A novel autonomous container-based platform for cybersecurity training and research

Web fronted

Web fronted module provides the graphical user interface for access between cyber range and users. Through web interface access compute, network, storage, and orchestration services and generate scenarios. The UNIWA cyber range provides an administrative user interface to perform management that includes resource management and access management to instances, volumes, flavors, images, projects, users, and services. Additionally, dynamic scenarios can be deployed over the Heat template according to user requirements.

Storage

The storage module aims to store artifacts that are needed for provision scenarios, testing, or image storage. Supports open standards including files, volumes, and block storage in various storage protocols (for example LVM, iSCSI, NFS). The UNIWA cyber range storage service supports a wide variety of disk (raw, qcow2, ISO, VHD) and container (OVF, Docker) formats for uploading images to the platform. Image service can act as an image registry for sharing images, allowing participants to discover, retrieve, and register VM (virtual machine) images and container images.

Scenario

The UNIWA cyber range uses Ansible and the YAML language and the Heat orchestration to create, deploy, execute, control, and destroy scenarios. The cybersecurity scenarios can create, designed, and saved in a file. The scenario can provide images already stored in the image repository or can be downloaded from Docker hub using Zun service API. The configuration file allows for the editing and modification of several aspects like network, storage, CPU, and ever more complex frameworks like CTFd, OSINT Opencti using hub.Docker.com. Using Docker repository or creating and injecting container images to Glance service can make more realistic scenarios.

Management

In the Management module resources like memory, computational resources, roles, storage capabilities, and network resources are managed. Exercise management assigns roles as well as computational resources to the scenario and running. The allocation of a participant’s roles and resources in an activity or experiment is taken into account. In an exercise or experiment, multiple scenarios can be conducted, and management deals with controlling multiple exercises or experiment scenarios in the environment. Additionally, log data can be gathered to evaluate.

Environment

The infrastructure on which the scenario is implemented, covering cloud, virtual, physical, and hybrid platforms, is depicted by the environment. Provisioning creates an environment that is used for exercise purposes. To make the cybersecurity exercise and environment more realistic, computational resources, user behavior characteristics, and random network traffic can be incorporated.

Orchestration

The orchestration module coordinates all services. Automates infrastructure lifecycle and software provision. Orchestration of infrastructure and the creation of an environment can be achieved with a single script file (Heat template). Resources (for example network IPs, user groups, and storage) can be created using templates, or more sophisticated features like high availability, and autoscaling. Orchestration focuses on infrastructure, but the templates work well with other IaC tools such as Ansible, Chef, and Puppet.

In the following paragraph we explain the workflow mechanism in the UNIWA cyber range architecture as illustrated in Fig. 1.

Participants access UNIWA cyber range system through the Web Fronted module’s graphical user interface. They log in and browse available scenarios, selecting the one they wish to participate in. Once a scenario is selected, participants can configure specific parameters such as network settings, storage requirements, and computational resources through the Web Fronted module. They can also specify any additional customization needed for the scenario. Upon confirming the configuration, the Orchestration module takes charge of provisioning the necessary infrastructure resources. It utilizes orchestration templates, such as Heat templates, to automatically create virtual machines, networks, storage volumes, and other required components. Alongside infrastructure provisioning, the Orchestration module integrates with IaC tools like Ansible. It deploys and configures the required software components, applications, and services within the provisioned infrastructure. This ensures that the cyber range environment is equipped with the necessary tools for the chosen scenario. Once the infrastructure and software resources are provisioned and configured, participants can start executing the scenario. They interact with the cyber range environment, perform tasks, and tackle the cybersecurity challenges presented within the scenario. Throughout the scenario execution, the Management module monitors various aspects of the cyber range environment, including resource utilization, performance metrics, and system health. Once participants complete the scenario initiate the cleanup process, deallocating and releasing the allocated resources, including virtual machines, networks, and storage volumes. The completed scenario, along with relevant logs and data, can be archived for future analysis and research purposes. This allows administrators and researchers to review the scenario’s execution, identify areas of improvement, and gain insights into participants’ performance and the effectiveness of the scenario design. The Storage module acts as a repository for scenarios, allowing administrators to store and manage scenario artifacts, templates, and configurations. It also enables sharing scenarios among different cyber range instances or with the broader cybersecurity community, fostering collaboration and knowledge exchange. Based on the feedback, analysis, and lessons learned from executed scenarios, administrators can make enhancements and updates to the scenarios, infrastructure templates, and software configurations. This iterative process ensures continuous improvement of the cyber range platform and the scenarios it offers.

The proposed cyber range platform offers several advantages over existing implementations. Firstly, it provides a flexible and scalable infrastructure for creating and running cybersecurity scenarios. The use of containerization technology allows for easy creation, distribution, and management of scenarios, reducing the time and effort required to deploy and manage them. Secondly, the platform allows for the customization of scenarios to meet the specific needs of different organizations and users. The use of open-source tools like Ansible and HEAT templates, as well as the availability of various pre-built images, allows for the creation of tailored scenarios that address specific security concerns and threats. Thirdly, the platform provides a user-friendly interface for managing the scenarios and the environment, making it accessible to users with varying levels of technical expertise. This makes it an ideal tool for cybersecurity education and training in academic institutions. Finally, the platform offers a cost-effective solution for cybersecurity education and training. The use of open-source tools and containerization technology reduces the cost of deploying and managing scenarios, making it an affordable option for small and medium-sized universities.

Virtual machine and docker container

Researchers (Lingayat, Badre & Gupta, 2018; Yadav, Sousa & Callou, 2018) compared the performance of Docker and VMs in terms of computing, storage, and memory, and the results show that Docker performs better in terms of execution times for the requests and startup time at least fifty percent higher. The VM’s architecture in conceptual contrast to Docker architecture is depicted in Fig. 2. Details on both architectures follow in the sequel.

A technology known as containerization organizes system libraries, networks, applications, and other components into a container structure. The programs are developed, organized, run, and delivered in containers. Docker container is a lightweight virtualization solution that ensures that the program functions in all environments and also automates the deployment of apps into containers. The container environment in which the programs are run and virtualized is supplemented by an additional layer of deployment engine.

Docker container assists in offering a speedy and light environment for code execution. Docker is based on an open-source container platform. Docker stores, shares, and exchanges in public repositories (hub.Docker.com), GitHub, etc., but also can upload in local and private repositories.

One of the benefits of using Docker containers is that applications are easily migrated to various machines and environments, which enhances development speed. Collaboration on complex projects is also facilitated by the ability to isolate project components into containers and evaluate them separately. Applications and services are scalable on-demand and in real-time, which significantly lowers IT costs. Finally, Docker provides simple commands to operate virtual devices. The main reason for Docker popularity is the simple commands and the reliability of the operation.

A virtual machine (VM) is a computer file, software program, or image that is built inside of a host computing system. A VM is perfect for testing other operating systems, developing operating systems, and running apps and software since it can perform tasks, like executing programs and applications on a separate computer.VMs give users access to a full operating system that can run a variety of software applications.

OpenStack Kolla-Ansible

As part of cyber range implementation, we are deploying the Kolla-Ansible OpenStack distribution. Kolla-Ansible facilitates the deployment of OpenStack services by utilizing Docker containers created with Kolla through the application of Ansible. It effectively orchestrates the creation of Docker containers specifically tailored for OpenStack services. Ansible serves as the primary deployment technique for managing these containers. The Kolla-Ansible solution offers a comprehensive and all-in-one deployment approach for OpenStack, rendering it a favored choice among DevOps practitioners. Particularly, individuals already familiar with Docker find Kolla-Ansible to be an ideal preference due to its compatibility and seamless integration. Additionally, leveraging the capabilities of Docker for virtual resource provisioning further enhances the advantages of adopting the Kolla-Ansible project.

Kolla-Ansible provides a highly streamlined approach for identifying and evaluating the system, which is a significant advantage when deploying OpenStack. The utilization of only two configuration files, namely “globals.yml” and “multinode.yml,” effectively specifies and manages the OpenStack services, including network, compute, and storage. The Kolla-Ansible installation file incorporates templates for each configuration file, ensuring proper deployment. Furthermore, the installation process requires the presence of the Ansible inventory file on each host, facilitating the configuration of connection parameters and services. Depending on the host’s group affiliations, Kolla-Ansible strategically deploys the necessary services on each host. This systematic procedure optimizes the deployment process and facilitates efficient management of the OpenStack environment.

OpenStack is a widely used platform for providing IaaS. As container solutions are increasingly being adopted, OpenStack must now develop numerous infrastructure resources (such as compute, network and storage) applicable to containers (Benomar et al., 2019). Zun is an OpenStack service that deploys container management services. Zun uses a variety of back-end technologies and offers APIs to conceal complexity and handle containers in an ambiguous form.

Zun can connect with other OpenStack services like Glance, Heat, and Nova, and supports Docker as a container run-time tool. Zun-compute is the core service of the Zun system and is carried out by an agent that runs on the compute nodes. The creation and use of containers are made without being concerned about managing servers or clusters. Zun can cover the complexity of the processes at the back-end by managing containers using a series of technologies, and thus interfaces with Glance and Neutron.

In order to provide networking resources, services, and functions for containers, Kuryr makes use of the high abstraction level and complicated services maintained by Neutron and its plugins. In fact, OpenStack Neutron APIs are mapped to the container network using Kuryr service. As a result, users can connect containers, bare metal servers, and VMs to the same networked system with equal net capabilities for every one of them.

Magnum leverages Container Orchestration Engines to automate cluster configuration using the OpenStack API. Use Openstack Heat service for orchestrating, and running Docker and Kubernetes operating systems on VMs or bare metal in a cluster.

Summarized, UNIWA cyber range provides a number of benefits, including:

• Scalability: UNIWA cyber range service provides a flexible container orchestration platform that can dynamically scale up or down based on demand. This means that cyber range environments can easily accommodate changes in the number of users, applications, or workloads without requiring significant manual intervention.

• Cost-effectiveness: A containerization is a cost-effective approach to managing cyber range environments. By using containers instead of virtual machines, administrators can reduce hardware and software costs, while also improving resource utilization.

• Portability: Containers are highly portable and can be easily moved between different environments. This means that cyber range environments can be easily replicated or moved to new locations as needed.

• Resource efficiency: Containers are lightweight and consume fewer resources than virtual machines, which means that more containers can be deployed on a given physical host. This helps improve resource utilization and reduces costs.

• Improved security: Containers provide a higher level of isolation between applications and users, which helps prevent security breaches. Additionally, OpenStack Zun service provides built-in security features such as encryption, authentication, and access control.

• Automation: OpenStack Zun service provides a powerful automation framework that can be used to automate many common tasks, such as container deployment, scaling, and management. This helps reduce the workload on cyber range administrators and improves operational efficiency. Overall, the proposed cyber range architecture based on provides a flexible, scalable, and cost-effective platform for managing cyber range environments. It enables cyber range administrators to deploy and manage containers more efficiently and provides a higher level of security compared to traditional virtual machine-based architectures.

Infrastructure environment

We implemented two instances of the UNIWA cyber range, both sharing the same OpenStack services and configurations. OpenStack Kolla-ansible is implemented in Ubuntu 22.04 OS and the following services are installed, Horizon, Neutron, Zun, Heat, Nova, Kuryr, Glance, Magnum, and Cinder. Instruction on the deployment of OpenStack with Kolla-Ansible is provided in Appendix. All OpenStack services created are Docker containers The primary distinction between these implementations lies in the computer resources utilized. The OpenStack services that are deployed are presented in Fig. 3.

The first implementation resides within the UNIWA data center, leveraging the ESXi hypervisor with the following specifications 32 GB of RAM, 2 × 100 GB of storage, and 16 VCPUs. The focus of this deployment is primarily centered around migrating the course curriculum lab exercises and creating intricate scenarios within the UNIWA data center environment.

The second implementation is deployed on a local ×380 laptop, utilizing VirtualBox as the type-2 hypervisor. The laptop is equipped with an Intel i5 8th Gen X380 processor, 4 CPU cores, 16 GB of RAM, and 2 × 40 GB of storage. VirtualBox is configured to allocate 4 Vcores, 8 GB of RAM, two virtual network interfaces, and 80 GB of storage for the virtual machine hosting the OpenStack services.

Infrastructure was implemented with Heat template using Web GUI or CLI. We use two main repositories Glance for local storing and hub.docker.com for Docker containers. In order to reduce resource consumption and maximize efficiency, we built the infrastructure environment with Docker images using Zun API service or Magnum API service. Heat interacts with Zun container API and Kuryr network API and creates infrastructure based on containers. The UNIWA cyber range system also supports the following container orchestration engines K8s, Swarm, and Mesos. In the future, we will include a cybersecurity scenario with COE.

Scenario engine

The primary purpose of the UNIWA cyber range platform is to facilitate cybersecurity exercises for educational, training, and research purposes. Existing exercises utilized in cybersecurity courses will be converted and ported to the platform.

Moreover, a key focus of the platform is to bridge the gap between theoretical knowledge and practical skills. Offering a wide array of exercises, it aims to provide students with the necessary resources to enhance their technical expertise. By applying new approaches and techniques (Macak, Oslejsek & Buhnova, 2022), trainees will be better prepared to tackle emerging threats in the field of cybersecurity (Maglaras & Kantzavelou, 2021).

Through Infrastructure as Code (IaC) tools and automated development processes, the unified platform will streamline the workload for all stakeholders involved in creating security exercises. It will also foster collaboration between students and professors within the university, as well as encourage collaboration with other institutions. The difficulty level of the cybersecurity exercises will be tailored to the specific course type, ranging from low difficulty for undergraduate or compulsory postgraduate courses to medium or high difficulty for core or elective courses.

The exercises aim to cover a comprehensive range of cybersecurity topics offered at the University of West Attica, including system security, network security, web security, internet security, and cryptography, among others. The chance to design their own exercises will be given to students, who can then include them in research-level courses or laboratory courses.

The exercises aim to cover a comprehensive range of cybersecurity topics offered at the University of West Attica, including system security, network security, web security, internet security, and cryptography, among others. Students will also have the opportunity to design their own exercises, which can be incorporated into research-level or laboratory courses.

At a research level, the following will be available to researchers and professionals:

• Development of new cybersecurity tools.

• Testing existing tools.

• Expand the platform to new sectors, such as industrial control systems, OT, or IoT.

• Participate in funded European cybersecurity projects.

• Collaboration with other universities in research and development programs.

• Conducts cybersecurity or Capture the Flag (CTF) exercises at the University, or in inter-university events, at national and international levels.

Pilot

The UNIWA cyber range underwent testing by UNIWA students participating in the UniCTF event. This evaluation aimed to assess the system’s performance, identify strengths, and uncover areas for improvement. The stress test involved subjecting the UNIWA cyber range to intense usage scenarios designed to simulate real-world conditions. UNIWA students actively engaged with the platform, analyzing its performance, and providing valuable feedback.

The evaluation highlighted the need for improvements in the user-friendliness of the web interface. Students reported difficulties in navigating the interface and accessing necessary features. Also, during the stress test, delays were observed in implementing certain scenarios.

To address the reported usability issues, developing an improved web service with enhanced user-friendly features is recommended for the next version of the UNIWA cyber range. This would enhance the overall accessibility and navigation experience within the UNIWA cyber range platform. To minimize scenario implementation delays, a thorough assessment of resource allocation should be conducted. This evaluation should explore allocating additional resources to ensure optimal performance.

Use cases

Our goal is to design complex scenarios that support a set of characteristics of cyber range platforms, such as automated deployment, high availability, scalability, reusable resources, and isolation. For the deployment, OpenStack delivers a Heat orchestration module to increase the scalability and performance of scenarios.

Using configurable YAML templates, Heat orchestration is responsible for controlling the provision of services, applications, and infrastructure. Instead of creating different operations such as instances, volumes, security groups, floating IPs, and images individually, we can define a STACK that consists of a set of resources in a text file written in YAML format. In this section, we present two case studies that have been already developed and are under testing in our platform. In the first use case, we describe a web security scenario. The second use case is a SQL injection vulnerability scenario. Finally, the third use case analyzes the performance characteristics of UNIWA cyber range and presents the result of our experiments.

Scenario 1

A company has deployed a WordPress website on a cloud infrastructure platform using a Heat template for provisioning the required resources such as virtual machines, storage, and networking components. The website is built on WordPress version 5.0, which is known to have multiple security vulnerabilities. An attacker scans the website using WPScan, a popular open-source tool that can scan WordPress websites for vulnerabilities. He discovers a critical vulnerability, CVE-2020-28036, which allows attackers to gain privileges by using XML-RPC. The attacker attempts then to exploit the vulnerability by commenting on a post using XML-RPC and successfully gains elevated privileges. With elevated privileges, the attacker can access sensitive data, install malicious plugins or themes, and potentially take control of the website. The attacker uses Metasploit, to gain full access to the website and execute arbitrary code. The attack is successful because the website was not updated to the latest version of WordPress, and the Heat template in the scenario did not include all the appropriate security measures such as WAF, IDS, or monitoring tools to prevent and detect attacks.

The infrastructure provision was developed with the OpenStack Heat Template (HOT) written in YAML language. The attacker’s host, the database, and the web server are Docker images. WordPress is a specific version preconfigured Docker image file with CVE-2020-28036 vulnerability (NIST CVE-2020-28036, 2020). The heat stack template written in YAML infrastructure code is illustrated in Fig. 4.

The scenario can easily be modified and reused by adding a different network topology to the infrastructure or changing the version of WordPress injecting vulnerable code only with a few lines of code. Docker images are stored in the local repository and can be uploaded to hub.Docker.com.

Scenario 2

In the second scenario (Fig. 5), we use the vulnerable website, Damn Vulnerable Web Application (DVWA), to learn the SQL injection vulnerability. The tool we will use to find the vulnerability is SQL ninja. The scenario’s primary educational objective was to obtain participants on how to identify a SQL injection on a website.

In the following scenario, a trainee wants to learn how to identify SQL injection vulnerabilities on a website. A testing environment is set up using Docker containers. One container contains the vulnerable website DVWA, which is a deliberately insecure web application that contains several vulnerabilities, including SQL injection. Trainee launches another Docker container containing the SQL Ninja tool, to access the DVWA website (Wood, 2022), and uses SQL Ninja to scan the DVWA website for SQL injection vulnerabilities. The tool automatically identifies the vulnerable input fields and suggests SQL injection payloads to test the vulnerability. In the next step, the attacker selects a suggested payload and executes the SQL injection attack. SQL Ninja identifies the SQL injection vulnerability and displays the results, including the type of vulnerability, the SQL query that was executed, and the results of the query. Finally, it analyzes the results and understands how the SQL injection vulnerability can be exploited to gain unauthorized access to the database. We can repeat the process with different payloads and input fields to gain a better understanding of how SQL injection attacks work.

In particular, infrastructure at SQL injection scenario was created in an Ansible YAML file. As a result, using the knowledge gained from this scenario, we can identify SQL injection vulnerabilities on other websites and provide recommendations for fixing them. Hence, the trainees are capable of comprehending the basic ideas of web security by establishing the vulnerable site and technically examining the vulnerabilities during the SQL injection by following and executing the cybersecurity scenario.

Additionally, in the web security scenarios portfolio of the UNIWA cyber range, we aim to create a set of tools such as the OWASP Broken Web Applications Project (a collection of vulnerable web applications), the OWASP Security Shepherd, DVWA, bWAPP, and other applications/suites for learning and improving web security expertise.

Furthermore, we will examine tools such as BurpSuite, OWASP ZAP, and w3af, in order to discover and attack vulnerable services, and security flaws such as SQL injection, XSS, CSRF, and HTML injection (Chouliaras, 2017).

Scenario 3

As scenario 3 we include all the performed stress tests/scenarios that we run in order to analyze the performance characteristics of UNIWA cyber range using dstat performance tool. In the following, we introduce these stress tests and present the result of our experiments.

In order to evaluate the impact of running instances on the environment, we performed measurements. The parameters analyzed encompassed CPU, RAM usage, and execution time to running scenario environment. For this evaluation, we incrementally added a node instance each time to facilitate the analysis process. The Yaml code is depicted in Fig. 6.

Experimental results

Our analysis of the cyber range’s performance revealed valuable insights. We observed the CPU utilization patterns during workload scenarios, enabling us to optimize resource allocation and prevent performance degradation. Memory consumption analysis helped identify memory-related issues and implement effective memory management practices. The examination of execution time aided in identifying and resolving operation speed measurements within the cyber range.

The performance analysis of the UNIWA cyber range using the dstat tool provided a comprehensive understanding of its performance characteristics. The stress tests focused on CPU utilization, memory consumption, and execution time is illustrated in Figs. 7–9 allowing us to identify areas for optimization and enhance the cyber range’s overall performance.

Based on the information presented in Tables 3 and 4, it is evident that increasing the resources utilized in the scenarios results in only a slight increase in computational resources and implementation time when using container technology. However, when employing VMs, there is an exponential increase in both computational resources and implementation time. The VM resources that are used in the instance are presented in Table 5.

Furthermore, as depicted in Fig. 10, the use of containers leads to significant savings in implementation time, with a reduction of approximately 79%. Moreover, containerization achieves over 90% reduction in memory usage and 50% reduction in CPU utilization. It is important to note that these percentages are estimated, and actual values may vary depending on the realism of the scenarios being executed.

Overall, the findings demonstrate that container technology offers notable advantages over VMs in terms of resource efficiency and implementation time. By leveraging containers in the UNIWA cyber range, we can optimize resource allocation and achieve efficient execution of scenarios.

In the specific tests, the UNIWA cyber range offers a unique capability that distinguishes it from other similar range systems, such as the KYPO CRP (Lieskovan & Hajný, 2021). The UNIWA cyber range excels in running test environments by utilizing orchestration for both VMs and containers. This approach allows for the minimization of computational resources and execution time, as demonstrated in Tables 3 and 4, as well as Fig. 10. By leveraging orchestration, the UNIWA cyber range optimizes resource allocation and streamlines the execution of tests. It provides the flexibility to choose between VMs and containers based on the specific requirements of each scenario. This adaptability allows for efficient resource utilization, resulting in reduced computation resources and execution time compared to similar cyber range systems.

Compared to CyExec, the UNIWA cyber range provides several advantages. Firstly, the UNIWA cyber range has the capability to run and manage the scenario environment infrastructure using structured orchestration templates, ensuring a streamlined and consistent setup across multiple scenarios. Secondly, the UNIWA cyber range offers enhanced flexibility by providing users with the choice to run scenarios either as containers or VMs. This flexibility empowers users to select the technology that best aligns with their specific requirements. Moreover, the UNIWA cyber range seamlessly integrates with the authentication service, ensuring secure access and user management within the range environment. This integration enhances the overall security posture and facilitates proper user authentication and authorization. Furthermore, the UNIWA cyber range enables network isolation, allowing for the creation of isolated network environments for individual scenarios. This ensures that each scenario operates in its own isolated network space, preventing interference and providing a more realistic and controlled testing environment.