Ludus is a joint project between the Stratosphere Research Laboratory and CZ.NIC. The aim is to develop game theory based defense strategies for home Turris routers.
The Ludus system is a group of tools used for gathering information about the network in each of the Turris routers and applying the defence strategy gained from the Game Theory model. Since we use plenty of features for computing the Security Measure and the data comes from different sources and sensors, each tool collects data from one source.
Structure of Ludus system
Ludus System consists of several tools
- IPtables Analyzer
The purpose of our tool IPtables Analyzer is to find out how each router is being used. We analyze the iptables of settings of the router and extract set of production ports. Production port is a port that is actively used (there is a service running, port is forwarded to another port etc.) That is a crucial piece of information for the game theory because we can not open a honeypot in the production ports. We do not keep any record about the type of service for which the port is used. Second part of the analysis is to find out if there are any active honeypots. Currently we can use the minipots developed by CZNIC, SSH honeypot and TARPIT honeypot.
Suricata is free network threat detection software designed for real-time intrusion detection and network security monitoring. It is a rule-based engine which means it compares the traffic with a set of rules and generates alerts if any of the rules triggers. Suricata produces a “eve.json” file where all the events from the interface it is listening on are logged. Logs of suricata are not sorted or formated in a way in which the Ludus system could use. Therefore, we developed the a tool which reads the output file and filters the information required.
Ludus.py is a main program of the system. It controls all submodules of the Ludus system described above. Ludus program is designed to run iteratively. For that the concept of time windows is used. It divides the time continuum into discrete parts that can be analysed individually. With discrete time windows we can use Security Measure to determine the Security Level of the network. However, network traffic is continuous which means that Suricata has to run independently to minimize the chance of missing a packet between the two time windows. Ludus is the only part responsible for discretizing the traffic into time windows which means we can avoid the troubles with synchronizing the time windows in different parts of the system.
In every iteration two major actions are performed. Firstly, using the submodules it gathers the information necessary for computing the security measure. For that we use the Suricata Extractor. This information is stored in the log file and send to the CZNIC afterwards. Second task for Ludus is to analyze the settings of the router and apply the strategy consistent with the setup. IPTables Analyzer takes key part in this process. Since the strategy is based on probability it is only being changes if any of following criteria is met:
- Changes in the settings of router
- Changes in Strategy file
- Current strategy exceeds TTL( time to live)
If we detect any changes in the setup, strategy renewal is necessary to ensure the consistency with new setup of the router. If more recent strategy file is being distributed to the router same action is required. The concept of strategy Time To Live was developed to reevaluate after set time limit is reached if none of the previous conditions was satisfied. It prevents us from keeping static strategy. We generate the strategy with same conditions which means that possible change in the defence strategy is based on chance. TTL can differ in every strategy file as this parameter is part of the Game Theory model.