Jjschwartz / NetworkAttackSimulator

An environment for testing AI pentesting agents against a simulated network.

Home Page: https://networkattacksimulator.readthedocs.io/

Hope that the value of a sensitive host could be a negative number

Joe-zsc opened this issue · comments

commented

Dear Schwartz,
I'm using the NASim benchmark to train my agent; however, I found that the value of the sensitive host must be a positive number.

commented

Could you please update NASim?
Thank you very much.

Hey JoeJoe,
I set the restriction that the value of the sensitive hosts be positive since the goal of the environment is to gain access to specific "sensitive" hosts on the network, and so the agent receives a positive reward when it succeeds in doing that.

Before I make any changes, I just want to check why you may need the sensitive host to have a negative value?

commented

> Hey JoeJoe,
> I set the restriction that the value of the sensitive hosts be positive since the goal of the environment is to gain access to specific "sensitive" hosts on the network, and so the agent receives a positive reward when it succeeds in doing that.
>
> Before I make any changes, I just want to check why you may need the sensitive host to have a negative value?

I'm trying to set up a honeypot, and I think the host in the honeypot should have a negative value so that the agent can learn to avoid the honeypot host.

commented

> Hey JoeJoe,
> I set the restriction that the value of the sensitive hosts be positive since the goal of the environment is to gain access to specific "sensitive" hosts on the network, and so the agent receives a positive reward when it succeeds in doing that.
>
> Before I make any changes, I just want to check why you may need the sensitive host to have a negative value?

I added a sensitive host in the medium scenario, and I just set the value of this added host to -100. I see the honeypot host as a kind of "sensitive" host with a negative value. For this purpose, I changed the following functions in NASim:

In network.py

```python
def all_sensitive_hosts_compromised(self, state):
    # Only sensitive hosts with a positive value count towards the goal,
    # so a negative-valued (honeypot) host is skipped.
    s = []
    for i in self.sensitive_hosts.items():
        if i[1] > 0:
            s.append(i[0])
    for host_addr in s:
        if not state.host_has_access(host_addr, AccessLevel.ROOT):
            return False
    return True
```

In loader.py

```python
def _validate_sensitive_hosts(self, sensitive_hosts):
    # ... (excerpt) the check on `value` now only tests its type
    assert isinstance(value, (float, int)), \
        (f"Invalid sensitive host tuple: invalid value: {value}"
         f" != a positive int or float")
```

Hey JoeJoe,

Sorry for the slow response. I see what you're talking about. The way you have implemented it has some flaws. Mainly that the termination condition for an episode is when all sensitive hosts are compromised. That means that for the agent to finish an episode in the minimum number of steps they will have to compromise the honeypot and receive a large negative reward.

I am working on an update so that, in addition to specifying the sensitive hosts and their value, you can also specify the value of each host on the network. These values can be anything including negative, 0 or positive, and so would allow for modelling honeypots on the network. Implementing it this way has the benefit of not affecting the termination condition of the scenario.

As an example on a network with two sensitive hosts (2, 0) and (3, 0) with values of 100 and a honeypot host (2, 1) with value -100:

```yaml
sensitive_hosts:
  (2, 0): 100
  (3, 0): 100
...
host_configurations:
  (1, 0):
    os: linux
    services: [ssh]
    processes: [tomcat]
    firewall:
      (3, 0): [ssh]
  (2, 0):
    os: linux
    services: [ssh]
    processes: [tomcat]
    firewall:
      (1, 0): [ssh]
  (2, 1):
    os: linux
    services: [ssh]
    processes: [tomcat]
    firewall:
      (1, 0): [ssh]
    value: -100
  (3, 0):
    os: linux
    services: [ssh]
    processes: [tomcat]
```

If a value for a host is not specified then it will default to 0. So the value for the host (1, 0) will be 0.

I should have the update pushed later today. Feel free to let me know if you have any feedback on the proposed change.

Ok I have added the changes. See the v0.8.0 release of Nasim.
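
The termination problem and the per-host value approach discussed in this thread, as a toy model added here for illustration; it is not NASim code and not from the thread's participants. It brute-forces the best terminating episode when the honeypot is a sensitive host (A) and when it only carries a per-host value (B). Assumptions: every host is directly reachable, each compromise costs a flat 1, and `run_episode` / `best_episode` are hypothetical names.

```python
from itertools import permutations

STEP_COST = 1  # assumption: flat cost per compromise action (constructed)

# Constructed scenario using the host addresses from the reply above.
HOSTS = [(1, 0), (2, 0), (2, 1), (3, 0)]
HONEYPOT = (2, 1)
VALUES = {(2, 0): 100, (3, 0): 100, HONEYPOT: -100}  # unspecified hosts default to 0

SENSITIVE_A = {(2, 0), (3, 0), HONEYPOT}  # honeypot declared as a sensitive host
SENSITIVE_B = {(2, 0), (3, 0)}            # honeypot only carries a per-host value


def run_episode(order, values, sensitive):
    """Compromise hosts in `order`; stop once every sensitive host is owned.

    Returns (total_reward, hosts_compromised), or None if the goal is never reached.
    """
    owned, total = [], 0
    for host in order:
        owned.append(host)
        total += values.get(host, 0) - STEP_COST
        if sensitive <= set(owned):  # termination: all sensitive hosts compromised
            return total, tuple(owned)
    return None


def best_episode(hosts, values, sensitive):
    """Highest-return terminating episode, found by trying every host ordering."""
    runs = (run_episode(p, values, sensitive) for p in permutations(hosts))
    return max(r for r in runs if r is not None)


if __name__ == "__main__":
    for name, sensitive in (("A", SENSITIVE_A), ("B", SENSITIVE_B)):
        total, path = best_episode(HOSTS, VALUES, sensitive)
        print(f"design {name}: best return {total}, path {path}, "
              f"honeypot hit: {HONEYPOT in path}")
```

Under A every terminating episode has to include the honeypot, so the penalty is unavoidable and teaches the agent nothing about avoidance; under B the best episode skips it, and touching it costs the difference.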