Control Lists.
• INFORMATION CONDITION (INFOCON): Knowledge of measures to uniformly heighten or reduce Computer Network Defense posture, to defend computer network attacks and mitigate sustained damage to the DoD information infrastructure.
Students were introduced to the information security topic in a short 10-15 minute lecture followed by a demonstration performed by the instructor on a presentation system. The instructor was able to display both the attacker and the nominal network simultaneously. After a brief discussion regarding the demonstration, student pairs performed related exercises using existing network topologies. Each pair had one student in the role of attacker and one student in the role of defender. The attackers followed the systematic approach outlined above and added exploit opportunities as they were covered in lectures.
A simulation, however, may be able to complement the material presented in lecture when computer security concepts are introduced to the students without requiring the intense overhead of a laboratory set up. We have validated the effectiveness of such a model, using the Virtual Network Simulation, as a means of highlighting specific technical details and training the principles and analysis of computer network operations in the classroom.
4. Simulations in the department of defense
In recent U.S. history, the Department of War used simulations in preparation for and prosecution of World War II. These simulations, known as "war games" were accompanied by operations research methods to model complex combat situations. A Rand Corporation simulation was converted from defense use for employment in business schools in the early 1960s. [2] From this point simulations entered education and later with the explosion of personal computing, simulations
have become part of modern American culture and possess an evident power given today's enormous public following. Participation is by no means restricted to the "digital generation". There are thousands of simulations that fall into the category of entertainment that model interests ranging from building cities, civilizations or reconstruction of significant events from various historical periods. In 1993, a management consultant, Kim Slack said, "Simulations produce powerful experiences, providing insight and skills for participants to use as a basis for changing their behavior." [2] A developer of simulations stated, the power behind simulations is that you experience something, rather than just talk about it. When people are asked to take action, they tend to become totally involved in what is happening. And when an experience touches people's minds, hearts, and bodies, they are more likely to change in response to it.
The U.S. Army Research Institute (ARI) for the Behavioral and Social Sciences [3] evaluated an alternative training method known as constructivism, also described as discovery learning, in a study on digital skills training. The supporters of constructivism claim the method in this study "support[ed] deeper understanding and better transfer of training by integrating the content knowledge and digital system functions as a single training event. Thus training builds on existing knowledge by using experiences embedded in a real-world context." In this ARI study, the realistic situations used in constructivism cause the soldiers to move toward solving tougher problems that increased both comprehension and new knowledge acquired. How does discovery learning differ from traditional methods? Essentially, in this more interactive learning environment, the student discovers by way of practical exercise, along with fellow students and the instructor, how something works by applying the principles to the problems and inputting them into the learning tool or simulation. Instructor intervention, a technique called scaffolding, allows for learning situations to continue when the student or group is floundering. This intervention may take the form of a demonstration, an example, a question or even a mini-lesson to get the students to re-approach the problem from a new perspective.
Teaching a subject as complex as computer security to novices, by lecture only, without a place to see and analyze the facts and principles presented, risks simply passing on "inert knowledge." Inert knowledge is information taught without relevant context or meaning. In the ARI study and one released by the U.S. Department of Education [4], the phenomenon of inert knowledge is common with novices learning multifaceted skills. Inert knowledge results when students perform "tasks...stripped of the meanings and the context that they hold for real practitioners...[in this case] students are unable to extract anything that they can apply in richer, more complex situations outside of school."
The audience for training and education of computer network operations in the Department of Defense is comprised of adults. Adult learning theory [5], or andragogy, is based on the following assumptions about how adults learn:
• Adults have the need to know why they are learning something.
• Adults have a need to be self-directed.
• Adults bring more work-related experiences into the learning situation.
• Adults enter into a learning experience with a problem-centered approach to learning.
• Adults are motivated to learn by both extrinsic and intrinsic motivators.
Andragogy and the use of a simulation in the classroom to support training in computer network operations are complementary. The environment of practical exercises, where decisions are played out on the computer screen, is well suited to meet the expectations laid out in the assumptions of Adult Learning Theory. The first four of them are addressed here in the same order as presented:
1. Students know why they are learning computer security, since the simulated network before them is vulnerable and can be damaged without it.
2. A practical exercise will not only allow self-direction when properly constructed, it allows for exploration and experimentation. An interactive network can allow multiple solutions to a problem and the opportunity to compare and analyze what is best based on the outcomes rendered.
3. Anyone working in networks or computer security will have an experience to inject into the simulation. We found in teaching with the Virtual Network Simulation that all network savvy students wanted to see a particular feature added or modified to provide additional realism or facility.
4. Practical exercises are in essence story problems. The adult learner's inclination toward problem-centered learning is well met by the analysis and hands-on implementation of
solutions inherent in the simulation-supported environment.
"All learning takes place in the context of failure," according to Robert Schank, a professor emeritus of psychology, education and computer science, and former director of the Institute for the Learning Sciences (ILS) at Northwestern. [6] His novel approach to learning might be summed up as "The best way to teach someone something is to give them information they need to do something they already want to do." According to one large corporate customer of LSI, the "learning by doing" approach in a multimedia self-study developed under Schank's program "is far more effective in getting concepts across to the trainees." Schank says, "In our system you try a task by jumping right into it. You make mistakes. The expertise then comes and finds you. If you are learning something and it does not involve failure, you haven't learned anything." Schank is a strong supporter of simulations as well; he stated, "The best educational software ever written is the flight simulator... A 747 pilot can try different strategies, even crash the plane repeatedly with no consequences." Schank's ILS has moved into building simulations to teach people complex social tasks called Guided Social Simulation. The system's programs "contain teaching modules that monitor the simulation and provide stories, commentary and guidance." "Fun is the secret ingredient... An instructional designer's job is to make learning fun... Which means that students will enjoy what they are doing. If the instruction is designed correctly, they will learn." Dr. Schank's leveraging of technology to take advantage of natural learning goals, i.e., learning based on "increasing one's power to operate successfully in various endeavors" is a valuable consideration in developing more effective simulations.
5. Method of validation
The course developers and administrators presented a survey to the students involved with the first use of the Virtual Network Simulation in a learning environment. The setting was the 20 hour CNO Advanced Course offered to 8 staff members of the U.S. Space Command in late May of 2002. Prior to the first class session, the students filled out a survey that assessed their knowledge level on the CNO subjects to be taught. After the course, a similar survey was administered that requested a self-assessment of knowledge gained and the percentage of the gain attributable to the lecture and VNS practical exercises, respectively. The course consisted of 17 modules, 9 taught by lecture only and 8 which were presented using the Virtual Network Simulation. The 9 lecture-only modules were conducted on day 1. The simulation-based modules were conducted with a brief lecture, followed by a VNS demonstration, and a self-paced practical exercise with direct interaction with the VNS. Due to a clerical error, data was only collected on 7 of the 8 simulation modules.
The raw data from these surveys were entered into a spreadsheet and used to calculate the numerical changes in knowledge levels from the pre and post surveys for each student for each module. These values were used, in turn, to calculate the average percent increase. As expected, we saw a significant increase in understanding in the modules that included a simulation element. The difference in average increase between the lecture (23%) and simulation-supported modules (29%) was 6% and the individual module increases ranged from 6.25% to 34.2%. The most surprising aspect of these results was that the students attributed 54% of the knowledge gained in the 9 lecture-only based modules to the VNS. Recall that these modules were presented the day prior to the incorporation of the VNS. Clearly, the use of the VNS and the simulation-based practical exercises reinforce the concepts introduced on day 1.
In the second CNO Advanced Course, 30 Information Technology sailors aboard the USS Blue Ridge, based in Yokosuka, Japan, were trained in November 2003. In a comparison of pre- and post-training survey results, the sailors reported an overall increase of 31% in their knowledge level of the subjects trained, with 64% attributed to their interaction with the Virtual Network Simulator. Since some of the lectures were provided in advance by the USS Blue Ridge leadership in the weeks leading up to the course, and three hours of lecture provided in the course were updated, our second survey assessed only the overall increase in knowledge and what portion the students attributed to simulation.
6. Conclusions and recommendations
Simulations can significantly improve
the understanding of Computer Network Operations directly when integrated in the classroom environment and indirectly by reinforcing concepts previously delivered by lecture only. In the first course, across the 7 CNO Advanced Course practical exercises with simulation support, students reported an average 29% increase in knowledge level with 78% of that increase attributed to the VNS practical exercises. This is the direct influence. The practical exercises were preceded by mini-lectures, approximately 10 minutes in length, and demonstrations on "how to" use VNS for the particular module. These modules focused on discovery learning. This method of self-guided practical exercise allowed novices and experts to learn at their optimal learning rates, empowered by the visualization and interaction of simulation. In the second course, we had a more technically trained audience (system administrators vs. staff officers) and time constraints that caused us to have the students' leadership provide some lectures in advance.
Our results of a 31% increase in knowledge and 64% attribution to simulation confirmed the value of simulation, although the training conditions did not permit an exact comparison between the two courses. Students on the USS Blue Ridge had the following comments:
• my level of network security increased
• learned a lot about protecting the system
• would like to have these training tools for FIWC CND!
• liked the hands on simulation
• course was good and brought my understanding of how weak we really are
• lectures, handouts, and the VNS laptops worked together perfectly in teaching and illustrating network hacking and security
• I have a better understanding of network security and what hackers can do to your network, and how fast it can happen
• very helpful to see what is going on in your network
Because simulations are effective, even powerful, tools to help us visualize and better understand complex concepts and relationships such as those in computer networks, we should use them to our advantage. Students can benefit from the integration of simulations like the Virtual Network Simulation into the early stages of learning about computer network behavior. Lectures are still necessary because they allow the instructor to stimulate, mentor, assess and intervene in the learning process, leading to optimal learning. Because simulations tend to require more classroom time, demand rigorous preparation, and require skilled facilitation, instructors should conduct a thorough analysis of return-on-investment before plunging into integrating a simulation as part of courseware. The United States Naval Academy will incorporate simulation into the senior-level Information Assurance course for the Information Technology Majors. While IT students have a firm background in Computer Architecture and Networking, their program emphasizes policy development and network architecture rather than protocol details and socket programming. The simulation environment is ideal for this program because class time is not spent on developing proficiency in a multitude of tools. Instead, valuable class time is devoted to discussing high-level concepts and illustrating the use of the tools without actually having to struggle with the inevitably steep learning curve required to use them successfully. In addition, simulation allows students to experiment with alternative implementations without the detriment of reloading a clean operating system or reloading multiple applications.
References
1. Scambray, J., McClure, S., and Kurtz, G., Hacking Exposed, McGraw-Hill, Berkeley, 2001.
2. Slack, K., "Training for the Real Thing", Training and Development, 47 (6), May 1993, p 79.
3. Schaab, B.B, Moses, F.L., "Six Myths About Digital Skills Training", US Army Research Institute for the Behavioral and Social Sciences, ARI RR 1774, p 32.
4. Means, B., Balndo, J., Olson, K., Middleton, T., Morocco, C.C., Remz, A., and Zorfass, J., "Using Technology to Support Education Reform", Support for Student Learning Activities, Washington, DC. Downloaded from http://www.ed.gov/oubs/EdReformStudies/TechReforms/chap3a.html
5. Noe, R., Employee Training and Development, McGraw-Hill, Berkeley, 2001, p. 87.
6. Srikumar, S., "The Simulator Classroom: Why Corporations are Betting Heavily on Sophisticated New Simulation Software", Financial World, Vol. 164 (3), p. 56.
Экономика, Статистика и Информатика, №3, 2011