Unveiling Attack Patterns from CTF Network Logs with Process Mining Techniques
Romeo F.;Blefari F.;Pironti F. A.;Furfaro A.
2025-01-01
Abstract
Providing concise yet sufficiently detailed representations of potentially malicious interactions with network-exposed services could simplify attack analysis and help identify exploited vulnerabilities. A key challenge is the automatic, real-time generation of such representations, so that defensive actions can be taken promptly. Attack and Defense (AD) Capture the Flag (CTF) competitions are a gamified example of a scenario in which such a tool could play a critical role. In addition, in CTF-AD environments the problem of reverse engineering high-level interactions from network packets is exacerbated by the provisions used to hide the packets' source. This paper proposes an effective solution, based on process mining techniques, that identifies and infers the attacker's behavior and produces its representation as a Directly-Follows Graph (DFG). The approach has been thoroughly validated in a Cyber Range scenario in which N teams compete in a CTF-AD competition, comprising: a game server; a set of N machines, one per team, hosting the vulnerable services and from which each team manages its own services; and a set of M ≥ N machines, one per simulated player, from which attacks are launched. The developed tool can be used by teams to analyze attacks on their services in order to identify the exploited vulnerabilities and replicate them against adversaries.
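The Directly-Follows Graph mentioned in the abstract can be built from an event log once each observed request has been attributed to an attacker session and labelled with a high-level activity. The following is an added illustration, not the paper's tool: it assumes that upstream parsing (the step the paper's process mining approach addresses) has already produced (session id, timestamp, activity) triples, and the log below is constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: one row per request seen by a vulnerable service.
# case_id = attacker session, activity = inferred high-level action (assumed
# to come from an upstream packet-to-activity mapping, not derived here).
EVENT_LOG = [
    ("s1", "2025-01-01T10:00:00", "login"),
    ("s1", "2025-01-01T10:00:02", "list_users"),
    ("s1", "2025-01-01T10:00:05", "get_flag"),
    ("s2", "2025-01-01T10:01:00", "login"),
    ("s2", "2025-01-01T10:01:01", "list_users"),
    ("s2", "2025-01-01T10:01:03", "get_flag"),
    ("s3", "2025-01-01T10:02:00", "login"),
    ("s3", "2025-01-01T10:02:04", "get_flag"),
    ("s3", "2025-01-01T10:02:01", "reset_password"),  # arrives out of order
]

def build_dfg(log):
    """Return (activity_counts, edge_counts, start_counts, end_counts)."""
    cases = defaultdict(list)
    for case_id, ts, activity in log:
        cases[case_id].append((datetime.fromisoformat(ts), activity))
    activities, edges, starts, ends = Counter(), Counter(), Counter(), Counter()
    for events in cases.values():
        events.sort()  # packets may be captured out of order; sort per session
        trace = [a for _, a in events]
        activities.update(trace)
        starts[trace[0]] += 1
        ends[trace[-1]] += 1
        edges.update(zip(trace, trace[1:]))  # directly-follows pairs
    return activities, edges, starts, ends

def dominant_path(edges, starts, max_len=20):
    """Follow the most frequent outgoing edge from the most common start activity."""
    out = defaultdict(list)
    for (src, dst), n in edges.items():
        out[src].append((n, dst))
    path = [starts.most_common(1)[0][0]]
    while len(path) < max_len and out.get(path[-1]):
        nxt = max(out[path[-1]])[1]
        if nxt in path:  # stop on a cycle
            break
        path.append(nxt)
    return path

def to_dot(activities, edges):
    """Render the DFG in Graphviz DOT, annotating nodes and edges with frequencies."""
    lines = ["digraph DFG {"]
    lines += [f'  "{a}" [label="{a} ({n})"];' for a, n in activities.items()]
    lines += [f'  "{s}" -> "{d}" [label="{n}"];' for (s, d), n in edges.items()]
    return "\n".join(lines + ["}"])
```

The dominant path over this log is login, list_users, get_flag, which is the kind of summary a team would compare against its service's intended flow to spot the step that should not be reachable.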


