ESVT: A Toolkit Facilitating Use of DETER

Presentation transcript:

1 ESVT: A Toolkit Facilitating Use of DETER. Lunquan Li, Jiwu Jing, Peng Liu, TJ, Jisheng, George Kesidis, David Miller. Penn State University. September 28, 2005, Newport Beach, CA

2 Motivation
Specific testbeds need specific tools
  - EMIST tools are DETER specific
Tools are a vehicle to make the evaluation methods developed by EMIST available to experimenters
EMIST tools make DETER experiments easier
EMIST tools save the experimenters' time and energy
(Figure: Experimenter, EMIST tools, General purpose tools, DETER)

3 EMIST Tool Effort
  - PSU ESVT toolkit
  - UCD NTGC network traffic generation and control tool
  - ICSI/PSU worm scale-down equations
  - UCD emulated worm attack generation tool
  - PSU KMSim Slammer-like attack generator
  - SRI/UCD worm simulation tools
  - UCD XML worm specification tool
  - UCD BGP routing data viz tool
  - PSU NTD traffic data mining tool
  - Purdue scriptable event system
  - Purdue sys info logging tool
  - SPARTA/McAfee DDOS trace analysis and viz scripts
  - Purdue data analysis and viz scripts

4 ESVT: Status
ESVT 1.0, May 2004
  - Windows platform
  - C++
  - User manual
  - Sample DETER experiment package
ESVT 2.0, May 2005
  - 34,494 lines of C++ code
  - ESVT made open source in July 2005
Downloads:
  - ESVT 1.0 Executable: 70 times
  - ESVT 2.0 Executable: 26 times
  - ESVT 2.0 Source code: 12 times

5 EMIST Tool Design Space
Pre-Execution:
  -- Draw topology
  -- Import topology
  -- Configure a node
  -- Setup virtualization
  -- Generate TCL scripts
  -- Setup meters
  -- Upload programs
  -- Setup trace logger
  -- Configure bandwidth, latency, etc.
  -- Specify attacks
  -- etc.
Execution:
  -- Attack injectors
  -- Background traffic generators
  -- Replay trace data
  -- Trace logger
  -- Event logger
  -- Meters
  -- Virtual nodes
  -- Internet interface simulator
  -- Event coordination
  -- Conf. tracking
  -- Pause, reconfigure, resume
  -- etc.
Post-Execution:
  -- Trace analysis (scripts)
  -- Visualization
  -- Traffic data mining
  -- Data aggregation
  -- Animation, replay
  -- Database integration
  -- User-defined views
  -- TCPDUMP2Netflow
  -- Analysis workflow learning
  -- etc.

6 ESVT Overview
Pre-Execution:
  -- Draw topology
  -- Import topology
  -- Configure a node
  -- Setup virtualization
  -- Generate TCL scripts
  -- Configure bandwidth, latency, etc.
  -- Specify attacks
Execution:
  -- Attack packet injectors* (KMSim)
  -- Trace logger*
  -- Virtual nodes*
  -- Internet interface simulator*
Post-Execution:
  -- Visualization
  -- Traffic data mining*
  -- Data aggregation
  -- Animation, replay
  -- Database integration
  -- User-defined views
  -- TCPDUMP2Netflow
* To be integrated.
May 2004: Version 1.0; May 2005: Version 2.0

7
Step 1. Setup the experiment using ESVT
  - EMIST topology specification in TCL
  - Virtual sub-network nodes
  - Internet interface
  - Normal & vulnerable nodes
  - Bandwidth, latency, addresses, OS
  - Other auxiliary TCL scripts
Step 2. Setup the DETER environment
  - Worm program
  - Traffic generator program
  - Internet interface program
  - Virtual node program
  - Normal node program
  - Vulnerable node program
  - TCPDUMP setup
Step 3. Run the experiment on DETER
  - EMULAB GUI can be used here
Step 4. Visualize the results using ESVT
  - Worm propagation snapshots
  - Worm propagation animation
  - Link traffic bar chart (dynamic)
  - Worm replay

8 Year 3 Themes of ESVT
BGP ESVT
Integration
  - Integrate ESVT into the broader SEW (Security Experimenter's Workbench) concept
  - Integrate NTD and other trace audit tools into ESVT
Support PREDICT
  - Use ESVT to help experimenters understand the characteristics of various DHS data sets

9 ESVT Screenshots Demo: this afternoon

10 The topology of the worm experiment done by Nick Weaver et al. in 2004.

11 Enterprise topology: 925 hosts, 70 switches, 7 routers (legend: router, Internet Interface, Host, Switch)

12 A topology imported from GT-ITM format.

13 Node configuration in a zoomed-in topology.

14 A TCL script generated by ESVT: supports virtualization; sets up trace loggers; sets up the Internet interface; etc.

    set lan70 [$ns make-lan "$n(969) $n(978) " 100Mb 0ms]
    #--Total Switch: 3, Computer: 58, Susceptible ones: 1.
    set link969 [$ns duplex-link $n(979) $n(977) 100Mb 0ms DropTail]
    # Running programs section
    tb-set-node-startcmd $n(902) "/proj/worm/e1k/scripts/run_virtual n-902-lan3 160"
    tb-set-node-startcmd $n(903) "/proj/worm/e1k/scripts/run_virtual n-903-lan4 160"
    tb-set-node-startcmd $n(936) "/proj/worm/e1k/scripts/run_virtual n-936-lan37 160"
    ...
    tb-set-node-startcmd $n(943) "/proj/worm/e1k/scripts/run_virtual n-943-lan44 160"
    tb-set-node-startcmd $n(945) "/proj/worm/e1k/scripts/run_tcp "
    tb-set-node-startcmd $n(946) "/proj/worm/e1k/scripts/run_virtual n-946-lan47 160"
    tb-set-node-startcmd $n(969) "/proj/worm/e1k/scripts/run_virtual n-969-lan70 160"
    tb-set-node-startcmd $n(972) "/proj/worm/e1k/scripts/run_tcp "
    tb-set-node-startcmd $n(973) "/proj/worm/e1k/scripts/run_tcp "
    tb-set-node-startcmd $n(974) "/proj/worm/e1k/scripts/run_tcp "
    ...
    tb-set-node-startcmd $n(978) "/proj/worm/e1k/scripts/run_tcp "
    tb-set-node-startcmd $n(979) "/proj/worm/e1k/scripts/run_internet "
    $ns rtproto Static
    $ns run

Node and virtual node map file (excerpt):

    #network address/prefix /16
    #node & virtual node map file
    #n-#### TYPE(B/I/V/R) S/N #####(GUI node index) #####(Last segment of IP)
    n-902 V N
    n-902 V N
    n-902 V N
    n-902 V N
    n-902 V N
    n-902 V N
    n-902 V N
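The slide shows the output of ESVT's TCL generator but not how such a file is produced. The following is an added example (not ESVT's code) of a small generator that emits the same three kinds of statements from an in-memory topology: `make-lan` for switched segments, `duplex-link` for point-to-point links, and `tb-set-node-startcmd` lines whose program depends on the node's role. The topology itself is constructed; the script directory `/proj/worm/e1k/scripts` and the role-to-program mapping (`run_virtual`, `run_tcp`, `run_internet`) are taken from the slide, while the `set ns [new Simulator]` / `source tb_compat.tcl` preamble is the standard Emulab ns-file header that the slide excerpt omits.

```python
"""Emit an Emulab/DETER-style ns TCL experiment file from a small in-memory topology.
Added example, not ESVT's code. The topology below is constructed; the script
directory and the role-to-program mapping follow the sample TCL on the slide."""

# Node roles use the slide's map-file letters: V = hosts virtual sub-network
# nodes, I = Internet interface node; any other role runs the normal TCP program.
TOPOLOGY = {
    "script_dir": "/proj/worm/e1k/scripts",
    "nodes": {902: "V", 903: "V", 945: "N", 969: "V", 972: "N", 978: "N", 979: "I"},
    "lans": {"lan3": [902, 945], "lan4": [903, 972], "lan70": [969, 978]},
    "links": [(979, 978)],           # point-to-point link from the Internet interface
    "virtual_per_node": 160,         # virtual nodes emulated on each V host
}


def lan_membership(lans):
    """Map each physical node to the LAN it joins (each node joins at most one here)."""
    return {node: lan for lan, members in lans.items() for node in members}


def start_command(script_dir, node, role, lan_of, n_virtual):
    """Build one tb-set-node-startcmd line for a node according to its role."""
    if role == "V":
        lan = lan_of.get(node)
        if lan is None:
            raise ValueError(f"virtual-node host {node} must be attached to a LAN")
        program = f"{script_dir}/run_virtual n-{node}-{lan} {n_virtual}"
    elif role == "I":
        program = f"{script_dir}/run_internet"
    else:
        program = f"{script_dir}/run_tcp"
    return f'tb-set-node-startcmd $n({node}) "{program}"'


def generate_tcl(topology):
    """Return the complete ns file as a string."""
    lan_of = lan_membership(topology["lans"])
    lines = ["set ns [new Simulator]", "source tb_compat.tcl", ""]
    for node in sorted(topology["nodes"]):
        lines.append(f"set n({node}) [$ns node]")
    lines.append("")
    for lan, members in sorted(topology["lans"].items()):
        joined = " ".join(f"$n({m})" for m in members)
        lines.append(f'set {lan} [$ns make-lan "{joined}" 100Mb 0ms]')
    for i, (a, b) in enumerate(topology["links"]):
        lines.append(f"set link{i} [$ns duplex-link $n({a}) $n({b}) 100Mb 0ms DropTail]")
    lines += ["", "# Running programs section"]
    for node, role in sorted(topology["nodes"].items()):
        lines.append(start_command(topology["script_dir"], node, role,
                                   lan_of, topology["virtual_per_node"]))
    lines += ["", "$ns rtproto Static", "$ns run"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_tcl(TOPOLOGY), end="")
```

The generator refuses to emit a `run_virtual` line for a host that is not on any LAN, since the virtual sub-network program needs the LAN name to build its `n-<node>-<lan>` identifier; everything else is a straight mapping from the topology dictionary to TCL.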

15
  -- Use a SQL query to instrument a network-wide traffic view.
  -- MySQL database integration.
  -- Support both TCPDUMP and NetFlow formats.

16 Data sources for link visualization are defined by a SQL query
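Slides 15 and 16 say that a link-visualization data source is a SQL query over trace data stored in a database, and that both TCPDUMP and NetFlow inputs are supported. The following added example (not ESVT's code, and using SQLite in place of MySQL so it runs offline) shows both halves: a minimal "TCPDUMP2Netflow" step that aggregates constructed packet records into NetFlow-style rows, and a query that turns flow rows into per-link, per-time-bin byte and packet counts by joining each endpoint address to the experiment link it belongs to. The flow records, packet records and prefix-to-link table are all constructed.

```python
"""Link-traffic view over flow records via a SQL query. Added example, not ESVT's
code; SQLite stands in for the MySQL integration the slide mentions."""
import sqlite3

# Constructed packet records, as a tcpdump-derived trace would supply them:
# (timestamp, src_ip, dst_ip, src_port, dst_port, ip_proto, length_bytes)
PACKETS = [
    (0.0, "10.1.3.5", "10.1.4.7", 40000, 80, 6, 1500),
    (0.1, "10.1.3.5", "10.1.4.7", 40000, 80, 6, 1500),
    (0.5, "10.1.3.5", "10.1.4.9", 40001, 1434, 17, 404),
]

# Constructed NetFlow-style records:
# (start_ts, src_ip, dst_ip, src_port, dst_port, ip_proto, packets, bytes)
FLOWS = [
    (0.0, "10.1.3.5", "10.1.4.7", 40000, 80, 6, 12, 9000),
    (0.5, "10.1.3.5", "10.1.4.9", 40001, 1434, 17, 1, 404),
    (1.2, "10.1.4.9", "10.1.3.5", 1434, 40001, 17, 1, 404),
    (2.0, "10.1.3.6", "10.1.4.7", 40002, 80, 6, 30, 22000),
    (3.7, "10.1.4.7", "10.1.3.6", 80, 40002, 6, 28, 30000),
]

# Constructed mapping from address prefix to the experiment link carrying that LAN.
LINKS = [("10.1.3.", "lan3"), ("10.1.4.", "lan4")]

# The view query: each flow is attributed to the (source link, destination link)
# pair and a time bin of :bin seconds; SUM gives the bytes/packets per bin.
VIEW_SQL = """
SELECT s.link AS src_link, d.link AS dst_link,
       CAST(f.start_ts / :bin AS INTEGER) * :bin AS t_bin,
       SUM(f.bytes) AS bytes, SUM(f.packets) AS packets
FROM flows f
JOIN links s ON substr(f.src_ip, 1, length(s.prefix)) = s.prefix
JOIN links d ON substr(f.dst_ip, 1, length(d.prefix)) = d.prefix
GROUP BY src_link, dst_link, t_bin
ORDER BY t_bin, src_link, dst_link
"""


def packets_to_flows(packets):
    """Aggregate packets into flows keyed by the 5-tuple (first-seen order kept)."""
    flows = {}
    for ts, src, dst, sport, dport, proto, length in packets:
        key = (src, dst, sport, dport, proto)
        if key not in flows:
            flows[key] = [ts, src, dst, sport, dport, proto, 0, 0]
        flows[key][6] += 1
        flows[key][7] += length
    return [tuple(row) for row in flows.values()]


def build_db(flows, links):
    """Load flow and link tables into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (start_ts REAL, src_ip TEXT, dst_ip TEXT, "
                 "src_port INTEGER, dst_port INTEGER, proto INTEGER, "
                 "packets INTEGER, bytes INTEGER)")
    conn.execute("CREATE TABLE links (prefix TEXT, link TEXT)")
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?,?)", flows)
    conn.executemany("INSERT INTO links VALUES (?,?)", links)
    return conn


def link_traffic(conn, bin_seconds):
    """Rows of (src_link, dst_link, t_bin, bytes, packets) for the visualizer."""
    return conn.execute(VIEW_SQL, {"bin": bin_seconds}).fetchall()


if __name__ == "__main__":
    for row in link_traffic(build_db(FLOWS, LINKS), 2.0):
        print(row)
```

Binning and attribution happen inside the query, so a different view (per host, per port, per protocol) is just a different SELECT against the same tables, which is the point of making the data source a query rather than a fixed export.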

17 User-defined link visualization: options to define views

18 Sample visualization output. Clicking on any plot zooms in and shows further details.

19 Animation: the network event replay toolbar with a pop-up link traffic chart.

20 BGP ESVT – the first shot.

21 Questions?

22 PSU KMSim Slammer-like Attack Generator
KMSim is a simulation code, consisting of coupled Kermack-McKendrick epidemic equations, to model the spread of a bandwidth-limited, randomly scanning Internet worm
Benefit: a family of worms can be flexibly simulated by tuning a few parameters
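The slide names the model family (coupled Kermack-McKendrick equations) without writing the equations out. The following added example, which is not KMSim's code and does not claim to reproduce its exact formulation, integrates the standard Kermack-McKendrick system with a worm-specific contact rate: an infected host scans at a rate bounded by its uplink bandwidth divided by the scan datagram size, and each scan hits a given address with probability 1/2^32. All parameter values (population, link rate, datagram size, removal rate) are constructed placeholders; changing them is the "tune a few parameters" knob the slide describes. The removal term lets the same code show the defensive side: when hosts are patched or filtered faster than the worm's growth rate, the outbreak dies out.

```python
"""Kermack-McKendrick model of a bandwidth-limited random-scanning worm.
Added example; not KMSim's code. All parameter values are constructed."""
from dataclasses import dataclass


@dataclass
class WormParams:
    n_vulnerable: float = 75_000.0             # vulnerable population (constructed)
    address_space: float = 2.0 ** 32           # IPv4 addresses a random scanner draws from
    link_bytes_per_sec: float = 12_500_000.0   # 100 Mb/s uplink per infected host (constructed)
    packet_bytes: float = 404.0                # bytes per scan datagram (constructed)
    removal_rate: float = 0.0                  # per-second patch/filter rate (K-M removal term)
    initial_infected: float = 1.0


def scan_rate(p: WormParams) -> float:
    """Scans per second an infected host emits when limited only by its uplink."""
    return p.link_bytes_per_sec / p.packet_bytes


def simulate(p: WormParams, duration: float, dt: float = 0.1):
    """Forward-Euler integration of the coupled equations
         dS/dt = -beta*S*I,   dI/dt = beta*S*I - gamma*I,   dR/dt = gamma*I
    with beta = scan_rate / address_space (probability per second that one
    infected host's scanning reaches one particular susceptible host).
    Returns a list of (t, S, I, R) samples."""
    beta = scan_rate(p) / p.address_space
    S = p.n_vulnerable - p.initial_infected
    I = p.initial_infected
    R = 0.0
    samples = [(0.0, S, I, R)]
    for k in range(1, int(duration / dt) + 1):
        new_inf = min(S, beta * S * I * dt)          # cannot exceed remaining susceptibles
        removed = min(I, p.removal_rate * I * dt)    # cannot remove more than are infected
        S -= new_inf
        I += new_inf - removed
        R += removed
        samples.append((k * dt, S, I, R))
    return samples


def time_to_fraction(samples, p: WormParams, fraction: float):
    """First sample time at which I + R (ever-infected) reaches the given fraction."""
    target = fraction * p.n_vulnerable
    for t, _, I, R in samples:
        if I + R >= target:
            return t
    return None


if __name__ == "__main__":
    p = WormParams()
    traj = simulate(p, 120.0)
    print("time to 90% infected:", time_to_fraction(traj, p, 0.9), "s")
    contained = simulate(WormParams(removal_rate=1.0), 120.0)
    print("final infected with fast removal:", round(contained[-1][2], 4))
```

With the constructed values the initial growth rate beta*N is about 0.54 per second, so the population is essentially saturated within a minute; raising `removal_rate` above that growth rate is what stops the epidemic, which is the quantity a defender wants from such a model.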

23 PSU NTD Traffic Data Mining Tool
A tool for efficient mining of the multidimensional traffic cluster hierarchy for digesting, visualization, and modeling
This tool detects the significant clusters, i.e., clusters whose traffic is greater than a threshold (either in terms of packet number or bytes)
  - Cluster definition: source IP, destination IP, source port, destination port or protocol
NTD is an efficient implementation of the approach described by Estan et al. in SIGCOMM '03
NTD is offline

24 EMIST Tool Effort
  - ICSI/PSU worm scale-down equations
  - PSU ESVT toolkit*
  - PSU KMSim Slammer-like attack generator*
  - PSU NTD traffic data mining tool*
  - Purdue scriptable event system*
  - Purdue sys info logging tool*
  - Purdue data analysis and viz scripts*
  - SPARTA/McAfee DDOS trace analysis and viz scripts
  - SRI/UCD worm simulation tools
  - UCD emulated worm attack generation tool
  - UCD NTGC network traffic generation and control tool
  - UCD XML worm specification tool
  - UCD BGP routing data viz tool
* Officially released

25 Purdue Scriptable Event System
During a DETER experiment, many events may happen
  - time events, cmd events, etc.
Although local event response can be pre-programmed on a single test machine, synchronized event response among a set of test machines cannot be pre-programmed
This tool allows runtime coordinated event response via a coordinator-participant model
Each test machine can run a participant stub that communicates with the coordinator to report events and receive response instructions
The global event response plan can be flexibly scripted by the experimenter
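The coordinator-participant model on this slide is easiest to see in a small in-process simulation. The following added example (not the Purdue tool's code) has a coordinator that holds the experimenter's scripted response plan and an instruction queue per machine, and participant stubs that report local events and execute whatever the coordinator hands back. The plan includes a rule that only fires once every participant has reported the same event, which is exactly the kind of cross-machine synchronization a single machine cannot pre-program on its own. Event names, instruction names and the scenario are constructed; a real stub would exchange these messages over the network and run a local script for each instruction.

```python
"""Coordinator-participant event response, simulated in-process.
Added example; not the Purdue scriptable event system's code."""
from collections import defaultdict, deque


class Coordinator:
    """Holds the global response script and an instruction queue per participant."""

    def __init__(self, participants, script):
        self.inbox = {name: deque() for name in participants}
        self.script = script                 # event name -> list of response rules
        self.seen = defaultdict(set)         # event name -> machines that reported it
        self.event_log = []                  # (machine, event) in arrival order

    def report(self, machine, event):
        """A participant reports an event; every matching rule queues instructions."""
        self.seen[event].add(machine)
        self.event_log.append((machine, event))
        for rule in self.script.get(event, []):
            # "when_all" rules act as a barrier: fire only once every machine reported
            if rule.get("when_all") and self.seen[event] != set(self.inbox):
                continue
            targets = list(self.inbox) if rule["target"] == "*" else [rule["target"]]
            for name in targets:
                self.inbox[name].append(rule["instruction"])

    def fetch(self, machine):
        """Hand a participant its pending instructions and clear the queue."""
        queue = self.inbox[machine]
        instructions = list(queue)
        queue.clear()
        return instructions


class ParticipantStub:
    """Runs on one test machine: forwards local events, executes returned instructions."""

    def __init__(self, name, coordinator):
        self.name, self.coordinator, self.executed = name, coordinator, []

    def report(self, event):
        self.coordinator.report(self.name, event)

    def poll(self):
        for instruction in self.coordinator.fetch(self.name):
            self.executed.append(instruction)    # a real stub would run a local script
        return self.executed


# Constructed response plan (hypothetical event and instruction names).
SCRIPT = {
    "ready":              [{"target": "*", "instruction": "start_logger", "when_all": True}],
    "worm_released":      [{"target": "*", "instruction": "start_tcpdump"}],
    "infection_observed": [{"target": "internet_iface", "instruction": "log_snapshot"}],
    "experiment_end":     [{"target": "*", "instruction": "stop_tcpdump"}],
}


def run_scenario():
    """Constructed scenario; returns what each machine ended up executing."""
    names = ["internet_iface", "host1", "host2"]
    coord = Coordinator(names, SCRIPT)
    stubs = {n: ParticipantStub(n, coord) for n in names}
    for n in names:                 # logging starts only after every machine is ready
        stubs[n].report("ready")
    stubs["host1"].report("worm_released")
    stubs["host2"].report("infection_observed")
    stubs["internet_iface"].report("experiment_end")
    return {n: stubs[n].poll() for n in names}


if __name__ == "__main__":
    for name, done in run_scenario().items():
        print(name, done)
```

Because the plan is plain data, the experimenter can change which machines react to which event without touching the stubs, which is the "flexibly scripted" property the slide claims for the tool.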

26 Purdue Sys Info Logging Tool
This tool logs system-level statistics associated with a certain network interface:
  - timestamp
  - bytes_per_sec, pack_per_sec
  - bytes_per_sec_up, pack_per_sec_up
  - memtotal, memused
  - uptime, idletime
  - established TCP connections, half-open TCP connections
  - TCPSlowStartRetrans count, TCPAbortOnTimeout count
  - errs on the device drivers, drops on the device drivers

27 UCD Emulated Worm Attack Generation
  - All nodes host a worm generation daemon.
  - Nodes wait for worm attack "instructions".
  - Propagation behavior of the worm is varied by varying the "instructions".
  - An XML specification of worm propagation serves as the instructions.

28 UCD Network Traffic Generation and Control (NTGC)
Block diagram:
  - Inputs: raw trace 1 ... raw trace n
  - Traffic Analyzer: reconstruct TCP connections; generate flow data; merge traces; timestamp normalization
  - Analyzer outputs: connection data, flow data
  - Traffic Filter: filtering; address remapping; scale up/down; duplicate remove
  - Filter inputs: address remapping rules, topology file
  - Configuration File Generator