The NetSecGame (Network Security Game) is a framework for training and evaluation of AI agents in network security tasks (both offensive and defensive). It is built with CYST network simulator and enables rapid development and testing of AI agents in highly configurable scenarios. Examples of implemented agents can be seen in the submodule NetSecGameAgents.
docker pull stratosphereips/netsecgamepip install netsecgamepip install -e .For detailed installation instructions (venv, conda, building Docker locally, Whitebox variant), see the Getting Started guide.
-
Prepare a task configuration YAML file (see example or the Configuration docs).
-
Start the server:
# Docker
docker run -d --rm --name nsg-server \
-v $(pwd)/examples/example_task_configuration.yaml:/netsecgame/netsecenv_conf.yaml \
-v $(pwd)/logs:/netsecgame/logs \
-p 9000:9000 stratosphereips/netsecgame
# Or locally
python3 -m netsecgame.game.worlds.NetSecGame \
--task_config=./examples/example_task_configuration.yaml \
--game_port=9000- Connect an agent (see NetSecGameAgents for reference implementations).
Full documentation is available at https://stratosphereips.github.io/NetSecGame/
- Getting Started — Installation, configuration, first agent
- Architecture — Game components, actions, preconditions, project structure
- Configuration — Full task and environment configuration reference
- API Reference — Auto-generated code documentation
- NetSecGame works with the closed-world assumption. Only the defined entities exist in the simulation.
- If the attacker does a successful action in the same step that the defender successfully detects the action, the priority goes to the attacker. (From commit d6d4ac9, July 18th, 2024, the new action BlockIP removes controlled hosts from the state of others. So the state can get smaller)
- The action FindServices finds the new services in a host. If in a subsequent call to FindServices there are fewer services, they completely replace the list of previous services found. That is, each list of services is the final one, and no memory of previous open services is retained.
For detailed action preconditions and effects, see the Architecture documentation.
After every change, verify the environment is working correctly:
tests/run_all_tests.shThis runs the unit tests in the tests folder, followed by linting and formatting checks with ruff.
The code can be adapted to new configurations of games and for new agents. See the Agent repository for more details.
This code was developed at the Stratosphere Laboratory at the Czech Technical University in Prague.