TC: Medium: Collaborative Research: Tracking Adversarial Behavior in Distributed Systems with Secure Networked Provenance

TC：中：协作研究：通过安全网络来源跟踪分布式系统中的对抗行为

• 批准号: 1065130
• 负责人: Andreas Haeberlen
• 金额: $ 84.58万
• 依托单位: University of Pennsylvania
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2017-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1065130&HistoricalAwards=false
• 关键词: TC; Medium; Collaborative; Research; Tracking

Operators of networks and distributed systems often find themselves needing to answer a diagnostic or forensic question -- some part of the system is found to be in an unexpected state, and the operators must decide whether the state is legitimate or a symptom of a clandestine attack. In such cases, it would be useful to ask the system for an 'explanation' of the observed state. In the absence of attacks, emerging network provenance techniques can construct such explanations by constructing a chain of events that links the observed state to its root causes. However, an attacker can cause the nodes under his control to forge or suppress information and thus produce a plausible (but incorrect) explanation. As a result, the operators may fail to notice the attack.This research develops secure network provenance techniques that can provide useful explanations even when the system is under attack by a powerful adversary. The project (i) substantially extends and generalizes the concept of network provenance by adding capabilities needed in a forensic setting; (ii) develops techniques for securely storing provenance without any trusted components; (iii) designs methods for efficiently querying secure provenance; (iv) introduces methods for protecting the confidentiality of provenance; and (v) evaluates these techniques in the context of concrete applications.The project's theme of provenance and forensics is integrated with Penn's new undergraduate program in Market and Social Systems Engineering. It will provide forensics support for a wide variety of distributed applications, including emerging cloud applications upon which critical infrastructure may soon be based.

网络和分布式系统的运营商经常发现自己需要回答一个诊断或取证问题-系统的某个部分被发现处于意外状态，运营商必须决定该状态是合法的还是秘密攻击的症状。在这种情况下，要求系统对观察到的状态进行“解释”将是有用的。在没有攻击的情况下，新兴的网络起源技术可以通过构建一系列事件来构建这样的解释，这些事件将观察到的状态与其根本原因联系起来。然而，攻击者可以使其控制下的节点伪造或隐藏信息，从而产生一个看似合理（但不正确）的解释。因此，运营商可能无法注意到的attack.This研究开发安全的网络起源技术，可以提供有用的解释，即使当系统受到攻击的一个强大的对手。该项目（一）通过增加法医环境所需的能力，大大扩展和推广了网络来源的概念;（二）开发了在没有任何可信组件的情况下安全存储来源的技术;（三）设计了有效查询安全来源的方法;（四）采用了保护来源机密性的方法;以及（v）在具体应用的背景下评估这些技术。该项目的起源和取证主题与宾夕法尼亚大学新的市场和社会系统工程本科课程相结合。它将为各种分布式应用程序提供取证支持，包括可能很快成为关键基础设施基础的新兴云应用程序。