The objective of this collaborative project is to develop a public repository of practical security exercises for undergraduate curriculum. These exercises involve students in hands-on security experiments, demonstrating realistic threats and defenses. They provide active learning opportunities in computer security curriculum which has been typically taught using passive learning methods. The exercises are hosted on the shared, public and free DETER testbed at the lead institution, University of Southern California; the remaining four collaborating institutions, including Colorado State University, University of California Los Angeles, Lehigh University, and the University of North Carolina at Charlotte offer a unique and diverse experience in security education and research.
The setup of each exercise is fully automated with tools for customization of exercises; accompanied by detailed guidelines about common pitfalls; and supported by experiment health management to send students automated alerts when their experiment is not configured properly. The DETER testbed contains several traffic generation, visualization and experiment monitoring tools which allow students to work at a high-level via a simple GUI interaction as well as at low-level, command-line activities.
The project delivers portable, shared and publicly accessible exercises available from anywhere, at any time, making it more accessible than having to share a computer lab or requiring a complex physical setup. This project has a potential to reach a large number institutions via outreach activities such as tutorials at security conferences; workshops, and the DETER newsletter.
Computer and Network Security are very dynamic fields, with new threats and defenses appearing daily. Yet many security courses are taught in an old-fashioned way, with lectures and textbooks. This results in well- but narrowly-educated and poorly trained professionals. It also reduces retention in these fields and in Computer Science in general, because passive student participation harms their motivation. In this project we generated a major leap in security education by developing a public repository of practical security exercises to accompany relevant college courses. This repository resides at: http://education.deterlab.net. We seeded the repository with 15 exercises developed by us (five co-PIs from five different universities), covering diverse security concepts. We also used the exercises in our classes and promoted their use among colleagues in our field. These exercises closely involve students in hands-on security experiments, demonstrating popular threats and defenses. The exercises are based on the shared, public and free DeterLab testbed, hosted at the lead institution -- USC Information Sciences Institute, which specializes in supporting security experiments. Practical security exercises are often very complex to develop, set up and debug, which acts as deterrent for many faculty members to their adoption. We devoted special attention to developing exercises that are easily adopted by teachers who lack practical experimentation or system administration experience. The setup of each exercise was automated, with key concepts described in detail, and accompanied by a teacher manual to help with troubleshooting. Since all exercises run on the same platform where they were developed -- DeterLab -- we rarely had issues when an exercise would not generate an expected behavior. For these rare events, and for events where teachers and students had problems obtaining resources on the testbed or performing some experimental tasks we had a dedicated support person they could email and get help. This support was cruicial to retain our educational users. We have further undertaken significant work (not funded by this grant) on improving DeterLab's software so it would better support educational activities. This included modification of access control rules so students could work individually or in groups, while their work is protected from other students. It also included transfer of some administrative privileges from DeterLab operations staff to course instructors to help them troubleshoot student problems. The exercises we developed saw wide adoption by our colleagues. The number of courses that use DeterLab per semester increased 10 times since our work started. We had tens of new project leaders (course instructors) who came to testbed only becaue they wanted to use our educational materials. We received very positive feedback from teachers and students and saw repeated use of the testbed and the educational materials by the same teachers in multiple courses and multiple semesters. As a side effect our collection of security exercises also serves as nice startup material for new DeterLab research users, who try them out to get the feel for what the testbed can do. While our project has ended, our educational portal and materials continue to grow and impact students and teachers worldwide. We are further in the process of connecting with other educators that developed hands-on security exercises for other platforms (non-DeterLab) and are creating a portal that would catalogue all these efforts at http://handsonsecurity.org
