Stephen Schwab
SPARTA, Inc.
Publication
Featured research published by Stephen Schwab.
Testbeds and Research Infrastructures for the Development of Networks and Communities | 2006
Terry Benzel; Robert Braden; Dongho Kim; Clifford Neuman; Anthony D. Joseph; Keith Sklower; Ron Ostrenga; Stephen Schwab
The DETER testbed is shared infrastructure designed for medium-scale repeatable experiments in computer security, especially those experiments that involve malicious code. The testbed provides unique resources and a focus of activity for an open community of academic, industry, and government researchers working toward better defenses against malicious attacks on our networking infrastructure, especially critical infrastructure. This paper presents our experience with the deployment and operation of the testbed, highlights some of the research conducted on the testbed, and discusses our plans for continued development, expansion, and replication of the testbed facility.
IEEE Journal on Selected Areas in Communications | 2001
Larry Peterson; Yitzchak M. Gottlieb; Mike Hibler; Patrick Tullmann; Jay Lepreau; Stephen Schwab; Hrishikesh Dandekar; Andrew Purtell; John H. Hartman
This paper describes an operating system (OS) interface for active routers. This interface allows code loaded into active routers to access the router's memory, communication, and computational resources on behalf of different packet flows. In addition to motivating and describing the interface, the paper also reports our experiences implementing the interface in three different OS environments: Scout, the OSKit, and the exokernel.
IEEE International Conference on Technologies for Homeland Security | 2010
Jelena Mirkovic; Terry Benzel; Ted Faber; Robert Braden; John Wroclawski; Stephen Schwab
Since 2004, the DETER Cybersecurity Testbed Project has worked to create the necessary infrastructure (facilities, tools, and processes) to provide a national resource for experimentation in cyber security. The next generation of DETER envisions several conceptual advances in testbed design and experimental research methodology, targeting improved experimental validity, enhanced usability, and increased size, complexity, and diversity of experiments. This paper outlines the DETER project's status and current R&D directions.
Proceedings of the 2007 workshop on Experimental computer science | 2007
Jelena Mirkovic; Alefiya Hussain; Brett Wilson; Sonia Fahmy; Peter L. Reiher; Roshan K. Thomas; Wei-Min Yao; Stephen Schwab
To date, the measurement of user-perceived degradation of quality of service during denial of service (DoS) attacks remained an elusive goal. Current approaches mostly rely on lower level traffic measurements such as throughput, utilization, loss rate, and latency. They fail to monitor all traffic parameters that signal service degradation for diverse applications, and to map application quality-of-service (QoS) requirements into specific parameter thresholds. To objectively evaluate an attack's impact on network services, its severity and the effectiveness of a potential defense, we need precise, quantitative and comprehensive DoS impact metrics that are applicable to any test scenario. We propose a series of DoS impact metrics that measure the QoS experienced by end users during an attack. The proposed metrics consider QoS requirements for a range of applications and map them into measurable traffic parameters with acceptable thresholds. Service quality is derived by comparing measured parameter values with corresponding thresholds, and aggregated into a series of appropriate DoS impact metrics. We illustrate the proposed metrics using extensive live experiments, with a wide range of background traffic and attack variants. We successfully demonstrate that our metrics capture the DoS impact more precisely than the measures used in the past.
Testbeds and Research Infrastructures for the Development of Networks and Communities | 2007
Jelena Mirkovic; Songjie Wei; Alefiya Hussain; Brett Wilson; Roshan K. Thomas; Stephen Schwab; Sonia Fahmy; P. Reiner
While the DETER testbed provides a safe environment and basic tools for security experimentation, researchers face a significant challenge in assembling the testbed pieces and tools into realistic and complete experimental scenarios. In this paper, we describe our work on developing a set of sampled and comprehensive benchmark scenarios, and a workbench for experiments involving denial-of-service (DoS) attacks. The benchmark scenarios are developed by sampling features of attacks, legitimate traffic and topologies from the real Internet. We have also developed a measure of DoS impact on network services to evaluate the severity of an attack and the effectiveness of a proposed defense. The benchmarks are integrated with the testbed via the experimenter's workbench - a collection of traffic generation tools, topology and defense library, experiment control scripts and a graphical user interface. Benchmark scenarios provide inputs to the workbench, bypassing the user's selection of topology and traffic settings, and leaving her only with the task of selecting a defense, its configuration and deployment points. Jointly, the benchmarks and the experimenter's workbench provide an easy, point-and-click environment for DoS experimentation and defense testing.
Testbeds and Research Infrastructures for the Development of Networks and Communities | 2010
Rick McGeer; David G. Andersen; Stephen Schwab
The Network Testbed Mapping Problem is the problem of mapping an emulated network into a test cluster such as Emulab or DETER. In this paper, we demonstrate that the Network Testbed Mapping Problem is \(\mathcal{NP}\)-complete when there is constrained bandwidth between cluster switches. We demonstrate that the problem is trivial when bandwidth is unconstrained, and note that a number of new proposals for data center networking have removed this barrier. Finally, we consider new heuristics in the bandwidth-limited case.
Military Communications Conference | 2005
Stephen Schwab; Brett Wilson; Roshan K. Thomas
In this paper, we describe our ongoing efforts to develop methodologies and metrics for the testing and analysis of distributed denial of service (DDoS) attacks and defenses as part of the Evaluation Methods for Internet Security Technologies (EMIST) project funded by the Department of Homeland Security (DHS) and the National Science Foundation (NSF). The EMIST project in turn makes use of the Cyber Defense Technology Experimental Research (DETER) network. DETER is an experimental network test bed built to support national-scale experimentation of security research and technologies. Our objective is to advance the state of the art in the testing, analysis and assessment of DDoS attacks and defenses. To enable this, we are designing a canonical experimentation methodology to guide an experimenter in systematically defining and conducting evaluations. We are also developing a metrics framework to go hand-in-hand with the canonical experimentation methodology. We also describe the results and lessons learnt from initial DDoS experiments using our floodwatch defense technology.
Proceedings DARPA Active Networks Conference and Exposition | 2002
Hrishikesh Dandekar; Andrew Purtell; Stephen Schwab
This paper summarizes and discusses the AMP project. The goal was to develop the OS infrastructure upon which an active network could be built. The AMP platform provides active code with efficient and controlled access to physical resources and provides separation between concurrent active flows.
Broadband Communications, Networks and Systems | 2008
Jack Brassil; Rick McGeer; Raj Rajagopalan; Andy C. Bavier; Larry Roberts; Brian L. Mark; Stephen Schwab
To improve the performance of VPN connections we investigate how the bandwidth of multiple access links can be aggregated with inverse multiplexing to create a single, higher capacity logical communication link. But achieving the maximum possible aggregated TCP throughput becomes extremely challenging if the underlying links either use different technologies (e.g., DSL, cable modem) or suffer different or time-varying communication characteristics (e.g., available bandwidth, packet loss rate). To maximize VPN throughput we have constructed a system that combines two distinct innovations. First, we continuously measure the communication characteristics of the underlying component links in our aggregate and dynamically assign packets to each link in proportion to its available capacity. Second, we modify TCP congestion control across the inverse-multiplexed access hop to avoid rate decreases normally initiated by the delayed acknowledgments often triggered when using legacy TCP on multiple heterogeneous paths. We describe the system's implementation, the test environment we built on Emulab, and show that when access links form the communication bottleneck in the end-to-end connection we can significantly increase VPN performance over conventional approaches.
The GENI Book | 2016
John Wroclawski; Terry Benzel; Jim Blythe; Ted Faber; Alefiya Hussain; Jelena Mirkovic; Stephen Schwab
This chapter describes the DETER Project and its centerpiece facility DETERLab. DETERLab is a large-scale, shared, and open modeling, emulation, and experimentation facility for networked systems, developed and operated as a national resource for cyber-security experimentation. The Project itself has three major components: