CICI: Secure and Resilient Architecture: Effective and Economical Protection for High-Performance Research and Education Networks

CICI：安全和弹性架构：为高性能研究和教育网络提供有效且经济的保护

• 批准号: 1642161
• 负责人: Johanna Amann
• 金额: $ 99.95万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642161&HistoricalAwards=false
• 关键词: CICI; Secure; Resilient; Architecture; Effective

Scientific research requires the free exchange of information and ideas among collaborators worldwide. For this, scientists depend critically on full and open access to the Internet. Yet in today's world, such open access also exposes sites to incessant network attacks like theft of information, parasitic resource consumption, or suffering from (or inadvertently participating in) denial-of-service (DOS) attacks. Some of the most powerful networks today remain particularly hard to defend: the 100G environments and backbones that facilitate modern data-intensive sciences - physics, astronomy, medicine, climate research - prove extremely sensitive to the slightest disturbances. For these networks, traditional enterprise solutions such as firewalls and intrusion detection systems (IDS), remain infeasible as they cannot operate reliably at such high speeds. This project develops a novel, comprehensive framework that integrates software and hardware for the economical protection of critical high-performance science infrastructure.The project increases the performance of network monitoring by offloading low-level operations from software into hardware, such as switches and computer network interface cards. The project enables network monitoring systems to tie into the hardware offloading being developed. Furthermore, the project expands the capabilities of network monitoring systems to create visibility into science networks, for example, by adding support for the protocols used for high-speed scientific data transfers. It also extends support for responding actively to malicious activity like denial-of-service attacks. This project implements these capabilities in the open-source Bro network security monitor utilized by many NSF-supported organizations nationwide to protect their scientific cyberinfrastructure.

科学研究需要全世界合作者之间的信息和思想的自由交流。为此，科学家们关键地依赖于对互联网的全面和开放的访问。然而，在当今世界，这种开放访问也使站点暴露在不断的网络攻击之下，例如信息盗窃、寄生资源消耗或遭受（或无意中参与）拒绝服务（DOS）攻击。如今，一些最强大的网络仍然特别难以防御：100G环境和骨干网络促进了现代数据密集型科学——物理学、天文学、医学、气候研究——被证明对最轻微的干扰极其敏感。对于这些网络，传统的企业解决方案（如防火墙和入侵检测系统（IDS））仍然不可行，因为它们无法在如此高的速度下可靠地运行。该项目开发了一种新颖、全面的框架，将软件和硬件集成在一起，为关键的高性能科学基础设施提供经济保护。该项目通过将低级操作从软件卸载到硬件（如交换机和计算机网络接口卡）来提高网络监控的性能。该项目使网络监控系统能够与正在开发的硬件卸载相结合。此外，该项目扩展了网络监测系统的能力，例如通过增加对用于高速科学数据传输的协议的支持，从而创建科学网络的可见性。它还扩展了对主动响应恶意活动（如拒绝服务攻击）的支持。该项目在开放源代码的Bro网络安全监视器中实现了这些功能，该监视器被全国许多nsf支持的组织用于保护其科学网络基础设施。

项目成果

Viable Protection of High-Performance Networks through Hardware/Software Co-Design

通过硬件/软件协同设计对高性能网络提供可行的保护

• DOI: 10.1145/3040992.3041003
• 发表时间: 2017
• 期刊: Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
• 作者: Amann, Johanna;Sommer, Robin
• 通讯作者: Sommer, Robin