Phase 4 predicted the attack paths. Phase 6 asks the operational question before anyone touches production: simulate every remediation against a digital twin, catch the cascading failures, prove zero disruption — and then decide whether the twin itself is authoritative enough to support the decision. The showpiece below is Exercise 11: a live drift lab that computes KL and Jensen-Shannon divergence and shows exactly when those metrics fail to see the change that matters.
Teaching demo built by RayveLabs to illustrate Dr. Mallarapu's SEAS-8414 Chapter 6. This is a client-side simulator with a synthetic 22-device network — it is not graded lab evidence (that requires the Dockerized Breakwater stack and real API output). Original course material © Dr. Mallarapu / The George Washington University.
The twin is only useful if it represents the real network. Profile mapping uses three tiers — device-type lookup, port inference, service-name hinting — each with a confidence. Fidelity = Σ(confidence) / device_count. Set your trust threshold and see which devices fall back to http-debug.
| IP | type | profile | conf | ports |
|---|
Figure (§6.3): A device mapped to "camera-variant" at 0.9 behaves realistically; a router mapped to "http-debug" at 0.1 does not. Low-confidence mappings poison any remediation that touches them.
You can't measure whether remediation reduced risk without a baseline. The deterministic scenario engine replays adversary techniques so the same input always yields the same result — the precondition for honest before/after comparison.
// results appear here
Amplification > 1 means each compromised host exposes others through firewall-permitted flows — a direct read on weak segmentation.
Figure (§6.5): Deterministic hashing makes the baseline reproducible. A stochastic engine would make "did remediation help?" unanswerable.
Patch only, service hardening, or network segmentation. Score them with a weighted multi-criteria model — then shift the weights toward zero-disruption and watch the winner change.
| criterion | A · Patch | B · Harden | C · Segment |
|---|
Figure (§6.8): Pareto-style trade-off. Patch is cheap but reversible-hard and leaves topology risk; segmentation cuts the most risk but introduces cascades and downtime.
A fix on device A can break device B that depends on A. The twin's dependency graph reveals these cascades before production. Three types: service-dependency, segmentation, credential.
| type | severity | affected | mitigation |
|---|
Figure (§6.10): Top dependency by blast count is the MQTT broker — rotating its shared credential cascades to every sensor that authenticates against it.
All-at-once is fast but a regression takes down everything; one-at-a-time is safe but slow. Find the group size that respects a concurrency limit and dependency separation.
Waves mix device types (catch type-specific regressions), keep interdependent devices apart, and put least-critical first.
Figure (§6.7): Speedup vs. sequential is bounded by ⌈N/c⌉ — past a point, adding concurrency stops helping and only raises blast risk.
The twin reporting zero_disruption=true (no cascades) is necessary but not sufficient. A doctoral zero-disruption claim must clear all eight conditions.
Figure (§6.12): The MQTT disable passes the naive flag in spirit but fails the strengthened claim on required-service-path and critical-dependency conditions.
Replay real protocol transcripts; compare simulated vs. expected responses. Fidelity = correct / total. Below 80% on an affected protocol is a Twin-Authority block condition.
| protocol | transcript | expected | twin | match |
|---|
Figure (§6.14): The twin returns 200 for /admin where the device enforces 403 — it does not model access control, so protocol-level remediation predictions are unreliable.
Side-by-side for the CISO: risk reduction by strategy, the cost/risk Pareto frontier, and a zero-disruption traffic light per strategy.
Figure (§6.8): A strategy is Pareto-optimal if no other beats it on both cost and risk; dominated strategies sit up-and-right of the frontier.
Aggregate drift metrics can miss small but operationally dangerous changes: one firewall rule, one changed dependency, one critical device remapped to a fallback. Toggle each controlled drift scenario — KL and JS divergence are computed live over the behavior distribution (open-port / unmapped bins) with ε-smoothing. Watch which scenarios the metrics can't see.
KL(P‖Q)=Σ Pᵢ·log(Pᵢ/Qᵢ) · JS=½KL(P‖M)+½KL(Q‖M), M=½(P+Q)
| scenario | material? | detecting metric | KL? | JS? | verdict | required action |
|---|
Figure (Ex 11): The targeted single-change scenarios (firewall, dependency, fallback, replay, subnet) are the most dangerous and the least visible to divergence — they require a mandatory companion metric, not a distribution test. "Small change, big consequence, invisible to KL" is the finding.
A favorable simulation is not production approval. Every result here was validated against the twin, not against production. The twin is decision-support, not a source of truth. Promotion to production still requires: canary deployment, live monitoring, change-advisory approval, and a tested rollback per wave.
Cleanup. The graded lab decommissions containers and volumes at exit (docker compose down) unless KEEP_LAB=1. This demo holds no state and starts no containers.