TWC: TTP Option: Small: Collaborative: Scalable Techniques for Better Situational Awareness: Algorithmic Frameworks and Large-Scale Empirical Analyses

TWC：TTP 选项：小型：协作：可扩展技术以实现更好的态势感知：算法框架和大规模实证分析

• 批准号: 1421747
• 负责人: Angelos Stavrou
• 金额: $ 17.49万
• 依托单位: George Mason University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-09-01 至 2017-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1421747&HistoricalAwards=false
• 关键词: TWC; TTP; Option; Small; Collaborative

Attacks on computer networks are an all too familiar event, leaving operators with little choice but to deploy a myriad of monitoring devices to ensure dependable and stable service on the networks they operate. However, as networks grow bigger and faster, staying ahead of the constant deluge of attack traffic is becoming increasingly difficult. A case in point is the attacks on enterprise name servers that interact with the Domain Name System (DNS). These name servers are critical infrastructure, busily translating human readable domain names to IP addresses. DNS is a hotbed of malicious activity, and when properly monitored, it can offer invaluable information about network attacks and malicious activity.This project furthers our collective understanding of the growing abuse of enterprise name servers whereby infected clients (bots) use automated domain-name generation algorithms to bypass network defenses. More specifically, a framework for accurately identifying bots upon seeing only a handful of unique lookups is developed based on sequential hypothesis testing. The integration of NetFlow records, with novel their indexing data-structures, delivers even deeper insight into aberrant traffic. A live deployment of the system demonstrates the utility of this approach and provides the opportunity for interactively querying the recorded forensic information.

对计算机网络的攻击是一个太熟悉的事件，让运营商别无选择，只能部署无数的监控设备，以确保他们运营的网络上的可靠和稳定的服务。然而，随着网络变得越来越大、越来越快，在不断泛滥的攻击流量中保持领先变得越来越困难。一个很好的例子是对与域名系统（DNS）交互的企业名称服务器的攻击。这些名称服务器是关键的基础设施，忙于将人类可读的域名转换为IP地址。DNS是恶意活动的温床，如果得到适当的监控，它可以提供有关网络攻击和恶意活动的宝贵信息。这个项目进一步加深了我们对企业名称服务器日益增长的滥用的集体理解，受感染的客户端（机器人）使用自动域名生成算法绕过网络防御。更具体地说，基于顺序假设检验开发了一个框架，用于在仅看到少数独特查找时准确识别机器人。NetFlow记录与其新颖的索引数据结构的集成提供了对异常流量的更深入的洞察。该系统的现场部署演示了这种方法的实用性，并提供了交互式查询记录的法医信息的机会。