AWARE
The Project
AWARE, aka A Windows Attack intRusion Emulator, is a project I worked on over the summer of 2004. I worked with a team of three other students, Michael Ware, Travis Woods, and David Knight, under the supervision of Professor Don Tobin.
The purpose of the project is to train the modern computer user to detect suspicious activity on their computer using only the tools that ship with Windows. A potential use of AWARE would be training employees at a company to clean up their own computers without bringing in outside help.
Some Background Info
The project was based on an idea Professor Tobin had been thinking about for a while. He supervised another team during the Spring semester of 2004, which I was also on. Our job on that team was to investigate the footprints left behind by several different viruses. We collected data on many specific viruses and used this information to determine where to look for suspicious activity on a Windows XP machine.
The Design
After much deliberation we decided to write the project in C#, with the database of attacks stored in an XML file. Only one member of the team had ever worked with C# before, and none of us had experience with XML.
Yet within one month we had a working prototype up and running.
We stuck very close to the original design of the project. An attack footprint is entered into a Data Entry Form and then saved to the XML file. Once the XML file is populated with attacks, the simulation can be started.
Inside the simulation, the user must use all the tools available to locate and remove every trace of the attack. Once finished, the user shuts down the simulation and is evaluated on his/her performance.
AWARE In Action
At startup, the user can choose to enter more attacks into the database, run the simulation, or view a tutorial on the tools used in the simulation. When the user chooses to run the simulation, there are two options: a specific attack can be generated, or a random one can be selected. Once an attack is generated, the simulation starts up and the footprint is injected into it. From here the user must use tools such as Task Manager, Windows Explorer, Services.msc, Registry Editor, Netstat, and others to locate all traces of the attack and eliminate them.
Upon completion the user shuts down the simulation and is immediately taken to an evaluation screen, which tells the user which modifications were recognized, which were missed, and which removals had nothing to do with the attack.
The Inner-Workings of AWARE
XML files are used to store not just the database of attacks, but also a backup of the registry, file system, services, port information, processes, and a few other things. The information stored in these XML files is what the simulation works from, which protects the user from inadvertently making changes to the real computer running the simulation. At startup, all the information is loaded into memory, and the user can then remove whatever he/she chooses without changing either the live system or the information stored in the XML files.
When the user generates an attack, the attack footprint is pulled from the XML file and placed into a single object, which is handed to the simulation and dispersed into the necessary locations. The footprint elements are then "hidden" within the simulation and the user must find and remove them.
As these elements (and even elements having nothing to do with the attack) are removed, a note is made in yet another XML file, entitled UserCleanup. Once the user shuts down the simulator, all the changes the user made are read back from this XML file and displayed, together with the changes the user should have made but did not.
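The evaluation step described above, as an added Python example that is not part of the AWARE code base (the project itself was written in C#): the attack footprint and the UserCleanup record are assumed to be XML documents with the constructed element layout embedded below, and the script compares the two to produce the recognized, missed, and unrelated lists shown on the evaluation screen.

```python
import xml.etree.ElementTree as ET

# Constructed sample of one attack footprint as it might sit in the attack
# database (the real AWARE XML schema is not given on the page).
ATTACK_XML = r"""<attack name="sample-worm">
  <item type="process" location="C:\Windows\System32\updater32.exe"/>
  <item type="registry" location="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater32"/>
  <item type="service" location="NetSvcHelper"/>
  <item type="port" location="TCP:31337"/>
</attack>"""

# Constructed sample of the UserCleanup record: everything the trainee removed
# during the simulation, whether or not it belonged to the attack.
CLEANUP_XML = r"""<usercleanup>
  <item type="process" location="C:\Windows\System32\updater32.exe"/>
  <item type="registry" location="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater32"/>
  <item type="service" location="Spooler"/>
</usercleanup>"""


def load_items(xml_text):
    """Return the set of (type, location) pairs found in an AWARE-style XML document."""
    root = ET.fromstring(xml_text)
    return {(el.get("type"), el.get("location")) for el in root.iter("item")}


def evaluate(attack_xml, cleanup_xml):
    """Compare what the trainee removed against the injected footprint.

    recognized: footprint elements the trainee removed
    missed:     footprint elements still present at shutdown
    unrelated:  removals that were not part of the attack (collateral damage)
    """
    footprint = load_items(attack_xml)
    removed = load_items(cleanup_xml)
    return {
        "recognized": sorted(footprint & removed),
        "missed": sorted(footprint - removed),
        "unrelated": sorted(removed - footprint),
    }


if __name__ == "__main__":
    for category, items in evaluate(ATTACK_XML, CLEANUP_XML).items():
        print(f"{category} ({len(items)}):")
        for kind, location in items:
            print(f"  [{kind}] {location}")
```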
More AWARE Info to Come!