Controlled Chaos

 


Homeland Security's R&D branch has been attacking its own test networks to help prevent future cyberattacks.

The Homeland Security Department isn't just about protecting borders and preventing another 9/11. As the research and development arm for DHS, the Science and Technology Directorate has the mission of developing a technological edge that would also help fight terrorism. The office has designated cybersecurity as an area worthy of attention. Not only could the government benefit from greater network security tools, but DHS also expects its work could help protect commercial networks and critical infrastructure.

When it comes to network security, DHS has found that studying must come before defending. The agency's Science and Technology Directorate has co-funded, along with the National Science Foundation, two test beds that researchers may use to replicate network attacks. Such test beds may provide the essential tools for fighting tomorrow's computer attacks.

The test beds are ideal for running "risky" code, or viral programs that could propagate out of control and infest all the nodes of a given network. Vendors can test their new products on these networks, and researchers can test their new experimental code.

Both test beds are funded jointly by DHS and NSF, under a program called the Cyber Defense Technology Experimental Research project, or DETER. The University of Southern California, University of California at Berkeley and McAfee Inc. of Santa Clara, Calif., manage the test beds.

"Our goal is to have a test bed that can run truly live malicious code," said Terry Benzel, deputy director of the Computer Networks Division at USC's Information Sciences Institute.

The test beds were only a first step. The directorate has also funded work to make future network simulations more exact. A related program is gathering real-life samples of data traffic that can be used on the test beds. And a third program is developing a set of metrics that can be used to scientifically determine the effectiveness of various experimental approaches.

"The idea is to provide large-scale test beds that emulate a real architecture," said Annabelle Lee, Science and Technology Directorate portfolio manager for cybersecurity.

Lee considers DETER one of the early success stories of DHS' cybersecurity research funding. The cybersecurity portfolio has a modest budget: $18 million for fiscal 2005 and a proposed 2006 budget of $16.7 million. Lee's office takes lists of prioritized requirements from other DHS directorates, most notably the National Cyber Security Division and the National Communication System, and forges them into areas of interest for which DHS will fund new research.

Live since March 2004, the DETER test beds have already hosted a number of experiments. There may be 15 to 20 experiments running at one time, Benzel said. One project simulated how the Slammer worm affects network behavior. Another tested a software prototype that could detect and redirect distributed denial-of-service attacks.

In many ways, it was this experiment that validated the need for a large-scale test bed, Benzel said. Historically, researchers have set up smaller test beds, with maybe a dozen nodes, to work out network security problems. Distributed denial-of-service attacks, however, involve hundreds or thousands of computers.

Each test bed is contained in a single room. Researchers can either visit the facilities and conduct experiments, or run them remotely over the Internet. There is a 72-node cluster at USC, while another 32-node cluster operates at Berkeley.

DETER uses software called Emulab, a network simulation platform developed by the University of Utah. The networks themselves employ a combination of computers, including IBM Netfinity servers and Sun Microsystems Sun Fire machines. Each rack-mounted computer has five Ethernet cards. Four are used to represent separate nodes and a fifth is set up as an out-of-band port to control the machine. The nodes themselves connect to different Ethernet switches depending on location (a Cisco 6509 switch at USC and a Foundry Fast Iron 1500 switch at Berkeley).

At the beginning of each experiment, the user picks from a list of scripts that model different network environments. The Emulab software loads the operating system onto the nodes and carves out virtual local area networks for testing. The computers themselves can be set up as routers, to generate traffic, or as end-user systems.

One of the most difficult challenges was configuring the test beds to make them accessible over the Internet, Benzel said. Allowing researchers to run experiments remotely was a desirable feature, yet the design team had to ensure that any potentially damaging code run on the test beds could not jump over onto the Internet.

According to George Kesidis, one of the principal investigators on the project, "It is a double-edged sword. You want to make it quarantined from the Internet, but you don't want everyone to fly to [USC] in order to use it." So the design team included an intermediary machine that can be tapped over the Internet, through which the experiments can use a Secure Shell session to connect to experimental nodes.

DETER has been just one part of DHS' efforts to simulate realistic network traffic and the attacks that plague it. The program has successfully established the hardware and supporting software required for large-scale experimentation. But its development immediately sparked additional avenues of R&D. Researchers needed to know what standard metrics are required to gauge the effectiveness of possible mitigation efforts. And how do you simulate normal day-to-day traffic on an experimental network?

DHS found that neither concern was addressed adequately in the commercial sector. So the agency, again in conjunction with NSF, funded two additional projects to tackle these issues.

To address the first set of concerns, the Evaluation Methods for Internet Security Technology (EMIST) program is developing a set of scientifically rigorous testing frameworks. It will look for ways to run test bed experiments so that they will be scientifically repeatable and correlate with actual, real-world conditions.

In order to develop such metrics, the program itself has been a pioneering user of DETER. This project is carried out by a coalition of academic institutions and commercial companies.

"We're discovering problems with the test bed so when we open it up to a much wider community of experimenters, they won't discover these problems," said Kesidis, who, in addition to his work on DETER, is one of the principal investigators on EMIST.

One area that could use some standardization, for instance, is the amount and type of background traffic experienced every day by a network.

"Previously, each researcher defined their own way of seeding the experiment. Now EMIST provides a common interface to a common set of tools so we can all see common types of experiments in the same way," Benzel said.

A third program, Protected Repository for Defense of Infrastructure against Cyber Threats, or PREDICT, also addresses this issue.

This effort is collecting "a set of data sets and actual network data that can be used by DETER to test tools and software," Lee said. The data sets are being obtained from Internet service providers and telecommunications companies. These data sets can be used to model, or even replicate, data packet traffic on the test beds, which then can be subjected to attacks and prototype defense measures.

DHS is hoping that, taken together, DETER, EMIST and PREDICT will provide a solid base for better understanding network security. Even building the test beds, testing tools and simulation data sets can lead researchers to think about the nature of future threats. After all, they must build tools that can be useful in the years to come.

"How do you rigorously test defenses without coming up with new attacks?" Kesidis said. "Along the way, we're debating what the true threats of the future are."

DHS co-funded an experimental test bed at Berkeley.

Terry Benzel with a similar network at USC.

Where the money goes: How DHS funds cybersecurity research

"What we try to do is stimulate areas of particular importance to DHS and the government," said Annabelle Lee, the Homeland Security Department Science and Technology Directorate's portfolio manager for cybersecurity.

As portfolio manager, Lee is the person who leads strategic planning: deciding where to invest money and setting program requirements and metrics.

The cybersecurity portfolio's limited budget ($18 million for this fiscal year and $16.7 million proposed for 2006) encourages efficiency. Lee said DHS R&D efforts should not overlap with the considerable advanced work that is already being done in the commercial sector, by companies that make money providing security products, such as Symantec Corp. of Cupertino, Calif.

"We are very careful as to what we fund, so we can get the most from our dollars. Obviously we don't want to fund a capability that is already available," Lee said.

Lee's office takes lists of prioritized requirements from other DHS directorates, most notably the National Cyber Security Division and the National Communication System. The Secret Service also submits a wish list.

Once the needs are defined and funding is in place, the office then solicits research help through a number of different means. One is the Small Business Innovative Research program. Another is a new, as yet unnamed program to help assess and distribute new security products and tools.

But the chief method of disseminating R&D funds is through broad area announcements. Winners of the 2004 solicitations were recently announced through the Homeland Security Advanced Projects Agency. BAAs can fund either the development of new technologies, the development of a prototype or a technology that is 12 months away from completion. Topic areas include vulnerability discovery, remediation and prevention, security of operational systems, wireless security (at the behest of the Secret Service), critical infrastructure protection, network attack forensics and methods to protect against identity theft. Participants include academic researchers, small start-up companies and even established vendors that want to take part in research opportunities.

Of course, simply developing the technology is not enough to guard against threats. Each BAA proposal has to include a description of the efforts for commercializing the technology in question.
