THE DETER PROJECT:
SCIENTIFIC, SAFE AND EASY CYBERSECURITY EXPERIMENTATION
Jelena Mirkovic, USC Information Sciences Institute, [email protected] by Dr. Doug Maughan, DHS S&T
http://www.isi.edu/deter
Slide 2: Talk Outline
• Long-term Vision: Advanced scientific instrument – Elevate the science of cybersecurity
• Platform: Advanced testbed technology – Robust, diverse, and scalable experiments
• Growing Community: Collaborative science – Effective and efficient sharing
• Next Steps: DETECT – Program to catalyze cybersecurity research
Slide 4: DETER Background I
• 20+ years investment in network security research
• Platforms needed to efficiently explore design space
[Figure: design space with axes Time, Risk, Capability]
Slide 5: DETER Background II
• Barriers to network security experimentation
• Systematically addressed by DETER project

Dimension     Barrier
Language      Shared vocabulary
Safety        Risk management
Correctness   Realism of setup
Scale         Resources
Confidence    Rigor, repeatability
Efficiency    Automation; sharing & community
Flexibility   Programmability
Slide 6: DETER Goals
• Advance science of cybersecurity experimentation
  – Rigorous experiments
  – Repeatable experiments
• Advance testbed technologies
  – Federation
  – Risky experiment management
• Share infrastructure / broaden participation
  – Data, code, results, set up, ideas
  – Create community knowledge
  – Simplify, automate use
  – Testbeds in education
Slide 8: The DETER Facility
• Located at USC/ISI and UC Berkeley
• Funded by NSF and DHS, started in 2004
• 400+ nodes, ~200 each at ISI and UC Berkeley
• Built with Emulab technology (http://www.emulab.net)
Slide 9: Data Center [photo]
Slide 10: Hardware
[Diagram of the ISI and UCB sites. Node clusters: 11 x Sun pc2800, 64 x IBM pc733, 64 x Dell pc3000, 30 x Sun bpc2800, 32 x Dell bpc3000, 40 x HP, 80 x Dell, 64 x Dell. Switches: Cisco 6509, Foundry 1500, two Nortel 5510, with uplinks of 1, 2, 4 and 8 x 1 Gbps (1 Gbps, 4 later). Inter-site link ~150 Mbps with IPSec. Appliances: Juniper M7i, Juniper IDP-200, CloudShield 2200, McAfee IntruShield 2600.]
Slide 11: Architecture
[Diagram of the control plane: master ("boss") server running Web/DB/SNMP and switch management, "user" server holding user accounts, user files and data logging, control DB, node serial line server, power serial line server and node power controller, and a programmable patch panel (VLAN switch) with N x 4 @1000bT data ports and a switch control interface. VLANs: external, control network, users, boss, control hardware. Internet connectivity passes through a router with firewall and an Ethernet bridge with firewall.]
Slide 12: What is an experiment? Standard definition
• Background environment
  – Topology (physical nodes), OSes, applications
  – Cross-traffic
  – Cross-events
• Events of interest
  – Attack, intrusion
  – Worm spread
  – Botnet recruitment
• Perhaps a defense
• Scenario combining the above
• Measurement tools, metrics of success
• A user specifies EVERY detail
Slide 13: Using DETER – summary
• All you need is a Web browser and an SSH client
• Open a user account (open to all users)
• Create (faculty members or PIs from labs/companies are eligible) or join a project
• Log on to our Web site
• Run experiments
  – Create a topology, or retrieve an existing one
  – Nodes are assigned to you
    • Exclusive, sudoer access
  – Load software you need or use DETER sw to create traffic and events of interest, deploy defenses, monitor (SSH)
• Swap out (return nodes) or terminate (if no longer needed) experiments
Slide 14: Using DETER – open account, manage exps
[Screenshot: http://www.deterlab.net]
Slide 15: Using DETER – start an experiment
[Screenshot: topology]
Slide 16: Using DETER – draw a topology [screenshot]
Slide 17: Using DETER – manage an experiment [screenshot]
Slide 18: Using DETER – drive an experiment via SEER
http://seer.isi.deterlab.net
• Java front-end and Python back-end, support for many OSes
• Open-source, extensible tool
Slide 19: DETER Advanced Capabilities
• Policy based federation
  – Integration of diverse testbeds
• Risky experiment management
  – Balance realism and safety
Slide 20: Federation
On-demand creation of experiments spanning multiple, independently controlled facilities
• Researcher
  – Controls experiment embedding
• Federants
  – Control resource access
  – Constrain resource use
Related to (but not same as) experiment composition
http://fedd.isi.deterlab.net
Slide 21: Win for Everyone
• Unique facilities: access to specialized resources at different sites
• Many communities of interest: geographical areas, federation controlled by policy
• Data and knowledge sharing: facilitates collaboration
• Information hiding: enables multi-party scenarios with controlled views
• Extreme scale: larger number of nodes than at any single site
• Multiple operating testbed environments
Slide 22: Federation System Architecture
[Diagram: experiment creation tools combine testbed properties, experiment requirements and the experiment topology into a Standard Experiment Representation (CEDL, the "assembly code"); experiment decomposition tools and the Federator then map it onto multiple testbeds.]
Slide 23: Risky Experiment Management
• Risks for: testbed, experiments, Internet
• Prohibit risky experiments
  – But these are necessary for security research
• Strict isolation
  – Really interesting experiments need to talk to the outside: visit Web sites, download files, interact with a bot master
• Fixed containment
  – Difficult to come up with a set of fixed rules that would work for every experiment
• Experiment-driven containment
  – Hardest to achieve but results in best utility for experimenters — our approach
Slide 24: Two-constraint Approach to Experiment Risk Management
[Diagram: Unconstrained behavior → Experiment behavior constraint (transform T1, shaped by user goals for research utility) → Constrained behavior → Testbed behavior constraint (transform T2, shaped by testbed safety goals) → Safe and useful behavior]
Behavioral composition model: External behavior = T2(T1(experiment))
Slide 26: DETER Users

Class                  Value
Security Researchers   Exploring/validating new ideas; publishing results; sharing data/tools
Small Companies        Testing product prototypes; sharing tools
DHS Constituencies     Scenario exploration; training
Emerging Technologies  Data sharing (e.g., PREDICT); scenario exploration; training
Education              Repeatability; abstraction; hands-on experience
Slide 27: DETER Users [figure]
Slide 28: DETER User Organizations

Academia
Carnegie Mellon University
Columbia University
Cornell University
Dalhousie University
DePaul University
George Mason University
Georgia State University
Hokuriku Research Center
ICSI
IIT Delhi
IRTT
ISI
Johns Hopkins University
Jordan University of Science & Technology
Lehigh University
MIT
New Jersey Institute of Technology
Norfolk State University
Pennsylvania State University
Purdue University
Rutgers University
Sao Paulo State University
Southern Illinois University
TU Berlin
TU Darmstadt
Texas A&M University
UC Berkeley
UC Davis
UC Irvine
UC Santa Cruz
UCLA
UCSD
UIUC
UNC Chapel Hill
UNC Charlotte
Universidad Michoacana de San Nicolas
Universita di Pisa
University of Advancing Technology
University of Illinois, Urbana-Champaign
University of Maryland
University of Massachusetts
University of Oregon
University of Southern California
University of Washington
University of Wisconsin-Madison
USC
UT Arlington
UT Austin
UT Dallas
Washington State University
Washington University in St. Louis
Western Michigan University
Xiangnan University
Youngstown State University

Government
Air Force Research Laboratory
Lawrence Berkeley National Lab
Lawrence Livermore National Lab
Naval Postgraduate School
Sandia National Laboratories
USAR Information Operations Command

Industry
Agnik, LLC
Aerospace Corporation
Backbone Security
BAE Systems, Inc.
BBN
Bell Labs
Cs3 Inc.
Distributed Infinity Inc.
EADS Innovation Works
FreeBSD Foundation
iCAST
Institute for Information Industry
Intel Research Berkeley
IntruGuard Devices, Inc.
Purple Streak
Secure64 Software Corp
Skaion Corporation
SPARTA
SRI International
Telcordia Technologies
Slide 29: UCBttc: Example Project
[Screenshot: DETER Project Profile]
Slide 30: Research done on DETER
[Bar chart of research projects on DETER by topic: Malware, Testing, Comprehensive, DDoS, Testbeds, Classes, Infrastructure, Botnets, Overlays, Wireless, Traceback, Privacy, Spoofing, Spam, Multicast; per-topic counts in the chart range from 2 to 23.]
Slide 31: Education on DETER
http://www.isi.edu/deter/education
• Special support for education projects
  – Recyclable student accounts, automated setup
  – Class hand-off
  – Special resource access control
  – Resource reservation
• Shared exercise materials
• Education usage so far: Air Force Research Lab, Colorado State University, IIT Delhi, Jordan University of S&T, Lehigh University, Santa Monica College, Sao Paulo State University, UC Berkeley, UCLA, US ARMY School of IT, University of Nebraska - Lincoln, University of Southern California, Youngstown State University
Slide 33: What is an experiment? New definition
• Events of interest
• Background environment, domain-specific
  – Virtual topology (varies with phenomenon), could be dynamic, abstract, expresses needs and constraints
  – Cross-traffic, cross-events
• Perhaps a defense
• Scenario combining the above, domain-specific
• Measurement tools, metrics of success, domain-specific
• Research goals, domain-specific
• Invariants (truths that must hold), domain-specific
• A user specifies ONLY details of interest
• Experiment description separate from deployment
Slide 34: DETECT: DETER Next Generation
[Diagram: an experiment description (elements, goals, invariants) enters the Experiment Creation System, which produces interconnected abstract elements; the Embedder maps elements into containers; the Federation System assigns containers to distributed resources across federated systems.]
• Increased testbed-wide expressiveness and control
• Significantly expands the set of feasible & interesting experiments
Slide 35: New Capabilities
[Diagram: experiment description (elements, goals, invariants) → Experiment Creation System → interconnected abstract elements → Embedder (map elements into containers) → Federation System (assign containers to distributed resources) → federated systems, annotated with the new capability each stage brings: new style of experiments (advanced scientific instrument); new abstractions, new mapping algorithms and new security & control algorithms (advanced testbed technology); new domains, new sharing mechanisms and new resources (new domains).]
Slide 36: Advanced Scientific Instrument
• Experiment abstraction: Decrease barrier, increase efficiency
  – Models
  – Recipes
  – Workbenches
• Invariants: Language for behavior
  – Refinement
  – Validity management
  – Risky experiment management
• Science of Repeatability
[Figure: experiment description icon (elements, goals, invariants)]
Slide 37: Experiment Health System
Helps users understand their experiment's behavior
Generates, records and uses higher level knowledge about the experiment
  – Desired invariants
  – Expected behavior
Takes corrective or notification action if invariant is violated
  – Monitor invariants
  – Trigger actions
Captures invariants in exportable form for experiment reuse, repeatability and validation, etc.
[Diagram: ThirdEye, Diagnostics and Analysis Framework for Testbed Experiments, built on an event architecture with diagnostics & analytics services]
Slide 38: Advanced Testbed Technologies
• Focus: Virtualization and abstraction
• Components:
  – Element = abstract representation of capability, e.g., VM, SCADA simulation
  – Container = physical resources for element realization, e.g., emulation hardware, PC
• Flexible, multi-level abstractions beyond VMs
  – Fine-grained control for advanced users
  – Interfaces and extension mechanisms
  – Mapping/embedding challenges
[Diagram: interconnected abstract elements → map elements into containers → assign containers to distributed resources]
Slide 39: New Specialization Domains
• Botnets
  – Modeling multiple infection vectors
  – Characterizing propagation models
  – Incorporating recent discoveries
• Critical Infrastructure
  – Simulation packages as modules
  – Visualization
  – Integration with vulnerability data (S2TAR)
• Wireless
  – Integration with emulators
  – Wireless/wired risky experiments
  – Extend testbed with notions of mobility
Slide 40: Community Development
• Content sharing support
  – Experiments, data, models, recipes
  – Class materials, recent research results, ideas
• Shared spaces
  – Outreach: Conferences, tutorials, presentations
  – Share and connect: Website, exchange server, social networking tools
  – Common experiment description: Templates
  – Build community knowledge: domain-specific communities
• Education support
  – NSF CCLI grant: develop hands-on exercises for classes
  – Capture-the-Flag exercises
  – Moodle server for classes on DETER
Slide 41: Experiment Templates
• Graduated, visual, and powerful experiments
• Domain-specific (DDoS, worm, botnet) capabilities
• Built-in sharing capabilities
[Figure: experiment description icon (elements, goals, invariants)]
Slide 42: Enhanced Infrastructure
• Efficiency and scalability
  – Configuration management and infrastructure protection
  – VLAN bandwidth (10Gbps)
  – VM models/archival capabilities
• High-performance co-processing
  – NetFPGA node deployment
  – Hardware modules
• Advanced O&M
  – Fault location and management
  – Integrate IPMI (Intelligent Platform Management Interface) for early detection of problems
  – Idleness detection and management
Slide 43: DETER Summary
DETER project develops scientific methods and infrastructure for advancing security in identified hard problems
• Six years of experience from multiple fronts
  – Operations
  – Research
  – Teaching
• Significantly improved safety, utility and usability of testbeds so far
• Exciting new developments planned, so stay tuned!
Slide 44: Thank you
We'd love to hear your questions and comments!
Jelena Mirkovic: [email protected]
Operations: [email protected]
DETER project Web page: http://www.isi.edu/deter
DETER testbed Web page: http://www.deterlab.net