SaTC: CORE: Small: Hardening Systems Against Low-Rate DDoS Attacks

SaTC：核心：小型：针对低速率 DDoS 攻击的强化系统

• 批准号: 1815495
• 负责人: Jelena Mirkovic
• 金额: $ 50万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1815495&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Hardening; Systems

Low-rate denial-of-service (LRD) attacks deny access to services by depleting some limited resource at the end host or a network device. This makes the device unable to process legitimate clients' traffic. LRD attacks are very challenging to detect and handle at the network level, since they are very low-rate. It makes the attack traffic a needle in a haystack of legitimate traffic. On the other hand, detecting LRD at the application would require changes to many applications, and would only be effective against specific attack variants. All online services are vulnerable to distributed denial-of-service (DDoS) attacks, and LRD attacks are especially challenging to handle today, because they can be launched from smaller botnets and at lower rates than flooding attacks. This project designs and builds an LRD defense, called Leader, which is application-agnostic and can handle both current and future attack variants with the same mechanism. Leader makes all online services robust against LRD attacks by helping the services smartly manage their resources and identify and neutralize misuse attempts. This in turn improves the security of the entire Internet, as well as the security of our critical infrastructure. Where full mitigation is not possible, the planned approach raises the bar for attackers, by forcing them to recruit large botnets. The project will generate lecture modules and practical exercises to be used in current courses and shared publicly. Leader defense builds profiles that describe how external requests, clients, applications and the entire device use system resources. These profiles, called "connection life stages" contain information about the type and the amount of the resource used, the order in which the use occurs and the time that each chunk of resource is being held. Leader compares instantaneous profiles to baseline profiles at connection, client, application and device level to detect denial of service and identify the resources being affected. Leader further uses connection life stages to perform anomaly detection, which is used for attack diagnostics and mitigation. In rare cases when the profiles do not show anomalous use of resources, or cannot attribute it to specific connections or clients, Leader resorts to offline binary analysis of affected applications. This analysis helps understand how code paths in the application use system resources, and identify possible code changes to increase robustness to LRD attacks. Leader's combination of system, network and application-level monitoring of the patterns of resource use, and the accounting of resource usage per each external service request, is a unique, novel feature. Leader defense is implemented as an operating system (OS) module, and thus protects the deploying device against all LRD attacks at the OS and the application level.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

低率拒绝服务（LRD）攻击通过在最终主机或网络设备上耗尽一些有限的资源来拒绝对服务的访问。这使设备无法处理合法客户的流量。 LRD攻击在网络级别上检测和处理非常具有挑战性，因为它们非常低。它使攻击交通成为合法交通的大麻群中的针头。另一方面，在应用程序中检测LRD将需要更改许多应用程序，并且只能对特定的攻击变体有效。所有在线服务都容易受到分布式拒绝服务（DDOS）的攻击，而LRD攻击尤其具有挑战性，因为它们可以从较小的僵尸网络发射，并且比洪水攻击较低。该项目设计并建立了一个名为Leader的LRD防御，该防御能力不合时宜，可以处理具有相同机制的当前和未来攻击变体。 领导者通过帮助服务智能管理其资源并识别和中和滥用尝试，从而使所有在线服务可抵抗LRD攻击。反过来，这提高了整个Internet的安全性以及我们关键基础架构的安全性。如果不可能进行全面缓解，则计划的方法通过迫使他们招募大型僵尸网络来提高攻击者的标准。该项目将生成讲座模块和实用练习，以在当前课程中使用并公开共享。 Leader Deficent构建了概况，描述了外部请求，客户，应用程序和整个设备使用系统资源的方式。这些概要文件称为“连接生命阶段”，包含有关所使用的资源类型和数量，使用的顺序以及所保留每个资源的时间的信息。领导者将瞬时配置文件与连接，客户端，应用程序和设备级别的基线配置文件进行比较，以检测拒绝服务并确定所影响的资源。领导者进一步使用连接生命阶段来执行异常检测，该检测用于攻击诊断和缓解。在极少数情况下，当配置文件没有显示出对资源的异常使用，或者不能将其归因于特定的连接或客户时，Leader Resorts求助于受影响的应用程序的离线二进制分析。该分析有助于了解应用程序中的代码路径如何使用系统资源，并确定可能的代码更改以增加对LRD攻击的鲁棒性。领导者对资源使用模式的系统，网络和应用程序级别的监视以及每个外部服务请求的资源使用情况的计算是一个独特的新功能。领导者防御是作为操作系统（OS）模块实施的，因此可以保护部署设备免受操作系统和应用程序级别的所有LRD攻击。该奖项反映了NSF的法定任务，并认为值得通过基金会的知识分子优点和更广泛的影响审查标准通过评估来获得支持。