STI: Viable Network Defense for Scientific Research Institutions

STI：科研机构可行的网络防御

• 批准号: 0334088
• 负责人: Vern Paxson
• 金额: $ 90万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2003
• 资助国家: 美国
• 起止时间: 2003-11-01 至 2007-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0334088&HistoricalAwards=false
• 关键词: STI; Viable; Network; Defense; Scientific

Modern science makes heavy use of the Internet for collaborations that draw upon the network in ways far beyond simple uses such as email for discussion and Web access for sharing data in some cases several hundred distinct services. This access also opens the doors to incessant network attacks and research institutes find themselves under growing pressure to place significant restrictions on such access in the form of firewalls, limited permitted applications, and mandatory proxies. These issues threaten to diminish the effectiveness of how modern science is conducted across a broad range of disciplines. A key tool to maintain openness is intrusion detection: detecting in real-time that an attack is underway and, if warranted, initiating a response in order to thwart it. However, there is a world of difference between detecting attackers in a small-scale environment such as a researcher's LAN and doing so at a large scale such as for an entire open site. Both the much higher required performance and the greatly increased traffic diversity present major challenges. But intrusion detection for large, open sites also sees very little in the way of academic research, because of the great difficulties many researchers face in acquiring the necessary access.The PI of this proposal, however, is in a unique position for developing and validating network intrusion detection research at such sites, by virtue of his joint appointment at ICSI and LBNL. LBNL's operational cyber security is centered around use of BRO- the intrusion detection system developed by the PI. The PI has full monitoring access to the Laboratory's network traffic, and participation in the realities of network security at a large institute. In addition, BRO is used operationally at the University of California, Berkeley, where the PI likewise has full monitoring access. The proposed efforts will be firmly grounded in the realities of defending large research institutions. The work will not be abstract; it will validate mechanisms developed against actual in situ attacks and actual operational needs, avoiding the pitfall of devising attractive solutions that fail in practice when actually deployed. The research will be spanning a number of areas: (i) developing new ways of detecting attacks (detecting network "triggers" used by automated exploit software and by worms; attempting to "finger print" users by their keystroke timing; drawing upon LBNL's immense archive of TCP connection summaries to devise robust anomaly detection algorithms); (ii) addressing challenges in monitoring very high-speed, high volume links (distributing monitoring across multiple machines; coordinating monitors with border routers that will "shunt" a portion of the traffic to the monitor and cut through the rest; devising robust mechanisms for dealing with massive traffic floods); and (iii) addressing the realities of managing large-scale security policies (understanding the relationship between individual alerts and the complex policies that lead to them; automatically locating "stale" policy elements no longer relevant). The work will advance development in two key areas: (iv) refining and applying the trace anonymization framework developed in earlier in order to address the major shortcoming in network intrusion detection research of a complete lack of traffic traces that include packet contents; and (v) bringing the BRO software system up to the level of support necessary for it to become the open-source monitoring system of choice for operational deployment at large scientific research institutes.

现代科学大量利用互联网进行协作，其利用网络的方式远远超出了简单的用途，例如用于讨论的电子邮件和用于共享数据的网络访问，在某些情况下还有数百种不同的服务。这种访问也为持续不断的网络攻击打开了大门，研究机构发现自己面临着越来越大的压力，需要以防火墙、有限允许的应用程序和强制代理的形式对此类访问进行严格限制。这些问题可能会降低现代科学在广泛学科中开展的有效性。 保持开放性的一个关键工具是入侵检测：实时检测正在进行的攻击，如果有必要，则启动响应以阻止攻击。然而，在小规模环境（例如研究人员的 LAN）中检测攻击者与在大规模环境（例如整个开放站点）中检测攻击者之间存在天壤之别。更高的性能要求和大大增加的流量多样性都带来了重大挑战。但大型、开放站点的入侵检测在学术研究中也很少见，因为许多研究人员在获得必要的访问权限方面面临着巨大的困难。然而，该提案的 PI 由于在 ICSI 和 LBNL 的联合任命，在开发和验证此类站点的网络入侵检测研究方面处于独特的地位。 LBNL 的运营网络安全以 BRO（由 PI 开发的入侵检测系统）的使用为中心。 PI可以全面监控实验室的网络流量，并参与大型研究所的网络安全实践。此外，BRO 还在加州大学伯克利分校投入使用，PI 同样拥有完全的监控访问权限。拟议的努力将牢牢扎根于保卫大型研究机构的现实。这项工作不会是抽象的；它将验证针对实际原位攻击和实际操作需求而开发的机制，避免设计有吸引力的解决方案但在实际部署时却失败的陷阱。该研究将涵盖多个领域：（i）开发检测攻击的新方法（检测自动漏洞软件和蠕虫使用的网络“触发器”；尝试通过击键时间“指纹”用户；利用劳伦斯伯克利国家实验室庞大的 TCP 连接摘要档案来设计强大的异常检测算法）； (ii) 解决监控超高速、大容量链路方面的挑战（跨多台机器分布监控；协调监控器与边界路由器，将一部分流量“分流”到监控器并切断其余流量；设计强大的机制来处理大规模流量洪流）； (iii) 解决管理大规模安全策略的现实问题（了解单个警报与导致这些警报的复杂策略之间的关系；自动定位不再相关的“过时”策略元素）。这项工作将推动两个关键领域的发展：（iv）完善和应用早期开发的跟踪匿名化框架，以解决网络入侵检测研究中完全缺乏包括数据包内容的流量跟踪的主要缺点； (v) 将 BRO 软件系统提升到必要的支持水平，使其成为大型科研机构运行部署的首选开源监控系统。