基于容器的轻量级工业控制系统网络安全测试床研究

针对现有工业控制系统(ICS)测试床部署成本高、网络拓扑简单固定、难以共享等问题,提出了一种基于容器的轻量级ICS网络安全测试床构建方法。该方法将田纳西—伊斯曼过程模型及其控制算法分别封装为两类Docker容器镜像,根据Web图形化界面绘制工业控制网络拓扑,自动配置容器接口并连接成仿真工控网络,最终实现具有真实的工业控制网络数据流的ICS网络安全测试床。实验结果表明,该方法仅需要较少的系统资源,就可快速实现给定网络拓扑的测试环境,支持多种网络攻击测试,相比于其他ICS测试床,具有更好的资源使用、加载速度和可移植性,有利于ICS网络安全的测试、研究和教学工作。     

A SCADA testbed for investigating cyber security vulnerabilities in critical infrastructures

Supervisory Control and Data Acquisition (SCADA) systems are widely used in critical infrastructures such as water distribution networks, electricity generation and distribution plants, oil refineries, nuclear plants, and public transportation systems. However, the increased use of standard protocols and interconnectivity has exposed SCADA systems for potential cyber-attacks. In recent years, the cyber-security of SCADA systems has become a hot issue for governments, industrial sectors and academic community. Recently some security solutions have been proposed to secure SCADA systems. However, due to the critical nature of SCADA systems, evaluation of such proposed solutions on real system is im-practical. In this paper, we proposed an easily scalable and reconfigurable virtual SCADA security testbed, which can be used for developing and evaluating SCADA specific security solutions. With Distributed Denial of Service (DDoS) and false data injection attack scenarios, we demonstrated how attackers could disrupt the normal operation of SCADA systems. Experimental results show that, the pro-posed testbed can be effectively used for cyber security assessment and vulner-ability investigation on SCADA systems. One of the outcomes of this work is a labeled dataset, which can be used by researchers in the area of SCADA security.     

TACIoT: multidimensional trust-aware access control system for the Internet of Things

Internet of Things environments are comprised of heterogeneous devices that are continuously exchanging information and being accessed ubiquitously through lossy networks. This drives the need of a flexible, lightweight and adaptive access control mechanism to cope with the pervasive nature of such global ecosystem, ensuring, at the same time, reliable communications between trusted devices. To fill this gap, this paper proposes a flexible trust-aware access control system for IoT (TACIoT), which provides an end-to-end and reliable security mechanism for IoT devices, based on a lightweight authorization mechanism and a novel trust modelthat has been specially devised for IoT environments. TACIoT extends traditional access control systems by taking into account trust values which are based on reputation, quality of service, security considerations and devices’ social relationships. TACIoT has been implemented and evaluated successfully in a real testbed for constrained and non-constrained IoT devices.     

Design and implementation of the OFELIA FP7 facility: The European OpenFlow testbed

The growth of the Internet in terms of number of devices, the number of networks associated to each device and the mobility of devices and users makes the operation and management of the Internet network infrastructure a very complex challenge. In order to address this challenge, innovative solutions and ideas must be tested and evaluated in real network environments and not only based on simulations or laboratory setups.OFELIA is an European FP7 project and its main objective is to address the aforementioned challenge by building and operating a multi-layer, multi-technology and geographically distributed Future Internet testbed facility, where the network itself is precisely controlled and programmed by the experimenter using the emerging OpenFlow technology. This paper reports on the work done during the first half of the project, the lessons learned as well as the key advantages of the OFELIA facility for developing and testing new networking ideas.An overview on the challenges that have been faced on the design and implementation of the testbed facility is described, including the OFELIA Control Framework testbed management software. In addition, early operational experience of the facility since it was opened to the general public, providing five different testbeds or islands, is described.     

Physics-based simulation for manual robot guidance—An eRobotics approach

Manual robot guidance is an intuitive approach to teach robots with human's skills in the loop. It is particularly useful to manufacturers because of its high flexibility and low programming effort. However, manual robot guidance requires compliance control that is generally not available in position-controlled industrial robots. We address this issue from a simulation-driven approach. We systematically capture the interactive dynamic behavior of intelligent robot manipulators within physics-based virtual testbeds, regardless of the type of application. On this basis, we develop structures to equip and employ simulated robots with motion control capabilities that include soft physical interaction control driven in real-time with real external guidance forces. We then transfer the virtual compliant behavior of the simulated robots to their physical counterparts to enable manual guidance. The simulator provides assistance to operators through timely and insightful robot monitoring, as well as meaningful performance indexes. The testbed allows us to swiftly assess guidance within numerous interaction scenarios. Experimental case studies illustrate the practical usefulness of the symbiotic transition between 3D simulation and reality, as pursued by the eRobotics framework to address challenging issues in industrial automation.     

广域大规模实验平台设计和研究

针对互联网实验床的特点,本文分析了传统互联网实验床的成功经验和不足,基于可扩展、可隔离和真实性三个基本原则,设计了一个新的广域大规模实验平台.该平台基于层次性结构,不同区域的节点设备形成自治的设备集群,每个集群通过管理节点进行管理和互联,接受中心管理器的统一管理.实验平台通过VLAN为实验提供隔离的网络环境,基于虚拟化技术为实验提供隔离的资源,并提供持久数据存储空间方便实验存储和共享数据.     

The FEDERICA infrastructure and experience

The European Commission co-funded project FEDERICA started in 2008 with the objective to support Future Internet research and experimentation. The project created a Europe-wide infrastructure based on virtualization in wired networks and computing elements, offering fully configurable and controllable virtual testbeds as a service to researchers. This article reviews the architecture, its deployment and current active status, usage experience, including virtual resource reproducibility and elaborates on challenges for Future Internet testbed support facilities.     

Enabling iterative development and reproducible evaluation of network protocols

Over the last two decades several efforts have been made to provide adequate experimental environments, aiming to ease the development of new network protocols and applications. These environments range from network simulators providing a highly controllable evaluation conditions, to live testbeds providing realistic evaluation environment. While these different approaches foster network development in different ways, there is no simple way to gradually transit from one to another, or to combine their strengths to suit particular evaluation needs. We believe that enabling a gradual transition from a pure simulated environment to a pure realistic one, where the researcher can decide which aspects of the environment are realistic and which are controllable, allows improving network solutions by simplifying the problem analysis and resolution.In this paper, we propose a new network experimentation framework where simulated and real components can be arbitrarily combined to build custom test environments, allowing refining and improving new protocols and applications implementations by gradually increasing the level of realism of the evaluation environment. Moreover, we present a testbed architecture specifically adapted to support the proposed concept, and discuss the design choices we made based on our previous experience in the area of network testbeds. These choices address key issues in network testbed development, such as ease of experimentation, experiment reproducibility, and testbed federation, to enable scaling the size of experiments beyond what a single testbed would allow.     

Some aspects of dynamic 3D representation and control of industrial processes via the Internet

In our research we examine and use 3D representation of industrial processes, for example the novel methods of Incremental Sheet Forming. We also test 3D imaging methods on our industrial robot solving the Rubik's Cube. We have created 3D models of our robots and their environment in our laboratory to examine the behavior of different industrial processes both in the real, and in the 3D virtual environment. We have connected the 3D model with the real system with which we could extend the features of our robots with some services that exits in the virtual space. We have also established synchronized connections of the real and virtual systems, which enables us to control the real robots and machines from its 3D model via the Internet.     

Development of a fractional order based MIMO controller for high dynamic engine testbeds

Testbed are used to tune and assess automotive engines. As more High Dynamic (HD) scenarios need to be simulated, the testbeds require Multi Input Multi Output (MIMO) and robust control systems. A cooperation involving a major testbed manufacturer and two university laboratories was therefore set up. This paper presents the Control-System Design (CSD) methodology developed from system identification to the design and assessment of the MIMO robust controller for a HD testbed coupled with a spark-ignition engine. It is specially highlighted how the entire process has been automated and simplified and how the fractional order based MIMO CRONE CSD has been parameterized to obtain the best performance. Experimental results show that the proposed fractional order based MIMO control system is able to improve robustness and decoupling.     

An approach to experimental evaluation of real-time fault-tolerantdistributed computing schemes

A test-based approach to the evaluation of fault-tolerant distributed-computing schemes is discussed. The approach is based on experimental incorporation of system structuring and design techniques into real-time distributed computing testbeds centered around tightly coupled microcomputer networks. The effectiveness of this approach has been experimentally confirmed. Primary advantages of the testbed-based approach include the relatively high accuracy of the data obtained on timing and logical complexity, as well as the relatively high degree of assurance that can be obtained on the practical effectiveness of the scheme evaluated. Various design issues encountered in the course of establishing the basic microcomputer network testbed facilities are discussed, along with their augmentation to support some experiments. The shortcomings of the testbeds that have been recognized are also discussed together with the desired extensions of the testbeds. Some of the desired extensions are beyond the state-of-the-art in microcomputer network implementation     

DRAGON-Lab—Next generation internet technology experiment platform

Testbed technology is very important in the development of the Internet. Similar to the present internet, next generation internet also starts from testbed. There are two kinds of testbeds, testbed networks like CNGI-CERNET2, Internet2, Geant; testbed systems like PlanetLab, NS2. DRAGON-Lab can be viewed as both testbed network and testbed system. DRAGON-Lab is an independent AS （autonomous system） and connected to multiple real networks. On the other hand, DRAGON-Lab integrates many resources of its own, partners＇ and internet＇s, so as to provide open service. DRAGON-Lab has a large scale, provides open service, supports remote visualized experiments and programmable experiments. More details will be introduced in this paper.     

Active Vibration Control of Flexible Robots Using Virtual Spring-damper Systems

When using robots for heavy loads and huge operating ranges, elastic deformations of the links have to be taken into account during modeling and controller design. Whereas for conventional rigid multilink industrial robots modeling can schematically be done by standard techniques, it is a massive problem to obtain an accurate analytic model for multilink flexible robots. But an accurate analytic model is essential for most modern controller design techniques, and modeling errors can lead to instability of the controlled system due to spillover since the eigenvalues of the system are only slightly damped. A new approach to active damping control for flexible robots is presented in this paper where the actuators act like virtual spring-damper-systems. As the spring-damper-element is a passive energy dissipative device, it will never destabilize the system and thus the control concept will be very insensitive to modeling errors. Basically, the two parameters, spring stiffness and damping constant of this system, are arbitrary and model independent. To satisfy performance requirements they are adjusted using knowledge of the system model. The more it is known about the system model, the better these parameters may be adjusted. The new input of the controlled system is a virtual variation of the spring base. The paper illustrates this technique with the help of a simple and easy to model one link flexible robot which is also available as a real laboratory testbed.     

A multiagent dynamic interaction testbed: Theoretic framework, system architecture and experimentation

Recent research on Distributed Artificial Intelligence(DAI)has focused upon agents‘ interaction in Multiagent System.sThis paper presents a text understanding oriented multiagent dynamic interaction testbed(TUMIT);the theoretic framework based upon game theory,the free-market-like system marchitecture,and experimentation on TUMIT.Unlike other DAI testbeds,TUMIT views different text understanding(TU)methods as different“computational resources”,and makes agents choose different TU paths and computational resources according to the resouce information on the bulletins in their hostcomputer.Therefore,in TUMIT,task allocation is wholly distributed.This makes TUMIT work like a “free market”.In such a system,agents‘choices and resource load may oscillate.It is shown theoretically and experimentally that if agents use multi-level of “history information”,their behavior will tend to converge to a Nash equilibrium situation;and that if agents use “fecall-forget” strategy on “history information”,the convergence can be accelerated and the agents can acclimate themselves to changed environment.Compared with other DAI testbeds,TUMIT is more distributed,and the agents in TUMIT are more adaptive to the dynamic environment.     

主动网络试验床仿真环境ANTB-Sim

为了解决主动网络试验床存在的问题，开发了一个主动网络试验床仿真环境ANTB-Sim．它扩展了网络仿真器J-Sim，在运行过程中动态替换Javasocket的默认实现，从而能直接运行用Java开发的主动网络原型系统，而主动信包则在仿真网络中传输．实验表明：ANTB-Sim克服了主动网络试验床的不足，同时主动网络也可以比较稳定地运行于ANTB-Sim之上．     

Cooperative multi-agent system for an assembly robotics cell

A multi-agent system architecture is described and justified for the sake of its application to an assembly robotics testbed. A blackboard-based agent using a GoalBlackboard/DataBlackboard facility for intra (not inter) agent communication and including knowledge about all the agent's community, is presented as well as its main functionality. Coordination of different agents dynamically playing the roles either of organizers or respondents may lead to the use of either negotiation or client/server protocols for cooperation. Also come cooperative strategies and involved knowledge have been studied, classified and implemented in the robotics testbed enabling a sophisticated agent behavior both in terms of cooperation and local control. A real testbed, whose agents are briefly presented here, working with real-time constraints, has already been implemented and tested in our laboratory.     

Experimentation on end-to-end performance aware algorithms in the federated environment of the heterogeneous PlanetLab and NITOS testbeds

The constantly increasing diversity of the infrastructure used to deliver Internet services to the end user has created a demand for experimental network facilities featuring heterogeneous resources. Therefore, federation of existing network testbeds has been identified as a key goal in the testbed community, leading to a recent activity burst in this research field. In this paper, we present a federation scheme that was built during the Onelab 2 EU project. This scheme federates the NITOS wireless testbed with the wired PlanetLab Europe testbed, allowing researchers to access and use heterogeneous experimental facilities under an integrated environment. The usefulness of the resulting federated facility is demonstrated through the testing of an implemented end-to-end delay aware association scheme proposed for wireless mesh networks. We present extensive experiments under both wired congestion and wireless channel contention conditions that demonstrate the effectiveness of the proposed approach in realistic settings. The experiments are also reproduced in a well-established network simulator and a comparative study between the results obtained in the realistic and simulated environments is presented. Both the architectural building blocks that enable the federation of the testbeds and the execution of the experiment on combined resources, as well as the important insights obtained from the experimental results are described and analyzed, pointing out the importance of integrated experimental facilities for the design and development of the Future Internet.     

战术互联网拓扑试验床研究

本文旨在探讨战术互联网拓扑试验床在组建自组织战术互联网问题上的应用潜力,为国内相关研究提供借鉴. 文章主要介绍了美国战术互联网拓扑试验的起源、内涵和主要研究领域,详细阐述了战术互联网拓扑试验床的含义,并分析了两种典型战术互联网试验床―即插即用试验床和MIO试验床及各自的应用领域. 在此基础上,分析了战术互联网拓扑试验床的服务体系架构. 最后,对多个研究小组提出的自组织战术互联网研究方案的内容及成果进行了归纳总结.     

Using virtual environments for the assessment of cybersecurity issues in IoT scenarios

Internet of Things (IoT) has been forecast as the next main evolution in the field of Information and Communication Technology. Recent studies confirm a steep and constant increase of the diffusion of smart objects, which are capable to interact with the real world and to communicate and gather information autonomously through Internet connections. In the rush of devising and releasing to the market the next killer application for the IoT domain, critical issues regarding the cybersecurity risks are currently overlooked. Because security, like most software qualities, is not an orthogonal requirement, i.e. one that can be satisfied by adding some features at any development stage, this is going to have a very costly impact, potentially leading to failure, on the technologies currently developed for the IoT domain. In order to cope adequately with such issues, IoT applications need to be designed to be secure since their inception and suitable security assessment tools should be made available. This paper describes an approach based on the exploitation of virtual environments and agent-based simulation for the evaluation of cybersecurity solutions for the next generation of IoT applications in realistic scenarios. The effectiveness of the approach is shown by considering a concrete case study involving the cooperation of real and virtual smart devices inside a virtualized scenario where security issues are first evaluated and then handled.