Less Is More: Host-Agent Based Simulator For Large-Scale Evaluation Of Security Systems

Recently proposed network security systems have demonstrated the benefits of scale for achieving many security goals, including the detection of worm outbreaks, botnets, and denial of service attacks. However, scale is also a barrier to further advancement of such systems: obtaining and working with appropriately large data sets is difficult, and existing simulation techniques are ill suited for this domain. To overcome these challenges, we propose a host behavior simulator, LESS, designed for evaluating large scale network security systems. LESS build and automatically configures the behaviors of host agents using background traffic samples and malicious traffic models. In turn, host agents communicate with each other throughout a simulation, generating traffic records. We demonstrate the applicability and benefits of LESS by tuning it with publicly available traces, and then using generated records to reproduce results from several recently proposed systems. We also used LESS to extend the evaluations of these systems, highlighting dimensions of large scale security system performance that would be difficult to study without simulation.