1. INTERNET SIMULATOR Jelena Mirkovic USC Information Sciences Institute sunshine@isi.edu

2. Two pieces of the puzzle – Internet map – different sources – Computational models – Simulation engine Open-source, modular – Users can replace pieces Simulation at customizable granularity – Speed vs scale, problem-dependent, zoom-in function My experience – Custom Internet simulators for IP spoofing and worm research 2

3. Evaluate all spoofing filtering defenses These associate a source IP with some feature to detect spoofing – Previous hop, secret key, marks placed by routers … Model the Internet, calculate number of all (source, target, spoofed address) that are filtered No need to model attackss That depends: – Many hosts may have the same previous hop to filter – route diversity, route changes and host distribution – Route diversity depends on filter location – topology – Any address can be spoofed – need Internet-wide data [1] “Comparative Evaluation of Spoofing Defenses,” J. Mirkovic and E. Kissel, IEEE Transactions on Dependable and Secure Computing, 2009.

4. How accurate must a model be? – Assuming random topology/routing/filter placement, uniform host distribution = extremely low effectiveness Realistic sources produce much better results 6 months for the eval framework, 3 more years to get the sources right - 6x the overhead

5. We wanted to study collaborative worm defenses: – When I’m infected I tell my friends what to filter We decided to model the following in PAWS [2]: – Internet topology at the AS level – Conn. and AS size, routing – Log-normal distribution of vulnerable hosts – Worm-specific scanning strategy (RNG, scan size) – Limited link bandwidth (inter-AS, access) – Legitimate cross-traffic and its response to congestion (TCP) This required lot of data collection/aggregation and guesswork - Especially for routing, host distribution, link bw and legitimate traffic [2] “A Realistic Simulation of Internet-Scale Events,” S. Wei and J. Mirkovic, Proc. of the Create-Net International Conference on Performance Evaluation Methodologies and Tools (VALUETOOLS), 2006.

7. How accurate must a model be? Lessons learned from our experience: - 2 years to do the simulation right and the field has moved on – we never developed the worm defense

8. Internet map + simulator There’s a lot of data about the Internet – Multiple sources, multiple data types and resolutions We need a way to suck this data into ONE model of the Internet where user can select - “Age” of the Internet – time of data collection - Sources to be combined - What to do for missing data This model should either interface with popular simulators or be coupled with a simulator of its own - For this scale, the simulator must be distributed and its level of details must be customizable - Standardization of evaluation, easy portability

9. Data about Internet is incomplete in each dimension – Each data source should have some way to estimate how far it is from reality and possibly compensate for it Data about Internet is huge - Distributed simulation - Emulation at this scale is too hard and unnecessary - Missing data - Tolerate or guess? Users should choose - E. g., extrapolate from existing data - Anonymized data - Guess, users should choose how - E. g., random guess, multiple trials

10. Simulating only necessary events leads to great speedup: - In our work: 136-CPU core running PDNS and GTNetS matched with 8 common PCs - Fidelity/details are specific to research questions - May be able to come up with a standard for an area of research - Users must be able to customize this - Interaction between simulation and the model must also be specified

11. ns-3 seems promising: - It’s better to start from a widely used simulator than to develop one from scratch - ns-3 corrects lots of deficiencies found in ns-2 - Easily extensible, detailed simulation of network events, lots of tools for post-processing Work needed: - Significant revision to support “variable granularity” simulations and Internet model interaction – must be able to drop pieces of code selectively - A separate, large chunk of code to model the Internet Downsides: - Two-language code base, sometimes hell to debug

12. Need a set of distributed machines: - Research testbeds such as Emulab and DETER seem like a good choice - Usually have shared file system, useful for initialization files - Usually have dedicated links between nodes of high capacity and low delay - Any institution can build its own mini-testbed, all code for this is open-source Each user needs his own copy of the code: - So he can customize it accordingly - There could be a centralized repository for the map where the most popular data sources are integrated

13. The core of the code should be developed by a single team: - Ability to create unified maps from disparate sources - Ability to selectively simulate events at chosen granularity - Interaction between the simulator and the map - Some straightforward “guesswork” techniques Customizations of map/simulator for specific problems should be contributed by the user community: - Open-source model, like ns-2 - Code contributed by experts for specific problems

14. I’d love to hear your questions and comments! Jelena Mirkovic, sunshine@isi.edusunshine@isi.edu