Constantin Serban

TimeSync: enabling scalable, high-fidelity hybrid network emulation

In this paper, we discuss a time synchronization approach to the time divergence problem in hybrid network emulation. Such emulation comprises primarily a discrete-event simulated network and virtual machines that send and receive traffic through the simulated network. For slower than real-time network simulations, the rate of time advance on virtual machines (real time) is faster than that of the discrete-event time. Consequently, packet transmission latency and other metrics in such hybrid network emulations will be distorted. As a result, e.g., TCP sessions between virtual machines may unduly time out. To address this problem, we have developed TimeSync, which tracks discrete-event simulation time to control time advance on virtual machines for slower than real time simulations so that time perception in the hybrid network emulation system is synchronized. We describe how TimeSync works and present our experimental evaluation and analysis.

TimeSync: Virtual time for scalable, high-fidelity hybrid network emulation

Hybrid network emulation (HNE) comprises a discrete event simulated network and virtual machines that send and receive traffic through the simulated network. It allows testing network applications rather than their models on simulated target networks, particularly mobile wireless networks. Scalability of this test approach is hindered by the time divergence problem: for complex, large-scale simulations, discrete event simulation time advances slower than real time, distorting packet propagation characteristics. To address this problem, we developed TimeSync, a system that uses discrete event simulation time to control and synchronize time advance on virtual machines for large-scale hybrid network emulation. In this paper, we describe how TimeSync controls and synchronizes time perception in hybrid network emulation between simulator and virtual machines, and present experimental results.

CyberVAN: A Cyber Security Virtual Assured Network testbed

In this paper we describe CyberVAN, a Cyber Security Virtual Assured Network testbed. CyberVAN enables speedy and flexible setup of high-fidelity cyber security scenarios to evaluate the effectiveness of both novel existing cyber technologies. CyberVAN provides many features needed by cyber security researchers, developers and practitioners alike, and can be used for both verification and validation purposes. We provide an overview of CyberVANs functionality and a blueprint of the envisioned roadmap. Currently CyberVAN is available to ARL Cyber Security CRA (Collaborative Research Alliance) members. It is being used to evaluate CRA-developed cyber defense technologies and assess their applicability to the military strategic and tactical network environments.

ACyDS: An adaptive cyber deception system

In this paper we describe ACyDS, an adaptive cyber deception system. ACyDS provides a unique virtual network view to each host in an enterprise network. That is, a hosts view of its network, including subnet topology and IP address assignments of reachable hosts and servers, does not reflect physical network configurations and is different than the view of any other host in the network. ACyDS generates network views with the desired properties dynamically; it also changes every hosts network view on-the-fly. ACyDSs deception approach (i) deters reconnaissance if an intruder has compromised a host in the network, (ii) prevents collusion if multiple hosts have been compromised, and (iii) increases the likelihood and confidence of detecting the presence of intruders.

Towards network invariant fault diagnosis in MANETs via statistical modeling: The global strength of local weak decisions

Due to its obvious importance, fault detection and localization is a well-studied problem in communication networks, as attested by the many techniques designed to address this problem. The inherent variability, limited component reliability, and constrained resources of MANETs (Mobile Ad hoc Networks) make the problem not just more important, but also critical. Practical development and deployment considerations imply that fault detection and localization methods must i) avoid relying on overly detailed models of network protocols and traffic assumptions and instead rely on actual cross-layer measurements/observations, and ii) be applicable across different network scales and topologies with minimum adjustments. This paper demonstrates the feasibility of such goals, and proposes an important and as yet unexplored approach to fault management in MANETs: network-invariant fault detection, localization and diagnosis with limited knowledge of the underlying network and traffic models. We show how fault management methods can be derived by observing statistical network/traffic measurements in one network, and subsequently applied to other networks with satisfactory performance. We demonstrate that a carefully designed but widely applicable set of local and weak global indicators of faults can be efficiently aggregated to produce highly sensitive and specific methods that perform well when applied to MANETs with varying sizes, topologies, and traffic matrices.

TREND: Trust estimation system for wireless networks via multi-pronged detection

We describe a system developed for the DARPA Wireless Network Defense (WND) program for detecting attacks against the control plane at the link and network layers in a mobile ad hoc network. The goal of our system is for each node to independently assess the trustworthiness of other nodes in its neighborhood, and to disseminate these assessments to other nodes. We have developed a cross-layer invariant-based technique for detecting control plane attacks that exploits the readily observable nature of the wireless medium. Nodes listen to the transmissions of other nodes in their neighborhood and compare their observed behavior with expected behavior. Opinions formed by nodes are shared with other nodes and are combined at each node to form a consolidated opinion about other nodes in the network. We tested our approach in a realistic environment using a high fidelity ns-2 simulation of a 50-node scenario provided by ARL and running 802.11 and OLSR that included multiple subnets, realistic tactical traffic, wireless channels and ranges, propagation models, and variations of mobility. We injected a wide range of attacks and a varied number of attackers, with attacks that included a randomized and variable number of false advertisements for the above protocols as well as malicious forwarding behaviors with varying drop rates, with and without colluding attackers. Our results show that we exceeded all of the WND metrics, namely: (i) We achieved a detection rate of greater than 95% for all attacks; (ii) Probability of false alarms <;0.0005%; (iii) Additional network overhead due to reliability estimation <;1% of network capacity.

Testing android devices for tactical networks: A hybrid emulation testbed approach

Commercial cellular phones, such as Android-based smart phones, are being introduced into the U.S. military battlefield. The use of such devices in the military contexts, however, often assumes different networking structures (e.g., mobile ad hoc networks) and uses different communication paradigms (e.g., IP multicast) than the commercial deployment. Testing Android-based applications for military scenarios using tethered military radios is laborious and expensive with respect to both time and resources. A laboratory testbed allowing for such testing at high fidelity is therefore much desired at both development and testing stages, prior to actual field tests such as the ongoing Network Integration Evaluation (NIE) events. This paper describes a hybrid emulation testbed approach that enables the creation of a laboratory test environment for testing military applications using both real and emulated Android devices under customizable and repeatable network scenarios. We present multiple approach variations that were designed to overcome the issues and constraints associated with different test needs.

Building an operation support system for a fast reconfigurable network experimentation testbed

We discuss in this paper the emerging need for an operation support system to support fast, reconfigurable, time-shared testbeds. We articulate the needs for building an operation support system for such testbeds in order to provide better utilization of testbed resources, enable testers to closely examine and analyze tests, streamline the process of test setup and execution, as well as enhance the efficacy of tests and the throughput of the testbed. In addition, the progress that we have made so far, our current research and development road map, along with foreseeable research challenges are also discussed.

TITAN: Integrated network management in tactical mobile ad hoc networks

Network management represents one of the most challenging activities in tactical mobile ad hoc networks due to the need for rapid planning and configuration to support a given mission, in the face of large variability in wireless network performance and unpredictable conditions. Traditionally, independent tools, such as network planning and configuration, fault and performance management, and middleware have been designed to provide comprehensive network management capabilities. However, the lack of any integration between these tools often results in sub-optimal or conflicting network actions, conducting to inadequate network performance. More importantly, state of the art network management tools do not incorporate the mission intent into autonomous network management activities. This paper describes the TITAN (Tactical Information Technologies for Assured Networks) NM (Network Manager), an integrated network management tool that orchestrates and coordinates its actions such that network planning, configuration, fault response and performance adaptation take place seamlessly and coherently, on the basis of the mission intent. This ensures optimized network operations that achieve the intent of the mission. We present performance evaluation results for the TITAN NM in field experiments performed during C4ISR 2011 On-The-Move exercises at Fort Dix, NJ.

Stealth migration: Hiding virtual machines on the network

Live virtual machine (VM) migration is commonly used for enabling dynamic resource or fault management, or for load balancing in datacenters or cloud platforms. A service hosted by a VM may also be migrated to prevent its visibility to an external adversary who may seek to disrupt its operation by launching a DDoS attack against it. We first show that current systems cannot adequately hide a VM migration from an external adversary. The key reason for this is that a migration typically manifests a traffic pattern with distinguishable statistical properties. We introduce two new attacks that can allow an adversary to effectively track a migration in progress, by leveraging observations of these properties. As our primary contribution, we design and implement a stealth migration framework that causes migration traffic to be indistinguishable from regular Internet traffic, with a negligible latency overhead of approximately 0.37 seconds, on average.