When cybersecurity researchers sit down to run experiments on a network, they have a few choices in terms of the approach they can take. One option is to actually build a physical network by taking computers and routers and cables and attaching everything together, which is very realistic but expensive and generally not scalable. Another approach is to use simulated experiments, which are based on mathematical models of computers and their interactions. These simulations are generally low-cost and scalable. However, because they are based on models, their accuracy and realism are limited to the accuracy of the models, which is often not sufficient for the study of specific vulnerabilities in software packages, which is what many researchers are focused on.
An alternative method, emulation, allows researchers to create multiple virtual machines to construct a full computer network on a single computer, cutting back on physical resources, but still providing many of the benefits of using a real system. Emulation allows researchers to choose which system components will be mathematically modeled and which components will be actually implemented, balancing the appropriate levels of accuracy, realism and scalability for each experimentation. These emulated environments can be rather time-consuming to set up, however, and they don’t allow for easy editing of the virtual machines and their properties.
Faced with these challenges, a team of researchers at Florida Institute of Technology, including Research Associate Troy Toggweiler, CSE master’s student Evan Stoner, Associate Professor and Director of the Harris Institute for Assured Information Marco Carvalho, and Research Professor Thomas Eskridge, have developed VINE, or Virtual Infrastructure for Network Emulation. This system helps users build large-scale emulated testbeds, so they can run their experiments without having to focus on the mechanisms required for creating the emulated environment, speeding the process up considerably compared with setting up a traditional physical network. “Something that would normally take — if you had a real machine and had to install software and all that — anywhere from thirty minutes to two hours, we can do in two minutes,” Toggweiler said.
VINE also allows users to edit and make changes to their network components easily. “Say you have a testbed and you want to try something on it, but then you decide you want to have a different operating system,” Stoner said. “To tear those ten machines down and set them up in VINE is a really trivial operation, instead of you having to go in there and figure out where it is and take it down.”
Another important and unique feature of VINE is its integrated behavior system, which generates realistic network traffic for the user to interact with. “You can have all these systems running, but if they’re not actually generating traffic that is realistic — something you might see every day in a real enterprise — it’s not going to be worth studying,” Stoner said. “So we’ve got this set of behavior models that respond and adapt as a human would.”
The distinguishing characteristic of VINE’s behavior system is that it is mission-oriented and adaptable. So, for example, if someone wants to send a file to someone else, that’s their mission. There are many ways this can be accomplished – via email, over FTP, or through other file-sharing systems. If, during the course of the experiment, an attacker takes down the email service, the user can still complete their mission by using another method to send the file. “A huge part about what we have is adaptability,” Stoner said. “A lot of the existing solutions have a static approach to how they do things. They have a set list of tasks and if one of those things fails, they consider the whole mission failed. This is, of course, not realistic because humans adapt and find a way to get things done, even when their infrastructure starts to fail.” This adaptability also extends to the users or processes attacking the network. “As users continue their mission in the midst of network attacks, VINE allows us to model how the threat may respond to that and change attack strategies, making much more realistic experiments,” explained Eskridge.
Another thing the team focused on when developing VINE is the ability to share and re-create experiments to test hypotheses. “In the last few years the Government has sponsored large-scale emulation environments for cyber defense research such as GINI and CyberRange. This is a very positive trend, but there is still a gap between the ability to build emulation and the ability to quickly and efficiently rigorous experiments,” said Carvalho. “Part of the scientific method entails not only the constructions of hypothesis, but the ability to design and execute experiments to properly test them. In cyber defense this often requires very complex experiments involving the co-evolution of adversaries (i.e. attackers and defenders). VINE was designed to help facilitate that process, providing a high-fidelity and highly configurable cyber emulation environment that can be automated and integrated with mission-driven experiments. VINE is extensively used in our projects in support to both rigorous experimentations, and capability demonstrations.”
Stoner echoed how important it is to help bring rigor to cybersecurity research. “The verifiability of experiments is something that is really big in the traditional sciences, and not as popular in cybersecurity, but I think one of the new efforts is to make things repeatable and verifiable, because otherwise you’re kind of dealing with a subjective assessment of your network and your attacks and defenses,” he said. “If we have the real, concrete data, which VINE also helps us generate – the behavior system generates solid data to look at – you can say, ‘Look, I experienced a 20% reduction in outage when I had this defense running.’”
The benefits of VINE for doing cybersecurity research are even being recognized on a national level; this spring, the team won second place in the 8th Annual National Security Innovation Competition in Colorado Springs, Colo. The competition is sponsored by the National Homeland Defense Foundation and is designed as a one-of-a-kind venue to link college students conducting cutting-edge research on concepts and technologies intended to meet national security capability needs, with government and industry customers.
Carvalho emphasizes that this has really been a team effort. “The students and the research staff of the Harris Institute for Assured Information have done a great job in extending the infrastructure to connect VINE to a cloud environment,” he said. “They have also greatly improved the user interfaces to configure and monitor the emulation environment; it was great to see the student’s involvement and initiative in the project. Other critical components to the infrastructure have been designed and developed by the faculty, often in collaboration with other organization and government sponsors.”
Currently, VINE is being used primarily as a capability for cybersecurity research and experimentation, but could be used in education and training in the future. On the university level, where students are learning basic concepts of how networks function, they’re able to create simple networks and watch how traffic moves through it, without having to have an elaborate, expensive physical network. “I could start running traffic on there and I could have humans interacting and working with it,” Stoner said. “I could automate some sort of attacker and then train a human to defend against it – putting up defenses, managing firewall rules, things like that.”
Carvalho agreed that VINE would make a good educational tool. “While at the moment we are primarily focused on VINE’s research applications, I fully anticipate us leveraging the framework to design and deliver new hands-on security classes for our students both on campus and online,” he said.
Ultimately, the ability to use VINE for cybersecurity research means better, faster experiments and more preparation in defending against possible attacks. This is important for the average person, who accesses a lot of secure, personal information through networks.