CT-T: Approaches to Network Defense Proven in Open Scientific Environments

CT-T：在开放科学环境中经过验证的网络防御方法

• 批准号: 0627320
• 负责人: Vern Paxson
• 金额: $ 23.61万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-10-01 至 2009-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627320&HistoricalAwards=false
• 关键词: CT; Approaches; Network; Defense; Proven

Proposal Number: 0627320Panel: P060975PI: Vern Paxson Institution: International Computer Science Institute, University of California, Berkeley Title: CT-T: Approaches to Network Defense Proven in Open Scientific Experiments AbstractThis effort pursues research in network intrusion detection where the research is tied to large-scale operational settings in an exceptionally strong manner. The central component the work builds upon is the "Bro" network intrusion detection system previously developed by the PIs. The PIs participate in Bro's deployment for 24x7 operational cybersecurity monitoring at the Lawrence Berkeley National Laboratory (LBNL), the Berkeley campus of the University of California, and the Technical University of Munich.The theme of the research is to develop advances in technology for security monitoring of network traffic where the approaches are directly grounded in the pragmatics of network security at large institutes. The advances under investigation span a range of themes: (1) developing new ways of detecting attacks (detecting network "triggers" used by automated exploit software and by worms; drawing upon LBNL's immense archive of logs of past network traffic to devise robust anomaly detection algorithms; identifying possibly unknown malware by re-executing suspicious flows against a fully instrumented honeypot system); (2) new approaches to protocol analysis (exploiting dynamic analysis of protocols that avoid identification via standard ports; extending an abstract protocol description language for specifying analyzers that are then compiled into C++ classes); (3) integrating new sources of information into analyses (distributed monitors; flow records; honeynets; historic behavior; host-based context); and (4) addressing challenges in monitoring very high-speed, high-volume links (transparent load-balancing and cluster operation; hardware support for filtering, state management, normalization, and enabling intrusion prevention).

建议编号：0627320面板： P060975 PI：Vern Paxson 机构：国际计算机科学研究所，加州大学伯克利分校 CT-T：开放科学实验中的网络防御方法 AbstractThis的努力追求在网络入侵检测的研究是绑在一个非常强大的方式大规模的操作设置。 这项工作的核心组成部分是由PI先前开发的“Bro”网络入侵检测系统。 这些PI参与了Bro在劳伦斯伯克利国家实验室（LBNL）、加州大学伯克利分校和慕尼黑工业大学的24 x7操作网络安全监控部署。研究的主题是开发网络流量安全监控技术的进步，其中方法直接基于大型研究所的网络安全实用主义。 正在调查的进展跨越了一系列主题：（1）开发检测攻击的新方法（检测自动攻击软件和蠕虫使用的网络“触发器”;利用LBNL过去网络流量日志的巨大档案来设计强大的异常检测算法;通过对完全仪表化的蜜罐系统重新执行可疑流来识别可能未知的恶意软件）;（2）协议分析的新方法（3）将新的信息源集成到分析中;（4）利用对避免通过标准端口识别的协议的动态分析;（5）扩展抽象协议描述语言以指定分析器，然后将分析器编译成C++类（分布式监控器;流记录;蜜网;历史行为;基于主机的上下文）;以及（4）解决监控非常高速、高容量链路的挑战（透明的负载平衡和集群操作;对过滤、状态管理、规范化和启用入侵防御的硬件支持）。