Implement TTC in MalSimulator #84

Open
mrkickling opened this issue Dec 16, 2024 · 2 comments · May be fixed by #113

Comments

@mrkickling
Contributor

TTCs should exist in the Simulator and affect if a step can be enabled or not.
But, how should they be defined and how should they be checked?

Currently:

  • Distributions can be defined in the language but are not cared for in the simulator

We want to:

  • Allow setting TTCs explicitly for combinations of
    • agents
    • attack step names
    • assets
    • asset types
  • It could happen in language, model or scenario level. To be decided.

Questions:

  • How to do it in a manner that is not super confusing and complex for the user?
  • Should we set distributions or values (num steps)?
  • If distribution - should it be converted to values or sampled?
  • Can we make a more simple solution in the meanwhile?

Adding @Hoclor as he brought the question back to life. Please add discussion if you have thoughts.

@sandorstormen
Contributor

sandorstormen commented Jan 17, 2025

As I see it, there are three ways of handling the TTCs in the simulation:

  • Score: When performing an attack step, the attacker gets the TTC as a penalty.
    • This can either be the expected value, sampled once at the start of the simulation or sampled each time.
  • Success Probability: When performing an attack step, the attacker has a success probability which is proportional to the TTC distribution.
  • Time Ticker: When performing an attack step, the attacker spends one TTC unit towards completing the attack step. The attacker will complete the attack step once exceeding the TTC mandated by the TTC distribution associated with the attack step.
    • This can be done probabilistically (the attacker having spent X TTC time units has Y probability of succeeding according to the TTC distribution). It can also be done by sampling a TTC (from the TTC distribution) each time the attacker chooses the attack step and checking if time spent on the time step exceeds the sampled value. These two methods should be equivalent. Another solution would be to sample the TTC values at the start of the simulation and have them fixed for the duration of the simulation. The attacker would then have to choose the attack step X times before completing it.

I think the underlying questions here are:

  1. What aspects of time in the hacking process are we seeking to model, in terms of a strategic simulation?
  2. What sources of variability do the TTCs represent?
     • Is there variability due to the exploit having some randomness in its utilization? Or is there variability because the hacker does not act as a machine? Or is it a combination of both?

Preferably the simulator should be able to support all these methods, unless/until it has been shown by research that one of these options is superior.
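An added example, not part of the thread and not MalSimulator code: two of the time-ticker variants described in the comment above, run on a single attack step. It assumes an exponential TTC distribution with a constructed rate and discretises time so that a step completes on the first tick at or after the sampled TTC; all function names are hypothetical.

```python
import math
import random

RATE = 0.2  # assumed Exponential TTC rate (mean 5 time units); constructed value


def cdf(t: float, rate: float = RATE) -> float:
    """P(TTC <= t) for an exponential TTC distribution."""
    return 1.0 - math.exp(-rate * t) if t > 0 else 0.0


def hazard(tick: int, rate: float = RATE) -> float:
    """P(step completes on this tick | still incomplete after tick - 1 ticks)."""
    survived = 1.0 - cdf(tick - 1, rate)
    return (cdf(tick, rate) - cdf(tick - 1, rate)) / survived


def ticks_probabilistic(rng: random.Random, rate: float = RATE) -> int:
    """Probabilistic ticker: every tick spent succeeds with the hazard probability."""
    tick = 1
    while rng.random() >= hazard(tick, rate):
        tick += 1
    return tick


def ticks_fixed_sample(rng: random.Random, rate: float = RATE) -> int:
    """Fixed ticker: sample the TTC once up front, then count ticks up to it."""
    ttc = rng.expovariate(rate)
    return max(1, math.ceil(ttc))  # at least one tick is always spent


def mean_ticks(variant, runs: int = 20000, seed: int = 1) -> float:
    """Average number of ticks the attacker spends before the step completes."""
    rng = random.Random(seed)
    return sum(variant(rng, RATE) for _ in range(runs)) / runs


def expected_ticks(rate: float = RATE) -> float:
    """Closed form: ceil(Exp(rate)) is geometric with p = 1 - exp(-rate)."""
    return 1.0 / (1.0 - math.exp(-rate))


if __name__ == "__main__":
    print("probabilistic ticker:", round(mean_ticks(ticks_probabilistic), 2))
    print("fixed-sample ticker: ", round(mean_ticks(ticks_fixed_sample), 2))
    print("closed form:         ", round(expected_ticks(), 2))
```

Both variants give the same distribution of completion ticks; they differ in whether the randomness is drawn per tick or once at the start, which matters for reproducibility and for what an agent can observe about remaining effort.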

@mrkickling
Contributor Author

Thanks for writing it out. I almost assumed the third (time ticker) option.

Supporting all would be ideal, but if we can get everyone to agree that one of them is enough for their needs that could be a starting point.

We should bring your points to the next mal sim meeting.

@mrkickling mrkickling linked a pull request Mar 20, 2025 that will close this issue