THE DETER PROJECT: SCIENTIFIC, SAFE AND EASY CYBERSECURITY EXPERIMENTATION Jelena Mirkovic USC Information Sciences Institute [email protected] Sponsored by Dr. Doug Maughan, DHS S&T http://www.isi.edu/deter


THE DETER PROJECT:
SCIENTIFIC, SAFE AND EASY CYBERSECURITY EXPERIMENTATION

Jelena Mirkovic
USC Information Sciences Institute
[email protected]
Sponsored by Dr. Doug Maughan, DHS S&T
http://www.isi.edu/deter


Talk Outline

• Long-term Vision: Advanced scientific instrument
  – Elevate the science of cybersecurity
• Platform: Advanced testbed technology
  – Robust, diverse, and scalable experiments
• Growing Community: Collaborative science
  – Effective and efficient sharing
• Next Steps: DETECT
  – Program to catalyze cybersecurity research



DETER Background I

• 20+ years investment in network security research
• Platforms needed to efficiently explore design space

[Figure: the design space plotted along the axes Time, Risk and Capability]


DETER Background II

• Barriers to network security experimentation
• Systematically addressed by DETER project

Dimension     Barrier
Language      Shared Vocabulary
Safety        Risk management
Correctness   Realism of setup
Scale         Resources
Confidence    Rigor, Repeatability
Efficiency    Automation; Sharing & Community
Flexibility   Programmability


DETER Goals

• Advance science of cybersecurity experimentation
  – Rigorous experiments
  – Repeatable experiments
• Advance testbed technologies
  – Federation
  – Risky experiment management
• Share infrastructure / broaden participation
  – Data, code, results, set up, ideas
  – Create community knowledge
  – Simplify, automate use
  – Testbeds in education


Talk Outline

• Long-term Vision: Advanced scientific instrument
  – Elevate the science of cybersecurity
• Platform: Advanced testbed technology
  – Robust, diverse, and scalable experiments
• Growing Community: Collaborative science
  – Effective and efficient sharing
• Next Steps: DETECT
  – Program to catalyze cybersecurity research


The DETER Facility

• Located at USC/ISI and UC Berkeley
• Funded by NSF and DHS, started in 2004
• 400+ Nodes, ~200 each at ISI and UC Berkeley
• Built with Emulab technology (http://www.emulab.net)


Data Center


Hardware

[Diagram of the ISI and UCB hardware. Node pools: 11 x Sunpc2800, 64 x IBMpc733, 64 x Dellpc3000, 30 x Sunbpc2800, 32 x Dellbpc3000, 40 x HP, 80 x Dell, 64 x Dell. Switches: Cisco 6509, Foundry 1500, two Nortel 5510. Trunks of 8 x 1Gbps, 4 x 1Gbps, 4 x 1Gbps and 2 x 1Gbps, further links marked 2x, 5x, 1x, 2x and "1 GBps (4 later)"; the ISI-UCB link runs at ~150Mbps with IPSec. Attached devices: Juniper M7i, Juniper IDP-200, CloudShield 2200, McAfee IntruShield 2600.]


Architecture

[Diagram of the testbed control architecture. Components: Master Server (Web/DB/SNMP, Switch Mgmt); 'User' Server (User Acct & Data logging server); Control DB; User files; Node Power Controller; Node Serial Line Server; Power Serial Line Server; Router with Firewall; Ethernet Bridge with Firewall; Programmable Patch Panel (VLAN switch) with a Switch Control Interface; experiment Nodes, each with N x 4 @ 1000bT data ports; the Internet. VLANs: External, Control Network, Users, Boss, Control Hardware.]


What is an experiment? Standard definition

• Background environment
  – Topology (physical nodes), OSes, applications
  – Cross-traffic
  – Cross-events
• Events of interest
  – Attack, intrusion
  – Worm spread
  – Botnet recruitment
• Perhaps a defense
• Scenario combining the above
• Measurement tools, metrics of success
• A user specifies EVERY detail


Using DETER – summary

• All you need is a Web browser and an SSH client
• Open a user account (open to all users)
• Create a project (faculty members or PIs from labs/companies are eligible) or join one
• Log on to our Web site
• Run experiments
  – Create a topology, or retrieve an existing one
  – Nodes are assigned to you
    • Exclusive, sudoer access
  – Load software you need or use DETER sw to create traffic and events of interest, deploy defenses, monitor (SSH)
• Swap out (return nodes) or terminate (if no longer needed) experiments


Using DETER – open account, manage exps

http://www.deterlab.net


Using DETER – start an experiment



Using DETER – draw a topology


Using DETER – manage an experiment


Using DETER – drive an experiment via SEER
http://seer.isi.deterlab.net

• Java front-end and Python back-end, support for many OSes
• Open-source, extensible tool


DETER Advanced Capabilities

• Policy based federation
  – Integration of diverse testbeds
• Risky experiment management
  – Balance realism and safety


Federation

On-demand creation of experiments spanning multiple, independently controlled facilities

• Researcher
  – Controls experiment embedding
• Federants
  – Control resource access
  – Constrain resource use

Related to (but not same as) experiment composition

http://fedd.isi.deterlab.net


Win for Everyone

• Unique facilities: access to specialized resources at different sites
• Many communities of interest: geographical areas, federation controlled by policy
• Data and knowledge sharing: facilitates collaboration
• Information hiding: enables multi-party scenarios with controlled views
• Extreme scale: larger number of nodes than at any single site
• Multiple operating testbed environments


Federation System Architecture

[Diagram with components: Experiment Creation Tools; Experiment Requirements and Experiment Topology; Standard Experiment Representation; CEDL "Assembly Code"; Experiment Decomposition Tools; Federator; Testbed Properties; Testbeds.]


Risky Experiment Management

• Risks for: testbed, experiments, Internet
• Prohibit risky experiments
  – But these are necessary for security research
• Strict isolation
  – Really interesting experiments need to talk to the outside: visit Web sites, download files, interact with a bot master
• Fixed containment
  – Difficult to come up with a set of fixed rules that would work for every experiment
• Experiment-driven containment
  – Hardest to achieve but results in best utility for experimenters — our approach


Two-constraint Approach to Experiment Risk Management

[Diagram: Unconstrained behavior passes through the experiment behavior constraint (transform T1, driven by user goals for research utility) to give constrained behavior, which then passes through the testbed behavior constraint (transform T2, driven by testbed safety goals) to give safe and useful behavior.]

Behavioral composition model: External behavior = T2(T1(experiment))
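As an added illustration of the composition model on this slide (not DETER code), the following Python treats T1 and T2 as transforms over flow records and checks the safety invariant on their composition; the Flow type, the addresses, the C&C port and both policies are constructed assumptions for the example.

```python
"""Two-constraint risk management: External behavior = T2(T1(experiment)).

Added illustration, not DETER code: Flow records, addresses and both policies are
constructed.  T1 encodes what the experimenter needs to leave the experiment
(research utility); T2 encodes what the testbed permits to leave at all (safety)
and is applied last, so T1 can never widen it.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

TESTBED_NET = ip_network("10.0.0.0/8")  # assumed experiment-internal address space

@dataclass(frozen=True)
class Flow:
    src: str      # experiment node name
    dst: str      # IP address the node tries to reach
    proto: str    # "tcp" or "udp"
    dport: int
    action: str = "allow"   # allow | redirect | drop

def make_t1(cc_port, stand_in):
    """Experiment behavior constraint: the user's utility goal is that bot C&C
    check-ins on cc_port reach a stand-in controller, so they are redirected."""
    def t1(flows):
        return [replace(f, dst=stand_in, action="redirect")
                if f.proto == "tcp" and f.dport == cc_port else f
                for f in flows]
    return t1

def make_t2(allowed_external):
    """Testbed behavior constraint: only in-testbed destinations and an explicit
    allow-list of external hosts may be reached; everything else is dropped."""
    def t2(flows):
        return [f if ip_address(f.dst) in TESTBED_NET or f.dst in allowed_external
                else replace(f, action="drop")
                for f in flows]
    return t2

def external_behavior(flows, t1, t2):
    """Behavioral composition model from the slide: External = T2(T1(experiment))."""
    return t2(t1(flows))

def unsafe_flows(flows, allowed_external):
    """Safety invariant: no non-dropped flow may leave toward an unlisted host."""
    return [f for f in flows if f.action != "drop"
            and ip_address(f.dst) not in TESTBED_NET
            and f.dst not in allowed_external]

def summarize(flows):
    return [(f.src, f.dst, f.action) for f in flows]

# Constructed sample of what the experiment's nodes attempt (TEST-NET addresses).
EXPERIMENT = [
    Flow("bot1", "203.0.113.10", "tcp", 6667),  # C&C check-in to an outside host
    Flow("bot2", "10.0.1.7", "tcp", 80),        # traffic that stays inside
    Flow("bot3", "198.51.100.4", "udp", 53),    # outside DNS lookup
]
ALLOWED = {"192.0.2.5"}  # the testbed's sanctioned stand-in controller

if __name__ == "__main__":
    safe = external_behavior(EXPERIMENT, make_t1(6667, "192.0.2.5"), make_t2(ALLOWED))
    print(summarize(safe))  # bot1 redirected, bot2 allowed, bot3 dropped
    # A T1 aimed at an unlisted outside host is still contained by T2 ...
    rogue = external_behavior(EXPERIMENT, make_t1(6667, "203.0.113.99"), make_t2(ALLOWED))
    assert not unsafe_flows(rogue, ALLOWED)
    # ... whereas composing in the wrong order (T1 after T2) would let it out.
    wrong = make_t1(6667, "203.0.113.99")(make_t2(ALLOWED)(EXPERIMENT))
    assert len(unsafe_flows(wrong, ALLOWED)) == 1
```

The last check is the point of the ordering in T2(T1(experiment)): the testbed's constraint wraps the experimenter's, so a mis-specified T1 can reduce utility but not safety.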


Talk Outline

• Long-term Vision: Advanced scientific instrument
  – Elevate the science of cybersecurity
• Platform: Advanced testbed technology
  – Robust, diverse, and scalable experiments
• Growing Community: Collaborative science
  – Effective and efficient sharing
• Next Steps: DETECT
  – Multi-year program to catalyze cybersecurity science


DETER Users

Class                   Value
Security Researchers    Exploring/validating new ideas; Publishing results; Sharing data/tools
Small Companies         Testing product prototypes; Sharing tools
DHS Constituencies      Scenario exploration; Training
Emerging Technologies   Data sharing (e.g., PREDICT); Scenario exploration; Training
Education               Repeatability; Abstraction; Hands-on experience


DETER Users


DETER User Organizations

Academia

Carnegie Mellon University
Columbia University
Cornell University
Dalhousie University
DePaul University
George Mason University
Georgia State University
Hokuriku Research Center
ICSI
IIT Delhi
IRTT
ISI
Johns Hopkins University
Jordan University of Science & Technology
Lehigh University
MIT
New Jersey Institute of Technology
Norfolk State University
Pennsylvania State University
Purdue University
Rutgers University
Sao Paulo State University
Southern Illinois University
TU Berlin
TU Darmstadt
Texas A&M University
UC Berkeley
UC Davis
UC Irvine
UC Santa Cruz
UCLA
UCSD
UIUC
UNC Chapel Hill
UNC Charlotte
Universidad Michoacana de San Nicolas
Universita di Pisa
University of Advancing Technology
University of Illinois, Urbana-Champaign
University of Maryland
University of Massachusetts
University of Oregon
University of Southern California
University of Washington
University of Wisconsin-Madison
USC
UT Arlington
UT Austin
UT Dallas
Washington State University
Washington University in St. Louis
Western Michigan University
Xiangnan University
Youngstown State University

Government

Air Force Research Laboratory
Lawrence Berkeley National Lab
Lawrence Livermore National Lab
Naval Postgraduate School
Sandia National Laboratories
USAR Information Operations Command

Industry

Agnik, LLC
Aerospace Corporation
Backbone Security
BAE Systems, Inc.
BBN
Bell Labs
Cs3 Inc.
Distributed Infinity Inc.
EADS Innovation Works
FreeBSD Foundation
iCAST
Institute for Information Industry
Intel Research Berkeley
IntruGuard Devices, Inc.
Purple Streak
Secure64 Software Corp
Skaion Corporation
SPARTA
SRI International
Telcordia Technologies


UCBttc: Example Project

DETER Project Profile


Research done on DETER

[Bar chart of DETER projects by research area: Malware, Testing, Comprehensive, DDoS, Testbeds, Classes, Infrastructure, Botnets, Overlays, Wireless, Traceback, Privacy, Spoofing, Spam, Multicast; per-area counts range from 23 down to 2.]


Education on DETER
http://www.isi.edu/deter/education

• Special support for education projects
  – Recyclable student accounts, automated setup
  – Class hand-off
  – Special resource access control
  – Resource reservation
• Shared exercise materials
• Education usage so far: Air Force Research Lab, Colorado State University, IIT Delhi, Jordan University of S&T, Lehigh University, Santa Monica College, Sao Paolo State University, UC Berkeley, UCLA, US ARMY School of IT, University of Nebraska - Lincoln, University of Southern California, Youngstown State University


Talk Outline

• Long-term Vision: Advanced scientific instrument
  – Elevate the science of cybersecurity
• Platform: Advanced testbed technology
  – Robust, diverse, and scalable experiments
• Growing Community: Collaborative science
  – Effective and efficient sharing
• Next Steps: DETECT
  – Program to catalyze cybersecurity research


What is an experiment? New definition

• Events of interest
• Background environment, domain-specific
  – Virtual topology (varies with phenomenon), could be dynamic, abstract, expresses needs and constraints
  – Cross-traffic, cross-events
• Perhaps a defense
• Scenario combining the above, domain-specific
• Measurement tools, metrics of success, domain-specific
• Research goals, domain-specific
• Invariants (truths that must hold), domain-specific
• A user specifies ONLY details of interest
• Experiment description separate from deployment


DETECT: DETER Next Generation

[Diagram: an experiment Description (Elements, Goals, Invariants) goes to the Experiment Creation System, which produces Interconnected Abstract Elements; the Embedder maps Elements into Containers; the Federation System assigns Containers to Distributed Resources on the Federated Systems.]

• Increased testbed-wide expressiveness and control
• Significantly expands the set of feasible & interesting experiments


New Capabilities

[Diagram: the DETECT pipeline (Description with Elements, Goals, Invariants; Experiment Creation System; Interconnected Abstract Elements; Embedder mapping Elements into Containers; Federation System assigning Containers to Distributed Resources; Federated Systems), annotated with the new capability each stage brings: New Style of Experiments (Advanced Scientific Instrument); New Abstractions, New Mapping Algorithms and New Security & Control Algorithms (Advanced Testbed Technology); New Domains; New Sharing Mechanisms; New Resources (New Domains).]


Advanced Scientific Instrument

• Experiment abstraction: Decrease barrier, increase efficiency
  – Models
  – Recipes
  – Workbenches
• Invariants: Language for behavior
  – Refinement
  – Validity management
  – Risky experiment management
• Science of Repeatability

[Figure: experiment Description made of Elements, Goals, Invariants]


Experiment Health System

• Helps users understand their experiment’s behavior
• Generates, records and uses higher level knowledge about the experiment
  – Desired invariants
  – Expected behavior
• Takes corrective or notification action if invariant is violated
  – Monitor invariants
  – Trigger actions
• Captures invariants in exportable form for experiment reuse, repeatability and validation, etc.

[Figure: ThirdEye Diagnostics and Analysis Framework for Testbed Experiments, built from an Event Architecture, Diagnostics & Analytics, and Services]


Advanced Testbed Technologies

• Focus: Virtualization and abstraction
• Components:
  – Element = abstract representation of capability, e.g., VM, SCADA simulation
  – Container = physical resources for element realization, e.g., emulation hardware, PC
• Flexible, multi-level abstractions beyond VMs
  – Fine-grained control for advanced users
  – Interfaces and extension mechanisms
  – Mapping/embedding challenges

[Figure: Interconnected Abstract Elements are mapped into Containers, and Containers are assigned to Distributed Resources]


New Specialization Domains

• Botnets
  – Modeling multiple infection vectors
  – Characterizing propagation models
  – Incorporating recent discoveries
• Critical Infrastructure
  – Simulation packages as modules
  – Visualization
  – Integration with vulnerability data (S2TAR)
• Wireless
  – Integration with emulators
  – Wireless/wired risky experiments
  – Extend testbed with notions of mobility



Community Development

• Content sharing support
  – Experiments, data, models, recipes
  – Class materials, recent research results, ideas
• Shared spaces
  – Outreach: Conferences, tutorials, presentations
  – Share and connect: Website, exchange server, social networking tools
  – Common experiment description: Templates
  – Build community knowledge: domain-specific communities
• Education support
  – NSF CCLI grant: develop hands-on exercises for classes
  – Capture-the-Flag exercises
  – Moodle server for classes on DETER


Experiment Templates

• Graduated, visual, and powerful experiments
• Domain-specific (DDoS, worm, botnet) capabilities
• Built-in sharing capabilities

[Figure: experiment Description made of Elements, Goals, Invariants]


Enhanced Infrastructure

• Efficiency and scalability
  – Configuration management and infrastructure protection
  – VLAN bandwidth (10Gbps)
  – VM models/archival capabilities
• High-performance co-processing
  – NetFPGA node deployment
  – Hardware modules
• Advanced O&M
  – Fault location and management
  – Integrate IPMI (Intelligent Platform Management Interface) for early detection of problems
  – Idleness detection and management


DETER Summary

DETER project develops scientific methods and infrastructure for advancing security in identified hard problems

• Six years of experience from multiple fronts
  – Operations
  – Research
  – Teaching
• Significantly improved safety, utility and usability of testbeds so far
• Exciting new developments planned, so stay tuned!


Thank you

We’d love to hear your questions and comments!

Jelena Mirkovic: [email protected]
DETER Operations: [email protected]
DETER project Web page: http://www.isi.edu/deter
DETER testbed Web page: http://www.deterlab.net