Automated Discovery for Emulytics

Sandia has an extensive background in cybersecurity research and is currently extending its state-of-the-art modeling via emulation capability. However, a key part of Sandia's modeling methodology is the discovery and specification of the information-system under study, and the ability to recreate that specification with the highest fidelity possible in order to extrapolate meaningful results. This work details a method to conduct information system discovery and develop tools to enable the creation of high-fidelity emulation models that can be used to enable assessment of our infrastructure information system security posture and potential system impacts that could result from cyber threats. The outcome are a set of tools and techniques to go from network discovery of operational systems to emulating complex systems. As a concrete usecase, we have applied these tools and techniques at Supercomputing 2016 to model SCinet, the world's largest research network. This model includes five routers and nearly 10,000 endpoints which we have launched in our emulation platform.

[1]  Irfan Habib,et al.  Virtualization with KVM , 2008 .

[2]  Y. Ebihara Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[3]  Jon Postel,et al.  Internet Control Message Protocol , 1981, RFC.

[4]  Dongho Kim,et al.  Experience with DETER: a testbed for security research , 2006, 2nd International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, 2006. TRIDENTCOM 2006..

[5]  Bogdan M. Wilamowski,et al.  The Transmission Control Protocol , 2005, The Industrial Information Technology Handbook.

[6]  Robin Berthier,et al.  Nfsight: netflow-based network awareness tool , 2010 .

[7]  Gordon Fyodor Lyon,et al.  Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning , 2009 .

[8]  Vincent E. Urias,et al.  Emulytics? at Sandia National Laboratories. , 2015 .

[9]  Eric Eide,et al.  Introducing CloudLab: Scientific Infrastructure for Advancing Cloud Architectures and Applications , 2014, login Usenix Mag..

[10]  Khaled Harfoush,et al.  Efficient Estimation of More Detailed Internet IP Maps , 2007, 2007 IEEE International Conference on Communications.

[11]  Ramesh Govindan,et al.  Heuristics for Internet map discovery , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[12]  Jelena Mirkovic,et al.  DEW: Distributed Experiment Workflows , 2018, CSET @ USENIX Security Symposium.

[13]  David C. Plummer,et al.  Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware , 1982, RFC.

[14]  Mike Hibler,et al.  Large-scale Virtualization in the Emulab Network Testbed , 2008, USENIX ATC.

[15]  Martín Casado,et al.  The Design and Implementation of Open vSwitch , 2015, NSDI.

[16]  Ralph E. Droms,et al.  Dynamic Host Configuration Protocol , 1993, RFC.

[17]  Ratul Mahajan,et al.  Measuring ISP topologies with Rocketfuel , 2004, IEEE/ACM Transactions on Networking.

[18]  Yifan Li,et al.  VisFlowConnect: netflow visualizations of link relationships for security situational awareness , 2004, VizSEC/DMSEC '04.

[19]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[20]  Ailton Akira Shinoda,et al.  Using Mininet for emulation and prototyping Software-Defined Networks , 2014, 2014 IEEE Colombian Conference on Communications and Computing (COLCOM).