NeTS-NBD: Automatic Validation, Optimization, and Adaptation of Distributed Firewalls for Network Performance and Security
Basic information
- Award number: 0520320
- Principal investigator:
- Amount: $400K
- Institution:
- Institution country: United States
- Award type: Standard Grant
- Fiscal year: 2005
- Funding country: United States
- Period: 2005-09-01 to 2009-08-31
- Status: completed
- Source:
- Keywords:
Project abstract
As the Internet becomes an essential part of our everyday computing and communication infrastructure, it has also grown into a complex distributed system that is hard to characterize. There have been numerous studies of network topology, IP reachability, and routing dynamics that analyze end-to-end packet forwarding performance. However, there has been very little systematic investigation of the other packet transformations that happen along the path, e.g., firewalls, packet filtering, and quality-of-service mapping. Among these, firewalls are ubiquitous, having become indispensable security defense mechanisms in business and enterprise networks. Just as router misconfigurations can lead to unpredictable routing problems, misconfigured firewalls may fail to enforce the intended security policies, or may incur high packet processing delay. Unfortunately, firewall configuration for a large, complex enterprise network is a demanding and error-prone task, even for experienced administrators. Firewalls can be distributed across many parts of the network or across layers (IP-layer filtering versus application-layer solutions) to cooperatively achieve a global, network-wide policy. As distributed firewall rules are concatenated, it becomes extremely difficult to predict the resulting end-to-end behavior and whether it meets the higher-level security policy.

Intellectual merit: In this project, the principal investigators (PIs) propose to develop a unified framework for policy checking, optimization, and auto-reconfiguration of distributed firewalls. This research will provide novel analysis and design techniques and tools to better protect critical information infrastructures from attacks. The PIs will explore providing consistent and efficient security protection for an enterprise whose geographically distributed business networks are served by different local Internet Service Providers. They adopt an interdisciplinary technical approach that draws on the three PIs' expertise in networking, security, and programming languages and compilers to design an integrated solution. In particular, the PIs propose a systematic treatment of the problem by casting it as a static program analysis question, exploiting well-established and rigorous techniques from programming languages and compilers. The PIs will pursue the following closely related tasks.

Policy validation for security: The PIs first classify all possible policy anomalies (both inconsistencies and inefficiencies) in firewall configurations. They model firewalls as finite-state transition systems and apply symbolic model checking to these finite-state representations to detect both intra-firewall and inter-firewall policy anomalies. The validation method has two phases. First, control-flow analysis identifies all possible flow paths. Second, data-flow analysis checks every path for anomalies. Most intra-firewall and inter-firewall anomalies can be identified in a single traversal; the per-path results are then used to identify inter-path misconfigurations.

Policy optimization for performance: In a typical firewall, a packet is compared against a list of rules sequentially until it matches one. A firewall with a complex rule set can add significant delay to network traffic and therefore becomes a bottleneck (especially in high-speed networks) and an attractive target for DoS attacks. It is therefore important to optimize packet filtering so that network Quality of Service (QoS) requirements can be met. The total number of rules configured and their order also play major roles in the load and efficiency of a firewall. The PIs approach this problem by representing filtering rules as binary decision diagrams (BDDs) and generating "optimal filter rule sets" from the internal BDD representation. They also apply data-flow analysis to hoist identical or similar rules from different paths to a common location, reducing traffic and redundant checking. The optimization step leverages the underlying network topology, routing, and traffic distribution information to improve the efficiency of firewall checking, which enhances packet-forwarding performance. The key advantage of this approach is the ability to proactively prevent firewall vulnerabilities, since static analysis can be applied before the firewalls are actually deployed.

Broader impacts: The proposed research will help system and network administrators configure networked systems more securely and efficiently. The educational component, directed at both undergraduate and graduate students, complements the research activities. Research results will be incorporated into new and existing courses. The PIs will actively participate in UC Davis' minority outreach programs to recruit students from underrepresented groups into science and engineering. In addition, firewall configuration tools developed in the project will be distributed for teaching
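The two tasks described above, classifying intra-firewall anomalies and then optimizing rule order for performance without changing the policy, as an added worked example. This is illustration code written for this page, not the project's tool: instead of symbolic model checking or BDDs it uses a field-by-field relation test over 5-tuple rules (the shadowing/redundancy/generalization/correlation taxonomy of Al-Shaer and Hamed) and a hit-count-driven reordering that keeps every earlier rule ahead of any later overlapping rule with a different action, which is what makes first-match results invariant. The rules, hit counts and packets are constructed sample data.

```python
"""Intra-firewall anomaly detection plus semantics-preserving rule reordering.
Illustration only (not the NeTS-NBD project's tool); rules, hit counts and
packets below are constructed sample data."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp", "udp" or "any"
    src: str          # source CIDR
    dst: str          # destination CIDR
    dport: tuple      # inclusive (lo, hi) destination-port range
    action: str       # "accept" or "deny"


def _rel_proto(a, b):
    if a == b:
        return "eq"
    return "sub" if b == "any" else "sup" if a == "any" else "disj"


def _rel_net(a, b):
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if a == b:
        return "eq"
    if a.subnet_of(b):
        return "sub"
    return "sup" if b.subnet_of(a) else "disj"   # CIDRs either nest or do not touch


def _rel_range(a, b):
    (al, ah), (bl, bh) = a, b
    if (al, ah) == (bl, bh):
        return "eq"
    if bl <= al and ah <= bh:
        return "sub"
    if al <= bl and bh <= ah:
        return "sup"
    return "disj" if ah < bl or bh < al else "part"


def relation(a, b):
    """How a's match set relates to b's: equal, subset, superset, disjoint or correlated."""
    rels = {_rel_proto(a.proto, b.proto), _rel_net(a.src, b.src),
            _rel_net(a.dst, b.dst), _rel_range(a.dport, b.dport)}
    if "disj" in rels:
        return "disjoint"
    if rels <= {"eq"}:
        return "equal"
    if rels <= {"eq", "sub"}:
        return "subset"
    if rels <= {"eq", "sup"}:
        return "superset"
    return "correlated"   # partial overlap: rule order decides the outcome


def find_anomalies(rules):
    """Classify each rule against every earlier rule (first-match semantics)."""
    found = []
    for j, rj in enumerate(rules):
        for ri in rules[:j]:
            rel = relation(rj, ri)
            if rel in ("equal", "subset"):         # rj can never be the first match
                kind = "shadowing" if rj.action != ri.action else "redundancy"
                found.append((kind, rj.name, ri.name))
                break
            if rj.action != ri.action and rel == "superset":
                found.append(("generalization", rj.name, ri.name))
            elif rj.action != ri.action and rel == "correlated":
                found.append(("correlation", rj.name, ri.name))
    return found


def drop_dead_rules(rules):
    dead = {n for kind, n, _ in find_anomalies(rules) if kind in ("shadowing", "redundancy")}
    return [r for r in rules if r.name not in dead]


def reorder_by_hits(rules, hits):
    """Move hot rules forward; an earlier rule that overlaps a later rule with a
    different action must stay ahead of it, so first-match decisions are unchanged."""
    pos = {r.name: i for i, r in enumerate(rules)}

    def blocked(r, pending):
        return any(pos[p.name] < pos[r.name] and p.action != r.action
                   and relation(p, r) != "disjoint" for p in pending if p is not r)

    pending, ordered = list(rules), []
    while pending:   # the earliest pending rule is never blocked, so ready is non-empty
        ready = [r for r in pending if not blocked(r, pending)]
        best = max(ready, key=lambda r: hits.get(r.name, 0))
        ordered.append(best)
        pending.remove(best)
    return ordered


def expected_cost(rules, hits):
    """Mean rules compared per packet, given per-rule first-match hit counts."""
    total = sum(hits.values()) or 1
    return sum(hits.get(r.name, 0) * (i + 1) for i, r in enumerate(rules)) / total


def decide(rules, pkt):
    """First-match evaluation of a (proto, src_ip, dst_ip, dport) packet tuple."""
    proto, src, dst, port = pkt
    for r in rules:
        if (r.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.dport[0] <= port <= r.dport[1]):
            return r.action
    return "deny"


# Constructed sample policy: r2 is shadowed by r1, r5 duplicates r4, r7 is
# correlated with r3, r3 and r8 generalize earlier accept rules.
RULES = [
    Rule("r1", "tcp", "10.0.0.0/8", "192.168.1.0/24", (80, 80), "accept"),
    Rule("r2", "tcp", "10.1.0.0/16", "192.168.1.0/24", (80, 80), "deny"),
    Rule("r3", "tcp", "0.0.0.0/0", "192.168.1.0/24", (1, 1023), "deny"),
    Rule("r4", "udp", "10.0.0.0/8", "192.168.2.0/24", (53, 53), "accept"),
    Rule("r5", "udp", "10.0.0.0/8", "192.168.2.0/24", (53, 53), "accept"),
    Rule("r6", "tcp", "10.0.0.0/8", "192.168.3.0/24", (443, 443), "accept"),
    Rule("r7", "tcp", "10.2.0.0/16", "192.168.0.0/16", (443, 443), "accept"),
    Rule("r8", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny"),
]
HITS = {"r1": 50, "r3": 10, "r4": 300, "r6": 900, "r7": 40, "r8": 200}   # constructed
PACKETS = [("tcp", "10.1.2.3", "192.168.1.10", 80), ("tcp", "10.2.0.5", "192.168.1.7", 443),
           ("tcp", "10.2.0.5", "192.168.5.7", 443), ("udp", "10.9.9.9", "192.168.2.53", 53),
           ("tcp", "172.16.0.1", "192.168.3.1", 443)]

if __name__ == "__main__":
    clean = drop_dead_rules(RULES)
    fast = reorder_by_hits(clean, HITS)
    print(find_anomalies(RULES))
    print([r.name for r in fast], expected_cost(clean, HITS), expected_cost(fast, HITS))
```

Running the module lists the anomalies, then shows the reordered rule names and the average match depth before and after reordering (3.98 versus 2.06 comparisons per packet for the sample hit counts). `decide` over `PACKETS` gives identical verdicts for the original and reordered lists, which is the invariant a reorderer must keep; the hit counts are first-match counts, so in a real deployment they come from the firewall's own per-rule counters or from the traffic distribution the proposal mentions.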
Project outputs
- Journal articles: 0
- Monographs: 0
- Research awards: 0
- Conference papers: 0
- Patents: 0
Other publications by Chen-Nee Chuah
The Joint Optimization of Online Traffic Matrix Measurement and Traffic Engineering For Software-Defined Networks
- DOI: 10.1109/tnet.2019.2957008
- Published: 2020-02
- Journal:
- Impact factor: 0
- Authors: Xiong Wang; Qi Deng; Jing Ren; Mehdi Malboubi; Sheng Wang; Shizhong Xu; Chen-Nee Chuah
- Corresponding author: Chen-Nee Chuah
Inter-domain collaborative routing (IDCR): Server selection for optimal client performance
- DOI: 10.1016/j.comcom.2011.04.002
- Published: 2011-09-15
- Journal:
- Impact factor:
- Authors: Martin O. Nicholes; Chen-Nee Chuah; S. Felix Wu; Biswanath Mukherjee
- Corresponding author: Biswanath Mukherjee
RED-BL: Evaluating dynamic workload relocation for data center networks
- DOI: 10.1016/j.comnet.2014.07.001
- Published: 2014-10-29
- Journal:
- Impact factor:
- Authors: Muhammad Saqib Ilyas; Saqib Raza; Chao-Chih Chen; Zartash Afzal Uzmi; Chen-Nee Chuah
- Corresponding author: Chen-Nee Chuah
Software defined network inference with evolutionary optimal observation matrices
- DOI: 10.1016/j.comnet.2017.09.001
- Published: 2017-12-24
- Journal:
- Impact factor:
- Authors: Mehdi Malboubi; Yanlei Gong; Zijun Yang; Xiong Wang; Chen-Nee Chuah; Puneet Sharma
- Corresponding author: Puneet Sharma
254 Social determinants of health improves prediction for postpartum readmissions due to preeclampsia
- DOI: 10.1016/j.ajog.2023.11.276
- Published: 2024-01-01
- Journal:
- Impact factor:
- Authors: Lihong Mo; Shivam RaiSharma; Nimerta Sandhu; Herman L. Hedriana; Zahabiya H. Chithiwala; Anna Curtin; Chen-Nee Chuah
- Corresponding author: Chen-Nee Chuah
Other grants of Chen-Nee Chuah
NeTS: Medium: Collaborative Research: Towards Building Time Capsule for Online Social Activities
- Award number: 1302691
- Fiscal year: 2013
- Amount: $400K
- Award type: Standard Grant
NeTS: Small: Beating the Odds in Traffic Measurements/Detection with Optimal Online Learning and Adaptive Policies
- Award number: 1321115
- Fiscal year: 2013
- Amount: $400K
- Award type: Standard Grant
Student Travel Support for the 2010 Internet Measurement Conference
- Award number: 1047631
- Fiscal year: 2010
- Amount: $400K
- Award type: Standard Grant
NeTS: Medium: Collaborative Research: Towards Versatile and Programmable Measurement Architecture for Future Networks
- Award number: 0905273
- Fiscal year: 2009
- Amount: $400K
- Award type: Standard Grant
Student Travel Support for the 2009 Internet Measurement Conference
- Award number: 0943095
- Fiscal year: 2009
- Amount: $400K
- Award type: Standard Grant
Collaborative Research: CT-ISG: Accurate Sampling of the Internet for Effective Anomaly Detection
- Award number: 0716831
- Fiscal year: 2007
- Amount: $400K
- Award type: Continuing Grant
CAREER: Robust, Stable and Secure Routing via a vertically integrated monitoring and introspection system
- Award number: 0238348
- Fiscal year: 2003
- Amount: $400K
- Award type: Standard Grant
Similar NSFC grants
Mechanism of the effector NBD in infection by Ustilago esculenta
- Award number:
- Award year: 2022
- Amount: 300,000 CNY
- Award type: Young Scientists Fund
Pathogenic role and mechanism of ABCC2 NBD-region mutations affecting MRP2 subcellular localization and degradation in Dubin-Johnson syndrome
- Award number: 82000543
- Award year: 2020
- Amount: 240,000 CNY
- Award type: Young Scientists Fund
Experimental study of repairing infected bone defects with 3D-printed Sr-CaS/NBD peptide sustained-release microsphere scaffold materials
- Award number: 81601911
- Award year: 2016
- Amount: 180,000 CNY
- Award type: Young Scientists Fund
Mechanism of the effect of NBD peptide on osteoblast differentiation under inflammatory stimulation
- Award number: 81272052
- Award year: 2012
- Amount: 700,000 CNY
- Award type: General Program
Construction and application of a highly sensitive, high-throughput functional oligosaccharide screening and structure-activity relationship evaluation system based on quantum dot/NBD fluorescence ratios
- Award number: 31201384
- Award year: 2012
- Amount: 250,000 CNY
- Award type: Young Scientists Fund
Study of TAT-NBD and the ERK pathway in preventing and treating bilirubin neurotoxicity
- Award number: 81200459
- Award year: 2012
- Amount: 210,000 CNY
- Award type: Young Scientists Fund
Similar overseas grants
Identification of NBD-labeled peptides by using photo irradiation-induced NBD loss
- Award number: 17K01956
- Fiscal year: 2017
- Amount: $400K
- Award type: Grant-in-Aid for Scientific Research (C)
Characterization of the NOD2 NBD domain and role in chronic inflammation
- Award number: 8795675
- Fiscal year: 2011
- Amount: $400K
- Award type:
Characterization of the NOD2 NBD domain and role in chronic inflammation
- Award number: 8142539
- Fiscal year: 2011
- Amount: $400K
- Award type:
Studies of SUR NBD and L0 Linker Interactions
- Award number: 415637-2011
- Fiscal year: 2011
- Amount: $400K
- Award type: University Undergraduate Student Research Awards
Characterization of the NOD2 NBD domain and role in chronic inflammation
- Award number: 8261858
- Fiscal year: 2011
- Amount: $400K
- Award type:
Characterization of the NOD2 NBD domain and role in chronic inflammation
- Award number: 8698281
- Fiscal year: 2011
- Amount: $400K
- Award type:
Characterization of the NOD2 NBD domain and role in chronic inflammation
- Award number: 8402119
- Fiscal year: 2011
- Amount: $400K
- Award type:
Evaluation of NBD Peptides as an Adjunct Therapy for the Treatment of Non-Hodgkin
- Award number: 8006050
- Fiscal year: 2010
- Amount: $400K
- Award type:
NeTS-NBD: Dynamic Carrier-Assisted Routing in Mobile Networks
- Award number: 0946922
- Fiscal year: 2009
- Amount: $400K
- Award type: Continuing Grant