Imalse (Integrated MALware Simulator and Emulator) is a framework that helps
researchers implement prototypes of botnet-based network malware. Researchers
only need to implement the malware behaviour once, and it can then run in the
following modes:
    1. emulation mode: In this mode, each copy of imalse will behave exactly
    like a real malware. You can install it on a real machine, or in a virtual
    machine, and set up a testbed to test the characteristics of the
    malware. (Don’t use it to attack other people’s machines ;) ) [Note: you can
    potentially work with Common Open Research Emulator to emulate a lot of
    nodes on one machine]
    2. netns3 simulation mode: You can specify the topology of the network and
    the IP addresses of each node in this mode. IMALSE will launch virtual
    machines (linux namespace) for each node in the network and construct the
    network automatically. All virtualized nodes will connect to NS3 through
    tapbridge and all traffic will be consumed there. The simulation runs in real
    time. It is based on the netns3 project.
    3. pure ns3 simulation mode: No virtual machine is launched in the
    pure ns3 simulation mode; the whole simulation is done in ns3. The ns3
    default scheduler is used instead of the real-time scheduler of the netns3
    case, which saves a lot of time. One simulated day may consume only several
    real seconds.
    4. hybrid approach: of pure ns3 mode and netns3 mode

    As shown by its name, the primary goal of NS3 is to provide a network
    simulator, which means that primarily no real packets pass through the
    real network interface. Although emulation support has been added, the
    development of simulation and emulation is mostly unconnected, which
    wastes a lot of development resources. The development goal of Imalse,
    however, is not just a simulator or an emulator: it is an upper layer that
    unifies the development of simulation and emulation tools (at least for
    botnet-based malware simulation). In fact, the simulations in Imalse are
    mostly done by NS3 in the backend.

    Imalse depends on CORE for its GUI editor and its encapsulation of linux
    namespaces. CORE is an excellent network emulator. However, what CORE
    intends to do is to create a new network and run applications in real time,
    whereas, as noted above, Imalse tries to make the switch between simulation
    and emulation (for botnet-based malware simulation) effortless.

The ultimate goal of Imalse is to be a tool that helps you run your code on
NS3, CORE and a real network alike. At the current stage, we focus on
botnet-based malware simulation.

The following use case will help you determine whether you should use Imalse or

Suppose Conan is a Ph.D student who has proposed a novel anomaly detection
technique for Internet traffic. He wants to demonstrate the usefulness of this
approach. To do this, he designs a scenario in which 100 client computers access
a server through the internet, 10 of which have already been compromised and
are controlled by a botmaster through a botnet. At some point, the botmaster will
initiate a ddos attack by asking all compromised computers to send ping requests
to the server. The anomaly detection technique requires all the incoming and
outgoing traffic of the server for at least two days.

How can he collect the data he wants? imalse provides different solutions at
different levels of abstraction. He decides to use **TopoSimExperiment**, in
which he can load a topology file generated by the `Inet <>`_ topology
generator, and selects the **ddos_ping_attack** attack scenario from the imalse
software, which provides exactly what he wants.

The first question is that, since the method is not mature, Conan wants to test
it under different parameter combinations. That would take forever if each
simulation took more than two days. Fortunately, by running the simulation under
**pure ns3 simulation mode**, Conan can finish one simulation in less than 100
real seconds, though more than two days have passed in the simulator.
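
Why a pure-simulation run can cover two simulated days in seconds, as an added example (not Imalse or ns3 code): a discrete-event loop jumps its clock from one event to the next instead of waiting in real time. The 100 clients, 10 bots and two-day window come from the use case above; the request periods, attack start time, hourly buckets and function names are assumptions, and no packets are sent.

```python
import heapq
import random
import time

DAY = 86_400.0  # seconds of simulated time


def simulate(n_clients=100, n_bots=10, attack_at=1.5 * DAY, end=2 * DAY,
             normal_period=300.0, flood_period=5.0, bucket=3600.0, seed=1):
    """Count requests reaching the server per bucket of simulated time.

    Clients 0..n_bots-1 are the compromised ones; after attack_at they send
    at flood_period instead of normal_period. All rates are constructed values.
    Returns (per-bucket counts, final simulated clock).
    """
    rng = random.Random(seed)
    queue = []  # min-heap of (simulated_time, client_id)
    for cid in range(n_clients):
        heapq.heappush(queue, (rng.uniform(0, normal_period), cid))
    counts = [0] * int(end // bucket)
    clock = 0.0
    while queue:
        t, cid = heapq.heappop(queue)
        if t >= end:
            continue  # this client is past the window; do not reschedule
        clock = t  # virtual clock jumps to the event: no sleeping
        counts[int(t // bucket)] += 1
        flooding = cid < n_bots and t >= attack_at
        period = flood_period if flooding else normal_period
        # exponential inter-arrival times around the chosen mean period
        heapq.heappush(queue, (t + rng.expovariate(1.0 / period), cid))
    return counts, clock


def timed_run():
    """Run the scenario once and report wall-clock cost next to simulated time."""
    start = time.perf_counter()
    counts, clock = simulate()
    return counts, clock, time.perf_counter() - start


if __name__ == "__main__":
    counts, clock, wall = timed_run()
    print(f"simulated {clock / DAY:.2f} days in {wall:.2f} real seconds")
    print("requests/hour before attack:", counts[30:36])
    print("requests/hour during attack:", counts[36:42])
```

The hourly counts are the kind of server-side series a detector would consume; the jump at hour 36 is the labelled anomaly.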

After extensive testing, Conan is now quite confident about the performance of
the anomaly detection technique. But he is still a little worried about
whether the ns3 result is convincing enough. As a result, he runs a complete
simulation under **netns3 simulation mode** and collects data. Of course, this
time it runs for more than two days, but he doesn't care that much because he
only needs to run it a very few times. Conan generates some plots, writes a paper
with the data from **netns3 simulation mode**, and is satisfied with this.

A rich company named NetSecurity reads this paper and thinks it is a good method.
They want to deploy it but need a more realistic test before deployment, so they
decide to test it in their intranet. They ask Conan for a copy of the code
and select several computers in the intranet to join the botnet. Each computer
runs an independent copy of imalse under **emulation client mode**, and one
computer serves as botmaster, running imalse under **emulation server
mode**\ (the server refers to the C&C server in the botnet). The data of the
attacked server is recorded and analyzed with Conan's tools. The result turns
out to be good, and the company decides to use this method.

As a lazy Ph.D student, Conan only needs to write one copy of the code describing
the scenario for the whole process. With the help of imalse, he has more
time to sleep and enjoy classical music. :)

Refer to INSTALL for the installation instructions.

Before you do anything, update the ROOT variable in to be the
absolute path of the current folder, with no slash '/' at the end.

If you want to use the emulator, run
    $ ./

If you want to use the simulator, you have two ways:
    1. Go to the NS3 path and type:
        $ ./waf shell
       You will enter the ns3 waf-sh. Then, in this shell, go back to this folder and type
        $ ./
    2. If you are lazy, just update the NS3_PATH value in and type
        $ ./sim

You can go to the following webpage for the help documentation:

You can view the wiki on the following webpage:

You can report issues on the following webpage:

Imalse is just a newbie. The features I am considering adding:

* Background Traffic Generator
    Imalse currently only describes the behaviour of abnormal nodes (the
    so-called "scenario"). Because of the lack of time, I haven't implemented
    the behaviour of normal nodes. An immediate feature that needs to be added
    is to provide some modes for the normal nodes. It may require different
    implementations for the sim node, netns3 node and real node, but they need
    to provide a unified interface. My preliminary idea is to use the NS3 on-off
    application for the sim node.

* Full support of Common Open Research Emulator.
    Imalse depends on CORE in two respects. The CORE GUI is used, with
    support for exporting an Imalse Configuration Script. The netns3 mode relies
    on some components of CORE. However, the whole procedure is not
    integrated and some features of CORE have problems.

* More Practical Attacking Scenario and More APIs for Node
    Imalse is useful only when there are more practical attack scenarios. Also,
    different scenarios may require different APIs for nodes. For example, a
    key logger may need a node API to record the key log. Whenever a Node API is
    added, support for Sim Node, Net ns3 Node and real node need to be