Information technology system (ITS), informally, consists of hardware and software infrastructure (e.g., workstations, servers, laptops, installed software packages, databases, LANs, firewalls, etc.), along with physical and logical connections and inter-dependencies between various items. Nowadays, every company owns and operates an ITS, but detailed information about the system is rarely publicly available. However, there are many situations where the availability of such data would be beneficial. For example, cyber ranges need descriptions of complex realistic IT systems in order to provide an effective training and education platform. Furthermore, various algorithms in cybersecurity, in particular attack tree generation, need to be validated on realistic models of IT systems. In this paper, we describe a system we call the Generator that, based on the high-level requirements such as the number of employees and the business area the target company belongs to, generates a model of an ITS that satisfies the given requirements. We put special emphasis on the following two criteria: the generated ITS models a large amount of details, and ideally resembles a real system. Our survey of related literature found no sufficiently similar prior works, so we believe that this is the first attempt of building something like this. We created a proof-of-concept implementation of the Generator, validated it by generating ITS models for a simplified fictional financial institution, and analyzed the Generators performance with respect to the problem size. The research was done in an iterative manner, with coauthors continuously providing feedback on intermediate results. (...) We intend to extend this prototype to allow probabilistic generation of IT systems when only a subset of parameters is explicitly defined, and further develop and validate our approach with the help of domain experts.
翻译:非正式的信息技术系统(ITS)由硬件和软件基础设施(例如工作站、服务器、膝上型计算机、已安装的软件包、数据库、局域网、防火墙等)组成,以及各种项目之间的实际和逻辑联系和相互依存关系。现在,每个公司拥有并运行着ITS,但有关该系统的详细信息很少公开提供。然而,在很多情况下,提供这类数据将是有益的。例如,网络范围需要描述复杂的现实信息技术系统,以便提供一个有效的培训和教育平台。此外,网络安全方面的各种算法,特别是攻击性树类的生成,需要以现实的信息技术系统模型验证。在本论文中,我们称之为发电机的系统,根据高层次的要求,如雇员人数和目标公司所属的商业领域,产生一个能够满足既定要求的ITS模式。我们特别强调了以下两个标准:我们生成的ITS模型是大量的细节,而且理想地类似于一个真实的系统。我们对相关文献的调查发现,之前没有足够相似的关于攻击性树生成的参数。在本论文中,我们描述一个系统是试图建立一个标准化的系统。我们这个系统,这是用来建立一个标准化的模型, 用来建立一个像一个用来模拟的系统。