cyber defense technology experimental and evaluation methods

8/9/05 1

Cyber Defense Technology ExperimentalCyber Defense Technology ExperimentalResearch (DETER)Research (DETER)

andandEvaluation Methods for Internet SecurityEvaluation Methods for Internet Security

Technology (EMIST)Technology (EMIST)

Terry V. BenzelTerry V. BenzelInformation Sciences InstituteInformation Sciences Institute

University of Southern CaliforniaUniversity of Southern California

8/9/05 2

DETER + EMIST:DETER + EMIST:BackgroundBackground

• Inadequate wide scale deployment of securitytechnologies– Despite 10+ years investment in network security

research

• Lack of experimental infrastructure– Testing and validation in small to medium-scale

private research labs– Missing objective test data, traffic and metrics

8/9/05 3

DETER+EMIST VisionDETER+EMIST Vision

... to provide the scientific knowledge requiredto enable the development of solutions tocyber security problems of nationalimportance

Through the creation of an experimentalinfrastructure network -- networks, tools,methodologies, and supporting processes --to support national-scale experimentation onresearch and advanced development ofsecurity technologies.

8/9/05 4

Long Term ObjectivesLong Term Objectives

Create reusable library of test technology for conducting realistic,rigorous, reproducible, impartial tests

–For assessing attack impact and defense effectiveness–Test data, test configurations, analysis software, and experiment

automation toolsProvide usage examples and methodological guidance

–Recommendations for selecting (or developing) tests andinterpreting results

–Test cases and results, possibly including benchmarksFacilitate testing of prototypes during development and commercial

products during evaluation

8/9/05 5

DETER Architectural PlanDETER Architectural Plan

• Construct homogeneous emulation clustersbased upon University of Utah’s Emulab

• Implement network services – DNS, BGP• Add containment, security, and usability

features to the software• Add (controlled) hardware heterogeneity• Evaluate usefulness of other testbed

approaches – esp. overlays like Planetlab

8/9/05 6

PC

‘User’Server

PC

Control Network

ISI Cluster

Userfiles

Cisco switch Foundry switch

Node Serial Line Server

'Boss'Server

PC PC

UCB Cluster

Node Serial Line Server

DownloadServer

PowerCont’ler

PowerCont’ler

PC … …

trunk trunk

Control Network

Internet

IPsec

IPsec

User

FW FW

CE

NIC

8/9/05 7

DETER Testbed InfrastructureDETER Testbed Infrastructure

• 201 (139 + 62) PC nodes in 4 types• 9 control plane PC’s• 9 switches for control, experimental, and

administrative purposes• Serial expanders for 201 nodes• Remote power controllers• IPSec tunnel between ISI and U.C. Berkeley

8/9/05 8

Example DETER TopologiesExample DETER Topologies

8/9/05 9

Experimenters WorkshopExperimenters WorkshopSeptember 28, 2005September 28, 2005

• Second workshop– Demonstrations of 6 – 8 current experiments– Working groups on experiments

• DDOS• Worms• Routers

• For information on workshops or testbed use• Email: deterinfo@isi.edu

8/9/05 10

Access to TestbedAccess to Testbed

• Open to community – request via email:deterinfo@isi.edu

• Important addresses:– www.isi.edu/deter– www.isi.deterlab.net– http://emist.ist.psu.edu– www.emulab.net

• Hiring – email tbenzel@isi.edu