Using an Emulation Testbed for Operational Cyber Security Exercises

  • Christos Siaterlis
  • Andres Perez-Garcia
  • Marcelo Masera
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 367)


The detection, coordination and response capabilities of critical infrastructure operators ultimately determine the economic and societal impact of infrastructure disruptions. Operational cyber security exercises are an important element of preparedness activities. Emulation testbeds are a promising approach for conducting multi-party operational cyber exercises. This paper demonstrates how an Emulab-based testbed can be adapted to meet the requirements of operational exercises and human-in-the-loop testing. Three key aspects are considered: (i) enabling secure and remote access by multiple participants; (ii) supporting voice communications during exercises by simulating a public switched telephone network; and (iii) providing exercise moderators with a feature-rich monitoring interface. An exercise scenario involving a man-in-the-middle attack on the Border Gateway Protocol (BGP) is presented to demonstrate the utility of the emulation testbed.


Cyber security exercises network security emulation testbed 


  1. 1.
    W. Adams, E. Gavas, T. Lacey and S. Leblanc, Collective views of the NSA/CSS cyber defense exercise on curricula and learning objectives, Proceedings of the Second Conference on Cyber Security Experimentation and Test, p. 2, 2009.Google Scholar
  2. 2.
    European Commission, Protecting Europe from Large Scale Cyber-Attacks and Disruptions: Enhancing Preparedness, Security and Resilience, COM(2009) 149, Brussels, Belgium ( cy/nis/docs/comm_ciip/comm_en.pdf), 2009.Google Scholar
  3. 3.
    Federal Emergency Management Agency, Homeland Security Exercise and Evaluation Program (HSEEP), Washington, DC ( Scholar
  4. 4.
    Flux Research Group, Emulab bibliography, School of Computing, University of Utah, Salt Lake City, Utah ( Scholar
  5. 5.
    Flux Research Group, Emulab – Network Emulation Testbed, School of Computing, University of Utah, Salt Lake City, Utah ( Scholar
  6. 6.
    C. Hepner and E. Zmijewski, Defending against BGP man-in-the-middle attacks, presented at the Black Hat DC Conference, 2009.Google Scholar
  7. 7.
    H. Jones, Network Weathermap ( Scholar
  8. 8.
    K. Lahey, R. Braden and K. Sklower, Experiment isolation in a secure cluster testbed, Proceedings of the Conference on Cyber Security Experimentation and Test, 2008.Google Scholar
  9. 9.
    Y. Li, M. Liljenstam and J. Liu, Real-time security exercises on a realistic interdomain routing experiment platform, Proceedings of the Twenty-Third Workshop on Principles of Advanced and Distributed Simulation, pp. 54–63, 2009.Google Scholar
  10. 10.
    M. Liljenstam, J. Liu, D. Nicol, Y. Yuan, G. Yan and C. Grier, RINSE: The real-time immersive network simulation environment for network security exercises (extended version), Simulation, vol. 82(1), pp. 43–59, 2006.CrossRefGoogle Scholar
  11. 11.
    J. Mirkovic, A. Hussain, S. Fahmy, P. Reiher and R. Thomas, Accurately measuring denial of service in simulation and testbed experiments, IEEE Transactions on Dependable and Secure Computing, vol. 6(2), pp. 81–95, 2009.CrossRefGoogle Scholar
  12. 12.
    J. Mirkovic, P. Reiher, C. Papadopoulos, A. Hussain, M. Shepard, M. Berg and R. Jung, Testing a collaborative DDoS defense in a red team/blue team exercise, IEEE Transactions on Computers, vol. 57(8), pp. 1098–1112, 2008.MathSciNetCrossRefGoogle Scholar
  13. 13.
    R. Ostrenga and P. Walczak, Application of DETER in large-scale cyber security exercises, Proceedings of the DETER Community Workshop, 2006.Google Scholar
  14. 14.
    RIPE Network Coordination Center, YouTube hijacking: A RIPE NCC RIS case study, Amsterdam, The Netherlands (, 2008.Google Scholar
  15. 15.
    B. Sangster, T. O’Connor, T. Cook, R. Fanelli, E. Dean, W. Adams, C. Morrell and G. Conti, Toward instrumenting network warfare competitions to generate labeled datasets, Proceedings of the Second Conference on Cyber Security Experimentation and Test, p. 9, 2009.Google Scholar
  16. 16.
    S. Schwab, B. Wilson, C. Ko and A. Hussain, SEER: A security experimentation environment for DETER, Proceedings of the DETER Community Workshop, p. 2, 2007.Google Scholar
  17. 17.
    R. Stapleton-Gray, Inter-network operations center dial-by-ASN (INOC-DBA), A resource for the network operator community, Proceedings of the Cybersecurity Applications and Technology Conference for Homeland Security, pp. 181–185, 2009.CrossRefGoogle Scholar
  18. 18.
    The White House, The National Strategy to Secure Cyberspace, Washington, DC ( 2003.Google Scholar
  19. 19.
    A. Turner, Tcpreplay ( Scholar
  20. 20.
    B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb and A. Joglekar, An integrated experimental environment for distributed systems and networks, Proceedings of the Fifth Symposium on Operating Systems Design and Implementation, pp. 255–270, 2002.CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Christos Siaterlis
    • 1
  • Andres Perez-Garcia
    • 1
  • Marcelo Masera
    • 2
  1. 1.Institute for the Protection and Security of the CitizenJoint Research Centre of the European CommissionIspraItaly
  2. 2.Energy Security UnitInstitute for Energy, Joint Research CentrePettenThe Netherlands

Personalised recommendations