"The red agent deletes the contents of the database. When this happens, the web app cannot fetch data and users navigating to the website get a 404 error.\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Network\n",
"\n",
"- The web server has:\n",
" - a web service that replies to user HTTP requests\n",
" - a database client that fetches data for the web service\n",
"- The database server has:\n",
" - a POSTGRES database service\n",
" - a database file which is accessed by the database service\n",
" - FTP client used for backing up the data to the backup_server\n",
"- The backup server has:\n",
" - a copy of the database file in a known good state\n",
" - FTP server that can send the backed up file back to the database server\n"
"There are green agents logged onto client 1 and client 2. They use the web browser to navigate to `http://arcd.com/users`. The web server replies with a status code 200 if the data is available on the database or 404 if not available."
"The red agent waits a bit then sends a DELETE query to the database from client 1. If the delete is successful, the database file is flagged as compromised to signal that data is not available.\n",
"The blue agent can view the entire network, but the health statuses of components are not updated until a scan is performed. The blue agent should restore the database file from backup after it was compromised. It can also prevent further attacks by blocking client 1 from sending the malicious SQL query to the database server. This can be done by implementing an ACL rule on the router."
"The red agent sits on client 1 and uses an application called DataManipulationBot whose sole purpose is to send a DELETE query to the database.\n",
"The red agent can choose one of two action each timestep:\n",
"1. do nothing\n",
"2. execute the data manipulation application\n",
"The schedule for selecting when to execute the application is controlled by three parameters:\n",
"- start time\n",
"- frequency\n",
"- variance\n",
"Attacks start at a random timestep between (start_time - variance) and (start_time + variance). After each attack, another is attempted after a random delay between (frequency - variance) and (frequency + variance) timesteps.\n",
"\n",
"The data manipulation app itself has an element of randomness because the attack has a probability of success. The default is 0.8 to succeed with the port scan step and 0.8 to succeed with the attack itself.\n",
"Upon a successful attack, the database file becomes corrupted which incurs a negative reward for the RL defender.\n",
"\n",
"The red agent does not use information about the state of the network to decide its action.\n",
"The green agents use the web browser application to send requests to the web server. The schedule of each green agent is currently random, meaning it will request webpage with a 50% probability, and do nothing with a 50% probability.\n",
"The blue agent's observation space is structured as nested dictionary with the following information:\n",
"```\n",
"\n",
"- NODES\n",
" - <node_id 1-7>\n",
" - SERVICES\n",
" - <service_id 1-1>\n",
" - operating_status\n",
" - health_status\n",
" - FOLDERS\n",
" - <folder_id 1-1>\n",
" - health_status\n",
" - FILES\n",
" - <file_id 1-1>\n",
" - health_status\n",
" - NICS\n",
" - <nic_id 1-2>\n",
" - nic_status\n",
" - operating_status\n",
"- LINKS\n",
" - <link_id 1-10>\n",
" - PROTOCOLS\n",
" - ALL\n",
" - load\n",
"- ACL\n",
" - <rule_number 1-10>\n",
" - position\n",
" - permission\n",
" - source_node_id\n",
" - source_port\n",
" - dest_node_id\n",
" - dest_port\n",
" - protocol\n",
"- ICS\n",
"```\n",
"\n",
"### Mappings\n",
"\n",
"The dict keys for `node_id` are in the following order:\n",
"|node_id|node name|\n",
"|--|--|\n",
"|1|domain_controller|\n",
"|2|web_server|\n",
"|3|database_server|\n",
"|4|backup_server|\n",
"|5|security_suite|\n",
"|6|client_1|\n",
"|7|client_2|\n",
"\n",
"Service 1 on node 2 (web_server) corresponds to the Web Server service. Other services are only there for padding to ensure that each node's observation space has the same shape. They are filled with zeroes.\n",
"\n",
"Folder 1 on node 3 corresponds to the database folder. File 1 in that folder corresponds to the database storage file. Other files and folders are only there for padding to ensure that each node's observation space has the same shape. They are filled with zeroes.\n",
"\n",
"The dict keys for `link_id` are in the following order:\n",
"|link_id|endpoint_a|endpoint_b|\n",
"|--|--|--|\n",
"|1|router_1|switch_1|\n",
"|1|router_1|switch_2|\n",
"|1|switch_1|domain_controller|\n",
"|1|switch_1|web_server|\n",
"|1|switch_1|database_server|\n",
"|1|switch_1|backup_server|\n",
"|1|switch_1|security_suite|\n",
"|1|switch_2|client_1|\n",
"|1|switch_2|client_2|\n",
"|1|switch_2|security_suite|\n",
"\n",
"The ACL rules in the observation space appear in the same order that they do in the actual ACL. Though, only the first 10 rules are shown, there are default rules lower down that cannot be changed by the agent. The extra rules just allow the network to function normally, by allowing pings, ARP traffic, etc.\n",
"\n",
"Most nodes have only 1 nic, so the observation for those is placed at NIC index 1 in the observation space. Only the security suite has 2 NICs, the second NIC in the observation space is the one that connects the security suite with swtich_2.\n",
"\n",
"The meaning of the services' operating_state is:\n",
"|operating_state|label|\n",
"|--|--|\n",
"|0|UNUSED|\n",
"|1|RUNNING|\n",
"|2|STOPPED|\n",
"|3|PAUSED|\n",
"|4|DISABLED|\n",
"|5|INSTALLING|\n",
"|6|RESTARTING|\n",
"\n",
"The meaning of the services' health_state is:\n",
"|health_state|label|\n",
"|--|--|\n",
"|0|UNUSED|\n",
"|1|GOOD|\n",
"|2|PATCHING|\n",
"|3|COMPROMISED|\n",
"|4|OVERWHELMED|\n",
"\n",
"The meaning of the files' and folders' health_state is:\n",
"|health_state|label|\n",
"|--|--|\n",
"|0|UNUSED|\n",
"|1|GOOD|\n",
"|2|COMPROMISED|\n",
"|3|CORRUPT|\n",
"|4|RESTORING|\n",
"|5|REPAIRING|\n",
"\n",
"The meaning of the NICs' operating_status is:\n",
"|operating_status|label|\n",
"|--|--|\n",
"|0|UNUSED|\n",
"|1|ENABLED|\n",
"|2|DISABLED|\n",
"\n",
"Link load has the following meaning:\n",
"|load|percent utilisation|\n",
"|--|--|\n",
"|0|exactly 0%|\n",
"|1|0-11%|\n",
"|2|11-22%|\n",
"|3|22-33%|\n",
"|4|33-44%|\n",
"|5|44-55%|\n",
"|6|55-66%|\n",
"|7|66-77%|\n",
"|8|77-88%|\n",
"|9|88-99%|\n",
"|10|exactly 100%|\n",
"\n",
"ACL permission has the following meaning:\n",
"|permission|label|\n",
"|--|--|\n",
"|0|UNUSED|\n",
"|1|ALLOW|\n",
"|2|DENY|\n",
"\n",
"ACL source / destination node ids actually correspond to IP addresses (since ACLs work with IP addresses)\n",
"|source / dest node id|ip_address|label|\n",
"|--|--|--|\n",
"|0| | UNUSED|\n",
"|1| |ALL addresses|\n",
"|2| 192.168.1.10 | domain_controller|\n",
"|3| 192.168.1.12 | web_server \n",
"|4| 192.168.1.14 | database_server|\n",
"|5| 192.168.1.16 | backup_server|\n",
"|6| 192.168.1.110 | security_suite (eth-1)|\n",
"|7| 192.168.10.21 | client_1|\n",
"|8| 192.168.10.22 | client_2|\n",
"|9| 192.168.10.110| security_suite (eth-2)|\n",
"\n",
"ACL source / destination port ids have the following encoding:\n",
"|port id|port number| port use |\n",
"|--|--|--|\n",
"|0||UNUSED|\n",
"|1||ALL|\n",
"|2|219|ARP|\n",
"|3|53|DNS|\n",
"|4|80|HTTP|\n",
"|5|5432|POSTGRES_SERVER|\n",
"\n",
"ACL protocol ids have the following encoding:\n",
"|protocol id|label|\n",
"|--|--|\n",
"|0|UNUSED|\n",
"|1|ALL|\n",
"|2|ICMP|\n",
"|3|TCP|\n",
"|4|UDP|\n",
"\n",
"protocol"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Action Space\n",
"\n",
"The blue agent chooses from a list of 54 pre-defined actions. The full list is defined in the `action_map` in the config. The most important ones are explained here:\n",
"\n",
"- `0`: Do nothing\n",
"- `1`: Scan the web service - this refreshes the health status in the observation space\n",
"- `9`: Scan the database file - this refreshes the health status of the database file\n",
"- `13`: Patch the database service - This triggers the database to restore data from the backup server\n",
"- `19`: Shut down client 1\n",
"- `22`: Block outgoing traffic from client 1\n",
"- `26`: Block TCP traffic from client 1 to the database node\n",
"2. Whether each green agents' most recent webpage request was successful (+1 for a `200` return code, -1 for a `404` return code and 0 otherwise).\n",
"The file status reward and the two green-agent-related reward are averaged to get a total step reward.\n"
"This cell will print the observation when the network is healthy. You should be able to verify Node file and service statuses against the description above."
"The red agent will start attacking at some point between step 20 and 30. When this happens, the reward will go from 1.0 to 0.0, and to -1.0 when the green agent tries to access the webpage."
"The patching takes two steps, so the reward hasn't changed yet. Let's do nothing for another timestep, the reward should improve.\n",
"\n",
"The reward will be 0 as soon as the file finishes restoring. Then, the reward will increase to 1 when the green agent makes a request. (Because the webapp access part of the reward does not update until a successful request is made.)\n",
"\n",
"Run the following cell until the green action is `NODE_APPLICATION_EXECUTE`, then the reward should become 1. If you run it enough times, another red attack will happen and the reward will drop again."
"The blue agent can prevent attacks by implementing an ACL rule to stop client_1 from sending POSTGRES traffic to the database. (Let's also patch the database file to get the reward back up.)"
