PrimAITE/docs/source/simulation_components/system/data_manipulation_bot.rst

.. only:: comment

    © Crown-owned copyright 2023, Defence Science and Technology Laboratory UK


DataManipulationBot
===================

The ``DataManipulationBot`` class provides functionality to connect to a ``DatabaseService`` and execute malicious SQL statements.

Overview
--------

The bot is intended to simulate a malicious actor carrying out attacks like:

- Dropping tables
- Deleting records
- Modifying data
on a database server by abusing an application's trusted database connectivity.

The bot performs attacks in the following stages to simulate the real pattern of an attack:

- Logon - *The bot gains credentials and accesses the node.*
- Port Scan - *The bot finds accessible database servers on the network.*
- Attacking - *The bot delivers the payload to the discovered database servers.*

Each of these stages has a random, configurable probability of succeeding (by default 10%). The bot can also be configured to repeat the attack once complete.

Usage
-----

- Create an instance and call ``configure`` to set:
    - Target database server IP
    - Database password (if needed)
    - SQL statement payload
    - Probabilities for succeeding each of the above attack stages
- Call ``run`` to connect and execute the statement.

The bot handles connecting, executing the statement, and disconnecting.

In a simulation, the bot can be controlled by using ``DataManipulationAgent`` which calls ``run`` on the bot at configured timesteps.

Example
-------

.. code-block:: python

    client_1 = Computer(
        hostname="client_1",
        ip_address="192.168.10.21",
        subnet_mask="255.255.255.0",
        default_gateway="192.168.10.1"
        operating_state=NodeOperatingState.ON # initialise the computer in an ON state
    )
    network.connect(endpoint_b=client_1.ethernet_port[1], endpoint_a=switch_2.switch_ports[1])
    client_1.software_manager.install(DataManipulationBot)
    data_manipulation_bot: DataManipulationBot = client_1.software_manager.software.get("DataManipulationBot")
    data_manipulation_bot.configure(server_ip_address=IPv4Address("192.168.1.14"), payload="DELETE")
    data_manipulation_bot.run()

This would connect to the database service at 192.168.1.14, authenticate, and execute the SQL statement to drop the 'users' table.

Example with ``DataManipulationAgent``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If not using the data manipulation bot manually, it needs to be used with a data manipulation agent. Below is an example section of configuration file for setting up a simulation with data manipulation bot and agent.

.. code-block:: yaml

    game_config:
      # ...
      agents:
        - ref: data_manipulation_red_bot
          team: RED
          type: RedDatabaseCorruptingAgent

          observation_space:
            type: UC2RedObservation
            options:
              nodes:
                - node_ref: client_1
                  observations:
                  - logon_status
                  - operating_status
                  applications:
                  - application_ref: data_manipulation_bot
                    observations:
                      operating_status
                      health_status
                  folders: {}

          action_space:
            action_list:
              - type: DONOTHING
              - type: NODE_APPLICATION_EXECUTE
            options:
              nodes:
              - node_ref: client_1
                applications:
                  - application_ref: data_manipulation_bot
              max_folders_per_node: 1
              max_files_per_folder: 1
              max_services_per_node: 1

          reward_function:
            reward_components:
              - type: DUMMY

          agent_settings:
            start_settings:
              start_step: 25
              frequency: 20
              variance: 5
    # ...

    simulation:
      network:
        nodes:
        - ref: client_1
          type: computer
          # ... additional configuration here
          applications:
          - ref: data_manipulation_bot
            type: DataManipulationBot
            options:
              port_scan_p_of_success: 0.1
              data_manipulation_p_of_success: 0.1
              payload: "DELETE"
              server_ip: 192.168.1.14

Implementation
--------------

The bot extends ``DatabaseClient`` and leverages its connectivity.

- Uses the Application base class for lifecycle management.
- Credentials, target IP and other options set via ``configure``.
- ``run`` handles connecting, executing statement, and disconnecting.
- SQL payload executed via ``query`` method.
- Results in malicious SQL being executed on remote database server.
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			`.. only:: comment`

			`© Crown-owned copyright 2023, Defence Science and Technology Laboratory UK`


			`DataManipulationBot`
			`===================`

			The ``DataManipulationBot`` class provides functionality to connect to a ``DatabaseService`` and execute malicious SQL statements.

			`Overview`
			`--------`

			`The bot is intended to simulate a malicious actor carrying out attacks like:`

			`- Dropping tables`
			`- Deleting records`
			`- Modifying data`
#2068: Further typo and formatting changes. 2023-11-24 15:17:08 +00:00			`on a database server by abusing an application's trusted database connectivity.`
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00
Update data manipulation bot 2023-11-24 10:05:36 +00:00			`The bot performs attacks in the following stages to simulate the real pattern of an attack:`

Improve data manipulation bot documentation 2023-11-24 15:15:24 +00:00			`- Logon - The bot gains credentials and accesses the node.`
Update data manipulation bot 2023-11-24 10:05:36 +00:00			`- Port Scan - The bot finds accessible database servers on the network.`
			`- Attacking - The bot delivers the payload to the discovered database servers.`

Improve data manipulation bot documentation 2023-11-24 15:15:24 +00:00			`Each of these stages has a random, configurable probability of succeeding (by default 10%). The bot can also be configured to repeat the attack once complete.`
Update data manipulation bot 2023-11-24 10:05:36 +00:00
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			`Usage`
			`-----`

			- Create an instance and call ``configure`` to set:
Update data manipulation bot 2023-11-24 10:05:36 +00:00			`- Target database server IP`
			`- Database password (if needed)`
			`- SQL statement payload`
			`- Probabilities for succeeding each of the above attack stages`
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			- Call ``run`` to connect and execute the statement.

			`The bot handles connecting, executing the statement, and disconnecting.`

Improve data manipulation bot documentation 2023-11-24 15:15:24 +00:00			In a simulation, the bot can be controlled by using ``DataManipulationAgent`` which calls ``run`` on the bot at configured timesteps.

#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			`Example`
			`-------`

			`.. code-block:: python`

			`client_1 = Computer(`
#2064: documentation EVERYWHERE 2023-11-27 11:38:03 +00:00			`hostname="client_1",`
			`ip_address="192.168.10.21",`
			`subnet_mask="255.255.255.0",`
			`default_gateway="192.168.10.1"`
			`operating_state=NodeOperatingState.ON # initialise the computer in an ON state`
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			`)`
			`network.connect(endpoint_b=client_1.ethernet_port[1], endpoint_a=switch_2.switch_ports[1])`
			`client_1.software_manager.install(DataManipulationBot)`
#2084: change all instances of retrieving software from software['software_name'] to software.get() + adding some tests for describe state 2023-11-30 13:48:57 +00:00			`data_manipulation_bot: DataManipulationBot = client_1.software_manager.software.get("DataManipulationBot")`
Remove real database in favour of simulated 2023-11-18 03:40:08 +00:00			`data_manipulation_bot.configure(server_ip_address=IPv4Address("192.168.1.14"), payload="DELETE")`
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			`data_manipulation_bot.run()`

			`This would connect to the database service at 192.168.1.14, authenticate, and execute the SQL statement to drop the 'users' table.`

Improve data manipulation bot documentation 2023-11-24 15:15:24 +00:00			Example with ``DataManipulationAgent``
			`^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^`

			`If not using the data manipulation bot manually, it needs to be used with a data manipulation agent. Below is an example section of configuration file for setting up a simulation with data manipulation bot and agent.`

			`.. code-block:: yaml`

			`game_config:`
			`# ...`
			`agents:`
			`- ref: data_manipulation_red_bot`
			`team: RED`
			`type: RedDatabaseCorruptingAgent`

			`observation_space:`
			`type: UC2RedObservation`
			`options:`
			`nodes:`
			`- node_ref: client_1`
			`observations:`
			`- logon_status`
			`- operating_status`
			`applications:`
			`- application_ref: data_manipulation_bot`
			`observations:`
			`operating_status`
			`health_status`
			`folders: {}`

			`action_space:`
			`action_list:`
			`- type: DONOTHING`
			`- type: NODE_APPLICATION_EXECUTE`
			`options:`
			`nodes:`
			`- node_ref: client_1`
			`applications:`
			`- application_ref: data_manipulation_bot`
			`max_folders_per_node: 1`
			`max_files_per_folder: 1`
			`max_services_per_node: 1`

			`reward_function:`
			`reward_components:`
			`- type: DUMMY`

			`agent_settings:`
			`start_settings:`
			`start_step: 25`
			`frequency: 20`
			`variance: 5`
			`# ...`

			`simulation:`
			`network:`
			`nodes:`
			`- ref: client_1`
			`type: computer`
			`# ... additional configuration here`
			`applications:`
			`- ref: data_manipulation_bot`
			`type: DataManipulationBot`
			`options:`
			`port_scan_p_of_success: 0.1`
			`data_manipulation_p_of_success: 0.1`
			`payload: "DELETE"`
			`server_ip: 192.168.1.14`

#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			`Implementation`
			`--------------`

			The bot extends ``DatabaseClient`` and leverages its connectivity.

			`- Uses the Application base class for lifecycle management.`
Update data manipulation bot 2023-11-24 10:05:36 +00:00			- Credentials, target IP and other options set via ``configure``.
#1816 - Updated the DataManipulationBot to subclass DatabaseClient. Extended logging. Dropped the Link loading logging as it was clogging up the terminal output. 2023-09-11 16:15:03 +01:00			- ``run`` handles connecting, executing statement, and disconnecting.
			- SQL payload executed via ``query`` method.
			`- Results in malicious SQL being executed on remote database server.`