oxbrbtx/PrimAITE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#3110 UC7 notebook updates:

Browse Source 
- Improve clarity of some code cells (narrowed output)
- Reworded some questionably worded sections
- Updated some of the util functionality that using old action names
- Updated a lot of old names into kebab-case
- General tidy up and consistency changes.
This commit is contained in:
Archer Bowen
2025-03-13 15:21:07 +00:00
parent 7d37ddbb67
commit 6d4be8a653
7 changed files with 536 additions and 321 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/source/how_to_guides/primaite_yaml_migration_guide.rst
View File

@@ -341,7 +341,7 @@ From the above old-style YAML ``action_space.options`` example, the following ch
+----------------------------------------------+----------------------------------------------+
| ``GREEN_ADMIN_DATABASE_UNREACHABLE_PENALTY`` | ``green-admin-database-unreachable-penalty`` |
+----------------------------------------------+----------------------------------------------+
| ``ACTION_PENALTY | ``action-penalty`` |
| ``ACTION_PENALTY`` | ``action-penalty`` |
+----------------------------------------------+----------------------------------------------+
| ``DATABASE_FILE_INTEGRITY`` | ``database-file-integrity`` |
+----------------------------------------------+----------------------------------------------+

204
src/primaite/notebooks/UC7-E2E-Demo.ipynb
View File

@@ -4,16 +4,18 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"# UC7 Demonstration\n",
"# Use Case 7 Scenario Demonstration\n",
"\n",
"© Crown-owned copyright 2025, Defence Science and Technology Laboratory UK\n",
"\n",
"\n",
"UC7 is a cybersecurity scenario set in a generic medium sized organisation, where multiple LAN networks which interconnect via the 'internet' to represent a corporate WAN. Comprising of four major networks; `Home Office (HOME)`, `INTERNET (ISP)`, `REMOTE SITE (REMOTE)` and the larger main site `SOME_TECH`. Each network is comprised of routers, switches, computers and servers which green agents use to represent a more real-world accurate pattern of life.\n",
"Use Case 7 (UC7) is a cybersecurity scenario set in a generic enterprise organisation, where multiple LAN networks are connected via the 'internet' to represent a corporate WAN. Each network is comprised of routers, switches, computers and servers which green agents use to represent a more real-world accurate network architecture and pattern of life.\n",
"\n",
"Intended to be a step-up from the [smaller network of UC2](./Data-Manipulation-E2E-Demonstration.ipynb), UC7 introduces two new potential attacks (TAPS) that the blue agent must defend against. \n",
"Comprising of four major networks; `Home Office (HOME)`, `INTERNET (ISP)`, `REMOTE SITE (REMOTE)` and the larger main site `SOME_TECH`, UC7 is a significant step-up in fidelity from the [smaller network of UC2](./Data-Manipulation-E2E-Demonstration.ipynb). Additionally, two new red agents known as Threat Actor Profiles (TAPs) have been introduced which the blue agent can be trained to defend against. \n",
"\n",
"_This notebook acts as the starting point for any users unfamiliar with UC7 and will also sign post to any other UC7 relevant notebooks for further information._"
"Lastly, UC7 is intended to be a generic 'out-of-the-box' configuration that demonstrates the flexibility of PrimAITE rather than a predefined 'challenge' that can solved. Users are encouraged to modify, remove and introduce as much as they wish to create their own unique scenarios. \n",
"\n",
"_This notebook acts as the starting point for any users unfamiliar with UC7 and will sign post other UC7 relevant notebooks which provide further information._"
]
},
{
@@ -31,6 +33,7 @@
"metadata": {},
"outputs": [],
"source": [
"import yaml\n",
"from primaite.session.environment import PrimaiteGymEnv\n",
"from primaite.simulator.network.hardware.nodes.host.computer import Computer\n",
"from primaite.simulator.network.hardware.nodes.host.server import Server\n",
@@ -38,17 +41,10 @@
"from primaite.simulator.system.services.dns.dns_server import DNSServer\n",
"from primaite.simulator.system.software import SoftwareHealthState\n",
"from primaite.simulator.file_system.file_system_item_abc import FileSystemItemHealthStatus\n",
"from primaite.simulator.network.hardware.nodes.network.switch import Switch\n",
"from primaite.simulator.system.applications.web_browser import WebBrowser\n",
"from primaite.simulator.network.container import Network\n",
"from primaite.simulator.system.services.service import ServiceOperatingState\n",
"from primaite.simulator.network.hardware.node_operating_state import NodeOperatingState\n",
"from primaite.simulator.system.services.database.database_service import DatabaseService\n",
"from primaite.simulator.system.applications.database_client import DatabaseClient\n",
"from primaite.simulator.network.hardware.nodes.network.firewall import Firewall\n",
"from primaite.game.game import PrimaiteGame\n",
"from primaite.simulator.sim_container import Simulation\n",
"import yaml\n",
"from pprint import pprint\n",
"from primaite.config.load import load, _EXAMPLE_CFG"
]
@@ -339,7 +335,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH HEAD OFFICE (ST_HO)\n",
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH HEAD OFFICE (`ST_HO`)\n",
"\n",
"The some tech head office (`ST_HO`) is a simple LAN containing three computers with the default PC configuration."
]
@@ -358,7 +354,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH HUMAN RESOURCES (ST_HR)\n",
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH HUMAN RESOURCES (`ST_HR`)\n",
"\n",
"Similarly, the some tech head human resources office (`ST_HR`) consisting of three default PC configurations computers."
]
@@ -377,9 +373,9 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH DATA (ST_DATA)\n",
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH DATA (`ST_DATA`)\n",
"\n",
"The `ST_DATA` networks contains two servers pivotal to the daily operation of SOME_TECH.\n",
"The `ST_DATA` networks contains two servers pivotal to the daily operation of ``SOME_TECH``.\n",
"\n",
"| Server | Purpose |\n",
"|--------|---------|\n",
@@ -414,7 +410,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH PROJECT A (ST_PROJ_A)\n",
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH PROJECT A (`ST_PROJ_A`)\n",
"\n",
"All of the `ST_PROJ_A`/`B`/`C` project networks contain three computers and a switch which connects to the `ST_INTRA-PRV-RT-DR-1` router (as described previously)."
]
@@ -433,7 +429,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH PROJECT B (ST_PROJ_B)"
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH PROJECT B (`ST_PROJ_B`)"
]
},
{
@@ -450,7 +446,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH PROJECT C (ST_PROJ_C)"
"### NETWORK | SOME_TECH MAIN SITE | SOME_TECH PROJECT C (`ST_PROJ_C`)"
]
},
{
@@ -467,7 +463,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"## Use Case 7 Agent Description / Demonstration"
"## Agent Description / Demonstration"
]
},
{
@@ -505,38 +501,38 @@
"\n",
" **ID** | **PoL Type** | **Description of Activity** | **Agent Name** | **Source Node** | **Source App / Service** | **Destination Node** | **Destination App / Service** | **Transport Protocol** | **Application Protocol** | **Behaviour Type** | **Probabilities** | **Start Step** | **Start Variance** | **Max Executions** | **Frequency** | **Variance** | **Reward Impact** \n",
":------:|:------------:|:---------------------------------------------------:|:-------------------:|:------------------:|:------------------------:|:-----------------------:|:-----------------------------:|:----------------------:|:------------------------:|:------------------:|:-----------------:|:--------------:|:------------------:|:------------------:|:-------------:|:------------:|:-----------------:\n",
" 1 | AGENT | Home Worker accessing Some Tech database | HOME_WORKER-1 | HOME-PUB-PC-1 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 4 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 2 | AGENT | Home Worker accessing Some Tech web pages | HOME_WORKER-1 | HOME-PUB-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 3 | AGENT | Home Worker accessing Some Tech database | HOME_WORKER-2 | HOME-PUB-PC-2 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 8 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 4 | AGENT | Home Worker accessing Some Tech web pages | HOME_WORKER-2 | HOME-PUB-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 5 | AGENT | Remote Worker accessing Some Tech database | REMOTE_WORKER-1 | REM-PUB-PC-1 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 12 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 6 | AGENT | Remote Worker accessing Some Tech web pages | REMOTE_WORKER-1 | REM-PUB-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 7 | AGENT | Remote Worker accessing Some Tech database | REMOTE_WORKER-2 | REM-PUB-PC-2 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 16 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 8 | AGENT | Remote Worker accessing Some Tech web pages | REMOTE_WORKER-2 | REM-PUB-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 9 | AGENT | Senior Developer accessing Some Tech database | PROJ_A-SENIOR_DEV | ST_PROJ_A-PRV-PC-1 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | HIGH \n",
" 10 | AGENT | Senior Developer accessing Some Tech web pages | PROJ_A-SENIOR_DEV | ST_PROJ_A-PRV-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 40% chance | | | | | | LOW \n",
" 11 | AGENT | Junior Developer accessing Some Tech database | PROJ_A-JUNIOR_DEV-1 | ST_PROJ_A-PRV-PC-2 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 12 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_A-JUNIOR_DEV-1 | ST_PROJ_A-PRV-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 13 | AGENT | Junior Developer accessing Some Tech database | PROJ_A-JUNIOR_DEV-2 | ST_PROJ_A-PRV-PC-3 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 14 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_A-JUNIOR_DEV-2 | ST_PROJ_A-PRV-PC-3 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 15 | AGENT | Senior Developer accessing Some Tech database | PROJ_B-SENIOR_DEV | ST_PROJ_B-PRV-PC-1 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | HIGH \n",
" 16 | AGENT | Senior Developer accessing Some Tech web pages | PROJ_B-SENIOR_DEV | ST_PROJ_B-PRV-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 40% chance | | | | | | LOW \n",
" 17 | AGENT | Junior Developer accessing Some Tech database | PROJ_B-JUNIOR_DEV-1 | ST_PROJ_B-PRV-PC-2 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 18 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_B-JUNIOR_DEV-1 | ST_PROJ_B-PRV-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 19 | AGENT | Junior Developer accessing Some Tech database | PROJ_B-JUNIOR_DEV-2 | ST_PROJ_B-PRV-PC-3 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 20 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_B-JUNIOR_DEV-2 | ST_PROJ_B-PRV-PC-3 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 21 | AGENT | Senior Developer accessing Some Tech database | PROJ_C-SENIOR_DEV | ST_PROJ_C-PRV-PC-1 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | HIGH \n",
" 22 | AGENT | Senior Developer accessing Some Tech web pages | PROJ_C-SENIOR_DEV | ST_PROJ_C-PRV-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 40% chance | | | | | | LOW \n",
" 23 | AGENT | Junior Developer accessing Some Tech database | PROJ_C-JUNIOR_DEV-1 | ST_PROJ_C-PRV-PC-2 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 24 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_C-JUNIOR_DEV-1 | ST_PROJ_C-PRV-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 25 | AGENT | Junior Developer accessing Some Tech database | PROJ_C-JUNIOR_DEV-2 | ST_PROJ_C-PRV-PC-3 | Database Client | ST_DATA-PRV-SRV-DB | Database Service | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 26 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_C-JUNIOR_DEV-2 | ST_PROJ_C-PRV-PC-3 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 27 | AGENT | CEO accessing Some Tech web pages | CEO | ST_HO-PRV-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | HIGH \n",
" 28 | AGENT | CTO accessing Some Tech web pages | CTO | ST_HO-PRV-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | MEDIUM \n",
" 29 | AGENT | CFO accessing Some Tech web pages | CFO | ST_HO-PRV-PC-3 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | MEDIUM \n",
" 30 | AGENT | Senior HR accessing Some Tech web pages | SENIOR_HR | ST_HR-PRV-PC-1 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | MEDIUM \n",
" 31 | AGENT | Junior HR accessing Some Tech web pages | JUNIOR_HR-1 | ST_HR-PRV-PC-2 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | LOW \n",
" 32 | AGENT | Junior HR accessing Some Tech web pages | JUNIOR_HR-2 | ST_HR-PRV-PC-3 | Web Browser | ST_DMZ-PUB-SRV-WEB | Web Server | TCP | \n",
" 1 | AGENT | Home Worker accessing Some Tech database | HOME_WORKER-1 | HOME-PUB-PC-1 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 4 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 2 | AGENT | Home Worker accessing Some Tech web pages | HOME_WORKER-1 | HOME-PUB-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 3 | AGENT | Home Worker accessing Some Tech database | HOME_WORKER-2 | HOME-PUB-PC-2 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 8 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 4 | AGENT | Home Worker accessing Some Tech web pages | HOME_WORKER-2 | HOME-PUB-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 5 | AGENT | Remote Worker accessing Some Tech database | REMOTE_WORKER-1 | REM-PUB-PC-1 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 12 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 6 | AGENT | Remote Worker accessing Some Tech web pages | REMOTE_WORKER-1 | REM-PUB-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 7 | AGENT | Remote Worker accessing Some Tech database | REMOTE_WORKER-2 | REM-PUB-PC-2 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 16 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 8 | AGENT | Remote Worker accessing Some Tech web pages | REMOTE_WORKER-2 | REM-PUB-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 9 | AGENT | Senior Developer accessing Some Tech database | PROJ_A-SENIOR_DEV | ST_PROJ_A-PRV-PC-1 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | HIGH \n",
" 10 | AGENT | Senior Developer accessing Some Tech web pages | PROJ_A-SENIOR_DEV | ST_PROJ_A-PRV-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 40% chance | | | | | | LOW \n",
" 11 | AGENT | Junior Developer accessing Some Tech database | PROJ_A-JUNIOR_DEV-1 | ST_PROJ_A-PRV-PC-2 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 12 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_A-JUNIOR_DEV-1 | ST_PROJ_A-PRV-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 13 | AGENT | Junior Developer accessing Some Tech database | PROJ_A-JUNIOR_DEV-2 | ST_PROJ_A-PRV-PC-3 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 14 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_A-JUNIOR_DEV-2 | ST_PROJ_A-PRV-PC-3 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 15 | AGENT | Senior Developer accessing Some Tech database | PROJ_B-SENIOR_DEV | ST_PROJ_B-PRV-PC-1 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | HIGH \n",
" 16 | AGENT | Senior Developer accessing Some Tech web pages | PROJ_B-SENIOR_DEV | ST_PROJ_B-PRV-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 40% chance | | | | | | LOW \n",
" 17 | AGENT | Junior Developer accessing Some Tech database | PROJ_B-JUNIOR_DEV-1 | ST_PROJ_B-PRV-PC-2 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 18 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_B-JUNIOR_DEV-1 | ST_PROJ_B-PRV-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 19 | AGENT | Junior Developer accessing Some Tech database | PROJ_B-JUNIOR_DEV-2 | ST_PROJ_B-PRV-PC-3 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 20 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_B-JUNIOR_DEV-2 | ST_PROJ_B-PRV-PC-3 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 21 | AGENT | Senior Developer accessing Some Tech database | PROJ_C-SENIOR_DEV | ST_PROJ_C-PRV-PC-1 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | HIGH \n",
" 22 | AGENT | Senior Developer accessing Some Tech web pages | PROJ_C-SENIOR_DEV | ST_PROJ_C-PRV-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 40% chance | | | | | | LOW \n",
" 23 | AGENT | Junior Developer accessing Some Tech database | PROJ_C-JUNIOR_DEV-1 | ST_PROJ_C-PRV-PC-2 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 24 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_C-JUNIOR_DEV-1 | ST_PROJ_C-PRV-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 25 | AGENT | Junior Developer accessing Some Tech database | PROJ_C-JUNIOR_DEV-2 | ST_PROJ_C-PRV-PC-3 | `database-client` | ST_DATA-PRV-SRV-DB | `database-service` | TCP | PostgreSQL | PERIODIC | | 1 | 1 | 1000 | 4 | 1 | MEDIUM \n",
" 26 | AGENT | Junior Developer accessing Some Tech web pages | PROJ_C-JUNIOR_DEV-2 | ST_PROJ_C-PRV-PC-3 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 20% chance | | | | | | LOW \n",
" 27 | AGENT | CEO accessing Some Tech web pages | CEO | ST_HO-PRV-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | HIGH \n",
" 28 | AGENT | CTO accessing Some Tech web pages | CTO | ST_HO-PRV-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | MEDIUM \n",
" 29 | AGENT | CFO accessing Some Tech web pages | CFO | ST_HO-PRV-PC-3 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | MEDIUM \n",
" 30 | AGENT | Senior HR accessing Some Tech web pages | SENIOR_HR | ST_HR-PRV-PC-1 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | MEDIUM \n",
" 31 | AGENT | Junior HR accessing Some Tech web pages | JUNIOR_HR-1 | ST_HR-PRV-PC-2 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | HTTPS | PROBABILISTIC | 60% chance | | | | | | LOW \n",
" 32 | AGENT | Junior HR accessing Some Tech web pages | JUNIOR_HR-2 | ST_HR-PRV-PC-3 | `web-browser` | ST_DMZ-PUB-SRV-WEB | `web-server` | TCP | \n",
"</details>"
]
},
@@ -548,7 +544,7 @@
"\n",
"The `database-client` green agents will attempt to use their host's `database-client` application to make a simple connection to the `database-service` on the `ST_DATA-PRV-SRV-DB` host (these connections have no direct impact to the `database-service` or the `database.db` file itself).\n",
"\n",
"Additionally, `database-client` green agents are *Periodic* meaning they will attempt to use the database based on game time-steps. Specifically, these agents will begin on the time-step given in their `start step` setting and will then will reattempt on each subsequence timestep based on the `Frequency` setting. These settings are then randomised using the remaining `Start Variance` and `Variance` options (also given in timesteps). These values are used to *±* their respective base settings to ensure the green agents achieve a moderate amount of domain randomisation in each PrimAITE episode.\n",
"Additionally, `database-client` green agents are *Periodic* meaning they will attempt to use the database based on game time-steps. Specifically, these agents will begin on the time-step given in their `start_step` setting and will then will reattempt on each subsequence timestep based on the `Frequency` setting. These settings are then randomised using the remaining `start_variance` and `variance` options (also given in timesteps). These values are used to *±* their respective base settings to ensure the green agents achieve a moderate amount of domain randomisation in each PrimAITE episode.\n",
"\n",
"For example, take a *Periodic* green agent set with a `start_step` of 4 and a `frequency` of **4** with a `start_variance` and a `variance` of **4** will cause a green agent to make it's first action on timestep $4 \\pm 1$ and then any subsequent actions every $4 \\pm 1$ timesteps afterwards.\n"
]
@@ -581,9 +577,9 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"#### AGENTS | Green *PoL* | web-browser Agents Demo\n",
"#### AGENTS | Green PoL | `web-browser` Agents Demo\n",
"\n",
"Unlike the `database-client` green agents, the `web-browser` green agents are *probabilistic*. These agents are quite simple; on every timestep a probability roll is made to determine whenever the agent acts. On a successful outcome the agent will attempt to execute the `web-browser` application which will then attempt to connect to the `ST-DMZ-PUB-SRV-WEB` host (Some Tech's web-server). On a unsuccessful outcome then the green agent will simply perform not action on this timestep.\n",
"Unlike the `database-client` green agents, the `web-browser` green agents are *probabilistic*. These agents are quite simple; on every timestep a probability roll is made to determine whenever the agent acts. On a successful outcome the agent will attempt to execute the `web-browser` application which will then attempt to connect to the `ST-DMZ-PUB-SRV-WEB` host. On a unsuccessful outcome then the green agent will simply perform not action on this timestep.\n",
"\n",
"For example, a `web-browser` green agent with a `20%` chance has a $\\frac{1}{5}$ chance of actioning it's host's `web-browser` to access the `ST-DMZ-PUB-SRV-WEB` web-server. "
]
@@ -618,9 +614,9 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### AGENTS | Red Agent\n",
"### AGENTS | Red Agents\n",
"\n",
"For UC7, two new red agents have been developed which introduce a much more complex and realistic attacks in comparison to UC2's [data manipulation red agent](./Data-Manipulation-Customising-Red-Agent.ipynb) for the blue agent to defend against. These new red agents, or more commonly referred to `Threat Actor Profiles` (_TAPS_), utilise a series of different green, blue and red actions to simulate the different steps of a real-world attack.\n",
"For UC7, two new red agents have been developed which introduce a much more complex and realistic attacks in comparison to UC2's [data manipulation red agent](./Data-Manipulation-Customising-Red-Agent.ipynb) for the blue agent to defend against. These new red agents, or more commonly referred to `Threat Actor Profiles` (*TAPS*), utilise a series of different green, blue and red actions to simulate the different steps of a real-world attack.\n",
"\n",
"This notebook does not cover the red agents in much detail, hence it is highly recommended that readers should check out the respective TAP notebooks for a much more in-depth look at each TAP and their impacts.\n"
]
@@ -629,11 +625,11 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### AGENTS | RED AGENT | Threat Actor Profile 001 (TAP001)\n",
"### AGENTS | RED AGENT | Threat Actor Profile 001 (`TAP001`)\n",
"\n",
"This TAP aims to exfiltrate and then encrypt the `database.db` file on `ST_DATA-PRV-SRV-DB` host, whilst leaving the functionality of the database intact. Configured by default to start on the `ST_PROJ-A-PRV-PC-1` host, `TAP001` must first embed itself on the host, locate the target (`ST_DATA-PRV-SRV-DB`) through a series of NMAP scans, establish a connection to it's `C2Server` (`ISP-PUB-SRV-DNS` by default) and then finally attempt to exfiltrate and encrypt. \n",
"This TAP aims to exfiltrate and then encrypt the `database.db` file on `ST_DATA-PRV-SRV-DB` host, whilst leaving the functionality of the database intact. Configured by default to start on the `ST_PROJ-A-PRV-PC-1` host, `TAP001` must first embed itself on the host, locate the target (`ST_DATA-PRV-SRV-DB`) through a series of [`nmap`](/PrimAITE/docs/source/simulation_components/system/applications/nmap.rst) scans, establish a connection to it's [`c2-server`](./Command-and-Control-E2E-Demonstration.ipynb)(`ISP-PUB-SRV-DNS` by default) and then finally attempt to exfiltrate and encrypt. \n",
"\n",
"If successful, the blue agent is configured to receive a serve negative reward and thus must prevent `TAP001` from ever reaching the target database. This could be through blocking it's connection to the target or it's `C2Server` via a carefully crafted ACL or perhaps through more a forceful approach such as shutting down the starting host.\n",
"If successful, the blue agent is configured to receive a serve negative reward and thus must prevent `TAP001` from ever reaching the target database. This could be through blocking it's connection to the target or it's `c2-server` via a carefully crafted ACL or perhaps through more a forceful approach such as shutting down the starting host.\n",
"\n",
"For more information on `TAP001` and it's impacts, [please refer to the TAP001 E2E notebook](./UC7-TAP001-Kill-Chain-E2E.ipynb) or for more blue agent involved demonstration refer to the [UC7 attack variants notebook](./UC7-attack-variants.ipynb) "
]
@@ -690,9 +686,9 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### AGENTS | RED AGENT | Threat Actor Profile 003 (TAP003)\n",
"### AGENTS | RED AGENT | Threat Actor Profile 003 (`TAP003`)\n",
"\n",
"Unlike `TAP001` more traditional representation of a threat actor, `TAP003` represents a malicious insider which leverages it's pre-existing knowledge to covertly add malicious access control lists (ACLs) to three different routers each of which affecting green agent traffic in a different way causing the blue agent to receive negative rewards. Thus, the blue agent must learn to leverage it's ability to remove rules and change credentials throughout the network to rectify the impacts of `TA003` and re-establish green POL and prevent TAP003 from accessing additional routers.\n",
"Unlike `TAP001`'s more traditional representation of a threat actor, `TAP003` represents a malicious insider which leverages it's pre-existing knowledge to covertly add malicious access control lists (ACLs) to three different routers each of which affecting green agent traffic in a different way causing the blue agent to receive negative rewards. Thus, the blue agent must learn to leverage it's ability to remove rules and change credentials throughout the network to rectify the impacts of `TA003` and re-establish green POL and prevent `TAP003` from accessing additional routers.\n",
"\n",
"The table below is a brief summary of the malicious acls added by `TAP003`\n",
"\n",
@@ -776,7 +772,7 @@
"\n",
"- `observation_space`\n",
"\n",
"The observation_space (or more commonly `OBS`) refers to the what simulation components the blue agent observes each `time_step`. A blue agent `OBS` can be configured to be as large the entire network or just an individual node. \n",
"The observation space (or more commonly `OBS`) refers to the what simulation components the blue agent observes each `time_step`. A blue agent `OBS` can be configured to be as large the entire network or just an individual node. \n",
"\n",
"- `action_space`\n",
"\n",
@@ -918,14 +914,14 @@
"source": [
"#### HOSTS\n",
"\n",
"By default the blue agent is monitoring `3` different computers and `1` server:\n",
"By default the blue agent is monitoring **3** different computers and **4** server:\n",
"\n",
"|Host label|hostname| services | applications | folders | files |\n",
"|:--:|:--:|:--:|:--:|:--:|:--:|\n",
"|HOST1|ST_PROJ-A-PRV-PC-1 | ftp-client | ransomware_script, database-client | downloads, exfiltration_folder | malware_dropper.ps1, database.db |\n",
"|HOST2|ST_PROJ-B-PRV-PC-2| ftp-client | ransomware-script, database-client | downloads, exfiltration_folder | malware_dropper.ps1, database.db |\n",
"|HOST3|ST_PROJ-C-PRV-PC-3| ftp-client | ransomware-script, database-client | downloads, exfiltration_folder | malware_dropper.ps1, database.db |\n",
"|HOST4|ST_DATA-PRV-SRV-DB||| database | database.db|\n",
"|HOST0|**ST_PROJ-A-PRV-PC-1** | `ftp-client` | `ransomware_script`, `database-client` | `downloads`, `exfiltration_folder `|` malware_dropper.ps1`, `database.db` |\n",
"|HOST1|**ST_PROJ-B-PRV-PC-2**| `ftp-client` | `ransomware-script`, `database-client` | `downloads`, `exfiltration_folder` | `malware_dropper.ps1`, `database.db` |\n",
"|HOST2|**ST_PROJ-C-PRV-PC-3**| `ftp-client` | `ransomware-script`, `database-client `|` downloads`, `exfiltration_folder` | `malware_dropper.ps1`, `database.db` |\n",
"|HOST3|**ST_DATA-PRV-SRV-DB**||| `database` | `database.db`|\n",
"\n",
"\n",
"Each `time_step` these hosts report the following to the blue agent:\n",
@@ -1102,9 +1098,9 @@
"\n",
"In addition, the agent can observe the list of Access Control List rules present on routers and firewalls.\n",
"\n",
"Routers have one ACL and a list of network interfaces (ports)\n",
"`Routers` have one ACL which apply to each network interface (which in the context of networking devices are referenced as ports).\n",
"\n",
"Firewalls have six ACLs and three ports (ports are Internal/External/DMZ, with an Inbound and Outbound ACL for each)\n",
"`Firewalls` have six ACLs and three ports. These port are predefined as the `Internal`, `External` and `DMZ` port. Each port comes with two ACL lists - inbound and outbound which apply to traffic ingress and egress on a specific port.\n",
"\n",
"by default, the UC7 agent is configured to observe `3` different routers:\n",
"\n",
@@ -1228,7 +1224,7 @@
"source": [
"obs, reward, _,_,info = env.step(0)\n",
"for node_id, node_obs in obs['NODES'].items():\n",
" if not \"HOST\" in node_id: # filter out hosts OBS and focus on ROUTER\n",
" if not \"HOST\" in node_id: # filter out hosts OBS and focus on ROUTERs\n",
" print(node_id)\n",
" pprint(node_obs)\n"
]
@@ -1248,7 +1244,7 @@
"\n",
"#### `action_map`\n",
"\n",
"Numerically ordered, the `action_map` combines the options set out previously to define the actual details of what actions and the amount of actions that a blue agent can perform.\n",
"Numerically ordered, the `action_map` define the actual details of what actions and the amount of actions that a blue agent can perform.\n",
"\n",
"For example, the snippet below details the first four actions the the default UC7 blue agent is setup with:\n",
"\n",
@@ -1284,19 +1280,19 @@
"\n",
"|Action Num | Action Type | Options|\n",
"|:---------:|:-----------:|:------:|\n",
"|0|**DONOTHING**|*n/a*|\n",
"|1|**NODE_OS_SCAN**|*node_name: ST_PROJ-A-PRV-PC-1*|\n",
"|2|**NODE_SHUTDOWN**|*node_name: ST_PROJ-A-PRV-PC-1*|\n",
"|3|**NODE_STARTUP**|*node_name: ST_PROJ-A-PRV-PC-1*|\n"
"|0|**donothing**|*n/a*|\n",
"|1|**node-os-scan**|*node_name: ST_PROJ-A-PRV-PC-1*|\n",
"|2|**node-shutdown**|*node_name: ST_PROJ-A-PRV-PC-1*|\n",
"|3|**node-startup**|*node_name: ST_PROJ-A-PRV-PC-1*|\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"`0: DONOTHING`:\n",
"`0: do-nothing`:\n",
"\n",
"The first action, `DONOTHING` is a default standard that all agents are setup to use by default in primAITE. Quite simply this action makes no impact to the simulation - literally does nothing. Although this obviously does not seem all that useful, in practice an agent with a small yet impactful actions (such as adding or removing ACL's rules) may find that performing no action may be better than risking a potentially detrimental one.\n",
"The first action, `do-nothing` is the default standard that all agents are setup to use by default in primAITE. Quite simply this action makes no impact to the simulation - literally does nothing. Although this obviously does not seem all that useful, in practice an agent with a small yet impactful actions (such as adding or removing ACL's rules) may find that performing no action may be better than using a potentially detrimental one .\n",
"\n",
"Additionally, you may spotted the code snippet below dotted around this notebook and many others.\n",
"\n",
@@ -1316,20 +1312,20 @@
"env.reset()\n",
"env.step(0)\n",
"defender = env.game.rl_agents.get(\"defender\")\n",
"print(defender.history[0])"
"defender.show_history(ignored_actions=['']) # By default `show_history()` will ignore 'do-nothing'"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"`1: NODE_OS_SCAN`:\n",
"`1: node-os-scan`:\n",
"\n",
"The first actual action that the blue agent can perform is scanning action. A variety of different scanning type actions (such as `NODE_APPLICATION_SCAN` or `NODE_FILE/FOLDER_SCAN`) which can be used to by the blue agent to gain a deeper understanding of the simulation state. Specifically, these actions will cause the blue agent's observations to update to the \"true\" `HEALTH_STATUS` of a simulation component. The `NODE_OS_SCAN` acts a combined version of all these scan type actions.\n",
"The first actual action that the blue agent can perform is scanning action. The blue agent is capable of a variety of different scanning type actions (such as `node-application-scan` or `node-file/folder-scan`) which can be used to gain a deeper understanding of the simulation state. Specifically, these actions will cause the blue agent's observations to update to the **\"true\"** `health_status` of a simulation component. The `node-os-scan` acts a combined version of all these scan type actions.\n",
"\n",
"For example, if a red agent corrupts and alters the health status of a file, the blue agent's observation space will not reflect this until the agent performs a `NODE_FILE_SCAN` on the newly corrupted file. It's worth noting that blue agents can be configured to see the true `HEALTH_STATUS` of software and files without needing to scan in the yaml. Although this may make it easier for an train and create an effective blue agent it could be seen as reducing the fidelity of the simulation.\n",
"For example, if a red agent corrupts and alters the health status of a file, the blue agent's observation space will not reflect this until the agent performs a `node-file-scan` on the newly corrupted file. It's worth noting that blue agents can be configured to see the true `health_status` of software and files without needing to scan in the yaml. Although this may make it easier for an train and create an effective blue agent it could be seen as reducing the fidelity of the simulation.\n",
"\n",
"The code snippet below demonstrates an example where the blue agent uses the `NODE_OS_SCAN` action to reveal the true health status `ST_PROJ-A-PRV-PC-1`."
"The code snippet below demonstrates an example where the blue agent uses the `node-os-scan` action to reveal the true health status `ST_PROJ-A-PRV-PC-1`."
]
},
{
@@ -1339,7 +1335,6 @@
"outputs": [],
"source": [
"obs, reward, term, trunc, info = env.step(0)\n",
"print(defender.history[1])\n",
"print(f\"ftp-client (Prior Scan) OBS: {defender.observation_manager.current_observation['NODES']['HOST0']['SERVICES'][1]}\")\n",
"print(f\"database-client (Prior Scan) OBS: {defender.observation_manager.current_observation['NODES']['HOST0']['APPLICATIONS'][2]}\")"
]
@@ -1371,7 +1366,7 @@
"source": [
"print(f'Node OS Scan time step duration: {cfg[\"simulation\"][\"defaults\"][\"node_scan_duration\"]}')\n",
"env.step(1)\n",
"print(defender.history[2])\n",
"print(defender.show_history())\n",
"for _ in range(9):\n",
" obs, reward, term, trunc, info = env.step(0)\n",
"\n",
@@ -1384,9 +1379,9 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"`2: NODE_SHUTDOWN`:\n",
"`2: node-shutdown`:\n",
"\n",
"The next action available is the `NODE_SHUTDOWN` action. This action quite is quite simple in comparison and literally attempts to shut down the target host given in the `options` settings which is set to `ST_PROJ-A-PRV-PC-1`. Shutting a PC down affects the `operating_status` of the host machine which the following snippets demonstrate."
"The next action available is `node-shutdown`. This action quite simply attempts to shut down the given `node_name` which in this case is set to `ST_PROJ-A-PRV-PC-1`. Shutting a PC down affects the `operating_status` of the host machine which the following snippets demonstrate."
]
},
{
@@ -1397,7 +1392,14 @@
"source": [
"# `1` is equal to 'ON' in this case.\n",
"obs, reward, term, trunc, info = env.step(0)\n",
"print(f\"ST_PROJ-A-PRV-PC-1's (prior shutdown) operating state: {defender.observation_manager.current_observation['NODES']['HOST0']['operating_status']}\")"
"print(f\"ST_PROJ-A-PRV-PC-1's (prior `node-shutdown`) operating state: {defender.observation_manager.current_observation['NODES']['HOST0']['operating_status']}\")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"As mentioned previously, some actions require a number of timesteps to elapse before their impact is resolved within the simulation. `node-shutdown` by default takes three timesteps to take effect."
]
},
{
@@ -1407,8 +1409,9 @@
"outputs": [],
"source": [
"obs, reward, term, trunc, info = env.step(2)\n",
"# Skipping three timesteps by forcing the blue agent into performing a `do-nothing` action.\n",
"for _ in range(3):\n",
" env.step(0) # 3 second shut down time.\n"
" env.step(0) "
]
},
{
@@ -1418,16 +1421,16 @@
"outputs": [],
"source": [
"obs, reward, term, trunc, info = env.step(0)\n",
"print(f\"ST_PROJ-A-PRV-PC-1's (post shutdown) operating state: {defender.observation_manager.current_observation['NODES']['HOST0']['operating_status']}\")"
"print(f\"ST_PROJ-A-PRV-PC-1's (post `node-shutdown`) operating state: {defender.observation_manager.current_observation['NODES']['HOST0']['operating_status']}\")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"`3: NODE_STARTUP`:\n",
"`3: node-startup`:\n",
"\n",
"Luckily, the blue agent can use it's third action `NODE_STARTUP` has been configured to bring the `ST_PROJ-A-PRV-PC-1` back up and running. Although, with the a three timestep reboot time.\n"
"Lastly, the blue agent third action `node-startup` can be used to bring the `ST_PROJ-A-PRV-PC-1` back up and running. Similar to the previous action, `node-startup` takes three timesteps.\n"
]
},
{
@@ -1442,7 +1445,16 @@
" env.step(0) # 3 second reboot time.\n",
" \n",
"obs, reward, term, trunc, info = env.step(0)\n",
"print(f\"ST_PROJ-A-PRV-PC-1's (prior shutdown) operating state: {defender.observation_manager.current_observation['NODES']['HOST0']['operating_status']}\")"
"print(f\"ST_PROJ-A-PRV-PC-1's (post `node-startup`) operating state: {defender.observation_manager.current_observation['NODES']['HOST0']['operating_status']}\")"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"print(defender.show_history())"
]
},
{
@@ -1458,7 +1470,7 @@
"```yaml\n",
" reward_function:\n",
" reward_components:\n",
" - type: DATABASE_FILE_INTEGRITY\n",
" - type: database-file-integrity\n",
" weight: *HIGH_WEIGHT_IMPACT\n",
" options: \n",
" node_hostname: ST_DATA-PRV-SRV-DB \n",
@@ -1466,7 +1478,7 @@
" file_name: database.db\n",
"```\n",
"\n",
"The blue agent's remaining reward function is comprised of **32** different ``SHARED_REWARD`` components. These rewards will grant the blue agent a positive or negative reward based on the current reward of the **32** green agents. The next code snippets The code snippets below demonstrate how the blue agent's reward is affected by simulation state."
"The blue agent's remaining reward function is comprised of **32** different ``shared-reward`` components. These rewards will grant the blue agent a positive or negative reward based on the current reward of the **32** green agents. The next code snippets The code snippets below demonstrate how the blue agent's reward is affected by simulation state."
]
},
{
@@ -1584,7 +1596,7 @@
"st_dmz_pub_srv_web: Server = env.game.simulation.network.get_node_by_hostname(\"ST_DMZ-PUB-SRV-WEB\")\n",
"st_dmz_pub_srv_web.software_manager.software[\"web-server\"].operating_state = ServiceOperatingState.DISABLED\n",
"\n",
"# Shutting down the DNSServer\n",
"# Shutting down the dns-server\n",
"\n",
"isp_pub_srv_dns_server: Server = env.game.simulation.network.get_node_by_hostname(\"ISP-PUB-SRV-DNS\")\n",
"isp_pub_srv_dns_server.software_manager.software[\"dns-server\"].operating_state = ServiceOperatingState.DISABLED\n",
@@ -1597,7 +1609,7 @@
],
"metadata": {
"kernelspec": {
"display_name": ".venv",
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},

70
src/primaite/notebooks/UC7-TAP001-Kill-Chain-E2E.ipynb
View File

@@ -4,20 +4,19 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"# Mobile Malware Kill Chain - Ransomware Script Variant\n",
"# TAP001 - Mobile Malware Kill Chain\n",
"\n",
"© Crown-owned copyright 2025, Defence Science and Technology Laboratory UK\n",
"\n",
"**Threat Actor Profile (TAP):** 001 <br/>\n",
"**Kill Chain**: Mobile Malware - Ransomware Script Variant\n",
"\n",
"This notebook demonstrates TAP001 on the UC7 network infrastructure. In this scenario, a some_tech employee within the development project network plugs in his personal device. Whilst browsing, they encounter a ransomware virus which moves onto the host machine thus triggering the malware! \n",
"<br/>\n",
"This notebook demonstrates the new threat actor profile (TAP) on the UC7 network infrastructure. In this scenario, a `some_tech` employee within the development project network plugs in his personal device. Whilst browsing, they encounter a ransomware virus which moves onto the host machine thus triggering the malware! \n",
"\n",
"This ransomware variant targets the database service's file directly, rather than the disrupting the database service, hence why in this scenario the data service still functions after becoming corrupted.\n",
"<br/>\n",
"\n",
"The red attack intends to introduce realistic impacts to the observation space, such as files created/removed and applications installing mid-episode whilst still providing usable data for agent training."
"This malware variant targets the database service's file directly, rather than the disrupting the service, hence why in this scenario the `data-service` is still functional after becoming corrupted.\n",
"\n",
"This new red agent intends to introduce more realistic impacts to the observation space, such as files created/removed and applications installing mid-episode whilst still providing the configurability needed for effective blue agent training."
]
},
{
@@ -173,9 +172,10 @@
"metadata": {},
"source": [
"### **Notebook Setup** | Instantiating Relevant Simulation Objects\n",
"Simulation objects can be instantiated and called independently of agents via the environment.game.simulation (PrimAITE API).\n",
"\n",
"[Please refer to the main UC7 notebook for further details regarding agent implementations and the general UC7 scenario.](./example layout-E2E-Demo.ipynb)"
"Simulation objects can be instantiated and called independently of agents via the environment.game.simulation (PrimAITE API) which is useful for demonstrating the simulation state at different points within an episode.\n",
"\n",
"Any readers unfamiliar with the UC7 scenario should refer to the [main UC7 notebook for further details](./UC7-E2E-Demo.ipynb)"
]
},
{
@@ -205,7 +205,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"The first section of this notebook displays the relevant default Observation Space (OBS)."
"The first section of this notebook displays the relevant initial `observation_space` (OBS) of effected nodes before the attack takes place."
]
},
{
@@ -316,7 +316,7 @@
" </a> \n",
"</p>\n",
"\n",
"In this stage, TAP001 uses the **NODE_FOLDER_CREATE** and **NODE_FILE_CREATE** to create a file called ```\"malware_dropper.ps1\"``` within a ```\"Downloads\"``` folder. <br>\n",
"In this stage, TAP001 uses the **node-folder-create** and **node-file-create** to create a file called ```\"malware_dropper.ps1\"``` within a ```\"Downloads\"``` folder. <br>\n",
"These actions are intended to simulate the malicious payload creating a ```ps1``` (A windows powershell script) malware dropper on the `SOME_TECH` employee's phone. \n",
"\n",
"Currently, PrimAITE cannot simulate hosts joining the simulation mid-episode thus we must treat `ST_PROJ-A-PRV-PC-1`'s as also including the employee's phone. <br>\n",
@@ -350,7 +350,8 @@
"metadata": {},
"outputs": [],
"source": [
"tap001.logger.show()"
"tap001.logger.show()\n",
"tap001.show_history()"
]
},
{
@@ -369,7 +370,7 @@
" \n",
"</p>\n",
"\n",
"In this stage, TAP001 uses the **NODE_FILE_ACCESS** to increase the number of accesses of the ```\"malware_dropper.ps1\"```. <br>\n",
"In this stage, TAP001 uses the **node-file-access** to increase the number of accesses of the ```\"malware_dropper.ps1\"```. <br>\n",
"\n",
"These actions represent the employee executing malware dropper created in the previous stage. "
]
@@ -399,7 +400,8 @@
"metadata": {},
"outputs": [],
"source": [
"tap001.logger.show()"
"tap001.logger.show()\n",
"tap001.show_history()"
]
},
{
@@ -419,12 +421,10 @@
" \n",
"</p>\n",
"\n",
"In this stage, TAP001 uses the **NODE_APPLICATION_INSTALL** to install the ransomware application onto the starting host. <br>\n",
"In this stage, TAP001 uses the **node-application-install** to install the ransomware application onto the starting host. <br>\n",
"\n",
"These actions represent the malware dropper successfully installing ransomware on the host machine. Similarly to the malware dropper, the ransomware currently implemented is intended to be a generic and OS agnostic ransomware which is not intended to represent any specific real world implementation. \n",
"\n",
"Please see the [Ransomware Notebook](./Ransomware-Kill-Chain-E2E.ipynb) for further information about the current implementation of the ransomware application.\n",
"\n",
"Future versions of PrimAITE intend to expand the capability of the ransomware application to more faithfully represent a real-world example; for example, a Trickbot variation such as Ryuk or Conti."
]
},
@@ -463,7 +463,7 @@
"|-----|------------|----------|---------|\n",
"|4|Propagate|HOST:NICS:NIC:TRAFFIC:PROTOCOL:PORT:*|The malware attempts to spread to other systems or networks, looking for vulnerable services.|\n",
"\n",
"In this stage, TAP001 uses **NODE_NMAP_PORT_SCAN**, **NODE_NMAP_PING_SCAN** and **NODE_NMAP_NETWORK_SERVICE_RECON** to scan the simulation in order to search for a valid database target.\n",
"In this stage, TAP001 uses **node-nmap-port-scan**, **node-nmap-ping-scan** and **node-nmap-network-service-recon** to scan the simulation in order to search for a valid database target.\n",
"\n",
"Unlike previous stages, the behaviour of this stage is dependant on the simulation and thus will perform differently dependant on the location of the target as well as the topology of the network. Specifically, the ```PROPAGATE``` stage uses three network enumeration actions and their action responses to populate its knowledge of the network.<br>\n",
"These actions represent the now infected `ST_PROJ-A-PRV-PC-1` searching the UC7 network for valid targets ransomware. \n",
@@ -481,7 +481,7 @@
"source": [
"#### **Kill Chain** | PROPAGATE | Scan walkthrough\n",
"\n",
"The next juypter cells of this notebook will go through each individual CAOS action that the TAP001 leverages to reach the target host as well as the OBS each action impacts.\n",
"The next juypter cells of this notebook will go through each individual nmap action that the TAP001 leverages to reach the target host as well as the OBS each action impacts.\n",
"\n",
"This section uses the following ```PROPAGATE``` relevant TAP001 settings:\n",
"```yaml\n",
@@ -788,7 +788,7 @@
"</p>\n",
"\n",
"\n",
"For further details please refer to the ``Command-and-Control-E2E-Demonstration`` notebook.\n",
"For further details please refer to the [Command-and-Control-E2E-Demonstration notebook](./Command-and-Control-E2E-Demonstration.ipynb).\n",
"\n",
"_Note: The referenced notebook above uses the UC2 scenario for demonstration purposes, however all the OBS impacts and C2 suite functionality is equally applicable to UC7._\n",
"\n"
@@ -921,7 +921,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"We can also see that the database.db file was successfully exfiltrated."
"We can also see that the `database.db` file was successfully exfiltrated."
]
},
{
@@ -948,16 +948,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"## **Post Attack Impacts**\n",
"\n",
"Please refer to the [Ransomware E2E Notebook](./Ransomware-Kill-Chain-E2E.ipynb) for an in-depth look on the knock-on affects of the ransomware application."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### **Attack Configurations** | Threat Actor Profile Settings"
"### **Attack Configurations** "
]
},
{
@@ -1294,7 +1285,7 @@
"\n",
"<sup>[1]</sup> _PrimAITE does not actually enforce agent type (Red/Green/Blue) specific actions_\n",
"\n",
"_However, some actions such as ``APPLICATION_EXECUTE`` and ``NETWORK_RECON_SCAN`` require an understanding of the simulation that is beyond the blue agent's current observation and thus are not suitable for use by reinforcement algorithms._\n",
"_However, some actions such as `node-application-execute` and `node-nmap-network-service-recon` require an understanding of the simulation that is beyond the blue agent's current observation and thus are not suitable for use by reinforcement algorithms._\n",
"\n",
"_These actions are usually only leveraged by Green or Red agents; hence why they are commonly referenced as such._\n",
"\n",
@@ -1307,7 +1298,7 @@
"source": [
"#### **Attack Configurations** | Mobile Malware Kill Chain | Command and Control Stage\n",
"\n",
"TAP001's Command and Control stage leverages the C2 beacon which has it's own set of configuration options. In the case of TAP001 some of these settings are already pre-defined based on other settings such as ``target_node``. The table below details the currently available options.\n",
"TAP001's Command and Control stage leverages the `c2-beacon` which has it's own set of configuration options. In the case of TAP001 some of these settings are already pre-defined based on other settings such as ``target_node``. The table below details the currently available options.\n",
"\n",
"<details> <summary> Command and Control Configuration Settings </summary>\n",
"\n",
@@ -1318,9 +1309,10 @@
"|keep_alive_frequency | How often should the C2 Beacon confirm its connection in timesteps. Defaults to 5 |Int | _Optional_ |\n",
"|masquerade_port | What port should the C2 traffic use? Defaults to TCP. |Str | _Optional_ |\n",
"|masquerade_protocol | What protocol should the C2 traffic masquerade as? Defaults to HTTP. |Str | _Optional_ |\n",
"\n",
"</details> \n",
"\n",
"For further information around the configuration of the C2 beacon please refer to the ``Command-&-Control-E2E-Demonstration`` last section on configurability."
"For further information around the configuration of the `c2-beacon` please refer to the [Command-&-Control-E2E-Demonstration notebook](./Command-and-Control-E2E-Demonstration.ipynb)'s last section on configurability."
]
},
{
@@ -1347,7 +1339,7 @@
" cfg['agents'][32]['agent_settings']['kill_chain']['COMMAND_AND_CONTROL'][\"masquerade_protocol\"] = \"TCP\"\n",
"env = PrimaiteGymEnv(env_config = cfg)\n",
"env.reset()\n",
"# TAP001 runs for exactly 110 timesteps using default TAP settings.\n",
"# TAP001 requires around 110 timesteps using default TAP settings.\n",
"for _ in range(110):\n",
" env.step(0)"
]
@@ -1356,7 +1348,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"The code cells below use .show() methods to show that the configuration options have successfully altered the C2's suite configuration. For example the C2 beacon's remote connection is now ``REM-PUB-PC-1``'s ip address which is ``192.168.20.2``."
"The code cells below use .show() methods to show that the configuration options have successfully altered the C2's suite configuration. For example the `c2-beacon`'s remote connection is now ``REM-PUB-PC-1``'s ip address which is ``192.168.20.2``."
]
},
{
@@ -1448,7 +1440,7 @@
"|exfiltrate | Should TAP001 exfiltrate the target database.db file? |Boolean | _Required_ |\n",
"\n",
"\n",
"Similar to ``corrupt``, this option is a boolean value which indicates if TAP001 should attempt to exfiltrate the database.db file.\n",
"Similar to ``corrupt``, this option is a boolean value which indicates if TAP001 should attempt to exfiltrate the `database.db` file.\n",
"\n",
"By default this is enabled but if users wish to disable the exfiltration for training purposes then this value can be set to ``False`` which will prevent the TAP001 agent from attempting to exfiltrate the database.db file."
]
@@ -1457,14 +1449,14 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"_If both ``exfiltrate`` and ``corrupt`` options are enabled then the TAP001 agent will exfiltrate the database.db and then launch the ``RansomwareScript`` against the target._"
"_If both ``exfiltrate`` and ``corrupt`` options are enabled then the TAP001 agent will exfiltrate the database.db and then launch the ``ransomware-script`` against the target._"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Yaml Example:\n",
"_yaml config example_\n",
"\n",
"```yaml\n",
" kill_chain:\n",
@@ -1822,7 +1814,7 @@
],
"metadata": {
"kernelspec": {
"display_name": ".venv",
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},

76
src/primaite/notebooks/UC7-TAP003-Kill-Chain-E2E.ipynb
View File

@@ -4,26 +4,25 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"# Backdoor & Vulnerability Creation Kill Chain\n",
"# TAP003 - Malicious Insider Kill Chain\n",
"\n",
"© Crown-owned copyright 2025, Defence Science and Technology Laboratory UK\n",
"\n",
"**Threat Actor Profile (TAP):** 003 <br/>\n",
"**Kill Chain**: Backdoor & Vulnerability Creation"
"**Kill Chain**: Insider"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"This notebook demonstrates a new UC7 Kill Chain which aims to represent a different style of attack in comparison to the mobile malware kill chain (TAP001).\n",
"Kill chains aim to represent a potential real world cyber attack. In this scenario an malicious `SOME_TECH` admin (TAP003) leverages his legitimate credentials and permissions to create purposeful backdoors, establish footholds and use other legitimate features in malicious ways.\n",
"This notebook demonstrates the new TAP003 red agent which simulates a malicious insider which performs an internal cyber attack. In this scenario an malicious `some_tech` admin leverages their legitimate credentials and permissions to create purposeful backdoors, establish footholds and use other legitimate features in malicious ways.\n",
"<br/>\n",
"\n",
"In this version - this scenario is limited in scope. TAP003 opts to alter user accounts and implement malicious ACL rule by using the ``terminal`` service to SSH into target routers. These ACLs block green traffic which trigger a negative reward.\n",
"In this version of PrimAITE, TAP003 opts to alter user accounts and implement malicious ACL rule by using the ``terminal`` service to SSH into target routers. These ACLs block green traffic which trigger a negative reward.\n",
"<br/>\n",
"\n",
"This kill chain intends to introduce a new UC7 attack which is both realistic but also dissimilar to other kill chains."
"This TAP was designed to be both realistic but also dissimilar to the more traditional red agents such as [TAP001](./UC7-TAP001-Kill-Chain-E2E.ipynb) or use case 2's [data_manipulation_bot](./Data-Manipulation-Customising-Red-Agent.ipynb)."
]
},
{
@@ -101,10 +100,10 @@
" node = item.parameters.get('node_name')\n",
"\n",
" else:\n",
" if (node_id := item.parameters.get('node_id')) is not None:\n",
" node = env.game.agents[agent_name].action_manager.node_names[node_id]\n",
" if (application_id := item.parameters.get('application_id')) is not None:\n",
" application = env.game.agents[agent_name].action_manager.application_names[node_id][application_id]\n",
" if (item.parameters.get('node_name')) is not None:\n",
" node = item.parameters.get('node_name')\n",
" if (item.parameters.get('application_name')) is not None:\n",
" application = item.parameters.get('application_name')\n",
" if (application_name := item.parameters.get('application_name')) is not None:\n",
" application = application_name\n",
"\n",
@@ -157,39 +156,38 @@
"source": [
"### **Notebook Intro** | **Backdoor & Vulnerability Creation Kill Chain Intro** \n",
"\n",
"TAP003's kill chain is comprised of a variety of blue actions which are leveraged in unusual ways. This includes introducing malicious ACL's which block green traffic and installing and execute green applications in order to simulate unusual green pattern of life. The rest of this notebook will go through each step in more detail whilst demonstrating the impacts that each step has on both observation and simulation behaviour.\n",
"TAP003's kill chain is comprised of a variety of blue actions which are leveraged in unusual ways. This includes introducing malicious ACL's which block green traffic. The rest of this notebook will go through each step in more detail whilst demonstrating the impacts that each step has on both observation and simulation behaviour.\n",
"\n",
"_Reconnaissance - DONOTHING CAOS Action_\n",
"_Reconnaissance_\n",
"\n",
"|Index | Action Stage| OBS Impact | Narrative |\n",
"|-----|-------------|-------------|-----------|\n",
"|1|Reconnaissance|*No Direct Impact*|TAP003 is passively investigating sensitive systems, data and access control mechanisms.|\n",
"|Index | Action Stage| OBS Impact | Narrative |action(s)|\n",
"|-----|-------------|-------------|-----------|---|\n",
"|1|Reconnaissance|*No Direct Impact*|TAP003 is passively investigating sensitive systems, data and access control mechanisms.|`do-nothing`|\n",
"\n",
"_Planning - DONOTHING CAOS Action_\n",
"_Planning_\n",
"\n",
"|Index| Action Stage| OBS Impact | Narrative |\n",
"|-----|-------------|------------|-----------|\n",
"|2|Planning| **No current impact**|TAP003 is devising a plan to exploit their elevated privileges.|\n",
"|Index| Action Stage| OBS Impact | Narrative |action(s)|\n",
"|-----|-------------|------------|-----------|---|\n",
"|2|Planning| **No current impact**|TAP003 is devising a plan to exploit their elevated privileges.|`do-nothing`|\n",
"\n",
" _Access - DONOTHING CAOS Action__\n",
" _Access_\n",
"\n",
"|Index| Action Stage| OBS Impact | Narrative |\n",
"|-----|-------------|------------|-----------|\n",
"|3|Access|**No current impact** |TAP003 uses their legitimate credentials to access the access control settings.|\n",
"|Index| Action Stage| OBS Impact | Narrative |action(s)|\n",
"|-----|-------------|------------|-----------|---|\n",
"|3|Access|**No current impact** |TAP003 uses their legitimate credentials to access the access control settings.|`do-nothing`|\n",
"\n",
" _Manipulation - HOST:SESSIONS_SEND_REMOTE_COMMAND -> HOST:ACCOUNTS:CHANGE:PASSWORD CAOS ACTION_\n",
" _Manipulation_\n",
" \n",
"|Index| Action Stage| OBS Impact | Narrative |\n",
"|-----|-------------|------------|-----------|\n",
"|4|Manipulation| **Target Host(s)** HOST::SESSIONS:REMOTE |TAP003 exploits their insider knowledge/privilege to implement changes for sabotage.|\n",
"|Index| Action Stage| OBS Impact | Narrative |action(s)|\n",
"|-----|-------------|------------|-----------|---|\n",
"|4|Manipulation| **Target Host(s)** HOST::SESSIONS:REMOTE |TAP003 exploits their insider knowledge/privilege to implement changes for sabotage.| - `node-session-remote-login` & `sessions-send-remote-command` (`node-account-change-password`)|\n",
"\n",
" _Exploit - FIREWALL:ACL:add_rule CAOS ACTION_\n",
"_Exploit_\n",
"\n",
"|Index| Action Stage| OBS Impact | Narrative |\n",
"|-----|-------------|------------|-----------|\n",
"|5|Exploit| **Target Host(s)** FIREWALL:ACL:INTERNAL/EXTERNAL:*|TAP003 exploits their insider knowledge/privilege to implement changes for sabotage.|\n",
"\n",
"_Only the initial five steps are represented in the this version of this kill-chain._ <br/>\n"
"|Index| Action Stage| OBS Impact | Narrative |action(s)|\n",
"|-----|-------------|------------|-----------|---|\n",
"|5|Exploit| **Target Host(s)** ROUTER:ACL:INTERNAL/EXTERNAL:*|TAP003 exploits their insider knowledge/privilege to implement changes for sabotage.| `node-session-remote-login` & `node-session-send-remote-command` (`router-acl-addrule`) |\n",
"\n"
]
},
{
@@ -198,9 +196,7 @@
"source": [
"## **Notebook Setup** | **Network Configuration:**\n",
"\n",
"This notebook uses the same network setup as UC7. \n",
"\n",
"Please refer to the main [UC7-E2E-Demo notebook for further reference](./UC7-E2E-Demo.ipynb)."
"Any readers unfamiliar with UC7 can refer to the main [UC7-E2E-Demo notebook for further reference](./UC7-E2E-Demo.ipynb)."
]
},
{
@@ -255,7 +251,7 @@
"source": [
"env.reset() # resetting the environment\n",
"# The TAP003 Agent\n",
"tap003 = env.game.agents['attacker']\n",
"tap003: TAP003 = env.game.agents['attacker']\n",
"tap003.logger.logger.setLevel(\"INFO\")"
]
},
@@ -483,7 +479,7 @@
"|-----|-------------|------------|-----------|\n",
"|1|RECONNAISSANCE|*No Direct Impact*|TAP003 is identifying Sensitive systems, data and access control mechanisms in legitimate ways.|\n",
"\n",
"Currently, this stage in the kill chain is implemented via the 'DONOTHING' CAOS action."
"Currently, this stage in the kill chain is implemented via the 'do-nothing' CAOS action."
]
},
{
@@ -566,7 +562,7 @@
"\n",
"|Index| Action Stage| OBS Impact | Narrative |\n",
"|-----|-------------|------------|-----------|\n",
"|3|Access|_DONOTHING CAOS Action_|TAP003 uses their legitimate credentials to access the access control settings.|\n",
"|3|Access|_do-nothing CAOS Action_|TAP003 uses their legitimate credentials to access the access control settings.|\n",
"\n",
"Currently, at this point of the kill chain stage the TAP003 does not perform any simulations actions. Future versions of TAP003 aim to leverage more of the simulation to create and remove accounts at this stage."
]
@@ -1692,7 +1688,7 @@
],
"metadata": {
"kernelspec": {
"display_name": ".venv",
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},

22
src/primaite/notebooks/UC7-Training.ipynb
View File

@@ -8,11 +8,11 @@
}
},
"source": [
"# Training an SB3 Agent\n",
"# Training an Agent on UC7\n",
"\n",
"© Crown-owned copyright 2025, Defence Science and Technology Laboratory UK\n",
"\n",
"This notebook will demonstrate how to use primaite to create and train a PPO agent, using a pre-defined configuration file."
"This notebook is identical in content to the [training an SB3 agent](./Training-an-SB3-Agent.ipynb) except this notebook trains an agent on the [use case 7 scenario](./UC7-E2E-Demo.ipynb) rather than [use case 2](./Data-Manipulation-E2E-Demonstration.ipynb). By default, the `uc7_config.yaml` blue agent (`defender`) is setup to defend against Threat Actor Profile (TAP) 001 which can be explored in more detail [here](./UC7-TAP001-Kill-Chain-E2E.ipynb).\n"
]
},
{
@@ -42,10 +42,6 @@
"from primaite import PRIMAITE_PATHS\n",
"from prettytable import PrettyTable\n",
"from deepdiff.diff import DeepDiff\n",
"from primaite.simulator.network.hardware.nodes.host.server import Server\n",
"from primaite.simulator.network.hardware.nodes.network.router import Router\n",
"from primaite.simulator.network.hardware.nodes.host.computer import Computer\n",
"\n",
"scenario_path = PRIMAITE_PATHS.user_config_path / \"example_config/uc7_config.yaml\""
]
},
@@ -125,21 +121,9 @@
],
"metadata": {
"kernelspec": {
"display_name": ".venv",
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.10.12"
}
},
"nbformat": 4,

361
src/primaite/notebooks/UC7-attack-variants.ipynb
View File

@@ -17,9 +17,11 @@
}
},
"source": [
"This notebook demonstrates the PrimAITE environment with the UC7 network laydown and multiple attack personas. The first attack persona is TAP001 which performs a ransomware attack against the database. The other one is TAP003 which is able to maliciously add ACL rules that block green pattern of life.\n",
"This notebook demonstrates the PrimAITE environment with the UC7 network laydown and multiple attack personas. The first threat actor persona is **TAP001** which performs a ransomware attack against the database. The other one is **TAP003** which is able to maliciously add ACL rules that block green pattern of life.\n",
"\n",
"The environment switches between these two attacks on a pre-defined schedule which is defined in the schedule.yaml file of the scenario folder."
"Any users unfamiliar with these red agents should take a look into the [TAP001 notebook](./UC7-TAP001-Kill-Chain-E2E.ipynb) and the [TAP003 notebook](./UC7-TAP003-Kill-Chain-E2E.ipynb) for further details.\n",
"\n",
"The environment switches between these two attacks on a pre-defined schedule which is defined in the `schedule.yaml` file of the scenario folder."
]
},
{
@@ -44,32 +46,15 @@
"metadata": {},
"outputs": [],
"source": [
"import yaml\n",
"from primaite.session.environment import PrimaiteGymEnv\n",
"from primaite import PRIMAITE_PATHS\n",
"from prettytable import PrettyTable\n",
"from deepdiff.diff import DeepDiff\n",
"from primaite.session.environment import PrimaiteGymEnv\n",
"from primaite.simulator.network.hardware.nodes.host.computer import Computer\n",
"from primaite.simulator.network.hardware.nodes.host.server import Server\n",
"from primaite.simulator.network.hardware.nodes.network.router import Router\n",
"from primaite.simulator.system.services.dns.dns_server import DNSServer\n",
"from primaite.simulator.system.software import SoftwareHealthState\n",
"from primaite.simulator.file_system.file_system_item_abc import FileSystemItemHealthStatus\n",
"from primaite.simulator.network.hardware.nodes.network.switch import Switch\n",
"from primaite.simulator.system.applications.web_browser import WebBrowser\n",
"from primaite.simulator.network.container import Network\n",
"from primaite.simulator.system.services.service import ServiceOperatingState\n",
"from primaite.simulator.network.hardware.node_operating_state import NodeOperatingState\n",
"from primaite.simulator.system.services.database.database_service import DatabaseService\n",
"from primaite.simulator.system.applications.database_client import DatabaseClient\n",
"from primaite.simulator.network.hardware.nodes.network.firewall import Firewall\n",
"from primaite.game.game import PrimaiteGame\n",
"from primaite.simulator.sim_container import Simulation\n",
"from primaite.config.load import load, _EXAMPLE_CFG\n",
"from primaite.simulator.network.hardware.nodes.host.server import Server\n",
"from primaite.simulator.network.hardware.nodes.network.router import Router\n",
"from primaite.simulator.network.hardware.nodes.host.computer import Computer\n",
"\n",
"scenario_path = PRIMAITE_PATHS.user_config_path / \"example_config/uc7_multiple_attack_variants\""
]
@@ -220,7 +205,7 @@
"source": [
"The blue agent should be able to prevent the ransomware attack by blocking the red agent's access to the database. Let's run the environment until the observation space shows symptoms of the attack starting.\n",
"\n",
"Because we are in episode index 1, the red agent will use `ST-PROJ-A-PRV-PC-1` to start the attack. On step 25, the red agent installs `RansomwareScript`."
"Because we are in episode index 1, the red agent will use `ST_PROJ-A-PRV-PC-1` to start the attack. On step 25, the red agent installs `ransomware-script`."
]
},
{
@@ -246,9 +231,33 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"We can see that on HOST0, application index 1 has gone from `operating_status` 0 to 3, meaning there wasn't an application before, but now there is an application in the `INSTALLING` state. The blue agent should be able to detect this and block the red agent's access to the database. Action 43 will block `ST-PROJ-A-PRV-PC-1` from sending POSTGRES traffic to the DB server.\n",
"We can see that on HOST0, application index 1 has gone from `operating_status` 0 to 3, meaning there wasn't an application before, but now there is an application in the `INSTALLING` state. The blue agent should be able to detect this and block the red agent's access to the database. Action 43 will block `ST_PROJ-A-PRV-PC-1` from sending POSTGRES traffic to the DB server.\n",
"\n",
"If this were a different episode, it could have been `ST-PROJ-B-PRV-PC-2` or `ST-PROJ-C-PRV-PC-3` that are affected, and a different defensive action would be required."
"If this were a different episode, it could have been `ST_PROJ-B-PRV-PC-2` or `ST_PROJ-C-PRV-PC-3` that are affected, and a different defensive action would be required."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"\n",
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-CR | router-acl-add-rule | P2: ST_PROJ-A-PRV-PC-1 !==> ST_DATA-PRV-SRV-DB (TCP:POSTGRES_SERVER)\n",
"43:\n",
" action: router-acl-add-rule\n",
" options:\n",
" target_router: ST_INTRA-PRV-RT-CR\n",
" position: 1\n",
" permission: DENY\n",
" src_ip: 192.168.230.2 # (ST_PROJ-A-PRV-PC-1)\n",
" src_wildcard: 0.0.255.255\n",
" src_port: POSTGRES_SERVER\n",
" dst_ip: 192.168.220.3 # (ST_DATA-PRV-SRV-DB)\n",
" dst_wildcard: 0.0.255.255\n",
" dst_port: POSTGRES_SERVER\n",
" protocol_name: TCP\n",
"```"
]
},
{
@@ -257,9 +266,73 @@
"metadata": {},
"outputs": [],
"source": [
"env.step(43)\n",
"env.step(45)\n",
"env.step(47)"
"env.step(43);"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-CR | router-acl-add-rule | P3: ST_PROJ-B-PRV-PC-2 !==> ST_DATA-PRV-SRV-DB (TCP:POSTGRES_SERVER)\n",
"45:\n",
" action: router-acl-add-rule\n",
" options:\n",
" target_router: ST_INTRA-PRV-RT-CR\n",
" position: 2\n",
" permission: DENY\n",
" src_ip: 192.168.240.3 # (ST_PROJ-B-PRV-PC-2)\n",
" src_wildcard: 0.0.255.255\n",
" src_port: POSTGRES_SERVER\n",
" dst_ip: 192.168.220.3 # (ST_DATA-PRV-SRV-DB)\n",
" dst_wildcard: 0.0.255.255\n",
" dst_port: POSTGRES_SERVER\n",
" protocol_name: TCP\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(45);"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-CR | router-acl-add-rule | P4: ST_PROJ-C-PRV-PC-3 !==> ST_DATA-PRV-SRV-DB (TCP:POSTGRES_SERVER)\n",
"47:\n",
" action: router-acl-add-rule\n",
" options:\n",
" target_router: ST_INTRA-PRV-RT-CR\n",
" position: 3\n",
" permission: DENY\n",
" src_ip: 192.168.250.4 # (ST_PROJ-C-PRV-PC-3)\n",
" src_wildcard: 0.0.255.255\n",
" src_port: POSTGRES_SERVER\n",
" dst_ip: 192.168.220.3 # (ST_DATA-PRV-SRV-DB)\n",
" dst_wildcard: 0.0.255.255\n",
" dst_port: POSTGRES_SERVER\n",
" protocol_name: TCP\n",
" \n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(47);"
]
},
{
@@ -319,7 +392,7 @@
"|Target Router | Impact |\n",
"|----------------------|--------|\n",
"|`ST_INTRA-PRV-RT-DR-1`| Blocks all `POSTGRES_SERVER` that arrives at the `ST_INTRA-PRV-RT-DR-1` router. This rule will prevent all ST_PROJ_* hosts from accessing the database (`ST_DATA-PRV-SRV-DB`).|\n",
"|`ST_INTRA-PRV-RT-CR`| Blocks all `HTTP` traffic that arrives at the`ST_INTRA-PRV-RT-CR` router. This rule will prevent all SOME_TECH hosts from accessing the webserver (`ST-DMZ-PUB-SRV-WEB`)|\n",
"|`ST_INTRA-PRV-RT-CR`| Blocks all `HTTP` traffic that arrives at the`ST_INTRA-PRV-RT-CR` router. This rule will prevent all SOME_TECH hosts from accessing the webserver (`ST_DMZ-PUB-SRV-WEB`)|\n",
"|`REM-PUB-RT-DR`| Blocks all `DNS` traffic that arrives at the `REM-PUB-RT-DR` router. This rule prevents any remote site works from accessing the DNS Server (`ISP-PUB-SRV-DNS`).|"
]
},
@@ -418,26 +491,7 @@
"source": [
"## Preventing TAP003 attack\n",
"\n",
"The blue agent can prevent the red agent from adding ACL rules. TAP003 relies on connecting to the router via SSH, and sending remote ACL_ADDRULE requests. The blue agent can prevent this by pre-emptively changing the admin password on the affected routers or by blocking SSH traffic between the red agent's starting node and the target routers."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.reset()\n",
"obs, reward, term, trunc, info = env.step(0)\n",
"old = obs\n",
"for i in range(128): \n",
" obs, reward, term, trunc, info = env.step(0)\n",
" new = obs\n",
"\n",
"diff = DeepDiff(old,new)\n",
"print(f\"Step {env.game.step_counter}\") # it's the next step now because the step counter is incremented after the step\n",
"for d,v in diff.get('values_changed', {}).items():\n",
" print(f\"{d}: {v['old_value']} -> {v['new_value']}\")"
"TAP003 relies on connecting to the routers via SSH, and sending `add_rule` terminal commands. The blue agent can prevent this by pre-emptively changing the admin password on the affected routers or by blocking SSH traffic between the red agent's starting node and the target routers."
]
},
{
@@ -453,8 +507,8 @@
"metadata": {},
"outputs": [],
"source": [
"env.reset()\n",
"finish_episode_and_print_reward()\n",
"\n",
"for ag in env.game.agents.values():\n",
" print(ag.config.ref, ag.reward_function.total_reward)"
]
@@ -473,7 +527,39 @@
"outputs": [],
"source": [
"env.reset()\n",
"env.step(51) # SSH Blocking ACL on ST-INRA-PRV-RT-R1\n",
"env.step(51) # SSH Blocking ACL on ST_INRA-PRV-RT-R1"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-DR-1 | router-acl-add-rule | P1: ST_INTRA-PRV-RT-DR-1 !==> ANY (TCP:SSH)\n",
"51:\n",
" action: router-acl-add-rule\n",
" options:\n",
" target_router: ST_INTRA-PRV-RT-DR-1\n",
" position: 1\n",
" permission: DENY\n",
" src_ip: 192.168.230.2 # (ST_PROJ-A-PRV-PC-1)\n",
" src_wildcard: 0.0.255.255\n",
" src_port: SSH\n",
" dst_ip: ALL\n",
" dst_wildcard: 0.0.255.255\n",
" dst_port: SSH\n",
" protocol_name: TCP\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"finish_episode_and_print_reward()\n",
"\n",
"for ag in env.game.agents.values():\n",
@@ -484,7 +570,97 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"Additionally, another option the blue agent can take is to change the passwords of the different target routers that TAP003 will attack through the `NODE_ACCOUNTS_CHANGE_PASSWORD` action."
"Additionally, another option the blue agent can take is to change the passwords of the different target routers that TAP003 will attack through the `node-account-change-password` action."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.reset()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_DATA-PRV-SRV-DB | node-account-change-password | Changes the password of a user account\n",
"50:\n",
" action: node-account-change-password\n",
" options:\n",
" node_name: ST_DATA-PRV-SRV-DB\n",
" username: admin # default account\n",
" current_password: admin # default password\n",
" new_password: thr33_alert_wolv3z # A more 'secure' password\n",
" \n",
"```\n"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(50); "
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-DR-1 | node-account-change-password\n",
"52:\n",
" action: node-account-change-password\n",
" options:\n",
" node_name: ST_INTRA-PRV-RT-DR-1\n",
" username: admin\n",
" current_password: admin\n",
" new_password: secure_password\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(52);"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# REM-PUB-RT-DR | node-account-change-password\n",
"54:\n",
" action: node-account-change-password\n",
" options:\n",
" node_name: REM-PUB-RT-DR\n",
" username: admin\n",
" current_password: admin\n",
" new_password: secure_password\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(54); "
]
},
{
@@ -493,10 +669,6 @@
"metadata": {},
"outputs": [],
"source": [
"env.reset()\n",
"env.step(50) # NODE_ACCOUNTS_CHANGE_PASSWORD | ST_INTRA-prv-rt-cr\n",
"env.step(52) # NODE_ACCOUNTS_CHANGE_PASSWORD | ST_INTRA-prv-rt-dr-1\n",
"env.step(54) # NODE_ACCOUNTS_CHANGE_PASSWORD | rem-pub-rt-dr\n",
"finish_episode_and_print_reward()\n",
"\n",
"for ag in env.game.agents.values():\n",
@@ -527,15 +699,88 @@
"env.game.simulation.network.get_node_by_hostname(\"REM-PUB-RT-DR\").acl.show()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(44) # ROUTER_ACL_REMOVERULE | ST_INTRA-prv-rt-cr\n",
"env.step(53) # ROUTER_ACL_REMOVERULE | ST_INTRA-prv-rt-dr-1\n",
"env.step(55) # ROUTER_ACL_REMOVERULE | rem-pub-rt-dr"
"env.step(44);"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-CR | REMOVE_ACL_ADDRULE | Removes a given ACL at position 1\n",
"44:\n",
" action: router-acl-remove-rule\n",
" options:\n",
" target_router: ST_INTRA-PRV-RT-CR\n",
" position: 1\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(53);"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# ST_INTRA-PRV-RT-DR-1 | router-acl-remove-rule | Removes the given ACL at position 1\n",
"53:\n",
" action: router-acl-remove-rule\n",
" options:\n",
" target_router: ST_INTRA-PRV-RT-DR-1\n",
" position: 1\n",
"\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"env.step(55);"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"```yaml\n",
"\n",
"# REM-PUB-RT-DR | router-acl-remove-rule | Removes the given ACL at position 1\n",
"55:\n",
" action: router-acl-remove-rule\n",
" options:\n",
" target_router: REM-PUB-RT-DR\n",
" position: 1\n",
"\n",
"```"
]
},
{
@@ -546,7 +791,7 @@
"source": [
"env.game.simulation.network.get_node_by_hostname(\"ST_INTRA-PRV-RT-CR\").acl.show()\n",
"env.game.simulation.network.get_node_by_hostname(\"ST_INTRA-PRV-RT-DR-1\").acl.show()\n",
"env.game.simulation.network.get_node_by_hostname(\"REM-PUB-RT-DR\").acl.show()\n"
"env.game.simulation.network.get_node_by_hostname(\"REM-PUB-RT-DR\").acl.show()"
]
},
{
@@ -564,7 +809,7 @@
],
"metadata": {
"kernelspec": {
"display_name": ".venv",
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},

122
src/primaite/notebooks/UC7-network_connectivity.ipynb
View File

@@ -9,6 +9,15 @@
"© Crown-owned copyright 2025, Defence Science and Technology Laboratory UK\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"This notebook is meant as supplementary material to the more expansive [UC7 E2E notebook](./UC7-E2E-Demo.ipynb).\n",
"\n",
"Focusing on the simulation components of UC7, this notebook primarily intends to demonstrate the default connectivity and prove that the simulation is operating as expected. Additionally, this notebook assumes that the reader is familiar with both UC7 and PrimAITE's networking simulation as no supplementary text cells to explain specific output are provided."
]
},
{
"cell_type": "markdown",
"metadata": {},
@@ -46,6 +55,7 @@
"from primaite.simulator.network.container import Network\n",
"from primaite.simulator.network.hardware.nodes.network.firewall import Firewall\n",
"from primaite.game.game import PrimaiteGame\n",
"from primaite.simulator.system.services.dns.dns_client import DNSClient\n",
"from primaite.simulator.sim_container import Simulation\n",
"import yaml\n",
"from pprint import pprint\n",
@@ -210,16 +220,6 @@
"home_pub_pc_1.ping(target_ip_address=isp_pub_srv_dns.network_interface[1].ip_address)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"isp_pub_rt_br.show_nic()\n",
"isp_pub_rt_br.ping(\"192.168.1.2\")\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
@@ -371,15 +371,6 @@
"st_pub_fw.ping(isp_pub_srv_dns.network_interface[1].ip_address)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Some Tech DMZ public web serv"
]
},
{
"cell_type": "code",
"execution_count": null,
@@ -391,13 +382,6 @@
"st_pub_fw.ping(isp_pub_rt_br.network_interface[4].ip_address)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
},
{
"cell_type": "markdown",
"metadata": {},
@@ -870,7 +854,7 @@
"metadata": {},
"outputs": [],
"source": [
"# ST Private Project c PC 3 --> Public DNS\n",
"# ST Private Project C PC 3 --> Public DNS\n",
"\n",
"st_project_c_private_pc_3.ping(isp_pub_srv_dns.network_interface[1].ip_address)"
]
@@ -881,6 +865,8 @@
"metadata": {},
"outputs": [],
"source": [
"# ST Private Project C PC 1 --> ST Private Project B PC 1\n",
"\n",
"st_project_c_private_pc_1.ping(st_project_b_private_pc_1.network_interface[1].ip_address)"
]
},
@@ -890,6 +876,8 @@
"metadata": {},
"outputs": [],
"source": [
"# ST Private Project B PC 1 --> ST Private Project A PC 1\n",
"\n",
"st_project_b_private_pc_1.ping(st_project_a_private_pc_1.network_interface[1].ip_address)"
]
},
@@ -899,6 +887,8 @@
"metadata": {},
"outputs": [],
"source": [
"# ST Private Project A PC 1 --> ST Head Office Private PC 1\n",
"\n",
"st_project_a_private_pc_1.ping(st_head_office_private_pc_1.network_interface[1].ip_address)"
]
},
@@ -908,6 +898,8 @@
"metadata": {},
"outputs": [],
"source": [
"# ST Private Project A PC 1 --> ST Human Resources Private PC 1\n",
"\n",
"st_project_a_private_pc_1.ping(st_human_resources_private_pc_1.network_interface[1].ip_address)"
]
},
@@ -924,7 +916,7 @@
"metadata": {},
"outputs": [],
"source": [
"# DNS Server\n",
"# dns-server\n",
"\n",
"isp_pub_srv_dns.software_manager.show()"
]
@@ -935,7 +927,7 @@
"metadata": {},
"outputs": [],
"source": [
"# Web Server & Web Browser\n",
"# web-browser\n",
"\n",
"st_project_a_web_browser = st_project_a_private_pc_1.software_manager.software[\"web-browser\"]\n",
"st_project_a_web_browser.get_webpage()"
@@ -947,6 +939,8 @@
"metadata": {},
"outputs": [],
"source": [
"# web-server\n",
"\n",
"st_web_server = st_dmz_pub_srv_web.software_manager.software[\"web-server\"]\n",
"st_web_server.sys_log.show()"
]
@@ -957,8 +951,19 @@
"metadata": {},
"outputs": [],
"source": [
"# database-client\n",
"\n",
"st_database_client = st_project_a_private_pc_1.software_manager.software[\"database-client\"]\n",
"st_database_client.connect()\n",
"st_database_client.connect()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# database-service\n",
"\n",
"st_database = st_data_private_server_database.software_manager.software[\"database-service\"]\n",
"st_database.sys_log.show()"
@@ -970,6 +975,8 @@
"metadata": {},
"outputs": [],
"source": [
"# ftp-server\n",
"\n",
"st_ftp_server = st_data_private_server_storage.software_manager.software[\"ftp-server\"]\n",
"\n",
"st_ftp_server.sys_log.show()"
@@ -981,24 +988,21 @@
"metadata": {},
"outputs": [],
"source": [
"from primaite.simulator.system.services.dns.dns_client import DNSClient\n",
"home_pub_rt_dr.acl.show()\n",
"# dns-client \n",
"\n",
"home_pub_pc_1: Computer = network.get_node_by_hostname(\"HOME-PUB-PC-1\")\n",
"dns_client: DNSClient = home_pub_pc_1.software_manager.software[\"dns-client\"]\n",
"\n",
"dns_client.check_domain_exists(target_domain=\"some_tech.com\")\n",
"dns_client.dns_cache.get(\"some_tech.com\", None) is not None\n",
"dns_client.dns_cache.get(\"some_tech.com\", None)\n",
"len(dns_client.dns_cache) == 1\n"
]
},
{
"cell_type": "code",
"execution_count": null,
"cell_type": "markdown",
"metadata": {},
"outputs": [],
"source": [
"env.step(0)"
"## UC7 Network | Green & Red Agent (TAP001) default behaviour"
]
},
{
@@ -1007,16 +1011,7 @@
"metadata": {},
"outputs": [],
"source": [
"env.step(0)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"for _ in range(80):\n",
"for _ in range(100):\n",
" env.step(0)"
]
},
@@ -1029,13 +1024,13 @@
"def print_agent_actions_except_do_nothing(agent_name):\n",
" print(f\"\\n{agent_name} actions this episode:\")\n",
" for item in env.game.agents[agent_name].history:\n",
" if item.action != \"DONOTHING\":\n",
" if item.action != \"do-nothing\":\n",
" node, application = 'unknown', 'unknown'\n",
" if (node_id := item.parameters.get('node_id')) is not None:\n",
" node = env.game.agents[agent_name].action_manager.node_names[node_id]\n",
" if (application_id := item.parameters.get('application_id')) is not None:\n",
" application = env.game.agents[agent_name].action_manager.application_names[node_id][application_id]\n",
" print(f\"Step: {item.timestep}, action: {item.action}, {node}, {application}, response: {item.response.status}\")\n",
" if (item.parameters.get('node_name')) is not None:\n",
" node = item.parameters.get('node_name')\n",
" if (item.parameters.get('application_name')) is not None:\n",
" application = item.parameters.get('application_name')\n",
" print(f\"Step: {item.timestep}, action: {item.action}, node: {node}, application: {application}, response: {item.response.status}\")\n",
"\n",
"print_agent_actions_except_do_nothing(\"HOME_WORKER-1-DB\")"
]
@@ -1047,7 +1042,7 @@
"outputs": [],
"source": [
"green_agent = env.game.agents.get(\"HOME_WORKER-1-DB\")\n",
"green_agent.reward_function.total_reward"
"print(f\"Green Agent Ref: {green_agent.config.ref} Reward: {green_agent.reward_function.total_reward}\")"
]
},
{
@@ -1066,7 +1061,7 @@
"outputs": [],
"source": [
"green_agent = env.game.agents.get(\"HOME_WORKER-1-WEB\")\n",
"green_agent.reward_function.total_reward"
"print(f\"Green Agent Ref: {green_agent.config.ref} Reward: {green_agent.reward_function.total_reward}\")"
]
},
{
@@ -1085,26 +1080,17 @@
"metadata": {},
"outputs": [],
"source": [
"st_project_a_private_pc_1.file_system.show()\n",
"# successful TAP001 kill chain\n",
"\n",
"# # st_project_a_private_pc_1.file_system.folders[\"exfiltration\"].show()\n",
"st_project_a_private_pc_1.file_system.show(full=True)\n",
"\n",
"# st_project_a_private_pc_1.software_manager.show()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"st_intra_prv_rt_cr.acl.show()"
"st_data_private_server_database.file_system.show(full=True)"
]
}
],
"metadata": {
"kernelspec": {
"display_name": ".venv",
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},