
ESVT: A Toolkit Facilitating Use of DETER Lunquan Li, Jiwu Jing, Peng Liu, TJ, Jisheng, George Kesidis, David Miller Penn State University September 28,


1 ESVT: A Toolkit Facilitating Use of DETER
Lunquan Li, Jiwu Jing, Peng Liu, TJ, Jisheng, George Kesidis, David Miller
Penn State University
September 28, 2005, Newport Beach, CA

2 Motivation
- Specific testbeds need specific tools: EMIST tools are DETER specific
- Tools are a vehicle to make the evaluation methods developed by EMIST available to experimenters
- EMIST tools make DETER experiments easier
- EMIST tools save the experimenters' time and energy
(Figure: Experimenter -> EMIST tools / general purpose tools -> DETER)

3 EMIST Tool Effort
- PSU ESVT toolkit
- UCD NTGC network traffic generation and control tool
- ICSI/PSU worm scale-down equations
- UCD emulated worm attack generation tool
- PSU KMSim Slammer-like attack generator
- SRI/UCD worm simulation tools
- UCD XML worm specification tool
- UCD BGP routing data viz tool
- PSU NTD traffic data mining tool
- Purdue scriptable event system
- Purdue sys info logging tool
- SPARTA/McAfee DDOS trace analysis and viz scripts
- Purdue data analysis and viz scripts

4 ESVT: Status
- ESVT 1.0 -- May 2004: Windows platform; C++; user manual; sample DETER experiment package
- ESVT 2.0 -- May 2005: 34,494 lines of C++ code
- ESVT made open source in July 2005
- Download: http://emist.ist.psu.edu
- Downloads so far: ESVT 1.0 executable, 70 times; ESVT 2.0 executable, 26 times; ESVT 2.0 source code, 12 times

5 EMIST Tool Design Space
Pre-Execution:
- Draw topology
- Import topology
- Configure a node
- Setup virtualization
- Generate TCL scripts
- Setup meters
- Upload programs
- Setup trace logger
- Configure bandwidth, latency, etc.
- Specify attacks
- etc.
Execution:
- Attack injectors
- Background traffic generators
- Replay trace data
- Trace logger
- Event logger
- Meters
- Virtual nodes
- Internet interface simulator
- Event coordination
- Conf. tracking
- Pause, reconfigure, resume
- etc.
Post-Execution:
- Trace analysis (scripts)
- Visualization
- Traffic data mining
- Data aggregation
- Animation, replay
- Database integration
- User-defined views
- TCPDUMP2Netflow
- Analysis workflow learning
- etc.

6 ESVT Overview (May 2004: Version 1.0; May 2005: Version 2.0)
Pre-Execution:
- Draw topology
- Import topology
- Configure a node
- Setup virtualization
- Generate TCL scripts
- Configure bandwidth, latency, etc.
- Specify attacks
Execution:
- Attack packet injectors* (KMSim)
- Trace logger*
- Virtual nodes*
- Internet interface simulator*
Post-Execution:
- Visualization
- Traffic data mining*
- Data aggregation
- Animation, replay
- Database integration
- User-defined views
- TCPDUMP2Netflow
* To be integrated.

7 Step 1. Set up the experiment using ESVT
- EMIST topology specification in TCL
- Virtual sub-network nodes
- Internet interface
- Normal & vulnerable nodes
- Bandwidth, latency, addresses, OS
- Other auxiliary TCL scripts
Step 2. Set up the DETER environment
- Worm program
- Traffic generator program
- Internet interface program
- Virtual node program
- Normal node program
- Vulnerable node program
- TCPDUMP setup
Step 3. Run the experiment on DETER
- The EMULAB GUI can be used here
Step 4. Visualize the results using ESVT
- Worm propagation snapshots
- Worm propagation animation
- Link traffic bar chart (dynamic)
- Worm replay

8 Year 3 Themes of ESVT
- BGP ESVT
- Integration: integrate ESVT into the broader SEW (Security Experimenter's Workbench) concept; integrate NTD and other trace audit tools into ESVT
- Support PREDICT: use ESVT to help experimenters understand the characteristics of the various DHS data sets

9 ESVT Screenshots (demo: this afternoon)

10 The topology of the worm experiment done by Nick Weaver et al. in 2004.

11 Enterprise topology: 925 hosts, 70 switches, 7 routers (legend: router, Internet interface, host, switch)

12 A topology imported from GT-ITM format.

13 Node configuration in a zoomed-in topology.

14 A TCL script generated by ESVT: supports virtualization, sets up trace loggers, sets up the Internet interface, etc.

set lan70 [$ns make-lan "$n(969) $n(978) " 100Mb 0ms]
#--Total Switch: 3, Computer: 58, Susceptible ones: 1.
set link969 [$ns duplex-link $n(979) $n(977) 100Mb 0ms DropTail]
# Running programs section
tb-set-node-startcmd $n(902) "/proj/worm/e1k/scripts/run_virtual n-902-lan3 160"
tb-set-node-startcmd $n(903) "/proj/worm/e1k/scripts/run_virtual n-903-lan4 160"
tb-set-node-startcmd $n(936) "/proj/worm/e1k/scripts/run_virtual n-936-lan37 160"
...
tb-set-node-startcmd $n(943) "/proj/worm/e1k/scripts/run_virtual n-943-lan44 160"
tb-set-node-startcmd $n(945) "/proj/worm/e1k/scripts/run_tcp 945 160"
tb-set-node-startcmd $n(946) "/proj/worm/e1k/scripts/run_virtual n-946-lan47 160"
tb-set-node-startcmd $n(969) "/proj/worm/e1k/scripts/run_virtual n-969-lan70 160"
tb-set-node-startcmd $n(972) "/proj/worm/e1k/scripts/run_tcp 972 160"
tb-set-node-startcmd $n(973) "/proj/worm/e1k/scripts/run_tcp 973 160"
tb-set-node-startcmd $n(974) "/proj/worm/e1k/scripts/run_tcp 974 160"
...
tb-set-node-startcmd $n(978) "/proj/worm/e1k/scripts/run_tcp 978 160"
tb-set-node-startcmd $n(979) "/proj/worm/e1k/scripts/run_internet 979 160"
$ns rtproto Static
$ns run

Node and virtual node map file generated alongside the script:
#network address/prefix 10.1.1.1/16
#node & virtual node map file
#n-#### TYPE(B/I/V/R) S/N #####(GUI node index) #####(Last segment of IP)
n-902 V N 29 254
n-902 V N 27 253
n-902 V N 32 252
n-902 V N 36 251
n-902 V N 38 250
n-902 V N 40 249
n-902 V N 43 248
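An experiment package like the one above is uploaded to DETER as-is, so mistakes in it only surface once the swap-in fails. The following checker is an added example (not part of ESVT or the EMIST tools): it parses the `make-lan`, `duplex-link` and `tb-set-node-startcmd` lines of a generated NS script together with the node/virtual-node map file, and flags three mistakes worth catching before upload: a start command on a node that is wired into no LAN or link, a virtual-node map entry whose physical host never runs `run_virtual`, and two map entries sharing the last IP segment. The sample script and map are constructed from the fragments on the slide (with deliberate errors added); the meaning of the TYPE letters and of the trailing `160` argument is not given on the page, so the checker treats them as opaque, and it assumes the last segment is the only per-node part of an address inside the /16.

```python
import re
from collections import Counter

# Constructed from the fragments on the slide, with errors added on purpose;
# this is not an actual ESVT output.
SAMPLE_TCL = '''
set lan3 [$ns make-lan "$n(902) $n(945) " 100Mb 0ms]
set lan70 [$ns make-lan "$n(969) $n(978) " 100Mb 0ms]
set link969 [$ns duplex-link $n(979) $n(977) 100Mb 0ms DropTail]
# Running programs section
tb-set-node-startcmd $n(902) "/proj/worm/e1k/scripts/run_virtual n-902-lan3 160"
tb-set-node-startcmd $n(903) "/proj/worm/e1k/scripts/run_virtual n-903-lan4 160"
tb-set-node-startcmd $n(945) "/proj/worm/e1k/scripts/run_tcp 945 160"
tb-set-node-startcmd $n(979) "/proj/worm/e1k/scripts/run_internet 979 160"
$ns rtproto Static
$ns run
'''

SAMPLE_MAP = '''
#network address/prefix 10.1.1.1/16
#n-#### TYPE(B/I/V/R) S/N #####(GUI node index) #####(Last segment of IP)
n-902 V N 29 254
n-902 V N 27 253
n-903 V N 30 254
n-950 V N 31 252
'''

LAN_RE = re.compile(r'set\s+\w+\s+\[\$ns\s+make-lan\s+"([^"]*)"')
LINK_RE = re.compile(r'set\s+\w+\s+\[\$ns\s+duplex-link\s+\$n\((\d+)\)\s+\$n\((\d+)\)')
CMD_RE = re.compile(r'tb-set-node-startcmd\s+\$n\((\d+)\)\s+"([^"]*)"')
NODE_RE = re.compile(r'\$n\((\d+)\)')


def parse_ns(tcl):
    """Return (set of node ids attached to a LAN or link, {node id: start command})."""
    attached, startcmds = set(), {}
    for m in LAN_RE.finditer(tcl):
        attached.update(NODE_RE.findall(m.group(1)))
    for m in LINK_RE.finditer(tcl):
        attached.update(m.groups())
    for m in CMD_RE.finditer(tcl):
        startcmds[m.group(1)] = m.group(2)
    return attached, startcmds


def parse_map(text):
    """Parse 'n-#### TYPE S/N gui_index last_ip_segment' lines, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ntype, sn, gui_idx, last = line.split()
        entries.append((name, ntype, sn, int(gui_idx), int(last)))
    return entries


def validate(tcl, map_text):
    attached, startcmds = parse_ns(tcl)
    entries = parse_map(map_text)
    problems = []
    # 1. A start command on a node that is not wired into the topology.
    for node in startcmds:
        if node not in attached:
            problems.append(f"n-{node}: startcmd set but node is on no LAN or link")
    # 2. A virtual node mapped onto a physical node that never starts run_virtual.
    virtual_hosts = {f"n-{n}" for n, cmd in startcmds.items() if "run_virtual" in cmd}
    for name, ntype, _sn, _idx, _last in entries:
        if ntype == "V" and name not in virtual_hosts:
            problems.append(f"{name}: virtual node mapped but host has no run_virtual startcmd")
    # 3. Two entries sharing the last IP segment would collide (assuming that segment
    #    is the only per-node part of the address inside the /16).
    for last, count in sorted(Counter(e[4] for e in entries).items()):
        if count > 1:
            problems.append(f"last IP segment {last} used by {count} map entries")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_TCL, SAMPLE_MAP):
        print(problem)
```

Run against the constructed sample it reports n-903 (started but unattached), n-950 (virtual node without a host command) and the doubly used segment 254; a clean package returns an empty list.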

15 Trace data integration
- Use a SQL query to instrument a network-wide traffic view.
- MySQL database integration.
- Supports both TCPDUMP and NetFlow formats.

16 Data sources for link visualization are defined by a SQL query.

17 User-defined link visualization: options to define views.

18 Sample visualization output. Clicking on any plot zooms in and shows further details.

19 Animation: the network event replay toolbar with a pop-up link traffic chart.

20 BGP ESVT: the first shot.

21 Questions?

22 PSU KMSim Slammer-like Attack Generator
- KMSim is simulation code consisting of coupled Kermack-McKendrick epidemic equations that model the spread of a bandwidth-limited, randomly scanning Internet worm.
- Benefit: a family of worms can be simulated flexibly by tuning a few parameters.
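KMSim's own equations are not reproduced on this page, so the following is an added example rather than KMSim code: a plain Kermack-McKendrick (SIR) model over host classes that differ only in how many scans per second an infected host can push, which is what "bandwidth-limited" means for a Slammer-style UDP worm. The coupling is through the force of infection F = sum_j r_j I_j / Omega, the rate at which any single address in the 2^32 scan space is hit; every class is hit at the same per-host rate, but slow-link hosts contribute far fewer scans. The 75,000-host population and its split across 100 Mb/s and 56 kb/s links are constructed, the 4,000 scans/s nominal rate and 404-byte datagram are the usual Slammer figures, and gamma (patching/removal) is zero unless set.

```python
OMEGA = 2 ** 32          # address space a uniformly random IPv4 scanner draws from
SLAMMER_BYTES = 404      # Slammer datagram on the wire: 376-byte UDP payload + IP/UDP headers


def scan_rate(nominal, uplink_bps, pkt_bytes=SLAMMER_BYTES):
    """Scans per second one infected host emits: its nominal (CPU-bound) rate,
    capped by what its uplink can carry; the cap is what makes the worm bandwidth-limited."""
    return min(nominal, uplink_bps / (8 * pkt_bytes))


def simulate(classes, gamma=0.0, dt=0.5, t_end=600.0, seed_class=0, seed=1.0):
    """Coupled SIR equations over host classes with different scan rates.
    classes: list of (vulnerable hosts, scans/s per infected host).
      dS_k/dt = -S_k * F,   dI_k/dt = S_k * F - gamma * I_k,   dR_k/dt = gamma * I_k
    with F = sum_j r_j * I_j / OMEGA. Forward Euler with step dt.
    Returns a list of (t, S_list, I_list, R_list) samples."""
    S = [float(n) for n, _ in classes]
    I = [0.0] * len(classes)
    R = [0.0] * len(classes)
    rates = [r for _, r in classes]
    S[seed_class] -= seed            # the initial infection lives in one class
    I[seed_class] += seed
    series, t = [], 0.0
    while t <= t_end + 1e-9:
        series.append((t, S[:], I[:], R[:]))
        force = sum(r * i for r, i in zip(rates, I)) / OMEGA
        for k in range(len(classes)):
            new = min(S[k] * force * dt, S[k])   # never infect more hosts than remain
            rec = gamma * I[k] * dt
            S[k] -= new
            I[k] += new - rec
            R[k] += rec
        t += dt
    return series


def time_to_fraction(series, frac):
    """First time at which the ever-infected count (I + R) reaches frac of all hosts."""
    n_total = sum(series[0][1]) + sum(series[0][2]) + sum(series[0][3])
    for t, _s, i, r in series:
        if sum(i) + sum(r) >= frac * n_total:
            return t
    return None


def slammer_like():
    """Constructed population: 70,000 vulnerable hosts on 100 Mb/s links, 5,000 on 56 kb/s links."""
    classes = [(70000, scan_rate(4000, 100e6)), (5000, scan_rate(4000, 56e3))]
    return simulate(classes)


if __name__ == "__main__":
    series = slammer_like()
    print("time to 50%% infected: %.1f s" % time_to_fraction(series, 0.5))
    print("time to 90%% infected: %.1f s" % time_to_fraction(series, 0.9))
```

With these parameters the initial growth rate is about 4000 x 75000 / 2^32, roughly 0.07 per second (a doubling every 10 s), so half the population is infected in under three minutes, which is the order of magnitude observed for Slammer; changing the per-class scan rate, population or gamma is how a family of worms is explored from the same equations.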

23 PSU NTD Traffic Data Mining Tool
- A tool for efficient mining of the multidimensional traffic cluster hierarchy for digesting, visualization, and modeling.
- The tool detects the significant clusters, i.e., clusters whose traffic exceeds a threshold (in terms of either packet count or bytes).
- Cluster definition: source IP, destination IP, source port, destination port or protocol.
- NTD is an efficient implementation of the approach described by Estan et al. in SIGCOMM '03 ("Automatically inferring patterns of resource consumption in network traffic").
- NTD is offline.
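To make the cluster definition concrete, here is an added example (not NTD's code) of the core idea: every flow belongs to many clusters at once, one per combination of a source prefix, a destination prefix and a wildcard-or-exact choice on each of source port, destination port and protocol; a cluster is significant if its volume meets the threshold, and, following the report compression in Estan et al., a cluster is only reported if the traffic not already explained by more-specific clusters reported before it still meets the threshold. The six flow records are constructed; three of them are one host scanning 1434/udp across a /16, the rest ordinary TCP traffic. The measure can be bytes or packets, matching the two thresholds the slide mentions.

```python
import ipaddress
from collections import defaultdict
from itertools import product

PREFIX_LENS = (0, 8, 16, 24, 32)   # generalisation ladder per IP dimension; 0 = wildcard

# Constructed flow records: (src, dst, sport, dport, proto, packets, bytes).
FLOWS = [
    ("10.0.0.5", "192.168.1.10", 54321, 1434, 17, 10, 4040),
    ("10.0.0.5", "192.168.2.12", 54321, 1434, 17, 10, 4040),
    ("10.0.0.5", "192.168.3.14", 54321, 1434, 17, 10, 4040),
    ("10.0.0.7", "192.168.1.20", 40000, 80, 6, 12, 1500),
    ("10.0.1.9", "192.168.1.20", 40001, 80, 6, 8, 900),
    ("10.0.2.3", "172.16.0.1", 50000, 22, 6, 6, 600),
]
PACKETS, BYTES = 5, 6     # index of the volume measure inside a flow record


def ip_prefix(ip, plen):
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return (addr & mask, plen)


def prefix_str(p):
    addr, plen = p
    return "*" if plen == 0 else f"{ipaddress.IPv4Address(addr)}/{plen}"


def cluster_keys(flow):
    """All clusters (src prefix, dst prefix, sport, dport, proto) that contain this flow."""
    src, dst, sport, dport, proto = flow[:5]
    return product([ip_prefix(src, n) for n in PREFIX_LENS],
                   [ip_prefix(dst, n) for n in PREFIX_LENS],
                   ("*", sport), ("*", dport), ("*", proto))


def matches(key, flow):
    src, dst, sport, dport, proto = flow[:5]
    ks, kd, kp, kq, kr = key
    return (ip_prefix(src, ks[1]) == ks and ip_prefix(dst, kd[1]) == kd
            and kp in ("*", sport) and kq in ("*", dport) and kr in ("*", proto))


def specificity(key):
    """Larger means more specific: prefix lengths plus 32 per fixed port/protocol."""
    ks, kd, kp, kq, kr = key
    return ks[1] + kd[1] + 32 * sum(1 for v in (kp, kq, kr) if v != "*")


def significant_clusters(flows, threshold, measure=BYTES):
    """Clusters meeting the threshold, compressed: walking from most to least specific,
    a cluster is reported only if the traffic it covers that no earlier (at least as
    specific) reported cluster already covers still meets the threshold."""
    totals = defaultdict(int)
    for f in flows:
        for key in cluster_keys(f):
            totals[key] += f[measure]
    candidates = sorted((k for k, v in totals.items() if v >= threshold),
                        key=specificity, reverse=True)
    reported = []
    for key in candidates:
        residual = sum(f[measure] for f in flows
                       if matches(key, f) and not any(matches(r, f) for r, _ in reported))
        if residual >= threshold:
            reported.append((key, residual))
    return reported


def describe(key):
    ks, kd, kp, kq, kr = key
    return f"{prefix_str(ks)} -> {prefix_str(kd)} sport={kp} dport={kq} proto={kr}"


if __name__ == "__main__":
    for key, volume in significant_clusters(FLOWS, threshold=5000):
        print(f"{volume:6d} bytes    {describe(key)}")
    for key, volume in significant_clusters(FLOWS, threshold=25, measure=PACKETS):
        print(f"{volume:6d} packets  {describe(key)}")
```

With a 5,000-byte threshold the only report is the scanner, summarised as `10.0.0.5/32 -> 192.168.0.0/16 sport=54321 dport=1434 proto=17` rather than as three separate flows or as a vaguer `10.0.0.0/16 -> *`; counting packets with a threshold of 25 additionally surfaces the aggregate TCP traffic from the 10.0.0.0/16 sources, which no single flow would have shown. The enumeration is exhaustive (200 clusters per flow) and is only meant to make the definition visible; NTD's value is doing this efficiently on real traces.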

24 EMIST Tool Effort
- ICSI/PSU worm scale-down equations
- PSU ESVT toolkit*
- PSU KMSim Slammer-like attack generator*
- PSU NTD traffic data mining tool*
- Purdue scriptable event system*
- Purdue sys info logging tool*
- Purdue data analysis and viz scripts*
- SPARTA/McAfee DDOS trace analysis and viz scripts
- SRI/UCD worm simulation tools
- UCD emulated worm attack generation tool
- UCD NTGC network traffic generation and control tool
- UCD XML worm specification tool
- UCD BGP routing data viz tool
* Officially released

25 Purdue Scriptable Event System
- During a DETER experiment, many events may happen: time events, command events, etc.
- Although the local event response can be pre-programmed on a single test machine, a synchronized event response among a set of test machines cannot be pre-programmed.
- This tool allows runtime coordinated event response via a coordinator-participant model.
- Each test machine can run a participant stub that communicates with the coordinator to report events and receive response instructions.
- The global event response plan can be flexibly scripted by the experimenter.
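The coordinator-participant model is easiest to see with a runnable sketch, so here is an added example, not the Purdue tool and not its script syntax: a coordinator holds a scripted plan of event-driven rules (when some participant reports an event, send a command to a selected set of participants) and time-driven rules (fire once when the experiment clock passes a mark); participant stubs report events to it and execute whatever it sends back. The roster, the plan and the command strings are constructed, and the stubs are called in-process rather than over the network, which is the only difference from the wire protocol a real deployment would need.

```python
# Constructed roster (node -> role) and response plan; the real tool's script syntax is not on the page.
ROSTER = {"n-945": "vulnerable", "n-972": "normal", "n-979": "internet", "n-902": "virtual"}

PLAN = [
    # event rules: when <from> ('*' = anyone) reports <on>, send <cmd> to the nodes <to> selects
    {"on": "worm:infected", "from": "*", "to": "others", "cmd": "tcpdump_start"},
    {"on": "worm:infected", "from": "*", "to": "role:internet", "cmd": "rate_limit udp/1434"},
    # time rule: fires exactly once when the experiment clock reaches <at>
    {"at": 120.0, "to": "all", "cmd": "snapshot"},
]


class Coordinator:
    def __init__(self, roster, plan):
        self.roster, self.plan = roster, plan
        self.stubs = {}        # name -> Participant, filled by register()
        self.fired = set()     # indices of time rules that already fired
        self.log = []          # what was sent and why, for the experiment record

    def register(self, stub):
        self.stubs[stub.name] = stub

    def select(self, selector, origin):
        """Resolve a target selector against the roster; sorted so delivery order is stable."""
        if selector == "all":
            return sorted(self.roster)
        if selector == "others":
            return sorted(n for n in self.roster if n != origin)
        if selector == "self":
            return [origin]
        if selector.startswith("role:"):
            return sorted(n for n, role in self.roster.items() if role == selector[5:])
        raise ValueError(f"unknown selector {selector!r}")

    def deliver(self, instructions, why):
        self.log.append((why, instructions))
        for target, cmd in instructions:
            self.stubs[target].execute(cmd)
        return instructions

    def on_report(self, origin, event):
        """A participant reported an event; answer with the instructions the plan scripts for it."""
        out = [(n, rule["cmd"])
               for rule in self.plan
               if rule.get("on") == event and rule.get("from", "*") in ("*", origin)
               for n in self.select(rule["to"], origin)]
        return self.deliver(out, f"{origin} reported {event}")

    def on_time(self, now):
        """The experiment clock advanced; fire every due time rule that has not fired yet."""
        out = []
        for idx, rule in enumerate(self.plan):
            if "at" in rule and idx not in self.fired and now >= rule["at"]:
                self.fired.add(idx)
                out += [(n, rule["cmd"]) for n in self.select(rule["to"], None)]
        return self.deliver(out, f"clock={now}")


class Participant:
    """Stand-in for the per-machine stub; it is called in-process here instead of over a socket."""
    def __init__(self, name, coordinator):
        self.name, self.coordinator, self.executed = name, coordinator, []
        coordinator.register(self)

    def report(self, event):
        return self.coordinator.on_report(self.name, event)

    def execute(self, cmd):
        self.executed.append(cmd)


def run_scenario():
    """One constructed run: the vulnerable node detects infection, then the clock advances."""
    coord = Coordinator(ROSTER, PLAN)
    stubs = {name: Participant(name, coord) for name in ROSTER}
    stubs["n-945"].report("worm:infected")   # local detection on the vulnerable node
    coord.on_time(60.0)                      # nothing due yet
    coord.on_time(120.0)                     # snapshot rule fires on every node
    coord.on_time(180.0)                     # already fired; nothing happens
    return {name: stub.executed for name, stub in stubs.items()}


if __name__ == "__main__":
    for name, cmds in run_scenario().items():
        print(name, cmds)
```

The point of the model shows in the result: the node that reports the infection never gets the `tcpdump_start` it triggered on everyone else, the Internet-interface node gets an extra rate limit, and the snapshot reaches all four at the same clock tick, none of which a per-machine script could have arranged on its own.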

26 Purdue Sys Info Logging Tool
This tool logs system-level statistics associated with a given network interface:
timestamp, bytes_per_sec, pack_per_sec, bytes_per_sec_up, pack_per_sec_up, memtotal, memused, uptime, idletime, established TCP connections, half-open TCP connections, TCPSlowStartRetrans count, TCPAbortOnTimeout count, errs on the device drivers, drops on the device drivers

27 UCD Emulated Worm Attack Generation
- All nodes host a worm generation daemon.
- Nodes wait for worm attack "instructions".
- The propagation behavior of the worm is varied by varying the "instructions".
- An XML specification of worm propagation serves as the instructions.

28 UCD Network Traffic Generation and Control (NTGC)
(Pipeline figure, reconstructed:)
- Inputs: Raw trace 1 ... Raw trace n
- Traffic Analyzer: reconstruct TCP connections; generate flow data; merge traces; timestamp normalization. Outputs: connection data, flow data.
- Traffic Filter: filtering; address remapping; scale up/down; duplicate removal. Inputs: address remapping rules, topology file.
- Configuration File Generator
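To show what the Traffic Filter stage does to real records, here is an added example that is not NTGC's code: two constructed captures taken at different absolute times are normalized so each starts at t=0, merged into one timeline, stripped of exact duplicates, filtered (here by destination port), and remapped so that the captured server subnet lands on a testbed subnet with the host part preserved, after which the timeline can be compressed or stretched. The remapping rule, the testbed prefix and the reading of "scale up/down" as a time-scale factor are assumptions; TCP connection reconstruction from packets is not covered, the input is already flow records.

```python
import ipaddress

# Constructed raw flow records from two captures taken at different times:
# (timestamp, src, dst, dport, bytes). Trace 2 contains an exact duplicate record.
RAW_TRACE_1 = [
    (1000.0, "1.2.3.4", "5.6.7.8", 80, 500),
    (1001.5, "1.2.3.9", "5.6.7.8", 80, 700),
]
RAW_TRACE_2 = [
    (5000.0, "9.9.9.9", "5.6.7.10", 22, 300),
    (5000.0, "9.9.9.9", "5.6.7.10", 22, 300),
    (5002.0, "9.9.9.1", "5.6.7.8", 80, 100),
]

# Address remapping rules (assumed): the captured server subnet is pointed at a
# testbed subnet; the host part of each address is preserved.
REMAP_RULES = [(ipaddress.ip_network("5.6.7.0/24"), ipaddress.ip_network("10.1.1.0/24"))]


def normalize(trace):
    """Shift a capture so its first record is at t=0; captures must agree on t=0 before merging."""
    t0 = min(rec[0] for rec in trace)
    return [(rec[0] - t0,) + rec[1:] for rec in trace]


def merge(*traces):
    """Interleave captures by (normalized) time; ties fall back to the remaining fields."""
    return sorted(rec for trace in traces for rec in trace)


def dedupe(trace):
    """Drop exact duplicate records (e.g. the same flow seen on two capture points)."""
    seen, out = set(), []
    for rec in trace:
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def remap_addr(ip, rules):
    addr = ipaddress.IPv4Address(ip)
    for src_net, dst_net in rules:
        if addr in src_net:
            return str(dst_net.network_address + (int(addr) - int(src_net.network_address)))
    return ip


def remap(trace, rules):
    return [(t, remap_addr(s, rules), remap_addr(d, rules), p, b) for t, s, d, p, b in trace]


def scale_time(trace, factor):
    """Compress (factor < 1) or stretch (factor > 1) the replay timeline."""
    return [(rec[0] * factor,) + rec[1:] for rec in trace]


def build_replay(traces, rules, keep=lambda rec: True, time_factor=1.0):
    """Filter-stage pipeline: normalize each capture, merge, drop duplicates, filter,
    remap addresses onto the testbed, then scale the timeline."""
    merged = merge(*(normalize(t) for t in traces))
    kept = [rec for rec in dedupe(merged) if keep(rec)]
    return scale_time(remap(kept, rules), time_factor)


if __name__ == "__main__":
    for rec in build_replay([RAW_TRACE_1, RAW_TRACE_2], REMAP_RULES, keep=lambda r: r[3] == 80):
        print(rec)
```

Keeping only port-80 records from the two captures yields three records at t = 0.0, 1.5 and 2.0, all now addressed to 10.1.1.8; the SSH flow and its duplicate are gone, and the unmapped client addresses are left as they were, which is the usual choice when the clients are not part of the emulated topology.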

