LESS Is More: Host-Agent Based Simulator for Large-Scale Evaluation of Security Systems

  • John Sonchack
  • Adam J. Aviv
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8713)


Recently proposed network security systems have demonstrated the benefits of scale for achieving many security goals, including the detection of worm outbreaks, botnets, and denial of service attacks. However, scale is also a barrier to further advancement of such systems: obtaining and working with appropriately large data sets is difficult, and existing simulation techniques are ill suited for this domain. To overcome these challenges, we propose a host behavior simulator, LESS, designed for evaluating large scale network security systems. LESS build and automatically configures the behaviors of host agents using background traffic samples and malicious traffic models. In turn, host agents communicate with each other throughout a simulation, generating traffic records. We demonstrate the applicability and benefits of LESS by tuning it with publicly available traces, and then using generated records to reproduce results from several recently proposed systems. We also used LESS to extend the evaluations of these systems, highlighting dimensions of large scale security system performance that would be difficult to study without simulation.


Data Challenges Large Scale Security Simulation Agent Based Stochastic 


  1. 1.
    Wagner, A., Plattner, B.: Entropy based worm and anomaly detection in fast ip networks. In: WETICE (2005)Google Scholar
  2. 2.
    Boggs, N., Hiremagalore, S., Stavrou, A., Stolfo, S.J.: Cross-domain collaborative anomaly detection: so far yet so close. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 142–160. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Zhang, J., Porras, P., Ullrich, J.: Highly predictive blacklisting. In: USENIX Security, vol. 8, pp. 107–122 (2008)Google Scholar
  4. 4.
    Katti, S., Krishnamurthy, B., Katabi, D.: Collaborating against common enemies. In: ACM IMC (2005)Google Scholar
  5. 5.
    Coskun, B., Dietrich, S., Memon, N.: Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts. In: Proceedings of the 26th Annual Computer Security Applications Conference (2010)Google Scholar
  6. 6.
    Sonchack, J., Aviv, A., Smith, J.M.: Bridging the data gap: Data related challenges in evaluating large scale collaborative security systems. In: 6th Workshop on Cyber Security Experitmentation and Testing (2013)Google Scholar
  7. 7.
    Aviv, A.J., Haeberlen, A.: Challenges in experimenting with botnet detection systems. In: USENIX 4th CSET Workshop (2011)Google Scholar
  8. 8.
    Floyd, S., Paxson, V.: Difficulties in simulating the internet. IEEE/ACM Transactions on Networking (TON) 9(4), 392–403 (2001)CrossRefGoogle Scholar
  9. 9.
    Riley, G.F.: The georgia tech network simulator. In: Proceedings of the ACM SIGCOMM MoMeTools Workshop, pp. 5–12. ACM (2003)Google Scholar
  10. 10.
    Lantz, B., Heller, B., McKeown, N.: A network in a laptop: rapid prototyping for software-defined networks. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, p. 19. ACM (2010)Google Scholar
  11. 11.
    Weigle, M.C., Adurthi, P., Hernández-Campos, F., Jeffay, K., Smith, F.D.: Tmix: a tool for generating realistic tcp application workloads in ns-2. ACM SIGCOMM Computer Communication Review 36(3), 65–76 (2006)CrossRefGoogle Scholar
  12. 12.
    Konda, V., Kaur, J.: Rapid: Shrinking the congestion-control timescale. In: IEEE INFOCOM 2009, pp. 1–9. IEEE (2009)Google Scholar
  13. 13.
    Cao, J., Cleveland, W.S., Gao, Y., Jeffay, K., Smith, F.D., Weigle, M.: Stochastic models for generating synthetic http source traffic. In: INFOCOM 2004, vol. 3, pp. 1546–1557. IEEE (2004)Google Scholar
  14. 14.
    Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: IEEE INFOCOM 2003, pp. 1901–1910. IEEE (2003)Google Scholar
  15. 15.
    Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B., Dagon, D.: Peer-to-peer botnets: Overview and case study. In: HOTBOTS, pp. 1–8 (2007)Google Scholar
  16. 16.
    Sommers, J., Yegneswaran, V., Barford, P.: Recent advances in network intrusion detection system tuning. In: IEEE 40th Annual CISS, pp. 1490–1495 (2006)Google Scholar
  17. 17.
    Chen, G., Gray, R.S.: Simulating non-scanning worms on peer-to-peer networks. In: ACM INFOSCALE, p. 29 (2006)Google Scholar
  18. 18.
    Rossey, L.M., Cunningham, R.K., Fried, D.J., Rabek, J.C., Lippmann, R.P., Haines, J.W., Zissman, M.A.: Lariat: Lincoln adaptable real-time information assurance testbed. In: IEEE Aerospace Conference Proceedings 2002, vol. 6, pp. 6–2671. IEEE (2002)Google Scholar
  19. 19.
    Bonabeau, E.: Agent-based modeling: Methods and techniques for simulating human systems. PNAS 99(suppl. 3), 7280–7287 (2002)CrossRefGoogle Scholar
  20. 20.
    Ripley, B.D.: Stochastic simulation, vol. 316. Wiley. com (1987)Google Scholar
  21. 21.
  22. 22.
  23. 23.
    Argus: Audit records generation and utilization system,
  24. 24.
    Xie, G., Iliofotou, M., Keralapura, R., Faloutsos, M., Nucci, A.: Subflow: Towards practical flow-level traffic classification. In: IEEE INFOCOM, 2012 Proceedings, pp. 2541–2545. IEEE (2012)Google Scholar
  25. 25.
    Tan, G., Poletto, M., Guttag, J.V., Kaashoek, M.F.: Role classification of hosts within enterprise networks based on connection patterns. In: USENIX Annual Technical Conference, General Track, pp. 15–28 (2003)Google Scholar
  26. 26.
    Blondel, V.D., Guillaume, J.L., Lambiotte, R., Lefebvre, E.: Fast unfolding of communities in large networks. Journal of Statistical Mechanics: Theory and Experiment 2008(10), P10008 (2008)Google Scholar
  27. 27.
    Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research 1, 80 (2011)Google Scholar
  28. 28.
  29. 29.
    Moore, D., Shannon, C., et al.: Code-red: a case study on the spread and victims of an internet worm. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurment, pp. 273–284. ACM (2002)Google Scholar
  30. 30.
    Hagberg, A., Swart, P., Schult, D.: Exploring network structure, dynamics, and function using networkx. Technical report, Los Alamos National Laboratory, LANL (2008)Google Scholar
  31. 31.
    Steger, A., Wormald, N.C.: Generating random regular graphs quickly. Combinatorics Probability and Computing 8(4), 377–396 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  32. 32.
    Barabási, A.L., Albert, R.: Emergence of scaling in random networks. Science 286(5439), 509–512 (1999)CrossRefMathSciNetGoogle Scholar
  33. 33.
    Erdos, P., Renyi, A.: On random graphs i. Publ. Math. Debrecen 6, 290–297 (1959)MathSciNetGoogle Scholar
  34. 34.
    Dorogovtsev, S.N., Mendes, J.F.: Evolution of networks. Advances in Physics 51(4), 1079–1187 (2002)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • John Sonchack
    • 1
  • Adam J. Aviv
    • 2
  1. 1.University of PennsylvaniaPhiladelphiaUSA
  2. 2.United States Naval AcademyAnnapolisUSA

Personalised recommendations