LegoTG: Modular Traffic Generation for Realistic Experimentation


Traffic generation plays an integral part of cyber-security defense testing in network testbeds. Generating just any traffic is easy, but generating realistic traffic is hard. The key reason for this is that "realistic" means different things to different people. The definition of realism depends on the use of the traffic in testing, but all existing traffic generators have a fixed definition of realism that users cannot change.

This project will build a traffic generator whose definition of realism can be fully specified by a user. The generator will consist of three parts:

Key Insight

The key novelty of this approach lies in the customizable definition of realism that the generator will support. By allowing users to specify their own reality dimensions this project's traffic generation tool will be generic enough to meet the evaluation needs of any cyber security researcher.

Further,integration of the traffic generation from models and traffic replay in a single tool is novel; existing tools support only one of these generation approaches. Finally, the tool will support traffic generation at application, transport or network level while existing tools support it only at one select level.

The proposed work will advance cyber-security defense research by supporting rigorous and realistic evaluation of its products. It will do that by both fitting researchers' needs and by being extremely portable and easy to deploy and use. Because users will be able to customize the definition of realism as they desire, the evaluation will properly stress the cyber-security defenses and its results will be predictive of the defenses performance in real deployment. The traffic generator's capabilities to both generate traffic from learned models and to replay it from network logs enable a wide range of testing strategies and support thorough exploration of problem space. Better evaluation strategies will lead to better cyber-security defenses. The project will integrate our traffic generator with the DETER testbed for cyber security experimentation.


LegoTG software consists of three main parts:
  1. The LegoTG Orchestrator (TGOrchestrator)
  2. Software tools which carry out various parts of traffic generation. These tools can be anything commandline-based, such as popular tools (like tcpreplay, tcpdump), tools created through the LegoTG project (like mimic) or custom made tools.
  3. Block Interface Files (BIFs). Each tool used in the generation process is wrapped by a BIF. The BIF tells the LegoTG Orchestrator how to install, setup, run and stop the tool.

TGOrchestrator Downloads

Latest Version

BIFs and Tools

Currently BIFs are available on DETERLab in /share/LegoTG/TGBlock_Library along with custom software.


The ExFiles used in our 2015 CNERT workshop paper can be found here.
This material is based upon work supported by the National Science Foundation under Grant No. 1127388. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.