Collaborative Research: CT-L: CLEANSE: Cross-Layer Large-Scale Efficient Analysis of Network Activities to SEcure the Internet

合作研究：CT-L：CLEANSE：跨层大规模有效分析网络活动以保护互联网安全

• 批准号: 0831174
• 负责人: Michael Bailey
• 金额: $ 23.1万
• 依托单位: Regents of the University of Michigan - Ann Arbor
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-10-01 至 2012-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0831174&HistoricalAwards=false
• 关键词: Collaborative; Research; CT; CLEANSE; Cross

Layer-8 attacks (e.g., spam and phishing) are launched from a malicious service platform, e.g., botnet, which consists of a large number of infected machines (or bots). Such an attack platform relies on lower-layer network services to achieve efficiency, robustness, and stealth in communication and attack activities. These services include look-up (e.g., DNS), hosting (e.g., Web servers), and transport (e.g., BGP).The main research goals and approaches of the CLEANSE project are: 1. Control-plane monitoring. Much of the infrastructure for mounting layer-8 attacks involves abuse of the control plane in core network services (e.g., DNS and BGP).The CLEANSE project develops control-plane anomaly detection sensors that are distributed, online, and real-time. 2. Data-plane monitoring. The project develops new and general network anomaly detection algorithms based on traffic sampling and clustering for monitoring high-speed traffic. 3. Improved security auditing capabilities. The CLEANSE project develops packet "tagging/tainting" techniques to enable tracking and clustering of network traffic flows (e.g., that are generated by the same bot program). The project also develops improved traffic sampling capabilities that are attack-aware and distributed network-wide.By focusing on monitoring of core network services, the CLEANSE framework can detect future layer-8 attacks and new forms of large-scale malware infections. The project also creates educational contents, including new textbooks and on-line course materials, which directly benefit from the research activities. The CLEANSE project team also work with industry partners (including the ISPs) to organize focused workshops that bring together researchers from academia and practitioners from the industry/ISP, government, and law enforcement agencies to foster the exchange of ideas, data, and technologies.

第8层攻击（例如，垃圾邮件和网络钓鱼）是从恶意服务平台发起的，例如，僵尸网络，由大量受感染的机器（或僵尸程序）组成。这种攻击平台依赖于较低层的网络服务来实现通信和攻击活动的高效性、鲁棒性和隐蔽性。这些服务包括查找（例如，DNS）、托管（例如，Web服务器）和传输（例如，CLEANSE项目的主要研究目标和方法是： 1.控制平面监控用于实施第8层攻击的大部分基础设施都涉及核心网络服务中控制平面的滥用（例如，CLEANSE项目开发分布式、在线和实时的控制平面异常检测传感器。 2.数据平面监控。该项目开发了新的和通用的网络异常检测算法的流量采样和聚类的基础上监测高速流量。 3.改进的安全审核功能。CLEANSE项目开发了分组“标记/污染”技术，以实现对网络业务流的跟踪和聚类（例如，由相同的机器人程序生成）。该项目还开发了改进的流量采样功能，这些功能具有攻击感知能力和分布式网络范围。通过专注于核心网络服务的监控，CLEANSE框架可以检测未来的第8层攻击和新形式的大规模恶意软件感染。该项目还创建教育内容，包括新教科书和在线课程材料，这些都直接受益于研究活动。CLEANSE项目小组还与行业伙伴（包括ISP）合作，组织重点研讨会，将学术界的研究人员和行业/ISP、政府和执法机构的从业人员聚集在一起，促进思想、数据和技术的交流。