AWARE is a tool that simulates different types of computer attacks on a personal computer running the Windows XP operating system. It is designed to teach both experienced and casual Windows XP users how to use system-supplied tools to detect potential attacks on their system resources. The AWARE training system meets the following specifications:
- Create a simple-to-use learning system on a common platform.
- Give the learner the ability to evaluate the attack and respond to it.
- Provide simulated system tools as close to the actual system tools as possible.
- Allow the creation and injection of attack footprints without damaging the underlying system.
- Provide some form of automated evaluation to give the student immediate feedback on their results.
The Windows XP operating system was used as the platform to emulate, and as the development system. The footprint, or trail of evidence, for each attack currently consists of the following elements:
- Rogue processes spawned or terminated
- Files/directories added, deleted, or modified
- Registry modifications
- Ports opened
- Certain firewall log entries
- Services added, activated, or disabled
AWARE was developed to record, in terms of these elements, the complete footprint of many viruses and attacks; to emulate the Windows XP environment; to inject the footprint of a chosen attack into that emulated environment; and to give the learner the ability to discover every simulated element the attack leaves behind.
We chose C# as the development language for two reasons:
- C# is a very powerful language for rapid Windows programming
- .NET has rich methods for XML integration and manipulation
Since Fairmont State University does not currently have courses covering C# or XML, our group had to first learn these two languages before any software development could begin.
From AWARE's startup screen, a user can either create a new attack footprint for entry into the knowledge base or select an existing attack for injection to start a training run. When AWARE is first started on a system, it loads all the system data it needs for the emulation from XML files. By default it uses XML files that describe a stock file system and registry; alternatively, the user can choose to use the file system and registry of the machine running the simulation, in which case AWARE generates file system and registry XML data files from that machine for use during simulations. When the learner then makes changes, such as deleting files or modifying registry entries, those changes are made to the data stored in the XML files, not to the real system data. In this way, all system modifications are contained inside the emulator.
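The following is an added illustration of the XML-backed emulation just described; it is example code written for this edit, not AWARE's own C# code, and the XML element names, attribute names, sample worm and sample firewall line are all constructed for the example rather than taken from AWARE's real schema. The footprint and the baseline system description are both XML; injection applies the footprint to a deep copy of the baseline, and that copy is what the emulated tools read, so neither the baseline nor the real machine is ever touched.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed attack footprint. Element and attribute names are assumptions
# made for this example; AWARE's real XML schema is not shown on the page.
FOOTPRINT_XML = """
<footprint name="example-worm">
  <process action="spawn" name="svch0st.exe"/>
  <file action="add" path="C:\\WINDOWS\\system32\\svch0st.exe"/>
  <file action="delete" path="C:\\WINDOWS\\system32\\drivers\\etc\\hosts"/>
  <registry action="set" key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
            value="Updater" data="C:\\WINDOWS\\system32\\svch0st.exe"/>
  <port action="open" proto="tcp" number="4444"/>
  <service action="add" name="WinUpdater" state="running"/>
  <firewall line="2005-03-01 12:00:01 OPEN TCP 10.0.0.9 10.0.0.5 1043 4444"/>
</footprint>
"""

# Constructed stand-in for the default file-system/registry XML, extended with
# the other state the emulated tools read. The layout is again an assumption.
BASELINE_XML = """
<system>
  <filesystem>
    <file path="C:\\WINDOWS\\system32\\svchost.exe"/>
    <file path="C:\\WINDOWS\\system32\\drivers\\etc\\hosts"/>
  </filesystem>
  <registry>
    <value key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
           name="ctfmon" data="C:\\WINDOWS\\system32\\ctfmon.exe"/>
  </registry>
  <processes><process name="svchost.exe"/></processes>
  <ports/>
  <services><service name="Dhcp" state="running"/></services>
  <firewall/>
</system>
"""


def upsert(parent, tag, ident, present, **extra):
    """Remove any child <tag> whose attributes match ident; re-add it if present."""
    for child in list(parent.findall(tag)):
        if all(child.get(k) == v for k, v in ident.items()):
            parent.remove(child)
    if present:
        ET.SubElement(parent, tag, **ident, **extra)


def inject(baseline, footprint):
    """Apply a footprint to a deep copy of the emulated state.
    The baseline tree (and the real machine) is never modified."""
    state = copy.deepcopy(baseline)
    for item in footprint:
        a, act = item.attrib, item.attrib.get("action")
        if item.tag == "process":
            upsert(state.find("processes"), "process", {"name": a["name"]}, act == "spawn")
        elif item.tag == "file":
            upsert(state.find("filesystem"), "file", {"path": a["path"]}, act in ("add", "modify"))
        elif item.tag == "registry":
            upsert(state.find("registry"), "value", {"key": a["key"], "name": a["value"]},
                   act == "set", data=a.get("data", ""))
        elif item.tag == "port":
            upsert(state.find("ports"), "port", {"proto": a["proto"], "number": a["number"]},
                   act == "open")
        elif item.tag == "service":
            upsert(state.find("services"), "service", {"name": a["name"]},
                   act in ("add", "activate", "disable"), state=a.get("state", ""))
        elif item.tag == "firewall":
            ET.SubElement(state.find("firewall"), "entry", line=a["line"])
        else:
            raise ValueError(f"unknown footprint element <{item.tag}>")
    return state


def snapshot(state):
    """What the emulated Task Manager, Explorer, Registry Editor, netstat,
    Services list and firewall log would display for this state."""
    return {
        "processes": sorted(p.get("name") for p in state.find("processes")),
        "files": sorted(f.get("path") for f in state.find("filesystem")),
        "registry": sorted((v.get("key"), v.get("name"), v.get("data"))
                           for v in state.find("registry")),
        "ports": sorted((p.get("proto"), int(p.get("number"))) for p in state.find("ports")),
        "services": sorted((s.get("name"), s.get("state")) for s in state.find("services")),
        "firewall": [e.get("line") for e in state.find("firewall")],
    }


def run_training(baseline_xml=BASELINE_XML, footprint_xml=FOOTPRINT_XML):
    """Return (snapshot before injection, snapshot after injection)."""
    baseline = ET.fromstring(baseline_xml)
    before = snapshot(baseline)
    after = snapshot(inject(baseline, ET.fromstring(footprint_xml)))
    if snapshot(baseline) != before:  # containment check: the baseline must be untouched
        raise RuntimeError("baseline state was modified by injection")
    return before, after


if __name__ == "__main__":
    before, after = run_training()
    for view in after:
        added = [x for x in after[view] if x not in before[view]]
        removed = [x for x in before[view] if x not in after[view]]
        print(f"{view:10} +{added} -{removed}")
```

Because the footprint is data rather than code, a new attack can be added to the knowledge base without writing any program logic, and because `inject` only ever touches a copy, a badly written footprint can at worst corrupt the copy, which is exactly the containment property the design calls for.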
Windows Tools for Detection
Several standard Windows XP tools that a user can employ to look for forensic traces of an attack have already been emulated inside AWARE. The emulated tools currently implemented are:
- Process list inside Task Manager, to monitor active processes
- Registry Editor, for entry searches
- Windows Explorer, to allow learners to look for unfamiliar files
- Internet Explorer, for Internet searches
- Search utility, for specific file searches
- Services list, similar to the Process list
- A visual version of netstat, to look for unusual port activity
- A limited version of the Windows Firewall log
- Control Panel, although only partially implemented
- The Run dialog, also only partially implemented
We also provided the capability to execute the actual version of Internet Explorer installed on the system. This allows users to do Internet searches while inside AWARE to support their learning process.
For each Windows tool available inside AWARE that lets the learner monitor system behavior, a tutorial is embedded inside the emulator that explains what the tool is, shows an example of what it looks like, describes how to run and use it, and finally explains what to look for as potentially aberrant.
The Evaluator records the system state once all the attack injections described above have been made. It also logs the actions the learner takes during the simulation while trying to discover the various aspects of the attack and clean up after it. Upon exiting, the Evaluator displays these results to the learner, noting the things they accomplished successfully, the items they missed, and the actions they took that were unnecessary.
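An added example of the scoring the Evaluator paragraph describes, written for this edit rather than taken from AWARE: the recorded post-injection state is reduced to the set of artifacts the attack left behind, the learner's action log is replayed against it, and the three outcomes the text names (accomplished, missed, unnecessary) fall out of plain set arithmetic. It also separates "noticed but not removed" from "never found", a distinction the text does not make explicitly. The artifact set, the action log, the tool names and the verb vocabulary are all constructed for the example.

```python
from dataclasses import dataclass

# Verbs that count as cleanup; "view" is inspection only. Constructed vocabulary.
REMEDIATING_VERBS = {"kill", "delete", "remove", "disable", "stop", "close"}


@dataclass(frozen=True)
class Artifact:
    kind: str    # process, file, registry, port, service
    ident: str   # process name, path, key\value, proto/port, service name


@dataclass(frozen=True)
class Action:
    tool: str    # emulated tool the learner used
    verb: str    # "view" or one of REMEDIATING_VERBS
    kind: str
    ident: str

    def target(self):
        return Artifact(self.kind, self.ident)


# Constructed: the state the Evaluator recorded right after injection,
# expressed as the set of artifacts the attack left behind.
INJECTED = frozenset({
    Artifact("process", "svch0st.exe"),
    Artifact("file", r"C:\WINDOWS\system32\svch0st.exe"),
    Artifact("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Artifact("port", "tcp/4444"),
    Artifact("service", "WinUpdater"),
})

# Constructed learner action log for one training run, in the order taken.
LOG = [
    Action("taskmgr", "view", "process", "svchost.exe"),
    Action("taskmgr", "kill", "process", "svch0st.exe"),
    Action("explorer", "delete", "file", r"C:\WINDOWS\system32\svch0st.exe"),
    Action("regedit", "delete", "registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Action("regedit", "delete", "registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon"),
    Action("services", "disable", "service", "Dhcp"),   # collateral damage to a legitimate service
    Action("netstat", "view", "port", "tcp/4444"),      # noticed the backdoor port, never closed it
]


def evaluate(injected, log):
    """Score a learner's run against the recorded footprint."""
    remediated = {a.target() for a in log if a.verb in REMEDIATING_VERBS}
    inspected = {a.target() for a in log if a.verb == "view"}
    cleaned = injected & remediated                      # accomplished successfully
    noticed_only = (injected & inspected) - remediated   # seen but left in place
    missed = injected - remediated - inspected           # never found at all
    unnecessary = [a for a in log                        # cleanup aimed at non-footprint items
                   if a.verb in REMEDIATING_VERBS and a.target() not in injected]
    return {
        "cleaned": cleaned,
        "noticed_only": noticed_only,
        "missed": missed,
        "unnecessary": unnecessary,
        "score": round(100 * len(cleaned) / len(injected)) if injected else 100,
    }


def report(result):
    """Render the Evaluator's exit screen as lines of text."""
    lines = [f"Score: {result['score']}%"]
    for label, key in (("Cleaned up", "cleaned"),
                       ("Noticed but not removed", "noticed_only"),
                       ("Missed", "missed")):
        for art in sorted(result[key], key=lambda x: (x.kind, x.ident)):
            lines.append(f"{label}: {art.kind} {art.ident}")
    for act in result["unnecessary"]:
        lines.append(f"Unnecessary: {act.verb} {act.kind} {act.ident} (via {act.tool})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(evaluate(INJECTED, LOG))))
```

Keeping the log in order matters for the "unnecessary" list: a learner who disables DHCP before finding the backdoor has made a different mistake from one who disables it afterwards, and the ordered log is what lets a tutorial point that out.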
Although every member of our team worked together in designing and building the framework used by AWARE, we were individually assigned tasks to write code for each Windows XP tool that was to be emulated. My assignments were to develop and/or extend the following tools:
- Simulation startup
- Netstat (GUI)
- Registry Editor
- Windows Explorer
- Internet Explorer
When all computer users religiously practice awareness, tomorrow's computing world will benefit greatly. The primary goal of this effort is to transform each individual's passive attitude, which allows an attack to take complete control of a system, into an active mindset that enforces system protection, detection of anomalous activity, and counteraction by the user through security awareness. AWARE is a tool that can help contribute to this much needed transformation.