Collaborative Research: CICI: Secure and Resilient Architecture: NetSecOps -- Policy-Driven, Knowledge-Centric, Holistic Network Security Operations Architecture

合作研究：CICI：安全和弹性架构：NetSecOps——策略驱动、以知识为中心、整体网络安全运营架构

• 批准号: 1642134
• 负责人: James Griffioen
• 金额: $ 49.99万
• 依托单位: University of Kentucky Research Foundation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642134&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

Network infrastructure at University campuses is complex and sophisticated, often supporting a mix of enterprise, academic, student, research, and healthcare data, each having its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus infrastructures are increasingly under attack from malicious actors on the Internet and (often unknowingly) internal campus devices. Different parts of the campus have very different policies and regulations that govern its treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions, etc.). Furthermore, data-intensive scientific research traffic often requires exceptions to normal security policies, resulting in ad-hoc solutions that bypass standard operational procedures and leave both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still heavily rely on human domain experts to interpret high level policy documents, implement those policies through low-level mechanisms, create exceptions to accommodate scientific workflows, interpret reports and alerts, and be able to react to security events in near real time on a 24-by-7 basis.This project addresses these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that assists information technology (IT) security teams by automating many of the operational tasks that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the framework encodes high-level human-readable policies into systematic policy specifications that drive the actual configuration and operation of the infrastructure. NetSecOps is knowledge-centric in that the framework captures data, information, and knowledge about the infrastructure in a central knowledge store that informs and guides IT operational tasks. The proposed NetSecOps architecture has the following unique capabilities: (1) the ability to capture campus network security policies systematically; (2) the ability to create new fine-grained network control abstractions that leverage existing security capabilities and emerging software defined networks (SDN) to implement security policies, including policies related to both scientific workflows and IT domains; (3) the ability to implement policy traceability tools that verify whether these network abstractions maintain the integrity of the high-level policies; (4) the ability to implement knowledge-discovery tools that enable reasoning across data from existing security point-solutions, including security monitoring tools and authentication and authorization frameworks; and (5) the ability to automatically adjust the network's security posture based on detected security events. Research results and tools from the project will be released into the public domain allowing academic institutions to utilize the resources as part of their best-practice IT security operations.

大学校园中的网络基础设施复杂而复杂，通常支持企业、学术、学生、研究和医疗保健数据的混合，每个数据都有自己独特的安全、隐私和优先级策略。保护这种复杂且高度动态的环境极具挑战性，特别是因为校园基础设施越来越多地受到互联网上恶意行为者和（通常是在不知不觉中）校园内部设备的攻击。校园的不同部分有非常不同的政策和法规来管理敏感数据的处理（例如，私人学生/员工信息、医疗保健数据、金融交易等）。此外，数据密集型的科研流量通常需要例外的正常安全策略，导致临时解决方案绕过标准操作流程，使科研工作流程和校园作为一个整体容易受到攻击。简而言之，最先进的校园安全操作仍然严重依赖于人类领域专家来解释高级政策文件，通过低级机制实施这些政策，创建例外以适应科学工作流程，解释报告和警报，并能够在24 × 7的基础上近乎实时地对安全事件做出反应。该项目通过一项名为NetSecOps（网络安全运营）的合作研究工作来解决这些挑战，该项目帮助信息技术（IT）安全团队将当前校园网中繁琐、容易出错和其他问题的许多操作任务自动化。NetSecOps是策略驱动的，因为该框架将高级的人类可读策略编码为驱动基础设施的实际配置和操作的系统策略规范。NetSecOps是以知识为中心的，因为该框架在通知和指导IT操作任务的中央知识存储中捕获有关基础设施的数据、信息和知识。提出的NetSecOps架构具有以下独特的功能：(1)能够系统地捕获校园网安全策略；(2)创建新的细粒度网络控制抽象的能力，利用现有的安全功能和新兴的软件定义网络（SDN）来实施安全策略，包括与科学工作流和IT领域相关的策略；(3)实施策略可追溯性工具的能力，这些工具可以验证这些网络抽象是否保持高层策略的完整性；(4)实现知识发现工具的能力，这些工具能够从现有的安全点解决方案（包括安全监控工具和身份验证和授权框架）中进行数据推理；(5)根据检测到的安全事件自动调整网络安全态势的能力。该项目的研究成果和工具将发布到公共领域，允许学术机构利用这些资源作为其最佳实践IT安全操作的一部分。

项目成果

POLANCO: Enforcing Natural Language Network Policies

POLANCO：执行自然语言网络政策

• DOI: 10.1109/icccn49398.2020.9209748
• 发表时间: 2020
• 期刊: 2020 29th International Conference on Computer Communications and Networks (ICCCN
• 作者: Rivera, Sergio;Fei, Zongming;Griffioen, James
• 通讯作者: Griffioen, James

Towards Improved Network Security Requirements and Policy: Domain-Specific Completeness Analysis via Topic Modeling

提高网络安全要求和策略：通过主题建模进行特定领域的完整性分析

• DOI: 10.1109/aire51212.2020.00019
• 发表时间: 2020
• 期刊: 2020 IEEE 28th International Requirements Engineering Conference Workshops (REW
• 作者: Huffman Hayes, Jane

Dynamically Creating Custom SDN High-Speed Network Paths for Big Data Science Flows

为大数据科学流程动态创建自定义 SDN 高速网络路径

• DOI: 10.1145/3093338.3104155
• 发表时间: 2017
• 期刊: Practice & Experience in Advanced Research Computing Conference (PEARC 2017
• 作者: Rivera, Sergio;Hayashida, Mami;Griffioen, James;Fei, Zongming
• 通讯作者: Fei, Zongming

Multi-user Input in Determining Answer Sets (MIDAS)

确定答案集中的多用户输入 (MIDAS)

• 发表时间: 2018
• 期刊: IEEE International Conference on Requirements Engineering (RE
• 作者: Kalim, Albert

Automating Requirements Traceability: Two Decades of Learning from KDD

自动化需求可追溯性：从 KDD 中学习的两个十年

• 发表时间: 2018
• 期刊: IEEE International Conference on Requirements Engineering
• 作者: Dekhtyar, Alex