2006
The DETER testbed is shared infrastructure designed for medium-scale repeatable experiments in computer security, especially those experiments that involve malicious code. The testbed provides unique resources and a focus of activity for an open community of academic, industry, and government researchers working toward better defenses against malicious attacks on our networking infrastructure, especially critical infrastructure. This paper presents our experience with the deployment and operation of the testbed, highlights some of the research conducted on the testbed, and discusses our plans for continued development, expansion, and replication of the testbed facility.
… on Cyber Security …, 2007
The DETER testbed provides infrastructure for conducting medium-scale repeatable experiments in computer security, especially experiments that involve malicious code. Built using Utah's EMULAB, the DETER testbed has been configured and extended to provide stronger ...
The DETER testbed provides a shared Internet-accessible environment where security researchers can safely run experiments and companies can test their security products. Experimentation with malware in DETER has so far been limited to simulated worms, which only simulate the spreading action without actually infecting any computer systems. This paper outlines a set of architectural and procedural changes that should allow safe experimentation with a class of moderately risky, real malware in the DETER testbed.
2009 Cybersecurity Applications & Technology Conference for Homeland Security, 2009
From its inception in 2004, the DETER testbed facility has provided effective, dedicated experimental resources and expertise to a broad range of academic, industrial and government researchers. Now, building on knowledge gained, the DETER developers and community are moving beyond the classic "testbed" model and towards the creation and deployment of fundamentally transformational cybersecurity research methodologies. This paper discusses underlying rationale, together with initial design and implementation, of key technical concepts that drive these transformations.
Journal of Information Processing, 2012
It is widely argued that today's largely reactive, "respond and patch" approach to securing cyber systems must yield to a new, more rigorous, more proactive methodology. Achieving this transformation is a difficult challenge. Building on insights into requirements for cyber science and on experience gained through 8 years of operation, the DETER project is addressing one facet of this problem: the development of transformative advances in methodology and facilities for experimental cybersecurity research and system evaluation. These advances in experiment design and research methodology are yielding progressive improvements not only in experiment scale, complexity, diversity, and repeatability, but also in the ability of researchers to leverage prior experimental efforts of others within the community. We describe in this paper the trajectory of the DETER project towards a new experimental science and a transformed facility for cyber-security research development and evaluation.
2013 IEEE International Conference on Technologies for Homeland Security (HST), 2013
In this paper we present tools and methods to integrate attack measurements from the Internet with controlled experimentation on a network testbed. We show that this approach provides greater fidelity than synthetic models. We compare the statistical properties of real-world attacks with synthetically generated constant bit rate attacks on the testbed. Our results indicate that trace replay provides fine timescale details that may be absent in constant bit rate attacks. Additionally, we demonstrate the effectiveness of our approach to study new and emerging attacks. We replay an Internet attack captured by the LAN-DER system on the DETERLab testbed within two hours.
Timely identification and remediation of network vulnerabilities is every organization's need. Remediation of network vulnerabilities before exploit enhances organization's security level. Proactive remediation establishes security by eliminating the exploitability of assets. The need to defend against network attacks such as distributed denial of service, worms, and viruses requires an improvement in the state of the art of experimental evaluation of network security mechanisms. This paper introduces the conception, design, and development of a testbed for network security studies by providing emulation of resources for security testing. The primary objective of work is to advance the field of network security experimentation and test, by providing new methods, tools, and technologies. The developed testbed educates the organization's staff and provides a platform for training of security personnel to analyze their actions and activities.
Network security topics are gaining importance but they are often taught using traditional, passive methods via lectures and textbooks. This paper describes our efforts to change this situation by developing teaching materials and technical support for use of network testbeds in security education. This practice cannot replace the traditional teaching approach but should complement it to better train our future security workforce. We describe our work on both the education and testbed support fronts and offer some preliminary success measures derived from observing the usage of DETER testbed and our materials in Fall 2010.
J. Internet Serv. Inf. Secur., 2015
The explosive growth of IT infrastructures, cloud systems, and Internet of Things (IoT) have resulted in complex systems that are extremely difficult to secure and protect against cyberattacks which are growing exponentially in complexity and also in number. Overcoming the cybersecurity challenges is even more complicated due to the lack of training and widely available cybersecurity environments to experiment with and evaluate new cybersecurity detection and protection methods. Therefore, the goal of our research is to address the education, training, and experimentation challenges of the cybersecurity by exploiting cloud services. In this paper, we present the design, analysis, and evaluation of a cloud service, that we refer to as Cybersecurity Lab as a Service (CLaaS), which offers virtual cybersecurity experiments that can be accessed from anywhere and from any device (desktop, laptop, tablet, or mobile device) with Internet connectivity. In CLaaS, we exploit cloud computing sy...
… Workshop on Cyber Security …, 2007
Configuring a security experiment can be tedious, involving many low level and repetitive configuration tasks. In order to make DETER's capabilities accessible to users at all skill levels, we have designed and implemented a Security Experimentation EnviRonment (SEER) that provides security ...
IEEE Security & Privacy Magazine, 2012
2007
While the DETER testbed provides a safe environment and basic tools for security experimentation, researchers face a significant challenge in assembling the testbed pieces and tools into realistic and complete experimental scenarios. In this paper, we describe our work on developing a set of sampled and comprehensive benchmark scenarios, and a workbench for experiments involving denial-of-service (DoS) attacks. The benchmark scenarios are developed by sampling features of attacks, legitimate traffic and topologies from the real Internet. We have also developed a measure of DoS impact on network services to evaluate the severity of an attack and the effectiveness of a proposed defense.
In this paper, we advocate for publicly accessible live malware experimentation testbeds. We introduce new advancements for high-fidelity transparent emulation and fine-grain automatic containment that make such experimentation safe and useful to researchers, and we propose a complete, extensible live-malware experimentation framework. Our framework, aided by our new technologies, facilitates a qualitative leap from current experimentation practices. It enables specific, detailed and quantitative understanding of risk, and safe, fully automated experimentation by novice users, with maximum utility to the researcher. We present preliminary results that demonstrate effectiveness of our technologies and map the path forward for public live-malware experimentation.
Proceedings of the 1st international conference on High Confidence Networked Systems - HiCoNS '12, 2012
Numerous efforts are underway to develop testing and experimentation tools to evaluate the performance of networked control systems (NCS) and supervisory control and data acquisition (SCADA) systems. These tools offer varying levels of fidelity and scale. Yet, researchers lack an experimentation framework for systematic testing and evaluation of NCS reliability and security under a wide range of failure scenarios. In this paper, we propose a modular experimentation framework that integrates the NCS semantics with the DETERLab cyber security experimentation facilities. We develop several attack scenarios with realistic network topology and network traffic configurations to evaluate the impact of denial of service (DoS) attacks on scalar linear systems. We characterize the impact of the attack dynamics on six plants located at various levels in a hierarchical topology. Our results suggest that emulation-based evaluations can provide novel insights about the network-induced security and reliability failures in large scale NCS.
While the DETER testbed provides a safe environment and basic tools for security experimentation, researchers face a significant challenge in assembling the testbed pieces and tools into realistic and complete experimental scenarios. In this paper, we describe our work on automating experimentation for distributed denial-of-service attacks. We developed the following automation tools: (1) the Experimenter's Workbench that provides a graphical user interface, tools for topology, traffic and monitoring setup and tools for statistics collection, visualization and processing, (2) a DDoS benchmark suite that contains a set of diverse and comprehensive attack scenarios, (3) the Experiment Generator that combines chosen AS-level and edge-level topologies, legitimate traffic and a set of attacks into DETER-compatible scripts. Jointly, these tools facilitate easy experimentation even for novice users.
2011 - MILCOM 2011 Military Communications Conference, 2011
The Network Testbed at Binghamton University was designed to facilitate security research in the area of automated IDS. It offers a secure, controlled environment for experimental analysis of the efficiency of various intrusion detection/mitigation and computer forensics systems. It allows for staging large scale experiments with real self-propagating malware on thousands of interacting heterogeneous nodes. This paper addresses some principles implemented in the Testbed design including the architecture, accessibility, security, and visualization. The Testbed provides effective ways to collect data representing the network and software operation. It facilitates secure time sharing of the hardware among different research projects. Its enhanced security is achieved by separation and hardening of the core services. The application of the Testbed is demonstrated by the following three experiments featuring novel IDS technologies: behavior-based IDS extracting predefined malicious functionalities from the system call data by semantic analysis, demonstration of the alarm propagation concept for the minimization of false alarms and the detection of distributed low and slow attacks, and network-wide IDS capable of automatic detection of functionalities and statistically significant variations of their relative frequencies indicative of information attacks.
Proceedings of IEEE/Create-Net TridentCom.(Barcelona, Spain), 2006
Internet worm security threats have increased with their more advanced scanning strategies and malicious payloads. In this article, we extend our existing KMSim worm model to account for the self-destructive or removal/death behavior of worms. The modified model is then used to simulate the Witty and Blaster worms. Also in this paper we describe our experience of running worm emulation experiments on a clustered network testbed (DETER) and introduce the associated experiment specification and visualization tool (ESVT). The ...
2013 International Conference on Adaptive Science and Technology, 2013
Computer network attacks are difficult to simulate due to the damage they may cause to live networks and the complexity required to simulate a useful network. We constructed a virtualised network within a vSphere ESXi environment which is able to simulate: thirty workstations, ten servers, three distinct network segments and the accompanying network traffic. The vSphere environment provided added benefits, such as the ability to pause, restart and snapshot virtual computers. These abilities enabled the authors to reset the simulation environment before each test and mitigated against the damage that an attack potentially inflicts on the test network. Without simulated network traffic, the virtualised network was too sterile. This resulted in any network event being a simple task to detect, making network traffic simulation a requirement for an event detection test bed. Five main kinds of traffic were simulated: Web browsing, File transfer, e-mail, version control and Intranet File traffic. The simulated traffic volumes were pseudo randomised to represent differing temporal patterns. By building a virtualised network with simulated traffic we were able to test IDSs and other network attack detection sensors in a much more realistic environment before moving it to a live network.
International Journal of Communication Networks and Distributed Systems, 2010
Worm experimentation is challenging for researchers today because of the lack of standardized tools to simulate and emulate worm spreads in a realistic setting. We have developed two tools for the DETER testbed to aid in worm experimentation: the PAWS simulator for Internet-wide worm propagation studies and the WE emulator for analysis of worm spread and defense strategies in local area networks. We evaluate performance and fidelity of our tools by replicating results from recently published research. Both tools can be easily configured as per user specifications, facilitate comparison with past research and reduce the barrier to entry for worm research.