Web Interface

The web interface of CSLE can be used to view management information and to request management operations (see Fig. 17).** It can also be used to monitor emulations in real-time (see Fig. 18 and Fig. 19), to start or stop services (see Fig. 20), to monitor reinforcement learning workloads (see Fig. 21), to access terminals of emulated components (see Fig. 22), and to examine security policies (see Fig. 23).

Figure 17: The web interface of CSLE; this interface shows management information and and can be used to request management operations.

Figure 18: The monitoring page of the web interface; this page allows a user to view system metrics of a given emulation execution in real-time.

Figure 19: The statistics page of the web interface; this page allows a user to view empirical statistics of emulated infrastructures, e.g., empirical distributions of system metrics.

Figure 20: The control plane of the web interface; this page allows a user to request management operations, e.g., starting and stopping emulated components or services.

Figure 21 The training results page of the web interface; this page allows a user to view the results of reinforcement learning experiments.

Figure 22: The container-terminal page of the web interface; this page allows a user to execute arbitrary bash commands inside a container of an emulated infrastructure.

The Policy Examination System

The policy examination system allows a user to traverse episodes of Markov decision processes in a controlled manner and to track the actions triggered by security policies. Similar to a software debugger, a user can continue or or halt an episode at any time-step and inspect parameters and probability distributions of interest. The system enables insight into the structure of a given policy and in the behavior of a policy in edge cases. It is integrated with the rest of the web interface and can be accessed as a regular web page (see Fig. 23).

Figure 23: The demonstration view of the policy examination system; the system allows a user to interactively step through an episode of a Markov decision process.

Figure 23 pictures the main user interface of the policy examination system. The left part of the interface shows the defender’s view and the right part shows the attacker’s view. The plot on the upper left shows the defender’s belief about the infrastructure’s state and the probability that the defender takes an action at each time-step. The plot on the lower left shows the distribution of infrastructure metrics that the defender observes. The graphic on the right shows the attacker’s view, depicted as an overlay on the IT-infrastructure’s topology.

The policy examination system provides insight into the structure of the defender policy and its behavior in edge-cases. It can be used to observe correlations among the attacker’s actions, the infrastructure metrics, and the actions that the defender policy prescribes. It can also be used to examine which actions of the attacker are difficult for the defender to detect or trigger actions by the defender.

Implementation

The web interface is implemented by a web application written in JavaScript and the React framework, which executes on the management system. Each physical server of the management system runs a Flask web server that exposes an HTTP REST API (the REST API is detailed in the subsequent section). In front of these web servers is a Nginx reverse proxy that load balances client requests, decrypts incoming HTTPS traffic, and encrypts outgoing HTTP traffic using TLS (see Fig. 24).

Figure 24: Architecture diagram of the CSLE web application; a Nginx reverse proxy load balances requests to a group of Flask web servers, which expose HTTP REST APIs; these APIs can be used to view management information and to request management operations.

The web-based terminal emulation shown in Fig. 22 is implemented as follows. To create a web-based terminal session, the web client’s browser first opens a websocket to one of the HTTP servers. The server then opens an SSH tunnel to the emulated device and creates a terminal session. This tunnel is then used to pipe commands and terminal responses between the client and the terminal (see Fig. 25).

Figure 25: Architecture diagram of the web-based terminal emulation in CSLE; the web application in the client's browser opens a web socket to an HTTP server running on one of the physical servers of the management system; the web server then pipes the websocket to an SSH tunnel that connects to a terminal of the emulated component.

The REST API

The endpoints of the REST API are listed in Tables 20-23. An example HTTP request and response is given below.

curl https://csle.dev/emulations?ids=true\&token=<my_token>
[{"emulation":"csle-level1-010","id":1,"running":false`,
{"emulation":"csle-level2-010","id":2,"running":false`,
{"emulation":"csle-level3-010","id":3,"running":false`,
{"emulation":"csle-level4-010","id":4,"running":false`,
{"emulation":"csle-level5-010","id":5,"running":false`,
{"emulation":"csle-level6-010","id":6,"running":false`,
{"emulation":"csle-level7-010","id":7,"running":false`,
{"emulation":"csle-level8-010","id":8,"running":false`,
{"emulation":"csle-level9-010","id":9,"running":true`,
{"emulation":"csle-level10-010","id":10,"running":false`,
{"emulation":"csle-level11-010","id":11,"running":false`,
{"emulation":"csle-level12-010","id":12,"running":false`]

Listing 3: An HTTP request for the `emulations` resource of the CSLE REST API (line 1) and the corresponding HTTP response (lines 2-13); the request includes the flag `ids=true`, which means that the response only includes the identifiers, names, and statuses of the emulations, rather than the full configurations; the request is performed with `curl`.

Table 20: REST API resources (1/4).

Table 21: REST API resources (2/4).

Table 22: REST API resources (3/4).

Table 23: REST API resources (4/4).