Malevolent Activities Detection and Cyber Range Scenarios Orchestration

increasing availability of Internet accessible services driven by the di usion of connected devices. The consequent exposition to cyber-threats demands for suitable methodologies, techniques and tools allowing to adequately handle issues arising in such a complex domain. Most Intrusion Detection Systems are capable of detecting many attacks, but cannot provide a clear idea to the analyst because of the huge number of false alerts generated by these systems. This weakness in the IDS has led to the emergence of many methods in which to deal with these alerts, minimize them and highlight the real attacks. Furthermore, experience shows that the inter- pretation of the alerts usually requires more than the single messages provided by the sensors, so there is a need for techniques that can analyse the alerts within the context in which they have been generated. This might require the ability to correlate them with some other contextual information provided by other devices. Using synthetic data to design, implement and test these techniques its not fair and reliable because the variety and unpredictability of the real world data. On the other hand retrieve these information from real world networks is not easy (and sometimes impossible) due to privacy and con dential restrictions. Virtual Environments, Software De ned Systems and Software De ned Net- work will play a critical role in many cyber-security related aspects like the assessment of newly devised intrusion detection techniques, the generation of real world like logs, the evaluation of skills of cyber-defence team members and the evaluation of the disruptive e ects caused by the di usion of new malware. This thesis proposes, among other things, a novel domain-speci c platform, named SmallWorld, aimed to easily design, build and deploy realistic com- puter network scenarios achieved by the immersion of real systems into a software de ned virtual environment, enriched by Software De ned Agents put in charge of reproducing users or bot behaviours. Additionally, to provide validation and performance evaluation of the proposed platform, a number of Scenarios (including penetration testing laboratories, IoT and domotics net- works and a reproduction of the most common services on Internet like a DNS server, a MAIL server, a booking service and a payment gateway) have been developed inside SmallWorld. Over time the platform has been rewrit- ten and radically improved leading to the birth of Hacking Square. This new version is currently available on-line and freely accessible from anyone. The impact of this research prototype has been demonstrated, above all, during the course of "Metodi e Strumenti per la Sicurezza Informatica" for the mas- ter degree in Cyber Security at DIMES, University of Calabria. In fact, the platform has been employed to build the laboratory of the course as an in cloud service for students (including all the material to conduct exercises and assignments) and to organize a, practical, Capture the Flag (CTF) like nal test. Finally, the platform is under the attention of Consorzio Interuniver- sitario per l'Informatica (CINI), as it could be used to manage and deploy training content for the CyberChallenge 2018. Dottorato di Ricerca in Information and Computation Technologies, Ciclo XXX Università della Calabria