Security scenario generator (SecGen): A framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events

Z. Cliffe Schreuders; Thomas Shaw; Mohammad Shan-A-Khuda; Gajendra Ravichandran; Jason Keighley; Mihai Ordean

Security scenario generator (SecGen): A framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events

Z. Cliffe Schreuders, Thomas Shaw, Mohammad Shan-A-Khuda, Gajendra Ravichandran, Jason Keighley, Mihai Ordean

Computer Science

Research output: Contribution to conference (unpublished) › Paper › peer-review

34 Citations (Scopus)

Abstract

Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion. Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-the-wild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event.

Original language	English
Publication status	Published - 2017
Event	2017 USENIX Workshop on Advances in Security Education - Sheraton Vancouver Wall Centre Hotel, Vancouver, Canada Duration: 15 Aug 2017 → 15 Aug 2017 https://www.usenix.org/conference/ase17

Conference

Conference	2017 USENIX Workshop on Advances in Security Education
Abbreviated title	ASE '17
Country/Territory	Canada
City	Vancouver
Period	15/08/17 → 15/08/17
Internet address	https://www.usenix.org/conference/ase17

Bibliographical note

Funding Information:
This project is supported by a Higher Education Academy (HEA) learning and teaching in cyber security grant (2015-2017). Tom Chothia managed University of Birmingham’s contributions to the project.

Publisher Copyright:
© ASE 2017 - 2017 USENIX Workshop on Advances in Security Education, co-located with USENIX Security 2017. All rights reserved.

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

Cliffe Schreuders, Z., Shaw, T., Shan-A-Khuda, M., Ravichandran, G., Keighley, J., & Ordean, M. (2017). Security scenario generator (SecGen): A framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events. Paper presented at 2017 USENIX Workshop on Advances in Security Education, Vancouver, British Columbia, Canada.

@conference{e882dd3271c84466afa68461bed3cba9,

title = "Security scenario generator (SecGen): A framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events",

abstract = "Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been {"}solved{"} there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion. Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-the-wild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event.",

author = "{Cliffe Schreuders}, Z. and Thomas Shaw and Mohammad Shan-A-Khuda and Gajendra Ravichandran and Jason Keighley and Mihai Ordean",

note = "Funding Information: This project is supported by a Higher Education Academy (HEA) learning and teaching in cyber security grant (2015-2017). Tom Chothia managed University of Birmingham{\textquoteright}s contributions to the project. Publisher Copyright: {\textcopyright} ASE 2017 - 2017 USENIX Workshop on Advances in Security Education, co-located with USENIX Security 2017. All rights reserved.; 2017 USENIX Workshop on Advances in Security Education, ASE '17 ; Conference date: 15-08-2017 Through 15-08-2017",

year = "2017",

language = "English",

url = "https://www.usenix.org/conference/ase17",

}

Security scenario generator (SecGen): A framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events. / Cliffe Schreuders, Z.; Shaw, Thomas; Shan-A-Khuda, Mohammad et al.
2017. Paper presented at 2017 USENIX Workshop on Advances in Security Education, Vancouver, British Columbia, Canada.

Research output: Contribution to conference (unpublished) › Paper › peer-review

TY - CONF

T1 - Security scenario generator (SecGen)

T2 - 2017 USENIX Workshop on Advances in Security Education

AU - Cliffe Schreuders, Z.

AU - Shaw, Thomas

AU - Shan-A-Khuda, Mohammad

AU - Ravichandran, Gajendra

AU - Keighley, Jason

AU - Ordean, Mihai

N1 - Funding Information: This project is supported by a Higher Education Academy (HEA) learning and teaching in cyber security grant (2015-2017). Tom Chothia managed University of Birmingham’s contributions to the project. Publisher Copyright: © ASE 2017 - 2017 USENIX Workshop on Advances in Security Education, co-located with USENIX Security 2017. All rights reserved.

PY - 2017

Y1 - 2017

N2 - Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion. Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-the-wild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event.

AB - Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion. Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-the-wild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event.

UR - http://www.scopus.com/inward/record.url?scp=85079352560&partnerID=8YFLogxK

M3 - Paper

Y2 - 15 August 2017 through 15 August 2017

ER -

Security scenario generator (SecGen): A framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events

Abstract

Conference

Bibliographical note

ASJC Scopus subject areas

Fingerprint

Cite this