.. only:: comment
    © Crown-owned copyright 2023, Defence Science and Technology Laboratory UK
DataManipulationBot
===================
The ``DataManipulationBot`` class provides functionality to connect to a ``DatabaseService`` and execute malicious SQL statements.
Overview
--------
The bot is intended to simulate a malicious actor who abuses an application's trusted database connectivity to carry out attacks on a database server, such as:

- Dropping tables
- Deleting records
- Modifying data
The bot performs its attack in the following stages, to simulate the real pattern of an attack:

- Logon - *The bot gains credentials and accesses the node.*
- Port Scan - *The bot finds accessible database servers on the network.*
- Attacking - *The bot delivers the payload to the discovered database servers.*

Each of these stages has a random, configurable probability of succeeding (10% by default), so a single attempt can stall at any stage. The bot can also be configured to repeat the attack once it is complete.
Usage
-----
- Create an instance and call ``configure`` to set:

  - Target database server IP
  - Database password (if needed)
  - SQL statement payload
  - Probability of success for each of the attack stages above

- Call ``run`` to connect and execute the statement.

The bot handles connecting, executing the statement, and disconnecting.

In a simulation, the bot can be controlled by a ``DataManipulationAgent``, which calls ``run`` on the bot at configured timesteps.
Example
-------
.. code-block:: python

    from ipaddress import IPv4Address

    # Assumes the PrimAITE classes (Computer, NodeOperatingState, DataManipulationBot)
    # are imported, and that ``network`` and ``switch_2`` were created earlier.
    client_1 = Computer(
        hostname="client_1",
        ip_address="192.168.10.21",
        subnet_mask="255.255.255.0",
        default_gateway="192.168.10.1",
        operating_state=NodeOperatingState.ON,  # initialise the computer in an ON state
    )
    network.connect(endpoint_a=switch_2.network_interface[1], endpoint_b=client_1.network_interface[1])

    # Install the bot on the client, fetch it from the software manager and configure it.
    client_1.software_manager.install(DataManipulationBot)
    data_manipulation_bot: DataManipulationBot = client_1.software_manager.software.get("DataManipulationBot")
    data_manipulation_bot.configure(server_ip_address=IPv4Address("192.168.1.14"), payload="DELETE")

    # Connect to the database service, execute the payload and disconnect.
    data_manipulation_bot.run()
This would connect to the database service at 192.168.1.14, authenticate, and execute the configured ``DELETE`` payload against the 'users' table.
Example with ``DataManipulationAgent``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When the bot is not driven manually, it is controlled by a data manipulation agent. Below is an example section of a configuration file that sets up a simulation with both the bot and its agent.
.. code-block:: yaml

    game_config:
      # ...
      agents:
        - ref: data_manipulation_red_bot
          team: RED
          type: RedDatabaseCorruptingAgent
          observation_space:
            type: UC2RedObservation
            options:
              nodes:
                - node_ref: client_1
                  observations:
                    - logon_status
                    - operating_status
                  applications:
                    - application_ref: data_manipulation_bot
                      observations:
                        - operating_status
                        - health_status
                  folders: {}
          action_space:
            action_list:
              - type: DONOTHING
              - type: NODE_APPLICATION_EXECUTE
            options:
              nodes:
                - node_ref: client_1
                  applications:
                    - application_ref: data_manipulation_bot
              max_folders_per_node: 1
              max_files_per_folder: 1
              max_services_per_node: 1
          reward_function:
            reward_components:
              - type: DUMMY
          agent_settings:
            start_settings:
              start_step: 25
              frequency: 20
              variance: 5
    # ...
    simulation:
      network:
        nodes:
          - ref: client_1
            type: computer
            # ... additional configuration here
            applications:
              - ref: data_manipulation_bot
                type: DataManipulationBot
                options:
                  port_scan_p_of_success: 0.1
                  data_manipulation_p_of_success: 0.1
                  payload: "DELETE"
                  server_ip: 192.168.1.14
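The staged attack described under Overview and the ``start_settings`` of the agent configuration above interact: a bot that only gets to ``run`` every 20 or so timesteps, with a 10% chance per stage, will rarely land its payload in a short episode. The model below is an added example for reasoning about that offline; it is not PrimAITE's own code. ``StagedAttackModel``, ``agent_schedule`` and the other names are hypothetical, the model assumes one stage is attempted per ``run`` call with progress kept on failure, and it assumes the agent fires at ``start_step`` and then every ``frequency`` steps plus or minus a uniform ``variance``. The real bot may sequence its stages differently.

```python
import random
import statistics
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    LOGON = "logon"
    PORT_SCAN = "port_scan"
    ATTACKING = "attacking"
    COMPLETE = "complete"


# Order of the stages listed in the Overview.
_NEXT = {Stage.LOGON: Stage.PORT_SCAN,
         Stage.PORT_SCAN: Stage.ATTACKING,
         Stage.ATTACKING: Stage.COMPLETE}


@dataclass
class StagedAttackModel:
    """Hypothetical stand-in for the bot's stage handling (not the PrimAITE class)."""
    logon_p: float = 0.1      # assumed option name; the YAML shows port_scan_p_of_success
    port_scan_p: float = 0.1  # and data_manipulation_p_of_success for the later stages
    attack_p: float = 0.1
    repeat: bool = False      # restart from LOGON after a delivery, as the Overview allows
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    stage: Stage = Stage.LOGON
    payloads_delivered: int = 0

    def _p_success(self) -> float:
        return {Stage.LOGON: self.logon_p,
                Stage.PORT_SCAN: self.port_scan_p,
                Stage.ATTACKING: self.attack_p}[self.stage]

    def run(self) -> Stage:
        """One attempt at the current stage: advance on success, stay put on failure."""
        if self.stage is Stage.COMPLETE:
            if not self.repeat:
                return self.stage
            self.stage = Stage.LOGON
        if self.rng.random() < self._p_success():
            self.stage = _NEXT[self.stage]
            if self.stage is Stage.COMPLETE:
                self.payloads_delivered += 1
        return self.stage


def runs_until_delivery(logon_p=0.1, port_scan_p=0.1, attack_p=0.1,
                        seed=0, max_runs=10_000) -> int:
    """run() calls until the payload first lands (max_runs if it never does)."""
    bot = StagedAttackModel(logon_p, port_scan_p, attack_p, rng=random.Random(seed))
    for n in range(1, max_runs + 1):
        if bot.run() is Stage.COMPLETE:
            return n
    return max_runs


def mean_runs_until_delivery(trials=2000, **probs) -> float:
    """Monte Carlo estimate; analytically 1/logon_p + 1/port_scan_p + 1/attack_p,
    i.e. 30 run() calls at the 10% defaults."""
    return statistics.fmean(runs_until_delivery(seed=s, **probs) for s in range(trials))


def deliveries_after(n_runs: int, repeat=False, **probs) -> int:
    """Payloads delivered after n_runs consecutive run() calls."""
    bot = StagedAttackModel(repeat=repeat, **probs)
    for _ in range(n_runs):
        bot.run()
    return bot.payloads_delivered


def agent_schedule(start_step: int, frequency: int, variance: int,
                   episode_length: int, seed: int = 0) -> list:
    """Timesteps at which an agent-style controller would call run().
    Assumed rule: first at start_step, then every frequency +/- uniform variance."""
    if frequency <= variance:
        raise ValueError("frequency must exceed variance or the schedule may stall")
    rng = random.Random(seed)
    steps, t = [], start_step
    while t < episode_length:
        steps.append(t)
        t += frequency + rng.randint(-variance, variance)
    return steps


def payloads_in_episode(episode_length=500, seed=0, **bot_kw) -> int:
    """Payloads delivered when run() is only called on the agent's schedule
    (start_step=25, frequency=20, variance=5 as in the YAML above)."""
    bot = StagedAttackModel(rng=random.Random(seed), **bot_kw)
    for _ in agent_schedule(25, 20, 5, episode_length, seed=seed):
        bot.run()
    return bot.payloads_delivered
```

At the 10% defaults ``mean_runs_until_delivery()`` comes out near 30 ``run`` calls, which on a 20-step ``frequency`` is roughly 600 timesteps before the first delivery; raising the per-stage probabilities or lowering ``frequency`` is how to make the red agent bite sooner in a short episode.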
Implementation
--------------
The bot extends ``DatabaseClient`` and leverages its connectivity.

- Uses the ``Application`` base class for lifecycle management.
- Credentials, target IP and other options are set via ``configure``.
- ``run`` handles connecting, executing the statement, and disconnecting.
- The SQL payload is executed via the ``query`` method.
- Results in malicious SQL being executed on the remote database server.