What is an experiment? - UW Information Technology Wiki

THE DETER PROJECT:
SCIENTIFIC, SAFE AND EASY
CYBERSECURITY EXPERIMENTATION
Jelena Mirkovic
USC Information Sciences Institute
sunshine@isi.edu
Sponsored by Dr. Doug Maughan, DHS S&T
http://www.isi.edu/deter
Talk Outline
• Long-term Vision: Advanced scientific instrument
– Elevate the science of cybersecurity
• Platform: Advanced testbed technology
– Robust, diverse, and scalable experiments
• Growing Community: Collaborative science
– Effective and efficient sharing
• Next Steps: DETECT
– Program to catalyze cybersecurity research
DETER Background I
[Figure: risk vs. capability over time]
• 20+ years investment in network security research
• Platforms needed to efficiently explore design space
DETER Background II
• Barriers to network security experimentation (dimension: barrier)
– Language: Shared vocabulary
– Safety: Risk management
– Correctness: Realism of setup
– Scale: Resources
– Confidence: Rigor, repeatability
– Efficiency: Automation; sharing & community
– Flexibility: Programmability
• Systematically addressed by DETER project
DETER Goals
• Advance science of cybersecurity experimentation
– Rigorous experiments
– Repeatable experiments
• Advance testbed technologies
– Federation
– Risky experiment management
• Share infrastructure / broaden participation
– Data, code, results, set up, ideas
– Create community knowledge
– Simplify, automate use
– Testbeds in education
The DETER Facility
• Located at USC/ISI and UC Berkeley
• Funded by NSF and DHS, started in 2004
• 400+ nodes, ~200 each at ISI and UC Berkeley
• Built with Emulab technology (http://www.emulab.net)
Data Center
Hardware
ISI
• 64 x IBM pc733
• 64 x Dell pc3000
• 11 x Sun pc2800
• 80 x Dell
• 2x Juniper IDP-200 (8 x 1Gbps)
• 5x Juniper M7i (4 x 1Gbps)
• 1x Cloud Shield 2200 (4 x 1Gbps)
• Nortel 5510, Cisco 6509
• 1 GBps (4 later); ~150Mbps with IPSec
UCB
• 30 x Sun bpc2800
• 32 x Dell bpc3000
• 40 x HP
• 64 x Dell
• Nortel 5510
• 1 GBps (4 later)
McAfee: 2x Intrushield 2600 (2 x 1Gbps)
Architecture
[Diagram of the testbed control and data networks. Components shown:]
• Internet access through an Ethernet Bridge with Firewall and a Router with Firewall
• VLANs: External VLAN, Users VLAN, Boss VLAN, Control Hardware VLAN, Control Network VLAN
• 'User' Server (user files); User Account & Data Logging server; Control DB
• Master Server ("Boss"): Web/DB/SNMP, switch management
• Node Serial Line Server, Power Serial Line Server, Power Controller
• Nodes: control interface on the Control Network VLAN; N x 4 @1000bT data ports into a Programmable Patch Panel (VLAN switch)
What is an experiment? Standard definition
• Background environment
– Topology (physical nodes), OSes, applications
– Cross-traffic
– Cross-events
• Events of interest
– Attack, intrusion
– Worm spread
– Botnet recruitment
• Perhaps a defense
• Scenario combining the above
• Measurement tools, metrics of success
• A user specifies EVERY detail
Using DETER – summary
• All you need is a Web browser and an SSH client
• Open a user account (open to all users)
• Create (faculty members or PIs from labs/companies are eligible) or join a project
• Log on to our Web site
• Run experiments
– Create a topology, or retrieve an existing one
– Nodes are assigned to you
• Exclusive, sudoer access
– Load software you need or use DETER sw to create traffic and events of interest, deploy defenses, monitor (SSH)
• Swap out (return nodes) or terminate (if no longer needed) experiments
Using DETER – open account, manage exps
http://www.deterlab.net
Using DETER – start an experiment (topology)
Using DETER – draw a topology
Using DETER – manage an experiment
Using DETER – drive an experiment via SEER
http://seer.isi.deterlab.net
• Java front-end and Python back-end, support for many OSes
• Open-source, extensible tool
DETER Advanced Capabilities
• Policy based federation
– Integration of diverse testbeds
• Risky experiment management
– Balance realism and safety
Federation
http://fedd.isi.deterlab.net
• On-demand creation of experiments spanning multiple, independently controlled facilities
• Researcher
– Controls experiment embedding
• Federants
– Control resource access
– Constrain resource use
• Related to (but not same as) experiment composition
Win for Everyone
• Unique facilities
– access to specialized resources at different sites
• Many communities of interest
– geographical areas, federation controlled by policy
• Data and knowledge sharing
– facilitates collaboration
• Information hiding
– enables multi-party scenarios with controlled views
• Extreme scale
– larger number of nodes than at any single site
• Multiple operating testbed environments
Federation System Architecture
[Diagram. Components shown:]
• CEDL "Assembly Code": standard experiment representation
• Inputs: Experiment Requirements, Testbed Properties
• Tools: Experiment Creation Tool (one per testbed), Experiment Decomposition Tools
• Experiment Topology
• Federator and the participating Testbeds
Risky Experiment Management
• Risks for: testbed, experiments, Internet
• Prohibit risky experiments
– But these are necessary for security research
• Strict isolation
– Really interesting experiments need to talk to the outside: visit Web sites, download files, interact with a bot master
• Fixed containment
– Difficult to come up with a set of fixed rules that would work for every experiment
• Experiment-driven containment
– Hardest to achieve but results in best utility for experimenters — our approach
Two-constraint Approach to Experiment Risk Management
[Diagram: user goals for research utility and testbed safety goals narrow unconstrained behavior to constrained behavior and finally to safe and useful behavior]
• Experiment behavior constraint transform: T1
• Testbed behavior constraint transform: T2
• Behavioral composition model: External behavior = T2(T1(experiment))
Talk Outline
• Long-term Vision: Advanced scientific instrument
– Elevate the science of cybersecurity
• Platform: Advanced testbed technology
– Robust, diverse, and scalable experiments
• Growing Community: Collaborative science
– Effective and efficient sharing
• Next Steps: DETECT
– Multi-year program to catalyze cybersecurity science
DETER Users (class: value)
• Security Researchers: exploring/validating new ideas; publishing results; sharing data/tools
• Small Companies: testing product prototypes; sharing tools
• DHS Constituencies: scenario exploration; training
• Emerging Technologies: data sharing (e.g., PREDICT); scenario exploration; training
• Education: repeatability; abstraction; hands-on experience
DETER Users [figure]
DETER User Organizations
Government
• Air Force Research Laboratory
• Lawrence Berkeley National Lab
• Lawrence Livermore National Lab
• Naval Postgraduate School
• Sandia National Laboratories
• USAR Information Operations Command
Academia
• Carnegie Mellon University
• Columbia University
• Cornell University
• Dalhousie University
• DePaul University
• George Mason University
• Georgia State University
• Hokuriku Research Center
• ICSI
• IIT Delhi
• IRTT
• ISI
• Johns Hopkins University
• Jordan University of Science & Technology
• Lehigh University
• MIT
• New Jersey Institute of Technology
• Norfolk State University
• Pennsylvania State University
• Purdue University
• Rutgers University
• Sao Paulo State University
• Southern Illinois University
• TU Berlin
• TU Darmstadt
• Texas A&M University
• UC Berkeley
• UC Davis
• UC Irvine
• UC Santa Cruz
• UCLA
• UCSD
• UIUC
• UNC Chapel Hill
• UNC Charlotte
• Universidad Michoacana de San Nicolas
• Universita di Pisa
• University of Advancing Technology
• University of Illinois, Urbana-Champaign
• University of Maryland
• University of Massachusetts
• University of Oregon
• University of Southern California
• University of Washington
• University of Wisconsin-Madison
• USC
• UT Arlington
• UT Austin
• UT Dallas
• Washington State University
• Washington University in St. Louis
• Western Michigan University
• Xiangnan University
• Youngstown State University
Industry
• Agnik, LLC
• Aerospace Corporation
• Backbone Security
• BAE Systems, Inc.
• BBN
• Bell Labs
• Cs3 Inc.
• Distributed Infinity Inc.
• EADS Innovation Works
• FreeBSD Foundation
• iCAST
• Institute for Information Industry
• Intel Research Berkeley
• IntruGuard Devices, Inc.
• Purple Streak
• Secure64 Software Corp
• Skaion Corporation
• SPARTA
• SRI International
• Telcordia Technologies
UCBttc: Example Project
DETER Project Profile
Research done on DETER
[Chart of research topics on DETER with per-topic counts: Malware, Testing, Comprehensive, DDoS, Testbeds, Classes, Infrastructure, Botnets, Overlays, Wireless, Traceback, Privacy, Spoofing, Spam, Multicast]
Education on DETER
http://www.isi.edu/deter/education
• Special support for education projects
– Recyclable student accounts, automated setup
– Class hand-off
– Special resource access control
– Resource reservation
• Shared exercise materials
• Education usage so far
Air Force Research Lab
Colorado State University
IIT Delhi
Jordan University of S&T
Lehigh University
Santa Monica College
Sao Paolo State University
UC Berkeley
UCLA
US ARMY School of IT
University of Nebraska - Lincoln
University of Southern California
Youngstown State University
What is an experiment? New definition
• Events of interest
• Background environment, domain-specific
– Virtual topology (varies with phenomenon), could be dynamic, abstract, expresses needs and constraints
– Cross-traffic, cross-events
• Perhaps a defense
• Scenario combining the above, domain-specific
• Measurement tools, metrics of success, domain-specific
• Research goals, domain-specific
• Invariants (truths that must hold), domain-specific
• A user specifies ONLY details of interest
• Experiment description separate from deployment
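The two definitions above (every detail specified vs. only details of interest, with the description separate from deployment) and the "create a topology" step from the Using DETER summary can be shown together. The following Python is an added example, not DETER or Emulab code: the dataclasses hold the description (events of interest, abstract topology, defense, metrics, goals, invariants), a checker enforces the few truths that must hold for the description itself, and render_ns() is the only function that produces a deployment artifact, an Emulab-style NS script of the kind DETER consumes. The SYN-flood scenario, node names and OS image names are constructed placeholders.

```python
"""An experiment description kept separate from its deployment.

Added example. Only render_ns() touches deployment detail; the scientific
content (events, goals, invariants) never reaches the generated script.
Scenario, node names and image names are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Link = Tuple[str, str, str, str]   # (node_a, node_b, bandwidth, delay)


@dataclass
class Topology:
    nodes: List[str]
    links: List[Link]


@dataclass
class Experiment:
    name: str
    topology: Topology
    events: List[str]          # events of interest (attack, worm spread, ...)
    cross_traffic: List[str]   # background traffic the scenario needs
    defense: List[str]
    metrics: List[str]
    goals: List[str]
    invariants: List[str]      # truths that must hold throughout the run
    os_image: Dict[str, str] = field(default_factory=dict)  # deployment detail only


def check_description(exp: Experiment) -> List[str]:
    """Return problems that would make the description unusable before deployment."""
    problems = []
    declared = set(exp.topology.nodes)
    if len(declared) != len(exp.topology.nodes):
        problems.append("duplicate node names")
    for a, b, _, _ in exp.topology.links:
        for n in (a, b):
            if n not in declared:
                problems.append(f"link references undeclared node {n!r}")
    if not exp.events:
        problems.append("no events of interest")
    if not exp.metrics:
        problems.append("no metrics of success")
    return problems


def render_ns(exp: Experiment, default_os: str = "FBSD-STD") -> str:
    """Concretize the abstract topology as an Emulab-style NS script.

    Only nodes, links and the chosen OS image appear here, so the same
    description could be handed to a different embedder (e.g. a federated
    one) without touching the scientific part of the experiment.
    """
    out = ["set ns [new Simulator]", "source tb_compat.tcl", ""]
    for n in exp.topology.nodes:
        out.append(f"set {n} [$ns node]")
        out.append(f"tb-set-node-os ${n} {exp.os_image.get(n, default_os)}")
    for i, (a, b, bw, delay) in enumerate(exp.topology.links):
        out.append(f"set link{i} [$ns duplex-link ${a} ${b} {bw} {delay} DropTail]")
    out += ["", "$ns rtproto Static", "$ns run"]
    return "\n".join(out) + "\n"


# Constructed sample: a small SYN-flood scenario with a rate-limiting defense.
EXAMPLE = Experiment(
    name="synflood-demo",
    topology=Topology(
        nodes=["attacker", "client", "router", "victim"],
        links=[("attacker", "router", "100Mb", "10ms"),
               ("client", "router", "100Mb", "10ms"),
               ("router", "victim", "10Mb", "2ms")],
    ),
    events=["t=30s: attacker starts SYN flood toward victim:80"],
    cross_traffic=["client fetches victim:80 every 2s"],
    defense=["router applies SYN-rate limiting toward victim"],
    metrics=["client request success rate", "victim CPU utilization"],
    goals=["measure client-visible service degradation under flood"],
    invariants=["no packets leave the experiment VLAN",
                "victim answers at least one client request per 10s"],
    os_image={"router": "FBSD-STD", "victim": "RHL-STD"},  # placeholder image names
)

if __name__ == "__main__":
    print(check_description(EXAMPLE) or "description OK")
    print(render_ns(EXAMPLE))
```

Everything the standard definition forces a user to spell out (physical nodes, images, link parameters) is confined to render_ns() and os_image; the rest of Experiment is the "details of interest" the new definition keeps as the experiment itself.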
DETECT: DETER Next Generation
[Diagram of the DETECT pipeline:]
• Description: Elements, Goals, Invariants
• Interconnected Abstract Elements
• Embedder: Map Elements into Containers (Experiment Creation System)
• Assign Containers to Distributed Resources (Federation System)
• Federated Systems
• Increased testbed-wide expressiveness and control
• Significantly expands the set of feasible & interesting experiments
New Capabilities
[Same DETECT pipeline diagram (Description → Interconnected Abstract Elements → Embedder → Federation System → Federated Systems), annotated with the new capabilities:]
• New Abstractions
• New Security & Control Algorithms (Advanced Testbed Technology)
• New Sharing Mechanisms (Advanced Testbed Technology)
• New Style of Experiments (Advanced Scientific Instrument)
• New Mapping Algorithms (Advanced Testbed Technology)
• New Domains
• New Resources (New Domains)
Advanced Scientific Instrument
• Experiment abstraction: decrease barrier, increase efficiency
– Models
– Recipes
– Workbenches
• Invariants: language for behavior
– Refinement
– Validity management
– Risky experiment management
• Science of Repeatability
Experiment Health System
• Helps users understand their experiment's behavior
• Generates, records and uses higher-level knowledge about the experiment
– Desired invariants
– Expected behavior
• Takes corrective or notification action if invariant is violated
– Monitor invariants
– Trigger actions
• Captures invariants in exportable form for experiment reuse, repeatability and validation, etc.
[Diagram components: Services, Diagnostics & Analytics, Event Architecture, ThirdEye (Diagnostics and Analysis Framework for Testbed Experiments)]
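The slide's three functions (monitor invariants, trigger an action when one is violated, keep the invariants in an exportable form) fit in a short monitor. The following Python is an added example and not the ThirdEye or Experiment Health System code: invariants are declarative (metric, operator, threshold, action) records, so they round-trip through JSON and can be reused across runs, and the monitor evaluates them on every sample and hands violations to a callback. The metric names, thresholds and the time series are constructed.

```python
"""Declarative invariants, a monitor that checks them, and JSON export.

Added example; the invariant schema, metric names and samples are
constructed and are not DETER's own format.
"""
import json
import operator
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Optional

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}


@dataclass(frozen=True)
class Invariant:
    name: str
    metric: str
    op: str
    value: float
    action: str = "notify"   # "notify" or "correct" (what to do on violation)

    def holds(self, sample: Dict[str, float]) -> bool:
        if self.metric not in sample:
            return False     # missing data is treated as a violation, not as "fine"
        return OPS[self.op](sample[self.metric], self.value)


@dataclass
class Violation:
    t: int
    invariant: str
    observed: Optional[float]
    action: str


class HealthMonitor:
    def __init__(self, invariants: List[Invariant],
                 handler: Optional[Callable[[Violation], None]] = None):
        self.invariants = invariants
        self.handler = handler or (lambda v: None)   # notification / corrective hook
        self.violations: List[Violation] = []

    def observe(self, t: int, sample: Dict[str, float]) -> List[Violation]:
        """Evaluate every invariant on one sample; record and dispatch violations."""
        new = []
        for inv in self.invariants:
            if not inv.holds(sample):
                v = Violation(t, inv.name, sample.get(inv.metric), inv.action)
                new.append(v)
                self.handler(v)
        self.violations.extend(new)
        return new


def export_invariants(invs: List[Invariant]) -> str:
    """Exportable form, so the same invariants can be reused for repeatability checks."""
    return json.dumps([asdict(i) for i in invs], indent=2)


def import_invariants(text: str) -> List[Invariant]:
    return [Invariant(**d) for d in json.loads(text)]


# Constructed invariants for a DDoS-style experiment.
INVARIANTS = [
    Invariant("victim-responsive", "victim_rtt_ms", "<", 500, "notify"),
    Invariant("contained", "pkts_to_external", "==", 0, "correct"),
    Invariant("control-net-headroom", "control_link_util", "<", 0.8, "notify"),
]

# Constructed time series, one sample per second.
SAMPLES = [
    {"t": 0, "victim_rtt_ms": 12, "pkts_to_external": 0, "control_link_util": 0.10},
    {"t": 1, "victim_rtt_ms": 35, "pkts_to_external": 0, "control_link_util": 0.20},
    {"t": 2, "victim_rtt_ms": 900, "pkts_to_external": 0, "control_link_util": 0.25},
    {"t": 3, "victim_rtt_ms": 1500, "pkts_to_external": 7, "control_link_util": 0.30},
    {"t": 4, "victim_rtt_ms": 40, "pkts_to_external": 0, "control_link_util": 0.95},
]


def run_monitor(samples=SAMPLES, invariants=INVARIANTS) -> List[Violation]:
    mon = HealthMonitor(invariants, handler=lambda v: print(f"[{v.action}] t={v.t} {v.invariant}"))
    for s in samples:
        mon.observe(s["t"], {k: v for k, v in s.items() if k != "t"})
    return mon.violations


if __name__ == "__main__":
    run_monitor()
```

The "contained" invariant is the one whose violation is tagged for corrective action rather than notification: a packet count leaving the experiment is the testbed-safety signal, while the victim's RTT is a research-utility signal the experimenter may only want to be told about.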
Advanced Testbed Technologies
• Focus: Virtualization and abstraction
• Components:
– Element = abstract representation of capability, e.g., VM, SCADA simulation
– Container = physical resources for element realization, e.g., emulation hardware, PC
• Flexible, multi-level abstractions beyond VMs
– Fine-grained control for advanced users
– Interfaces and extension mechanisms
– Mapping/embedding challenges
[Diagram: Interconnected Abstract Elements → Map Elements into Containers → Assign Containers to Distributed Resources]
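The element/container split and the "map elements into containers" step can be illustrated with a small embedder. The following Python is an added example, not DETER's embedder: elements carry an abstract kind (VM, SCADA simulation, PC) plus resource needs, containers advertise which kinds they can realize and how much capacity they have, and a first-fit pass places the largest elements first while preferring one site, which folds the "assign containers to distributed resources" step into the same loop. The element and container inventories are constructed.

```python
"""First-fit embedding of abstract elements into containers.

Added example. The kinds, sites and capacities are constructed and the
algorithm is an illustration of the mapping problem, not DETER's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Element:
    name: str
    kind: str          # abstract capability, e.g. "vm", "scada-sim", "pc"
    cpu: float         # required CPU (cores)
    mem_gb: float      # required memory


@dataclass
class Container:
    name: str
    site: str                  # physical site the container lives at, e.g. ISI or UCB
    kinds: Set[str]            # element kinds this container can realize
    cpu: float                 # remaining capacity
    mem_gb: float
    hosted: List[str] = field(default_factory=list)

    def fits(self, e: Element) -> bool:
        return e.kind in self.kinds and e.cpu <= self.cpu and e.mem_gb <= self.mem_gb

    def place(self, e: Element) -> None:
        self.cpu -= e.cpu
        self.mem_gb -= e.mem_gb
        self.hosted.append(e.name)


def embed(elements: List[Element], containers: List[Container],
          prefer_site: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Return element name -> container name (None when nothing can realize it).

    Largest elements go first so that small ones do not fragment the capacity
    a big request needs; containers at prefer_site are tried before others.
    """
    order = sorted(containers, key=lambda c: (c.site != prefer_site, c.name))
    mapping: Dict[str, Optional[str]] = {}
    for e in sorted(elements, key=lambda e: (-e.cpu, -e.mem_gb, e.name)):
        target = next((c for c in order if c.fits(e)), None)
        if target is not None:
            target.place(e)
        mapping[e.name] = target.name if target else None
    return mapping


def unmapped(mapping: Dict[str, Optional[str]]) -> List[str]:
    """Elements the description asked for that no container could realize."""
    return [name for name, c in mapping.items() if c is None]


def build_scenario() -> Tuple[List[Element], List[Container]]:
    """Constructed inventory: a botnet-style experiment with one SCADA simulation."""
    elements = [
        Element("router", "pc", 2, 4),
        Element("bot1", "vm", 1, 2),
        Element("bot2", "vm", 1, 2),
        Element("bot3", "vm", 1, 2),
        Element("plc-sim", "scada-sim", 1, 2),
        Element("big", "vm", 8, 16),        # deliberately larger than any container
    ]
    containers = [
        Container("isi-pc1", "ISI", {"pc", "vm"}, 4, 8),
        Container("isi-pc2", "ISI", {"vm"}, 4, 8),
        Container("ucb-scada1", "UCB", {"scada-sim"}, 2, 4),
    ]
    return elements, containers


def run_example() -> Dict[str, Optional[str]]:
    elements, containers = build_scenario()
    return embed(elements, containers, prefer_site="ISI")


if __name__ == "__main__":
    result = run_example()
    for name, container in result.items():
        print(f"{name:8s} -> {container}")
    print("unmappable:", unmapped(result))
```

Reporting the unmappable elements instead of failing the whole embedding is the useful part for an experimenter: it tells them which abstract element's needs the current testbed (or federation) cannot meet, which is the feedback the "mapping/embedding challenges" bullet is about.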
New Specialization Domains
• Botnets
– Modeling multiple infection vectors
– Characterizing propagation models
– Incorporating recent discoveries
• Critical Infrastructure
– Simulation packages as modules
– Visualization
– Integration with vulnerability data (S2TAR)
• Wireless
– Integration with emulators
– Wireless/wired risky experiments
– Extend testbed with notions of mobility
Community Development
• Content sharing support
– Experiments, data, models, recipes
– Class materials, recent research results, ideas
• Shared spaces
– Outreach: Conferences, tutorials, presentations
– Share and connect: Website, exchange server, social networking tools
– Common experiment description: Templates
– Build community knowledge: domain-specific communities
• Education support
– NSF CCLI grant: develop hands-on exercises for classes
– Capture-the-Flag exercises
– Moodle server for classes on DETER
Experiment Templates
• Graduated, visual, and powerful experiments
• Domain-specific (DDoS, worm, botnet) capabilities
• Built-in sharing capabilities
Enhanced Infrastructure
• Efficiency and scalability
– Configuration management and infrastructure protection
– VLAN bandwidth (10Gbps)
– VM models/archival capabilities
• High-performance co-processing
– NetFPGA node deployment
– Hardware modules
• Advanced O&M
– Fault location and management
– Integrate IPMI (Intelligent Platform Management Interface) for early detection of problems
– Idleness detection and management
DETER Summary
DETER project develops scientific methods and infrastructure for advancing security in identified hard problems
• Six years of experience from multiple fronts
– Operations
– Research
– Teaching
• Significantly improved safety, utility and usability of testbeds so far
• Exciting new developments planned, so stay tuned!
Thank you
We'd love to hear your questions and comments!
Jelena Mirkovic
sunshine@isi.edu
DETER Operations
testbed-ops@isi.deterlab.net
DETER project Web page
http://www.isi.edu/deter
DETER testbed Web page
http://www.deterlab.net