The Evaluation Methods for Internet Security Technology (EMIST) project was a collaboration among the organizations with the first wave of research users of the DETER testbed, which has since evolved into DeterLab. Starting in March 2004, EMIST was funded by NSF, DHS, and DARPA to pursue cyber-security research with the testbed, and to collabroate with the DETER project on the development of testbed capabilities -- in essence, the first user group, working closely with DETER to project feedback on testbed capabilities as DETER built and operated the testbed as experimental infrastructure for EMIST and other security researchers.
The EMIST team of researchers were from Penn State, UC Davis, Purdue, ICSI, McAfee, Sparta, and SRI, and included experts in security, networking, data analysis, software engineering, and operating systems, all committed to developing testing frameworks and methodologies for cyber security.
The general objective of EMIST was to develop thorough, realistic, and scientifically rigorous testing frameworks and methodologies for particular classes of network attacks and defense mechanisms. These testing frameworks were adapted for different kinds of experimental approaches, including simulators such as NS, emulation facilities such as the DETER testbed, and both small and large testbeds of real hardware, including: attack scenarios; attack simulators; generators for topology and background traffic; data sets derived from live traffic; and tools to monitor and summarize test results. These frameworks allowed researchers to experiment with a variety of parameters representing the network environment, attack behaviors, and the configuration of the mechanisms under test conditions.
These frameworks and methodologies were being validated through experiments on the DETER testbed. The validation involved tests on representative network defense mechanisms, including intrusion detection systems (IDSs), automated attack traceback mechanisms, traffic rate-limiting to control DDoS attacks, and mechanisms to detect large-scale worm attacks. DDOS, worms, and routing security had distint research teams working on projects within EMIST.
1. DDoS Experiments using DETER
One of the objectives of EMIST was to improve the state of scientific knowledge about distributed denial-of-service (DDoS) defense to accelerate the development of better DDoS defense technologies. DDoS experiments improved the understanding of the dynamics and effects of DDoS attacks on complex networks, and provided techniques for analyzing the effectiveness of DDoS defense technologies in defending such networks. The EMIST team's DDoS experiments included studies of several different defensive technologies using commercial software, open source software, and research prototypes to investigate questions regarding the configuration, conduct, methodology and analysis of DDoS defense evaluation in a rigorous setting.
2. Worm Behavior Experiments using DETER
The EMIST worm team focused its research and experimentation on techniques for modeling Internet-scale events related to worm propagation. In this undertaking, scale-down was a critical component, and the team experiment with, tested, and developed a number of scale-down approaches later used by other researchers.
3. Routing Infrastructure Experiments using DETER
The EMIST routing team focused their efforts on BGP routing attacks. They evaluated the ability of several security mechanisms (such as Whisper/Listen, SBGP, and SoBGP) to defend the Internet routing infrastructure against malicious attacks. These experiments demonstrated two types of BGP attacks: OASC (Origin AS Changes) and DDP (Differential Damping Penalty). The experiments provided data that was be used to compare the strength, weakness, performance, and effectiveness of several proposed approaches to handle attacks toward the routing infrastructure.