Papers
Topics
Authors
Recent
Search
2000 character limit reached

Replay-Based Attack Simulation Framework

Updated 4 July 2026
  • The paper introduces a replay-based attack simulation framework that parameterizes previously recorded signals with transformation rules to emulate a wide range of cyber attacks in controlled environments.
  • It employs diverse parameterization mechanisms—from modeling higher-order nonlinearity in voice interfaces to XML-based traffic mutation in 5G—to capture realistic attack dynamics.
  • Empirical evaluations demonstrate that controlled replay simulations can effectively expose vulnerabilities and inform robust mitigation strategies across various technological domains.

Taken together, the cited works describe a replay-based parameterized attack simulation framework as an architecture that reuses previously observed signals, traffic, or adversary procedures, and combines them with explicit scenario parameters, transformation rules, channel models, or decision tests to induce, study, or evaluate attacks in a controlled setting. In this literature, replay is not confined to packet resending: it appears as microphone-speaker-microphone re-emission in voice-driven interfaces, offensive re-execution of a fixed adversary in enterprise emulation, callback-triggered sensor manipulation in real-time simulators, physical replay-channel simulation for over-the-air speaker verification attacks, black-box retransmission of captured IoT flows, and protocol-aware replay and mutation of 5G traffic traces (Malik et al., 2019, Frydman et al., 29 Jun 2026, Girstein et al., 2023, Li et al., 2023, Lazzaro et al., 2024, Salazar et al., 2023).

1. Conceptual scope and threat model

A replay-based framework begins from the premise that a previously observed artifact remains operationally meaningful when reintroduced into a system. In voice-driven interfaces, the artifact is a recording of the victim’s voice, typically containing the wake word and command, which can be replayed to a smart speaker; the cited work emphasizes that this is the easiest spoofing attack compared with impersonation, synthesis, or voice conversion (Malik et al., 2019). In consumer IoT, the artifact is a captured local-network command or flow, and the question is whether a device accepts that previously observed command when it is resent later (Lazzaro et al., 2024). In 5G traffic fuzzing, the artifact is a live or captured packet stream that can be replayed and altered online or offline against a core or RAN component (Salazar et al., 2023).

Other frameworks use replay as an evaluation primitive rather than as the attack itself. COHORT evaluates a mitigation by re-executing the original adversary on the mitigated network and comparing the result to the unmitigated baseline, rather than relying on reward-signal or expert-judgment proxies (Frydman et al., 29 Jun 2026). SCART replays attacks when the recorded or observed sequence of events satisfies trigger conditions inside a discrete-event simulator (Girstein et al., 2023). In over-the-air automatic speaker verification, the replay process is the physical channel itself: a loudspeaker, a microphone, and a replaying environment alter the waveform, and the simulator is introduced so that adversarial perturbations are optimized through that transformation (Li et al., 2023).

A common misconception is to treat replay as equivalent to exact duplication. The surveyed systems contradict that simplification. The voice framework models replay distortion as a higher-order nonlinearity beyond 6th order (Malik et al., 2019). The neural replay simulator for ASV learns a waveform-to-waveform mapping from paired clean recording and replayed version (Li et al., 2023). 5Greplay does not only replay packets unchanged; it can change selected fields, duplicate or delete traffic, or drop it entirely, with conditions defined over protocol fields and timing relationships (Salazar et al., 2023). This suggests that replay, in the technical sense used across these works, is often a structured transformation of a previously valid execution trace rather than mere resubmission.

2. Replay objects and parameterization mechanisms

The replay object varies by domain, but each framework exposes an explicit parameter space.

Framework Replay object Parameterization mechanism
Voice replay countermeasure (Malik et al., 2019) Recorded and replayed speech Higher-order nonlinearity, HOSA, replay order
COHORT (Frydman et al., 29 Jun 2026) Fixed adversary scenario BB, KK, topology, attack scenario, cumulative state
SCART (Girstein et al., 2023) Sensor/state event sequence listeners, conditions, actions, Δt\Delta t
Neural replay simulator (Li et al., 2023) Replay-channel-transformed waveform learned F(⋅)F(\cdot), PGD, ϵ\epsilon, τ\tau
ReplIoT (Lazzaro et al., 2024) Captured IoT flows reverse-order replay, first jj responses, novelty model
5Greplay (Salazar et al., 2023) Live or PCAP 5G traffic XML rules, timing windows, mutation operators

In the voice-driven setting, the parameterization is rooted in the microphone-to-speaker-to-microphone path. The replay attack distortion is modeled as a higher-order nonlinearity beyond 6th order, and the dataset contains direct speech, 1st-order replay, and 2nd-order replay cloned audios (Malik et al., 2019). That formulation makes replay order itself an attack parameter.

SCART makes parameterization explicit through scenario decomposition. A scenario is defined by three lists: Listeners=[sensor1,sensor2,…,sensorn]\mathcal{L}\text{isteners} = [sensor_1,sensor_2,\dots,sensor_n]

Condiction=[c1,c2,…,cp]\mathcal{C}ondiction=[c_1,c_2,\dots,c_p]

Actions=[a1,a2,…,ak]\mathcal{A}ctions=[a_1,a_2,\dots,a_k]

with a history structure

KK0

The anomaly is active during a time interval KK1 in which all conditions hold (Girstein et al., 2023). The cited drone case study combines five manipulations—Duplicate, RandomChange, DisconnectSensor, AvgSensors, and AddWhiteNoise—yielding 32 combinations, 3 starting-condition options, 3 ending-condition options, and a total of 2048 attack options (Girstein et al., 2023).

COHORT parameterizes replay by network state, command budget, refinement depth, attack scenario, and topology. Let KK2 denote the network configuration state space, KK3 a fixed adversary scenario, and KK4 the device configuration command space; a mitigation is a finite sequence KK5, applied via KK6. The paper further introduces a per-refinement command budget KK7 and refinement cap KK8, with the reported setting up to 10 mitigations per run, KK9, and Δt\Delta t0 device commands per implementation cycle (Frydman et al., 29 Jun 2026).

The neural replay simulator for ASV does not specify a small closed-form acoustic parameterization. Instead, the replay process is parameterized implicitly by the neural simulator Δt\Delta t1, trained on paired clean and replayed utterances. Attack generation is then parameterized by the PGD step size Δt\Delta t2, threshold Δt\Delta t3, and the choice of surrogate models in the joint framework (Li et al., 2023).

ReplIoT parameterizes testing through flow grouping, replay order, and response-based decision logic. It groups request and response payloads into flows, replays the flows in reverse order, and evaluates only the first Δt\Delta t4 responses. If all of the first Δt\Delta t5 responses are classified as irregular, the attack is FAILED; if at least one response is classified as regular, the attack is SUCCESSFUL (Lazzaro et al., 2024).

5Greplay parameterizes scenario execution through XML properties with event conditions and timing constraints, using delay_units, delay_min, and delay_max, and exposes mutation operators

Δt\Delta t6

The paper notes that ORD(P1,P2) is not yet implemented (Salazar et al., 2023).

3. Architectural patterns and execution workflows

Although the domains differ sharply, the architectural organization of these systems follows a recurrent sequence: capture or define a baseline execution, specify a replayable scenario, apply a transformation or mitigation, and judge the outcome under controlled conditions.

COHORT is the most explicit role-decomposed realization. It defines five agents: Mitigation Suggester, Mitigation Implementer, Critic, Judge, and Summarizer. The mitigation cycle is formalized as replay on baseline state Δt\Delta t7,

Δt\Delta t8

followed by suggestion, refinement through implementer/critic iterations

Δt\Delta t9

application

F(â‹…)F(\cdot)0

and evaluation by replaying the same adversary on the modified network (Frydman et al., 29 Jun 2026). The cited paper emphasizes that this is not a purely advisory workflow: mitigations are turned into real device commands and executed in a high-fidelity GNS3 emulator running real vendor firmware.

SCART is not a standalone simulator but a layer added on top of an existing cycle-accurate or Digital-Twin simulator. Its workflow is: select a simulator close to the real hardware and communication patterns, define a scenario using listeners, conditions, and actions, install the scenario with a callback mechanism so attack logic is triggered when sensor updates arrive, run the scenario in the target simulator via the SCART API, and collect outputs, logs, and history for dataset creation or replay (Girstein et al., 2023). The callback determines which conditions are satisfied, whether actions should be applied, and when the attack should stop.

ReplIoT uses a three-module architecture: Training Module, Attack Module, and Detection Module. The Training Module captures local traffic with tcpdump, extracts transport-layer payloads using Pyshark, and trains a novelty-detection model on regular responses. The Attack Module captures traffic for a specific function, groups it into flows, replays the flows in reverse order, and stores replay responses. The Detection Module first applies a Response Check and a Protocol Check, then invokes novelty detection if needed (Lazzaro et al., 2024). The design is explicitly device-agnostic and black-box.

5Greplay organizes execution as packet acquisition, rule-based analysis and modification, and packet egress. A packet arrives from an input NIC or PCAP file, is classified by deep packet inspection, has relevant protocol attributes extracted, is matched against XML rules, and is then forwarded, modified, duplicated, deleted, or dropped (Salazar et al., 2023). The framework can be placed after another replay tool in a service chain, which allows generic replay to be combined with 5G-specific mutation.

The voice replay countermeasure uses a non-learning-based workflow. Recordings are segmented into frames with 50% overlap, bicoherence is estimated using 1024-point segment length, 1024-point FFT length, 50% overlap, and a Rao-Gabr optimal window for frequency-domain smoothing, and HOSA computations use the glstat function from the HOSA MATLAB Toolbox (Malik et al., 2019). Gaussianity and linearity test statistics are then evaluated frame by frame.

The neural replay simulator for ASV splits the pipeline into simulator training and attack generation. The simulator is first trained on 40,000 digital adversarial examples paired with replayed counterparts, split into 39,000 training and 1,000 validation examples, and then frozen. PGD is subsequently performed through the simulator so that perturbations are estimated under the simulated replay channel (Li et al., 2023).

4. Analytical models and decision criteria

These frameworks differ most visibly in how they convert replay outcomes into a detection, success, or mitigation decision.

For voice-driven interfaces, the central analytical claim is that replay distortion introduces higher-order nonlinear artifacts that are not adequately characterized by second-order analysis. The third-order cumulant is given as

F(â‹…)F(\cdot)1

and the bispectrum is the 2-D Fourier transform of the third-order cumulants. The framework focuses on the bispectrum and bicoherence and uses QPC or bicoherence features, Gaussianity test statistics, and linearity test statistics. The binary framing is

F(â‹…)F(\cdot)2

F(â‹…)F(\cdot)3

The paper states that if the third-order cumulants are zero, then bicoherence is zero; nonzero bicoherence implies non-Gaussianity; and if the process is linear and non-Gaussian, bicoherence becomes a nonzero constant (Malik et al., 2019). The decision criterion is thus statistical evidence of nonlinear spectral coupling rather than a trained classifier.

COHORT formalizes replay-based mitigation validation through Attack Step Success Rate and paired comparison. Mitigation effectiveness is

F(â‹…)F(\cdot)4

where F(â‹…)F(\cdot)5 is the ratio of successfully executed Caldera abilities to attempted abilities. Legitimate operation is gated by

F(â‹…)F(\cdot)6

and a mitigation is counted as successful only if

F(â‹…)F(\cdot)7

The same adversary is fixed across baseline and mitigated runs, which the paper presents as the mechanism that controls for attacker variation and makes observed changes attributable to the mitigation (Frydman et al., 29 Jun 2026).

In ASV, the analytical move is to optimize against the replay transformation rather than against the raw waveform. The adversarial loss is

F(â‹…)F(\cdot)8

and the replay-aware PGD update is

F(â‹…)F(\cdot)9

The main metric is attack success rate, defined as the ratio of successful attacks to total attacks (Li et al., 2023). The joint framework further uses a cascade ensemble PGD attack with two surrogate models, one representing the NRS-ASV OTA path and one representing the digital ASV path.

SCART operationalizes decision logic through event-driven activation rather than a single scalar effectiveness function. After each update in history, all conditions are checked; when all are true, actions are activated, and the attack continues until an ending condition is met (Girstein et al., 2023). This yields a state-contingent replay model that is especially suitable for reactive and bounded-time systems.

ReplIoT casts replay detection as novelty detection. Regular responses are responses seen during legitimate use; irregular responses are responses seen when the replay attack fails, often error messages or no responses. The early checks are decisive: if no response is received, the attack is FAILED; if communication uses standard security protocols like TLS or QUIC, the attack is considered FAILED (Lazzaro et al., 2024). Only otherwise are the received responses passed to Isolation Forest, Elliptic Envelope, or Local Outlier Factor.

5Greplay uses rule satisfaction rather than classification. A rule is fired when one or more <event> entries satisfy Boolean expressions over extracted protocol fields, possibly within a specified timing window. The resulting action can update a field, forward a mutated packet, or generate duplication- or deletion-based variants of the original traffic (Salazar et al., 2023). This makes the decision criterion semantic and protocol-structural.

5. Empirical findings across domains

The reported results show that replay-based simulation is empirically consequential across all surveyed settings, although the meaning of success differs by domain.

In the voice-driven interface study, replay audio showed more pronounced bicoherence magnitude and phase coupling than direct speech, with QPC scatter plots showing shifts in QPC peak locations for both 1st-order and 2nd-order replays. For all three replay recordings, every non-silence frame failed the Gaussianity and linearity tests, whereas for all three direct recordings, less than 35% of non-silence frames failed those tests (Malik et al., 2019). The experiments also showed that Amazon Echo did not distinguish replayed voice from live voice in the tested scenarios, and Google Home appeared to verify only the wake word and not subsequent commands.

COHORT reports the clearest mitigation-centric benchmark. Across three topologies and four attack scenarios, the mitigation success rates are 10.7% for Single-Agent, 38.6% for Multi-Agent without Critic, and 46.7% for Multi-Agent, which is 4.4 times the rate of the single-agent baseline using the same model and tool access. Run-level outcomes show at least one working mitigation in 98% of runs for Multi-Agent, 95% for Multi-Agent without Critic, and 78% for Single-Agent. Connectivity preservation is 92.0%, 94.3%, and 88.0%, respectively. Cumulative mitigation effectiveness plateaus at roughly 52%, 47%, and 28%, with no statistically significant topology effect on MSR; the reported values are 48.9% for small enterprise, 48.5% for medium enterprise, and 42.6% for large enterprise, with Welch’s ANOVA ϵ\epsilon0 (Frydman et al., 29 Jun 2026). The per-attack appendix reports 27% MSR on DNS Exfiltration and up to 60% on Lateral Movement.

SCART’s reported evidence is centered on attack-space generation and downstream anomaly detection rather than direct attack success against a defended target. In the PX4-based drone case study, a 30x30 square flight path is used with approximately 100 runs without attacks for baseline comparison. The framework exposes 2048 attack options and produces datasets for Telemanom, Tibstib, statistical methods, and DeepOD models including DeepSVDD, RDP, RCA, GOAD, and NeuTraL. The reported results list 58.2% TP Simulation, 89.6% TP CSV, and 90% TN No Attack for Telemanom; 42%, 86.2%, and 100% for Tibstib; 59.7%, 86.2%, and 100% for the statistical method; and 100%, 100%, and either 90% or 100% TN No Attack for the DeepOD models, depending on the method (Girstein et al., 2023). The paper claims that SCART is efficient, can increase the model’s accuracy, and significantly reduce false-positive rates.

The ASV replay simulator paper reports that the baseline OTA attack without a replay simulator achieves an average success rate of 53.3%. NRS variants yield 52.2% with Wav L1, 42.5% with Wav L2, 55.2% with GAN loss, 56.4% with Mel L1, 52.3% with Mel L1 + Wav L1, and 57.7% with Mel L1 + ASV loss. In the white-box OTA setting, the headline comparison is 53.3% for Baseline, 56.4% for NRS-only, and 73.6% for NRS-joint (Li et al., 2023). The digital white-box attacks remain at 100% because PGD is iterated until first success on the surrogate model. Transfer results are more mixed: digital transfer averages 19.8% for Baseline, 14.2% for NRS-only, and 19.9% for NRS-joint, while OTA transfer gives 12.3%, 11.6%, and 14.0%.

ReplIoT evaluates 41 consumer IoT devices. Of these, 22 did not communicate locally with the app, 1 of those used local APIs instead, and therefore 21/41 did not satisfy the ENISA-style reliability expectation of local functionality. Among the 20 devices that did use local connectivity, 15/20 were vulnerable to replay attacks; in the Non-Restart Scenario the attack succeeded against all 20, while in the Restart Scenario it succeeded against 14/20. The Detection Module, especially with Local Outlier Factor, achieved accuracy from 0.98 to 1 across devices in both scenarios (Lazzaro et al., 2024). The paper further reports that Response Check failed for 4 devices and Protocol Check failed for 1 device, so only the remaining 15 required ML-based detection.

5Greplay demonstrates both semantic mutation and stress capacity. In offline IDS-oriented replay, a PCAP is modified so that the UE RAN identifier in an NGAP authentication response is incremented by 100, and the Montimage Monitoring Tool raises an alert. In online malformed NGAP injection, changing the SCTP protocol identifier from 60 to 0 leads free5GC to log a warning but continue running, whereas open5GS crashes and can no longer accept new connections. In NAS-5G Security Mode Complete replay, the AMF logs show that the replayed packets were received, but free5GC recognizes that they do not belong to the same security context. As a throughput generator, 5Greplay reaches 9.56 Gbps and 1.28 Mpps with a single thread on an Intel Ethernet X710 adapter; endurance tests report that open5GS fails at around 1780 packet copies with average replay rate 509.5 pps and 834 kbps, while free5GC fails when the number of copies exceeds 3000, with average replay rate 594.9 pps and 974 kbps (Salazar et al., 2023).

6. Assumptions, limitations, and implications

Each framework is explicit about the conditions under which replay-based parameterization is expected to work. The voice framework assumes that replay attacks produce measurable nonlinear distortion, that the microphone-speaker-microphone path is sufficiently nonlinear to create detectable HOSA artifacts, that speech can be treated as a stationary sequence over short frames, and that bona fide and replayed speech differ in their higher-order statistics (Malik et al., 2019). The evaluation is relatively small, using only 12 recordings, and does not provide a full ROC or EER-style benchmark against large replay corpora.

COHORT assumes a high-fidelity emulation of the production network already exists, evaluates only scripted replayable Caldera adversaries, and does not generalize to adaptive adversaries that re-plan during replay, Windows endpoints, vendor families beyond FortiGate, Cisco IOS, and Open vSwitch, operational regressions beyond LAN and internet connectivity probes, or attack phases before initial foothold (Frydman et al., 29 Jun 2026). The same adversary is fixed across baseline and mitigated runs, which the paper describes as ensuring attribution but also creating an optimization-evaluation gap.

SCART is scenario-driven, so attack realism depends on how well scenarios are specified. The experimental validation is centered on a drone/PX4 case study, parts of the architecture discussion assume a vanilla setup with single anomaly per run, and no fully formal algorithm or mathematical proof is given for all attack classes (Girstein et al., 2023). The paper notes some validation on real drones, but most evaluation remains simulation-based.

The ASV replay simulator is trained and tested in a fixed OTA setup with one loudspeaker, one microphone, one distance, and a soundproof studio. The paper acknowledges that broader generalization to other devices and environments remains future work (Li et al., 2023). This suggests that replay-channel learning is promising, but also that robustness may depend materially on the fidelity and diversity of the paired clean and replayed training data.

ReplIoT is intentionally black-box and device-agnostic, but its success criterion is operational rather than protocol-semantic: acceptance is inferred from regular-looking responses and ground-truth state changes under OBVERSE/REVERSE testing (Lazzaro et al., 2024). The paper nonetheless identifies concrete causes of vulnerability—cleartext traffic without authentication, encoded proprietary protocols, non-standard encrypted protocols with weak replay protection, lack of post-reboot authentication, and signatures that remain valid under exact replay.

5Greplay currently supports only a defined set of mutation operators, does not yet implement ORD(P1,P2), focuses on traffic that can be parsed and inspected, and identifies encrypted traffic as a future challenge. The experimental evaluation is mainly centered on core-side signaling and UERANSIM-based emulation rather than a full real-world 5G deployment (Salazar et al., 2023).

A plausible implication of these combined results is that replay-based parameterized attack simulation should be understood less as a single algorithm than as a design pattern. In one variant, replay exposes physical-channel artifacts and motivates higher-order spectral countermeasures (Malik et al., 2019). In another, replay is the causal evaluation mechanism that distinguishes deployable mitigations from proxies (Frydman et al., 29 Jun 2026). In others, replay functions as a parameterized generator of attack data, a black-box vulnerability probe, or a protocol-aware fuzzing primitive (Girstein et al., 2023, Lazzaro et al., 2024, Salazar et al., 2023). Across all of them, the central technical requirement is not replay alone, but replay under a controlled parameterization that preserves enough realism to make the outcome attributable, reproducible, and operationally meaningful.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Replay-Based Parameterized Attack Simulation Framework.