Collaborative Research: CICI: Secure and Resilient Architecture: NetSecOps - Policy-Driven, Knowledge-Centric, Holistic Network Security Operations Architecture

协作研究：CICI：安全和弹性架构：NetSecOps - 策略驱动、以知识为中心的整体网络安全运营架构

• 批准号: 1642158
• 负责人: Jacobus VAN DER MERWE
• 金额: $ 49.99万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642158&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

Network infrastructure at University campuses is complex and sophisticated, often supporting a mix of enterprise, academic, student, research, and healthcare data, each having its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus infrastructures are increasingly under attack from malicious actors on the Internet and (often unknowingly) internal campus devices. Different parts of the campus have very different policies and regulations that govern its treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions, etc.). Furthermore, data-intensive scientific research traffic often requires exceptions to normal security policies, resulting in ad-hoc solutions that bypass standard operational procedures and leave both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still heavily rely on human domain experts to interpret high level policy documents, implement those policies through low-level mechanisms, create exceptions to accommodate scientific workflows, interpret reports and alerts, and be able to react to security events in near real time on a 24-by-7 basis.This project addresses these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that assists information technology (IT) security teams by automating many of the operational tasks that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the framework encodes high-level human-readable policies into systematic policy specifications that drive the actual configuration and operation of the infrastructure. NetSecOps is knowledge-centric in that the framework captures data, information, and knowledge about the infrastructure in a central knowledge store that informs and guides IT operational tasks. The proposed NetSecOps architecture has the following unique capabilities: (1) the ability to capture campus network security policies systematically; (2) the ability to create new fine-grained network control abstractions that leverage existing security capabilities and emerging software defined networks (SDN) to implement security policies, including policies related to both scientific workflows and IT domains; (3) the ability to implement policy traceability tools that verify whether these network abstractions maintain the integrity of the high-level policies; (4) the ability to implement knowledge-discovery tools that enable reasoning across data from existing security point-solutions, including security monitoring tools and authentication and authorization frameworks; and (5) the ability to automatically adjust the network?s security posture based on detected security events. Research results and tools from the project will be released into the public domain allowing academic institutions to utilize the resources as part of their best-practice IT security operations.

大学校园的网络基础设施复杂而复杂，通常支持企业、学术、学生、研究和医疗保健数据的混合，每种数据都有自己独特的安全、隐私和优先级策略。 保护这种复杂且高度动态的环境极具挑战性，特别是因为校园基础设施越来越多地受到互联网上的恶意攻击者和（通常在不知不觉中）内部校园设备的攻击。校园的不同部分有非常不同的政策和法规来管理其敏感数据的处理（例如，私人学生/雇员信息、健康护理数据、金融交易等）。此外，数据密集型科学研究流量通常需要正常安全策略的例外情况，导致临时解决方案绕过标准操作程序，使科学工作流程和整个校园都容易受到攻击。简而言之，最先进的校园安全操作仍然严重依赖人类领域专家来解释高级政策文件，通过低级机制实施这些政策，创建例外以适应科学工作流程，解释报告和警报，并能够在24 x 7的基础上以接近真实的时间对安全事件做出反应。称为NetSecOps（网络安全操作），通过自动化当前园区网络中繁琐、容易出错和存在其他问题的许多操作任务来帮助信息技术（IT）安全团队。NetSecOps是策略驱动的，因为该框架将高级人类可读策略编码为系统策略规范，以驱动基础设施的实际配置和操作。NetSecOps是以知识为中心的，因为该框架在中央知识存储中捕获有关基础架构的数据、信息和知识，从而通知和指导IT操作任务。所提出的NetSecOps架构具有以下独特的功能：（1）系统地捕获校园网络安全策略的能力;（2）创建新的细粒度网络控制抽象的能力，这些抽象利用现有的安全功能和新兴的软件定义网络（SDN）来实现安全策略，包括与科学工作流和IT领域相关的策略;（3）实现验证这些网络抽象是否保持高级策略的完整性的策略跟踪工具的能力;（4）实现知识发现工具的能力，该知识发现工具使得能够从现有安全点解决方案跨数据进行推理，包括安全监视工具以及认证和授权框架;以及（5）自动调整网络的能力？的安全状态。该项目的研究成果和工具将被发布到公共领域，使学术机构能够利用这些资源作为其最佳实践IT安全操作的一部分。

项目成果

WASPP: Workflow Automation for Security Policy Procedures

WASPP：安全策略程序的工作流程自动化

• DOI: 10.23919/cnsm46954.2019.9012707
• 发表时间: 2019
• 期刊: 15th International Conference on Network and Service Management (CNSM
• 作者: Quinn, Ren;Holguin, Nico;Poster, Ben;Roach, Corey;Van der Merwe, Jacobus
• 通讯作者: Van der Merwe, Jacobus

Toward Classifying Unknown Application Traffic

• 发表时间: 2018
• 作者: Ryan Baker;Ren Quinn

Deepstitch: Deep Learning for Cross-Layer Stitching in Microservices

Deepstitch：微服务中跨层拼接的深度学习

• DOI: 10.1145/3429885.3429965
• 发表时间: 2020
• 期刊: WOC'20: Proceedings of the 2020 6th International Workshop on Container Technologies and Container Clouds
• 作者: Li, Richard;Du, Min;Chang, Hyunseok;Mukherjee, Sarit;Eide, Eric
• 通讯作者: Eide, Eric

eZTrust: Network-Independent Zero-Trust Perimeterization for Microservices

eZTrust：微服务的网络独立零信任边界化

• DOI: 10.1145/3314148.3314349
• 发表时间: 2019
• 期刊: Proceedings of the 2019 ACM Symposium on SDN Research
• 作者: Zaheer, Zirak;Chang, Hyunseok;Mukherjee, Sarit;Van der Merwe, Jacobus
• 通讯作者: Van der Merwe, Jacobus