IMALSE (Integrated MALware Simulator and Emulator) is a framework to help researchers implement prototypes of botnet based network malware. Researchers only have to implement the behavior of the malware. Once this has been accomplished the malware can be run in the following three modes:
- Emulation mode: In this mode, each instance of IMALSE will behave exactly like real malware. You can install it on a real machine, or on a virtual machine to set up a test bed to analyze the characteristics of the malware.
- Netns3 simulation mode: In this mode you can specify the topology of the network and the ip addresses of each node. IMALSE will launch virtual machines (linux namespaces) for each node in the network and it will construct the network automatically. All virtual nodes will connect to ns-3 through tab bridge and all traffic will consume there. This is a real-time simulation and it is based on the ns-3 project.
- Pure ns-3 simulation mode: No virtual machince will be launched for the pure ns-3 simulation mode, the whole simulation will be done in ns-3. The ns-3 default scheduler will be used instead of the real time scheduler in netns3 case, which saves much time. One simulation day may only consume several real seconds.
Comparison with other tools
The primary goal of NS-3 is to provide a network simulator, which means that no real packets will be passing through the real network interface. Although the emulation support has been added, the development of simulation and emulation are mostly unconnected, which wastes a lot of development resources. However, the development goal of Imalse is not to just provide a simulator or emulator, it implements a higher layer that unifies the development of simulation and emulation tools (at least for bot-net based malware simulation). Actually, the simulations in Imalse are mostly done by NS-3 in the back-end.
Imalse depends on CORE for its topology editor and its encapsulation of the Linux name space. CORE is a very excellent network emulator. However, what CORE intends to do is to create a new network and run application in real time. However, as noted above, Imalse tries to make the switch between simulation and emulation (for bot-net based malware simulation) effortless.
The ultimate goal of Imalse is to provide a tool that will help you to run your code on both NS-3, CORE and a real network. In the current stage, we focus on bot-net based malware simulations.
Typical Use Case
The following user case will help to determine whether you should use Imalse or not.
Suppose Conan is a Ph.D student who has proposed a novel anomaly detection technique for Internet traffic. He wants to demonstrate the usefulness of this approach. To do this, he designs a scenario wherein 100 client computers accessing a server through the internet, 10 of which had already been compromised and controlled by the bot-master through bot-net. At some point, the bot-master will initiate a ddos attack by asking all compromised computers to send ping requests to the servers. The anomaly detection technique requires all the incoming and outgoing traffic of the server for at least two days.
How can he collect the data he wants? Imalse provides different solutions at different abstract levels. He decides to use TopoSimExperiment in which he can load some topology file generated by Inet topology generator and select ddos_ping_attack attacking scenario from the Imalse software which provide exactly what he wants.
The first question is since the method is not mature, Conan wants to test it under different parameter combinations. It will be forever if each simulation takes more than two days. Fortunately, by running the simulation under pure ns-3 simulation mode Conan can finish one simulation within less than 100 real seconds, though the time has past for more than two days in the simulator.
After extensive testing, Conan has been quite confident about the performance of the anomaly detection technique now. But he is still a little bit worried about whether the result of ns-3 is convincing enough. As a result, he runs a complete simulation under the netns3 simulation model and collects data. Of course, this time it runs more than two days, but he doesn't care that much because he only needs to run it a couple of times. Conan generates some plots and writes a paper with data of the netns3 simulation model and satisfied with this.
A rich company named NetSecurity reads this paper and think it is a good method. They want to deploy it but need more realistic test before deployment, so they decide to test it under their intranet. They ask Conan for a copy of the code and select several computer in the intranet to join the bot-net, each computer runs an independent copy of imalse under emulation client mode, there is a computer serving as bot-master and running a imalse under emulation server model (the server refers to the C&C server in the bot net). The data of attacked server is recorded and analyzed with Conan’s tools. It turns out to be good, and the Company decides to use this method.
As a lazy Ph.D student, Conan just needs to write one copy of code to describe the scenario during the whole process. With the help of imalse, he can have more time to sleep and enjoy classical music. :)