Software Environment for Simulation and Evaluation of a Security Operation Center

It is somewhat problematic to evaluate the performance of security systems in the Internet due to complexity of these systems and the Internet itself. Therefore, modeling and simulation are becoming more and more important in optimizing the behavior of security systems, including security components intended for protecting various distributed geographic information systems (GIS). This paper presents an approach and software simulation environment for comprehensive investigation of the Security Operation Center (SOCBox) system which is in essence an intrusion detection “metasystem”. SOCBox collects data from a wide range of sources (intrusion detection systems (IDS), firewalls, routers, workstations, etc.) and therefore has a global view on the network. The simulation environment has been developed formerly for Distributed Denial of Service (DDoS) attacks and defense simulation. This tool is characterized by agentoriented approach, the packet-based imitation of network security processes and the open library of different attacks and defense mechanisms. We consider the SOCBox structure, the simulation environment architecture, the SOCBox models in the simulation environment and peculiarities of SOCBox simulation.