The DETER project grew out of early work funded by Dr. Douglas Maughan, then at DARPA, in which Network Associates Labs studied and defined the objectives and requirements for a large-scale DDoS testbed. The resulting report, “Justification and Requirements for a National DDoS Defense Technology Evaluation Facility,” laid the basis for the key objectives of the DETER project:
- Design, build, and operate a network testbed specifically to support security research: DeterLab;
- Catalog software tools to help create, monitor, and analyze complex security experiments in DeterLab;
- Facilitate the creation of a collaborative community of security researchers, in particular the EMIST project.
The DETER project was funded jointly by two government agencies, the National Science Foundation (NSF) and the U.S. Department of Homeland Security Advanced Research Projects Agency (HSARPA), over the period 2003 – 2007. The partners in the DETER project were USC’s Information Sciences Institute (USC-ISI), UC Berkeley, and Sparta, Inc.
Initial Phase
The first phase of DETER Project history was the 2003 – 2004 time frame in which the core efforts were focused on the following tasks:
- Assembling the network and physical resources for the lab;
- Integrating network testbed operations software;
- Putting relevant existing tools into initial use;
- Collaborating with EMIST researchers on defining and developing the controls and user interfaces for experimenters.
The testbed became operational in March 2004. The first DETER Community Workshop was held in November 2004, with focused working groups on the topic, “Using DETER for DDoS Experimentation, Worm Experimentation, and Routing Experimentation.” Other milestones for the initial phase of the DETER project were several important refereed publications on work by DeterLab experimenters:
- Cyber defense technology networking and evaluation, R. Bajcsy, T. Benzel, M. Bishop, B. Braden, C. Brodley, S. Fahmy, S. Floyd, W. Hardaker, A. Joseph, G. Kesidis, K. Levitt, B. Lindell, P. Liu, D. Miller, R. Mundy, C. Neuman, R. Ostrenga, V. Paxson, P. Porras, C. Rosenberg, J. D. Tygar, S. Sastry, D. Sterne, and S. F. Wu. In Communications of the ACM, Special Issue on Emerging Technologies for Homeland Security, Vol. 47, Issue 3, pp. 58-61, March 2004.
- A hybrid quarantine defense, P. Porras, L. Briesemeister, K. Levitt, J. Rowe, K. Skinner, and Y.-C. A. Ting, In Proceedings of ACM WORM, Washington, DC, Oct. 29, 2004.
- Combining visual and automated data mining for near-real-time anomaly detection and analysis in BGP, S.T. Teoh, K. Zhang, S.-M. Tseng, K.-L. Ma, and S. F. Wu, In Proceedings of ACM VizSEC/DMSEC-04, Washington, DC, Oct. 29, 2004.
- Preliminary results using scale-down to explore worm dynamics, N. Weaver, I. Hamadeh, G. Kesidis, and V. Paxson. In Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp. 65-72, 2004.
Second Phase
DETER’s second phase was the natural outgrowth of the first, with the maturing of the DeterLab facility and the researcher community growing beyond the initial EMIST-funded scientists based at Penn State, McAfee Research, ICSI, Purdue, Sparta, Inc., SRI International, and UC Davis. The breadth of activity greatly increased:
- Continuing EMIST research included work on DDoS defense, worm propagation, and BGP routing attacks.
- New researchers’ work included worm defense, malware analysis, and network intrusion prevention.
- Both DETER researchers and community collaborators worked on the technology for supporting and enabling cyber-security research itself: experiment automation, benchmarking, scaling via hypervisor usage, malware containment, and the initial work on federation, which is now a central component of DeterLab technology.
The research efforts in each area were often collaborative with one another, and they also resulted in contributions to the experimenter infrastructure and tools available in DeterLab, including a network traffic generator from UC Davis, a worm simulator from the University of Delaware, and DDoS defense benchmarks from a research team drawn from four institutions. These research and collaboration activities continued through the end of the initial DETER Project contract in 2007, and they included work on community building and testbed hardware extensions funded by the NSF DECCOR project.
Milestones for the second phase of the DETER project included publication of DETER-enabled research papers by researchers from over 40 institutions, and the first DETER researcher to be granted a Ph.D. for work performed with DeterLab, Carrie Gates, as part of an increase in university-based use of DeterLab.
Third Phase
The next phase of DETER’s growth was in 2008 – 2010, under DHS’s DIPLOMAT and DoD’s DIRECT contracts, and included further extension of DeterLab and the launch of DeterLab’s first-generation experimenter workbench, SEER. With the technological maturity achieved in this phase and the experience gained from supporting over 1000 researcher team members, the stage was set for DETER Project activities to focus increasingly on research and development in cyber-security experimentation methodology, infrastructure, and tools, and on other extensions to both the underlying resources of DeterLab and the methods of using DeterLab for scientific experimentation.
Current DETER Project Activity
The DETER project is now in its fourth phase, under the DETECT contract, with a focus on the current research program as well as community-building among both scientific and educational users of DeterLab facilities.
Since DeterLab’s inception, over 2000 users have run experiments. In 2010, 33 new technologies were tested, for a total of 74 technologies tested that year. In GFY Q2 (Jan – March 2011), 66 different technologies were the focus of experimentation. Recent work by DeterLab researchers has included analysis of data-center network activity structures, anomaly detection, and analysis of botnets and their botmaster command-and-control activity.