• DocumentCode
    2085046
  • Title

    LLSIM: network simulation for correlation and response testing

  • Author

    Haines, Joshua W. ; Goulet, Stephen A. ; Durst, Robert S. ; Champion, Terrance G.

  • fYear
    2003
  • fDate
    18-20 June 2003
  • Firstpage
    243
  • Lastpage
    250
  • Abstract
    The Lincoln Laboratory Simulator, LLSIM, is an easily configurable network simulator that can produce a wide variety of data sets without expensive testbeds. These data sets are useful for researchers who are developing general-purpose correlation and response systems. LLSIM is a Java-based, event-driven simulator consisting of user-configurable core models of networks and hosts. Event generators produce network and host events in the simulated system and models of intrusion detection sensors generate realistic streams of alerts in relation to these events. On a typical PC workstation, LLSIM can emulate arbitrary networks with hundreds of nodes and communication links, and can accurately simulate hundreds of intrusion detection sensors operating in these environments. Researchers can generate many different datasets using LLSIM and can also evaluate the effectiveness of simple response actions like altering firewall policies in response to an attack. Sensor alert datasets generated by LLSIM have been used in the DARPA Cyber Panel program.
  • Keywords
    Java; authorisation; computer crime; computer networks; discrete event simulation; sensors; telecommunication computing; workstations; DARPA cyber panel program; IDS sensors; Java-based event-driven simulator; LLSIM; Lincoln Laboratory Simulator; PC workstation; communication links; correlation testing; event generators; firewall policies alteration; general-purpose correlation system; host event; intrusion detection sensor model; network event; network modeling; network simulation; realistic alert stream; response system; response testing; sensor alert datasets; testbed; user-configurable core model; Automatic testing; Discrete event simulation; Force sensors; Hardware; Intrusion detection; Java; Laboratories; Sensor systems; System testing; Workstations;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society
  • Print_ISBN
    0-7803-7808-3
  • Type

    conf

  • DOI
    10.1109/SMCSIA.2003.1232429
  • Filename
    1232429