A Real-Time Correlation of Host-Level Events in Cyber Range Service for Smart Campus

A Smart campus is an exciting, new, and emerging research area that uses technology and infrastructure to support and improve its processes in campus services, teaching, learning, and research, especially, the explosive growth in knowledge makes the role of cybersecurity of smart campus become increasingly important. Cyber range is an adaptable virtualization platform consisting of computers, networks, and systems on which various real-world cyber threat scenarios and systems can be evaluated to provide a comprehensive, unbiased assessment of the security of information and automated control systems. As an important part of features, cyber range must provide the capability of data collection, aggregation, correlation, and replay for the scenario owner or any "specialized users" to review attacks-defense processes on known targets and future zero-day research. To this end, based on our previous work, the Heetian cyber range, we proposed a method named C2RS meaning "a real-time correlation of host-level events in cyber range service." C2RS implements out-of-band data capturing for greater attack resistance with virtual machine introspection technique. This approach allows C2RS to isolate the data captured from monitored hosts. C2RS leverages these captured data by incorporating them into the volatility framework to aid in simplifying the analysis of operating system memory structures. Finally, we proposed an object-dependent method to analyze the evidence of illegal activity. We conduct extensive experiments to evaluate the functions and performance of C2RS in a dynamic service. Through the test, we confirm that the proposed method is effective for real-time correlation of host-level events in cyber range service.