TC: Small: Data Driven Analysis of Security Attacks in Large Scale Systems

TC：小型：大规模系统中的数据驱动安全攻击分析

• 批准号: 1018503
• 负责人: Zbigniew Kalbarczyk
• 金额: $ 50万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1018503&HistoricalAwards=false
• 关键词: TC; Small; Data; Driven; Analysis

Despite sophisticated monitoring tools for runtime detection of intruders and techniques designed to protect computing systems from a wide range of attacks, attackers continually penetrate even well-protected systems. Attack data from real, large-scale production environments (National Center for Supercomputing Applications (NCSA) at Illinois, in this work) are used as a basis for characterizing and modeling attacker behavior and for uncovering deficiencies of the monitoring infrastructure. Increased understanding of attacks arising from these analysis and modeling activities significantly contributes to improvements in secure systems analysis and design. The analyses uncover new and realistic attack scenarios that can guide the design of enhancements to improve system protection against malicious activities at every level. Understanding real attack patterns and classes through detailed forensics pinpoints the open holes in a network/system and characterizes attacker behavior. In-depth study of the data allows investigating actions and intentions of the attacker, and creates a foundation for the design of an automated tool to assist in data collection, analysis, and response. The size and variety of the data enable a flexible framework to be developed that can incorporate insights gained from attacks yet unseen.This research produces sound methods for automated (semi-automated) analysis of large populations of data on security attacks and develops tools to facilitate the analysis and detection. The goals are to understand the attack patterns, establish comprehensive models to capture attacker behavior, and use the models to enable development of techniques for rapid detection of malicious tampering with the system.

尽管有用于运行时检测入侵者的复杂监视工具和旨在保护计算系统免受广泛攻击的技术，但攻击者甚至不断渗透保护良好的系统。来自真实的大规模生产环境（在这项工作中，位于伊利诺伊州的国家超级计算应用中心（NCSA））的攻击数据被用作表征和建模攻击者行为以及发现监控基础设施的缺陷的基础。对这些分析和建模活动所产生的攻击的理解的增加显著有助于安全系统分析和设计的改进。这些分析揭示了新的和现实的攻击场景，可以指导增强功能的设计，以提高系统对各个级别的恶意活动的保护。通过详细的取证来了解真实的攻击模式和类别，从而查明网络/系统中的漏洞，并描述攻击者的行为。对数据的深入研究可以调查攻击者的行为和意图，并为设计自动化工具以协助数据收集，分析和响应奠定基础。数据的规模和多样性使开发一个灵活的框架，可以将从攻击中获得的见解纳入其中。这项研究为自动（半自动）分析大量安全攻击数据提供了可靠的方法，并开发了便于分析和检测的工具。其目标是了解攻击模式，建立全面的模型来捕获攻击者的行为，并使用模型，使技术的快速检测恶意篡改系统的发展。