Collaborative Research: CICI: Secure and Resilient Architecture: S3D: A New SDN-Based Security Framework for the Science DMZ

合作研究：CICI：安全和弹性架构：S3D：用于科学 DMZ 的新的基于 SDN 的安全框架

• 批准号: 1642129
• 负责人: Guofei Gu
• 金额: $ 35万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-11-01 至 2021-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642129&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

The Science DMZ (SDMZ) is a key foundational element in building state-of-the-art scientific research infrastructure. The SDMZ is a portion of the network, built at the campus or laboratory's edge, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or enterprise computing. SDMZs are increasingly being implemented by research agencies, campuses and national labs. In order to improve the throughput of scientific research data, NSF has funded many Science DMZ implementations on campuses by upgrading research network connectivity and encouraging installation of a SDMZ. However, the SDMZ has characteristics that separate it as a unique ecosystem which cannot simply adopt existing enterprise and cloud based network security technologies and policies. This project designs and prototypes an integrated Software Defined Network (SDN) security framework for managing data-intensive science applications utilizing the Science DMZ (SDMZ) model. It offers one of the first demonstrations of how fine-grained security controls can co-exist within a high performance data-intensive network. This project produces significant advancements in the trustworthiness and reliability of large-scale data-intensive scientific research infrastructures.This project evaluates the current state of the SDMZ security architecture, then identifies the current shortcomings in its existing security services. The new proposed framework: 1) defines fine-grained network flow controls using dynamically deployable security services that are migratable and science-application aware; 2) defines a new class of network privilege management policies that can revoke or divert flows that violate SDMZ policies or that differ from user-defined, application-specific usage expectations; 3) establishes high-performance virtual circuits that enable data intensive applications to register and fast-path their authenticated flows across the SDMZ. Furthermore, this project introduces a unified security policy engine to dramatically simplify the control of the above three services. The policy engine offers a valuable and user-friendly abstraction to meet the domain-specific needs of the SDMZ.

科学DMZ（SDMZ）是建立最先进的科学研究基础设施的关键基础要素。 SDMZ是在校园或实验室边缘建造的网络的一部分，其设计为使设备，配置和安全策略已针对高性能科学应用优化，而不是用于通用商业系统或企业计算。 SDMZ越来越多地由研究机构，校园和国家实验室实施。为了改善科学研究数据的吞吐量，NSF通过升级研究网络的连接并鼓励安装SDMZ，为校园中的许多科学DMZ实施提供了资金。但是，SDMZ具有将其分为独特的生态系统的特征，不能简单地采用现有的企业和基于云的网络安全技术和策略。该项目设计和原型是使用科学DMZ（SDMZ）模型管理数据密集型科学应用程序的集成软件定义网络（SDN）安全框架。它提供了第一个证明，以表明如何在高性能数据密集型网络中共存细粒度的安全控制。该项目在大规模数据密集型科学研究基础架构的可信度和可靠性方面产生了重大进步。本项目评估了SDMZ安全体系结构的当前状态，然后确定了现有安全服务中当前的缺点。新提出的框架：1）使用动态可部署的安全服务定义细颗粒的网络流量控制，这些安全服务是可迁移且科学应用的； 2）定义一类新的网络特权管理策略，可以撤销或转移违反​​SDMZ策略或与用户定义的，特定于应用程序的使用期望值不同的流动； 3）建立高性能的虚拟电路，以使数据密集型应用程序在SDMZ上注册并快速path其身份验证的流量。此外，该项目推出了统一的安全策略引擎，以极大地简化上述三个服务的控制。该策略引擎提供了有价值且用户友好的抽象，以满足SDMZ的特定领域需求。

项目成果

Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era

• DOI: 10.1145/3243734.3243749
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Haopei Wang;Guangliang Yang;Phakpoom Chinprutthiwong;Lei Xu;Yangyong Zhang;G. Gu

Unexpected Data Dependency Creation and Chaining: A New Attack to SDN

• DOI: 10.1109/sp40000.2020.00017
• 发表时间: 2020-05
• 期刊: 2020 IEEE Symposium on Security and Privacy (SP)
• 作者: Feng Xiao;Jinquan Zhang;Jianwei Huang;G. Gu;Dinghao Wu;Peng Liu

Realtime DDoS Defense Using COTS SDN Switches via Adaptive Correlation Analysis

通过自适应相关分析使用 COTS SDN 交换机进行实时 DDoS 防御

• DOI: 10.1109/tifs.2018.2805600
• 发表时间: 2018-07-01
• 期刊: IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY
• 影响因子: 6.8
• 作者: Zheng, Jing;Li, Qi;Wu, Jianping
• 通讯作者: Wu, Jianping

Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures

• DOI: 10.1007/978-3-030-00470-5_8
• 发表时间: 2018-09
• 作者: Menghao Zhang;Guanyu Li;Lei Xu;J. Bi;G. Gu;Jia-Ju Bai

vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems

• DOI: 10.1145/3243734.3243862
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Hongda Li;Hongxin Hu;G. Gu;Gail-Joon Ahn;Fuqiang Zhang