Hi everyone, I'm interested in how the environment in this project performs under other reinforcement algorithms. But I'm new to reinforcement learning and not yet capable of implementing other reinforcement learning algorithms on my own. I noticed that algorithms such as Q-Learning and DQN have been implemented in the baselines directory. And the definition of the environment is quite different from some basic gym environments (e.g. CartPole), which made it difficult for me to understand. I wonder if it is possible to implement different RL algorithms in the environments of this project with the help of some RL algorithm libraries? (e.g. Stable-Baselines3, Keras-rl) I would greatly appreciate the help. Thank you

Environment instantiated with create_random_environment() from environment_generation.py is not working properly.

Minimal code:

from cyberbattle.simulation.environment_generation import create_random_environment
import cyberbattle.simulation.commandcontrol as commandcontrol

env = create_random_environment('test', 10)
c2 = commandcontrol.CommandControl(env)
c2.print_all_attacks()

Exception:

---------------------------------------------------------------------------
AssertionError                            Traceback (most recent call last)
<ipython-input-3-b4d0a458d7ea> in <module>
      4 env = create_random_environment('test', 10)
      5 c2 = commandcontrol.CommandControl(env)
----> 6 c2.print_all_attacks()

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/commandcontrol.py in print_all_attacks(self)
    101     def print_all_attacks(self) -> None:
    102         """Pretty print list of all possible attacks from all the nodes currently owned by the attacker"""
--> 103         return self._actuator.print_all_attacks()
    104 
    105     def run_attack(self,

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in print_all_attacks(self)
    542     def print_all_attacks(self) -> None:
    543         """Pretty print list of all possible attacks from all the nodes currently owned by the attacker"""
--> 544         d.display(pd.DataFrame.from_dict(self.list_all_attacks()))  # type: ignore
    545 
    546 

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in list_all_attacks(self)
    525     def list_all_attacks(self) -> List[Dict[str, object]]:
    526         """List all possible attacks from all the nodes currently owned by the attacker"""
--> 527         on_owned_nodes: List[Dict[str, object]] = [
    528             {'id': n['id'],
    529              'status': n['status'],

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in <listcomp>(.0)
    530              'properties': self._environment.get_node(n['id']).properties,
    531              'local_attacks': self.list_local_attacks(n['id']),
--> 532              'remote_attacks': self.list_remote_attacks(n['id'])
    533              }
    534             for n in self.list_nodes() if n['status'] == 'owned']

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in list_remote_attacks(self, node_id)
    507     def list_remote_attacks(self, node_id: model.NodeID) -> List[model.VulnerabilityID]:
    508         """Return list of all remote attacks that may be executed onto the specified node."""
--> 509         attacks: List[model.VulnerabilityID] = self.list_vulnerabilities_in_target(
    510             node_id, model.VulnerabilityType.REMOTE)
    511         return attacks

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in list_vulnerabilities_in_target(self, target, type_filter)
    149         target_node_data: model.NodeInfo = self._environment.get_node(target)
    150 
--> 151         global_vuln: Set[model.VulnerabilityID] = {
    152             vuln_id
    153             for vuln_id, vulnerability in self._environment.vulnerability_library.items()

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in <setcomp>(.0)
    153             for vuln_id, vulnerability in self._environment.vulnerability_library.items()
    154             if (type_filter is None or vulnerability.type == type_filter)
--> 155             and self._check_prerequisites(target, vulnerability)
    156         }
    157 

~/Documents/wrk/rrl/CyberBattleSim/notebooks/../cyberbattle/simulation/actions.py in _check_prerequisites(self, target, vulnerability)
    131         mapping = {i: ALGEBRA.TRUE if str(i) in node_flags else ALGEBRA.FALSE for i in expr.get_symbols()}
    132 
--> 133         is_true: bool = cast(boolean.Expression, expr.subs(mapping)).simplify() == ALGEBRA.TRUE
    134         return is_true
    135 

~/miniconda3/envs/cyberbattle/lib/python3.8/site-packages/boolean/boolean.py in simplify(self, sort)
   1185         # Create new instance of own class with canonical args.
   1186         # TODO: Only create new class if some args changed.
-> 1187         expr = self.__class__(*args)
   1188 
   1189         # Literalize before doing anything, this also applies De Morgan's Law

~/miniconda3/envs/cyberbattle/lib/python3.8/site-packages/boolean/boolean.py in __init__(self, arg1, arg2, *args)
   1466 
   1467     def __init__(self, arg1, arg2, *args):
-> 1468         super(AND, self).__init__(arg1, arg2, *args)
   1469         self.identity = self.TRUE
   1470         self.annihilator = self.FALSE

~/miniconda3/envs/cyberbattle/lib/python3.8/site-packages/boolean/boolean.py in __init__(self, arg1, arg2, *args)
   1132 
   1133     def __init__(self, arg1, arg2, *args):
-> 1134         super(DualBase, self).__init__(arg1, arg2, *args)
   1135 
   1136         # identity element for the specific operation.

~/miniconda3/envs/cyberbattle/lib/python3.8/site-packages/boolean/boolean.py in __init__(self, *args)
    943         self.operator = None
    944 
--> 945         assert all(isinstance(arg, Expression) for arg in args), \
    946             'Bad arguments: all arguments must be an Expression: %r' % (args,)
    947         self.args = tuple(args)

AssertionError: Bad arguments: all arguments must be an Expression: (FALSE, <class 'boolean.boolean._TRUE'>)

I have traced the error to this potential_linux_vulns:

    "SudoCaching":
    model.VulnerabilityInfo(
        description="Escalating privileges from poorly configured sudo on linux/unix machines",
        type=model.VulnerabilityType.REMOTE,
        URL="https://attack.mitre.org/techniques/T1206/",
        precondition=model.Precondition(f"Linux&(~{ADMINTAG})"),
        outcome=model.AdminEscalation(),
        rates=model.Rates(0, 1.0, 1.0))

The precondition is translated into AND(FALSE, NOT(FALSE)) which fails to be simplified with the boolean library. The used workaround in actions.py (from https://github.com/bastikr/boolean.py/issues/82) does not help:

ALGEBRA.TRUE.dual = type(ALGEBRA.FALSE)
ALGEBRA.FALSE.dual = type(ALGEBRA.TRUE)

I noticed by generating a random CyberBattleRandom-v0 environment and using the agent with random actions, that if the same node is discovered with different methods (e.g., traceroute / shared files) it leads to a repeated reward.

It seems as incorrect behaviour, because this way the agent is incentivized to repeatedly discover the same nodes with different actions.

Branch: master

Expected the following to produce output indicating the project is running:

docker build -t cyberbattle:1.1 . docker run -it -v "$(pwd)":/source --rm cyberbattle:1.1 cyberbattle/agents/baseline/run.py

Resulted in:

Traceback (most recent call last): File "cyberbattle/agents/baseline/run.py", line 16, in import torch ModuleNotFoundError: No module named 'torch'

Hi,

I have modified the environment to include additional nodes / vulns / attack vectors, keeping things mostly the same with respect to environment generation; graph = graph.add_edge[(s, t), (port)] which models fine and AIGym seems happy with the change. The only difference in network generation is that I am using an erdos-renyi generator instead of the nx.stochastic_block_model included in environment_generation.py

The issue is that when running the simulation, i'm met with two unexpected behaviors;

1. KeyError: 'kind' from commandcontrol.py.

This appears to fail randomly on certain nodes, but with no obvious pattern. For example, one play-through fails when data['kind'] from node 6 to node 3 is missing (default nodes, not ones I have added) which in-turn ends the simulation. E: Just to add, I guess i'm asking if there are any instances where a node wouldn't be assigned an EdgeAnnotation or is it likely something I've done that has broken something / not accounted for a change. This only seems to be an issue with the rendering of the network in network_as_plotly_traces(_) in cyberbattle_env.py and doesn't appear to affect the game.

2. Red agent can try to exploit RDP / SMB in targets that it shouldn't be able to

It seems that the attacker can try to exploit nodes it shouldn't be able to see. In the network, one node is selected to be a pivot point between other networks, this node has a single vulnerability allowing the pivot, with firewall settings set to block all. The red agent still appears to be able to scan this node for SMB / RDP from any node, and assigns them each EdgeAnnotation.REMOTE, which shouldn't be considered valid moves.

Any advice on where to look would be greatly appreciated,

Thanks

Hi, I am working on generating the random graph and I found some logical issues with the random graph generation design (maybe).

1. First, I think the add_leak_neighbors_vulnerability function in generate_network.py should not return library directly. Since it is a global dictionary, using it to assign the vulnerability will make all nodes share the same vulnerability outcomes which is not reasonable. It can be fixed by return return copy.deepcopy(library)
2. Here the nodes except the entry node are iteratively assigned with vulnerabilities and services. However, some nodes may be assigned empty services before their corresponding access passwords are generated in the assigned_passwords. I fix this issue simply by repeating the loop.

I am not familiar with network attacks, so would it be convenient for you to check whether the editions are right? Thx a lot.

This applies to several notebooks but using randomnetwork.ipynb as the example

Running the first two cells results in a couple of errors.

Cell contents

traffic = g.generate_random_traffic_network(
    seed=1, n_clients=50, 
    n_servers={
                "SMB": 15,
                "HTTP": 15,
                "RDP": 15,
            },
    alpha=np.array([(1, 1), (0.2, 0.5)], dtype=float),
    beta=np.array([(1000, 10), (10, 100)], dtype=float),
)

Ouptut from Cell

---------------------------------------------------------------------------
IndexError                                Traceback (most recent call last)
/usr/local/lib/python3.8/dist-packages/networkx/utils/decorators.py in _random_state(func, *args, **kwargs)
    451         try:
--> 452             random_state_arg = args[random_state_index]
    453         except TypeError:

IndexError: tuple index out of range

During handling of the above exception, another exception occurred:

NetworkXError                             Traceback (most recent call last)
<ipython-input-2-d4d566484044> in <module>
----> 1 traffic = g.generate_random_traffic_network(
      2     seed=1, n_clients=50,
      3     n_servers={
      4                 "SMB": 15,
      5                 "HTTP": 15,

/opt/CyberBattleSim/cyberbattle/simulation/generate_network.py in generate_random_traffic_network(n_clients, n_servers, seed, tolerance, alpha, beta)
     72 
     73         # sample edges using block models given edge probabilities
---> 74         di_graph_for_protocol = nx.stochastic_block_model(
     75             sizes=sizes, p=probs, directed=True, seed=seed)
     76 

/usr/local/lib/python3.8/dist-packages/decorator.py in fun(*args, **kw)
    229             if not kwsyntax:
    230                 args, kw = fix(args, kw, sig)
--> 231             return caller(func, *(extras + args), **kw)
    232     fun.__name__ = func.__name__
    233     fun.__doc__ = func.__doc__

/usr/local/lib/python3.8/dist-packages/networkx/utils/decorators.py in _random_state(func, *args, **kwargs)
    454             raise nx.NetworkXError("random_state_index must be an integer")
    455         except IndexError:
--> 456             raise nx.NetworkXError("random_state_index is incorrect")
    457 
    458         # Create a numpy.random.RandomState instance

NetworkXError: random_state_index is incorrect

Is it correct behavior to be able to "own" a node via PrivilegeEscalation, but not be rewarded for that node's value? It looks like the node value is never added to the reward unless it was owned via connect_to_remote_machine

My use case is exploiting a remote vulnerability that yields Admin or System privilege. The node is marked as owned, but the agent doesn't receive the node value as a reward.

I've tried to clone the repo and setup CyberBattleSim on a windows machine running WSL2 with Ubuntu 20.04.3 LTS as well as a linux machine running Ubuntu 20.04.02 LTS. I follow the instructions in the readme and simply run ./init.sh

This results in a venv being created and the libraries being downloaded, but seemingly not all are installed. There are several warnings and errors that occur during the execution of the script.

If need be, I can post the output from my install attempt, but it's quite long.

Hi,

I have three errors to check my environment.

After I set up the dev environment, I ran the following command:

python cyberbattle/agents/baseline/run.py --training_episode_count 1 --eval_episode_count 1 --iteration_count 10 --rewardplot_width 80  --chain_size=20 --ownership_goal 1.0                                 ✘ 1

1st error. ModuleNotFoundError: No module named 'asciichartpy'

import cyberbattle
>>> Traceback (most recent call last):
  File "/home/XXX/CyberBattleSim/cyberbattle/agents/baseline/run.py", line 20, in <module>
    import asciichartpy
ModuleNotFoundError: No module named 'asciichartpy'

To solve it, I installed 'asciichartpy'.

2nd error. ModuleNotFoundError: No module named 'cyberbattle.agents.baseline'

python cyberbattle/agents/baseline/run.py --training_episode_count 1 --eval_episode_count 1 --iteration_count 10 --rewardplot_width 80  --chain_size=20 --ownership_goal 1.0

>>> 

raceback (most recent call last):
  File "/home/XXX/CyberBattleSim/cyberbattle/agents/baseline/run.py", line 22, in <module>
    import cyberbattle._env.cyberbattle_env as cyberbattle_env
  File "<frozen zipimport>", line 259, in load_module
  File "/home/XXX/mambaforge/lib/python3.9/site-packages/loonshot_sim-0.1-py3.9.egg/cyberbattle/__init__.py", line 9, in <module>
  File "<frozen zipimport>", line 259, in load_module
  File "/home/XXX/mambaforge/lib/python3.9/site-packages/loonshot_sim-0.1-py3.9.egg/cyberbattle/agents/__init__.py", line 9, in <module>
ModuleNotFoundError: No module named 'cyberbattle.agents.baseline'

I stored "__init__.py" in "./cyberbattle/agents/baseline".

3rd error. AttributeError: 'Namespace' object has no attribute 'rewardplot_with'

torch cuda available=False
###### DQL
Learning with: episode_count=1,iteration_count=10,ϵ=0.9,ϵ_min=0.1, ϵ_expdecay=5000,γ=0.015, lr=0.01, replaymemory=10000,
batch=512, target_update=10
  ## Episode: 1/1 'DQL' ϵ=0.9000, γ=0.015, lr=0.01, replaymemory=10000,
batch=512, target_update=10
Episode 1|Iteration 10|reward:    9.0|last_reward_at:    6|Elapsed Time: 0:00:00|####################################################################################################################################################################################################|
  Episode 1 stopped at t=10
  Breakdown [Reward/NoReward (Success rate)]
    explore-local: 1/1 (0.50)
    explore-remote: 0/5 (0.00)
    explore-connect: 0/3 (0.00)
    exploit-local: 0/0 (NaN)
    exploit-remote: 0/0 (NaN)
    exploit-connect: 0/0 (NaN)
  exploit deflected to exploration: 1
            id      status properties              local_attacks              remote_attacks
0        start       owned         []  [ScanExplorerRecentFiles]                          []
1  1_LinuxNode  discovered        NaN                       None  [ProbeWindows, ProbeLinux]
simulation ended
###### Random search
Learning with: episode_count=1,iteration_count=10,ϵ=1.0,ϵ_min=0.0,
  ## Episode: 1/1 'Random search' ϵ=1.0000,
Episode 1|Iteration 10|reward:    0.0|last_reward_at: ----|Elapsed Time: 0:00:00|####################################################################################################################################################################################################|
  Episode 1 stopped at t=10
  Breakdown [Reward/NoReward (Success rate)]
    explore-local: 0/0 (NaN)
    explore-remote: 0/10 (0.00)
    explore-connect: 0/0 (NaN)
    exploit-local: 0/0 (NaN)
    exploit-remote: 0/0 (NaN)
    exploit-connect: 0/0 (NaN)
  exploit deflected to exploration: 0
simulation ended
Episode duration -- DQN=Red, Random=Green
   10.00  ┼
Cumulative rewards -- DQN=Red, Random=Green
Traceback (most recent call last):
  File "/home/XXX/CyberBattleSim/cyberbattle/agents/baseline/run.py", line 120, in <module>
    c = p.averaged_cummulative_rewards(all_runs, args.rewardplot_with)
AttributeError: 'Namespace' object has no attribute 'rewardplot_with'

I'd be grateful if you could give me advice about these issues.

Many thanks

In "model.py" module, the firewall rules are to constructed by randomly choosing from the list of ports in the dict "Identifiers". But in the function "create_random_firewall_configuration()", the firewall rules are constructed by choosing random properties instead of ports. This error is noticed and fixed.

I'm curious if this project will follow up by designing defender as an agent that can be trained with reinforcement learning algorithms and how we will achieve this based on the existing environment? Thanks in advance.

Sorry to bother.

I am wondering if class NodeTrackingInformation is not indicating the right occurrence time of the last attack?

The time() func at line 248 and 671 in actions.py would set the nodes's last_reimaging_time and last_owned time to be '00:00:00'. So when the cyber attacker attempts to re-connect to a conquered but lately reimaged node, func __is_node_owned_history at line 483 would recognize the reimaged node as a currently owned node. Therefore the cyber attacker can never connect to a reimaged node successfully.

Is it true, or am I mistaking something here😂?

Dear all,

With latest update, which allowed to increase the number of maximum nodes using kwargs dict inside registry(...) function, the default parameters are 100 nodes, https://github.com/microsoft/CyberBattleSim/blob/4fd228bccfc2b088d911e27072a923251203cac8/cyberbattle/_env/cyberbattle_env.py#L390, which makes action_space for local, remote and connect to be especially large. Although, that does not change the logic of computing action_mask and set valid node id to be nax number of discovered nodes, internally vector is set to be too big.

1. Question: I want to ask for the logic of change from using max_node_count parameter here https://github.com/microsoft/CyberBattleSim/blob/4fd228bccfc2b088d911e27072a923251203cac8/cyberbattle/_env/cyberbattle_env.py#L608, why we want to have option to enlarge the maximum nodes count using registry and this we had to change the value from inferred form initial_network to the one included in bounds for registry function?
2. Solution: The workaround as I see can be simply to make this parameters maximum_node_count: int | None and then make if else logic for setting them equal to initial number of parameters from network (done in previous commits from main)

Hi all,

I have encountered issue when running jupyter notebook inside docker container. While forwarding the port from docker container, I still cannot connect to it from browser. It does not work both on local machine and remote server I use.

Sample command is:

git clone https://github.com/microsoft/CyberBattleSim.git
cd CyberBattleSim
nvidia-docker build -t cyberbattle:1.1 .
nvidia-docker run -p 6789:8888 -it --name cyber_test cyberbattle:1.1 /bin/bash -c "jupyter notebook --no-browser --allow-root --port=8888"

[browser] localhost:6789
[Error] "Hmmm… can't reach this page\n Localhost refused to connect.

Hi everyone,

Found several bugs while checking the code of ipynb notebooks with benchmark results for 3 environments TinyToy, ToyCTF, Chain.

I think my findings might be useful for community, who uses this nice implementation of cyberattacks simulation.

1. Issue 1: learner.epsilon_greedy_search(...) is often used for training agents with different algorithms, including DQL in the dql_run. However dql_exploit_run with input network dql_run as policy-agent and eval_episode_count parameter for the number of episodes, gives an impression that runs are used for evaluation of the trained DQN. The only distinguishable difference between 2 runs is epsilon queal to 0, which leads to exploitation mode of training, but does not exclude training, because during run with learner.epsilon_greedy_search the optimizer.step() is executed on each step of training in the file agent_dql.py, function call learner.on_step(...).

• Solution: I will include in Pull request the code I used for better evaluation (based on learner.epsilon_greedy_search(...) and generate pictures below.
• Screenshots: Figure 1 & 2 and figure 3 & 4 , shows result of chain network evaluation using corresponding new cell in notebook_benchmark-chain.ipynb. As you can see on figure 1 training on the initial 50 episodes is not enough for owning 100% of the network (AttackerGoal), whereas original run dql_exploit_run internally using learner.on_step(...) figure 2 leads to much better results, due to optimization process, which still process ongoing experience of agent. We can overcome this inaccurate evaluation and still reach the goal in 100% of times figure 3, while training on 200 episodes with commented learner.on_step(). It fixes trained network and stops optimizing during evaluation, but leads to the ownership of all the network with larger amount of learning episodes. This means with 200 episodes it is feasible to learn optimal path of agent attacks inside chain network configuration. Lastly, figure 4 we can compare those runs with correct evaluation runs on 20 episodes reach 6000+ and 120+ cumulative reward for for 200 and 50 training episodes correspondently. Figure 1: (after PR) no optimizer during evaluation, 20 trained episodes, 20 evaluation episodes Figure 2: (before & after PR) dql_exploit_run with optimizer during evaluation, 20 trained episodes, 5 evaluation episodes Figure3: (after PR) no optimizer during evaluation, 200 trained episodes, 20 evaluation episodes Figure 4: (after PR) comparison of evaluation for network trained on 200 and 20 episodes, chain network configuration

2. Issue 2: During training each episode ends only within the maximum number of iterations, which is due to the mistype in AttackerGoal class. Default value for parameter own_atleast_percent: float 1.0 is included as condition with AND, for raising flag done = True, thus for TinyToy and ToyCTF (not Chain) leads to long duration of training, wrong RL signal for evaluating Q function and low sample-efficiency.

• Solution: In order to be coherent with originally defined environments, I included changes into gym registry with preserving previous environments version behavior and making new environments with standard behavior of using done. This means inclusion of own_atleast_percent: 1.0 in initialization of "v0" versions of toyctf and tinytoy environments and creation of new envs 'CyberBattleTiny-v1' and 'CyberBattleToyCTF-v1', by default own_atleast_percent=0 and own_atleast=6. This is reasonable, due to the fact that CTF solution includes only 6 nodes to be owned and with correct reward engineering training stops at the attack, which owns 6 nodes with highest reward.
• Screenshots: Figure 5: Length of training episodes, obvious increase during learning of optimal path Figure 6: 1500 max iterations during training of 20 episodes, before PR Figure 7: training on both 20 and 200 episodes, either use more RL techniques or learn for more episodes
• PR: included some leftover cells in ToyCTF for comparison, "Before PR", but it could be safely deleted.

3. Issue 3: ToyCTF benchmark is inaccurate, because with correct evaluation procedure, like with chain network configuration, agent does not reqch goal of 6 owned nodes after 200 training episodes.