Ted Faber

The DETER project: Advancing the science of cyber security experimentation and test

Since 2004, the DETER Cybersecurity Testbed Project has worked to create the necessary infrastructure — facilities, tools, and processes-to provide a national resource for experimentation in cyber security. The next generation of DETER envisions several conceptual advances in testbed design and experimental research methodology, targeting improved experimental validity, enhanced usability, and increased size, complexity, and diversity of experiments. This paper outlines the DETER projects status and current R&D directions.

The ASP EE: an active network execution environment

This paper describes the ASP Execution Environment (EE), a prototype general-purpose active network execution environment that initiates and controls the execution of Java-based active applications. Features of the ASP EE include support for persistent active applications, fine-grained network I/O control, security, resource protection and timing services.

Current Developments in DETER Cybersecurity Testbed Technology

From its inception in 2004, the DETER testbed facility has provided effective, dedicated experimental resources and expertise to a broad range of academic, industrial and government researchers. Now, building on knowledge gained, the DETER developers and community are moving beyond the classic “testbed” model and towards the creation and deployment of fundamentally transformational cybersecurity research methodologies. This paper discusses underlying rationale, together with initial design and implementation, of key technical concepts that drive these transformations.

Achieving faster access to satellite link bandwidth

TCP with Van Jacobson congestion control (VJCC) is known to have poor performance over large bandwidth-delay product paths. Long delay paths, in particular, can display very poor behavior with VJCC slowly probing to acquire available capacity. TCP performance enhancing proxies (PEPs) constitute one mechanism for ameliorating poor VJCC end-to-end performance by splitting TCP connections around a long-delay link or network, and using alternate congestion control dynamics across the troublesome portion. Previous congestion control techniques for use over satellite links have typically constituted either tweaks to the Van Jacobson algorithms, Vegas-style congestion control or disabling congestion control altogether in favor of a manual send-rate. This paper analyzes results from measurements of a new congestion control mechanism, the explicit Control protocol or XCP, between PEPs with a simulated geosynchronous satellite link in the path. We show that connections using an XCP PEP acquire their share of expensive satellite bandwidth up to 70 times faster than end-to-end TCP with VJCC.

A federated experiment environment for emulab-based testbeds

We describe an architecture for creating experimental environments across multiple cooperating Emulab-based testbeds, called the DETER Federation Architecture (DFA). The system uses cooperative resource allocation and multiple-level testbed access to create a cohesive environment for experimentation. Testbeds that contribute resources continue to exert their own resource allocation and access policies. The architecture is designed to scale. We describe a prototype implementation.

DETERLab and the DETER Project

This chapter describes the DETER Project and its centerpiece facility DETERLab. DETERLab is a large-scale, shared, and open modeling, emulation, and experimentation facility for networked systems, developed and operated as a national resource for cyber-security experimentation. The Project itself has three major components:

Authorization and Access Control: ABAC

GENI’s goal of wide-scale collaboration on infrastructure owned by independent and diverse stakeholders stresses current access control systems to the breaking point. Challenges not well addressed by current systems include, at minimum, support for distributed identity and policy management, correctness and auditability, and approachability. The Attribute Based Access Control (ABAC) system [1, 2] is an attribute-based authorization system that combines attributes using a simple reasoning system to provide authorization that (1) expresses delegation and other authorization models efficiently and scalably; (2) provides auditing information that includes both the decision and reasoning; and (3) supports multiple authentication frameworks as entry points into the attribute space. The GENI project has taken this powerful theoretical system and matured it into a form ready for practical use.

Enabling Collaborative Research for Security and Resiliency of Energy Cyber Physical Systems

The University of Illinois at Urbana Champaign (Illinois), Pacific Northwest National Labs (PNNL), and the University of Southern California Information Sciences Institute (USC-ISI) consortium is working toward providing tools and expertise to enable collaborative research to improve security and resiliency of cyber physical systems. In this extended abstract we discuss the challenges and the solution space. We demonstrate the feasibility of some of the proposed components through a wide-area situational awareness experiment for the power grid across the three sites.