Discover Deception
Bases: RemoteAction
A Red action that probes a remote host to see if it is running any decoy services.
Attributes:
Name | Type | Description |
---|---|---|
session | int | The source session id. |
agent | str | The name of the red agent executing the action. |
ip_address | IPv4Address | The ip_address of the target host. |
target_hostname | str | The name of the target host. |
duration | int | This action takes 2 steps to complete, instead of the default 1. |
detection_rate | float | The True Positive rate of the red agent to accurately detect whether the host is running a decoy service. A True Positive Rate only includes True Positives and False Negatives. |
fp_rate | float | The False Positive rate of the red agent to incorrectly detect a normal service as a decoy. Defaults to 10%. |
Functions
__init__
Parameters:
Name | Type | Description | Default |
---|---|---|---|
session | int | The source session id. | required |
agent | str | The name of the red agent executing the action. | required |
ip_address | IPv4Address | The ip_address of the target host. | required |
execute
Probes the target host for decoy services.
Action process:
1) Check if there are sessions for the agent on this host
- if not, return unsuccessful obs
2) Get the route between the source and target/remote host
- if there is not a valid route (None), return unsuccessful obs
3) Given that there is a valid route, connect to the remote host
- iterate over all processes on the remote host
- after a detection_rate attribute check (defaults to 50%), add the process to the obs if it passes
- return a successful obs regardless of whether a decoy was found
Parameters:
Name | Type | Description | Default |
---|---|---|---|
state | State | The state of the simulated network at the current step. | required |
Returns:
Name | Type | Description |
---|---|---|
obs | Observation | An observation containing an indication of the action's successful execution as True/False, and any detected decoy processes. |
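
A standalone sketch of the action process above, added here as an illustration and not the project's own code. The `Proc` class, the function names, the sample host and the per-process way `fp_rate` is applied are assumptions; `flag_precision` goes one step further and shows how often a flagged service is really a decoy for given rates.

```python
import random
from dataclasses import dataclass

@dataclass
class Proc:
    """Hypothetical stand-in for one process entry on the remote host."""
    name: str
    is_decoy: bool

def discover_deception(has_session, route, processes,
                       detection_rate=0.5, fp_rate=0.1, rng=None):
    """Follow the documented steps; return (success, flagged process names)."""
    rng = rng if rng is not None else random.Random()
    if not has_session:      # step 1: the agent has no session on this host
        return False, []
    if route is None:        # step 2: no valid route to the target host
        return False, []
    flagged = []
    for proc in processes:   # step 3: iterate over all remote processes
        # Assumption: a decoy is reported with probability detection_rate and
        # a normal service with probability fp_rate, independently per process.
        threshold = detection_rate if proc.is_decoy else fp_rate
        if rng.random() < threshold:
            flagged.append(proc.name)
    return True, flagged     # successful even when nothing was flagged

def flag_precision(detection_rate, fp_rate, decoy_fraction):
    """Probability that a flagged process really is a decoy (Bayes' rule)."""
    true_pos = detection_rate * decoy_fraction
    false_pos = fp_rate * (1.0 - decoy_fraction)
    total = true_pos + false_pos
    return true_pos / total if total else 0.0

# Constructed sample host: one decoy among four services.
HOST = [Proc("sshd", False), Proc("apache2", False),
        Proc("decoy-ftp", True), Proc("mysqld", False)]

if __name__ == "__main__":
    rng = random.Random(7)   # seeded so repeated runs give the same output
    print(discover_deception(True, ["hostA", "hostB"], HOST, rng=rng))
    print(round(flag_precision(0.5, 0.1, 0.25), 3))
```

With the documented defaults and one decoy in four services, a flag is right about five times in eight, which is the margin a defender has to work with when deciding how many decoys to deploy per host.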