SDI-CSCS: Collaborative Research: S2OS: Enabling Infrastructure-Wide Programmable Security with SDI

SDI-CSCS：协作研究：S2OS：通过 SDI 实现基础设施范围内的可编程安全性

• 批准号: 1700499
• 负责人: Hongxin Hu
• 金额: $ 40万
• 依托单位: Clemson University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2021-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1700499&HistoricalAwards=false
• 关键词: SDI; CSCS; Collaborative; Research; S2OS

Traditionally, many of our critical systems have been developed with security as a reactive add-on, rather than a by default design. As a result, existing security mechanisms are often fragmented, hard to configure or verify, which makes it difficult to defend against various cyber attacks. This project will build the "holy grail" for enterprise/cloud/data-center security management with software-defined infrastructure (SDI): a unified framework for security and management of disparate resources, ranging from processes to storage to networking. Cloud computing is now an essential part of our national cyberinfrastructure; the proposed work will lower the total cost of ownership for clouds - further unlocking economic and environmental benefits - as well as improving the security of today's clouds.This project proposes S2OS (SDI-defined Security Operating System), which abstracts security capabilities and primitives at both the host Operating System (OS) and network levels and offers an easy-to-use and programmable security model for monitoring and dynamically securing applications. This project will explore new techniques to transparently compose software into a unified enterprise, even if the individual pieces were never explicitly designed to inter-operate, similar in a way a traditional operating system managing various hardware resources for upper-layer user applications. Further, this project will contribute new ways to leverage global information for making effective local security management decisions. Finally, this project enables new innovations in programming dynamic, host-network coordinated, and intelligent security applications to protect the entire infrastructure.This project will make significant contributions to how enterprise, data centers and cloud computing are securely built and managed. The project's PIs will engage in educational and outreach activities to train the next generation talent. In particular, the PIs plan to integrate the interdisciplinary research ideas into courses spanning networking, systems and security. The project will also actively encourage participation from underrepresented groups and transfer technology to industry partners.

传统上，我们的许多关键系统都是将安全性作为响应式附加组件开发的，而不是默认设计。因此，现有的安全机制往往是碎片化的，难以配置或验证，这使得难以抵御各种网络攻击。该项目将通过软件定义基础设施（SDI）构建企业/云/数据中心安全管理的“圣杯”：一个统一的安全和管理不同资源的框架，从流程到存储再到网络。云计算现在是我们国家网络基础设施的重要组成部分；拟议的工作将降低云的总拥有成本——进一步释放经济和环境效益——并提高当今云的安全性。该项目提出了S2OS （sdi定义的安全操作系统），它抽象了主机操作系统（OS）和网络级别的安全功能和原语，并提供了一个易于使用和可编程的安全模型，用于监控和动态保护应用程序。这个项目将探索新的技术，以透明地将软件组合成一个统一的企业，即使单个部分从未明确设计为互操作，类似于传统操作系统为上层用户应用程序管理各种硬件资源的方式。此外，该项目将为利用全球信息制定有效的本地安全管理决策提供新的方法。最后，该项目实现了动态编程、主机-网络协调和智能安全应用程序的创新，以保护整个基础设施。该项目将为企业、数据中心和云计算的安全构建和管理做出重大贡献。该项目的pi将参与教育和推广活动，以培养下一代人才。特别是，pi计划将跨学科的研究理念整合到跨越网络、系统和安全的课程中。该项目还将积极鼓励代表性不足的群体参与，并将技术转让给工业伙伴。

项目成果

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches

Poseidon：利用可编程开关缓解容量 DDoS 攻击

• DOI: 10.14722/ndss.2020.24007
• 发表时间: 2020
• 期刊: the 27th Network and Distributed System Security Symposium (NDSS 2020
• 作者: Zhang, M.;Li, G.;Wang, S.;Liu, C.;Chen, A.;Hu, H.;Gu, G.;Li, Q.;Xu, M.;Wu, J.
• 通讯作者: Wu, J.

Towards Efficient Traffic Monitoring for Science DMZ with Side-Channel based Traffic Winnowing

利用基于侧信道的流量风选实现科学 DMZ 的高效流量监控

• DOI: 10.1145/3180465.3180474
• 发表时间: 2018
• 期刊: ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization
• 作者: Li, Hongda;Zhang, Fuqiang;Yu, Lu;Oakley, Jon;Hu, Hongxin;Brooks, Richard R.
• 通讯作者: Brooks, Richard R.

vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems

• DOI: 10.1145/3243734.3243862
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Hongda Li;Hongxin Hu;G. Gu;Gail-Joon Ahn;Fuqiang Zhang

When NFV Meets ANN: Rethinking Elastic Scaling for ANN-based NFs

• DOI: 10.1109/icnp.2019.8888133
• 发表时间: 2019-10
• 期刊: 2019 IEEE 27th International Conference on Network Protocols (ICNP)
• 作者: Menghao Zhang;Jia-Ju Bai;Guanyu Li;Zili Meng;Hongda Li;Hongxin Hu;Mingwei Xu

Interpreting Deep Learning-Based Networking Systems

• DOI: 10.1145/3387514.3405859
• 发表时间: 2019-10
• 期刊: Proceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, architectures, and protocols for computer communication
• 作者: Zili Meng;Minhu Wang;Jia-Ju Bai;Mingwei Xu;Hongzi Mao;Hongxin Hu