TWC: TTP Option: Small: Collaborative: Scalable Techniques for Better Situational Awareness: Algorithmic Frameworks and Large-Scale Empirical Analyses

TWC：TTP 选项：小型：协作：可扩展技术以实现更好的态势感知：算法框架和大规模实证分析

• 批准号: 1421703
• 负责人: Fabian Monrose
• 金额: $ 49.2万
• 依托单位: University of North Carolina at Chapel Hill
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-09-01 至 2017-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1421703&HistoricalAwards=false
• 关键词: TWC; TTP; Option; Small; Collaborative

Attacks on computer networks are an all too familiar event, leaving operators with little choice but to deploy a myriad of monitoring devices to ensure dependable and stable service on the networks they operate. However, as networks grow bigger and faster, staying ahead of the constant deluge of attack traffic is becoming increasingly difficult. A case in point is the attacks on enterprise name servers that interact with the Domain Name System (DNS). These name servers are critical infrastructure, busily translating human readable domain names to IP addresses. DNS is a hotbed of malicious activity, and when properly monitored, it can offer invaluable information about network attacks and malicious activity.This project furthers our collective understanding of the growing abuse of enterprise name servers whereby infected clients (bots) use automated domain-name generation algorithms to bypass network defenses. More specifically, a framework for accurately identifying bots upon seeing only a handful of unique lookups is developed based on sequential hypothesis testing. The integration of NetFlow records, with novel their indexing data-structures, delivers even deeper insight into aberrant traffic. A live deployment of the system demonstrates the utility of this approach and provides the opportunity for interactively querying the recorded forensic information.

对计算机网络的攻击是司空见惯的事件，运营商别无选择，只能部署大量监控设备，以确保他们运营的网络提供可靠和稳定的服务。然而，随着网络规模的扩大和速度的加快，在持续的攻击流量洪流中保持领先变得越来越困难。一个恰当的例子是对与域名系统(DNS)交互的企业名称服务器的攻击。这些域名服务器是关键的基础设施，忙于将人类可读的域名转换为IP地址。DNS是恶意活动的温床，如果监控得当，它可以提供有关网络攻击和恶意活动的宝贵信息。这个项目加深了我们对企业名称服务器日益被滥用的集体理解，受感染的客户端(Bot)使用自动域名生成算法来绕过网络防御。更具体地说，基于顺序假设检验开发了一种框架，用于在仅看到少量唯一查找时准确地识别机器人。NetFlow记录与其新颖的索引数据结构的集成，使您能够更深入地了解异常流量。该系统的现场部署展示了这一方法的效用，并提供了以交互方式查询记录的法医信息的机会。