SaTC: CORE: Small: Hardening Systems Against Low-Rate DDoS Attacks

SaTC：核心：小型：针对低速率 DDoS 攻击的强化系统

• 批准号: 1815495
• 负责人: Jelena Mirkovic
• 金额: $ 50万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1815495&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Hardening; Systems

Low-rate denial-of-service (LRD) attacks deny access to services by depleting some limited resource at the end host or a network device. This makes the device unable to process legitimate clients' traffic. LRD attacks are very challenging to detect and handle at the network level, since they are very low-rate. It makes the attack traffic a needle in a haystack of legitimate traffic. On the other hand, detecting LRD at the application would require changes to many applications, and would only be effective against specific attack variants. All online services are vulnerable to distributed denial-of-service (DDoS) attacks, and LRD attacks are especially challenging to handle today, because they can be launched from smaller botnets and at lower rates than flooding attacks. This project designs and builds an LRD defense, called Leader, which is application-agnostic and can handle both current and future attack variants with the same mechanism. Leader makes all online services robust against LRD attacks by helping the services smartly manage their resources and identify and neutralize misuse attempts. This in turn improves the security of the entire Internet, as well as the security of our critical infrastructure. Where full mitigation is not possible, the planned approach raises the bar for attackers, by forcing them to recruit large botnets. The project will generate lecture modules and practical exercises to be used in current courses and shared publicly. Leader defense builds profiles that describe how external requests, clients, applications and the entire device use system resources. These profiles, called "connection life stages" contain information about the type and the amount of the resource used, the order in which the use occurs and the time that each chunk of resource is being held. Leader compares instantaneous profiles to baseline profiles at connection, client, application and device level to detect denial of service and identify the resources being affected. Leader further uses connection life stages to perform anomaly detection, which is used for attack diagnostics and mitigation. In rare cases when the profiles do not show anomalous use of resources, or cannot attribute it to specific connections or clients, Leader resorts to offline binary analysis of affected applications. This analysis helps understand how code paths in the application use system resources, and identify possible code changes to increase robustness to LRD attacks. Leader's combination of system, network and application-level monitoring of the patterns of resource use, and the accounting of resource usage per each external service request, is a unique, novel feature. Leader defense is implemented as an operating system (OS) module, and thus protects the deploying device against all LRD attacks at the OS and the application level.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

低速率拒绝服务（LRD）攻击通过耗尽终端主机或网络设备上的某些有限资源来拒绝对服务的访问。这使得设备无法处理合法客户端的流量。LRD攻击在网络级别检测和处理非常具有挑战性，因为它们的速率非常低。它使攻击流量成为合法流量的大海捞针。另一方面，在应用程序中检测LRD将需要对许多应用程序进行更改，并且仅对特定的攻击变体有效。所有在线服务都容易受到分布式拒绝服务（DDoS）攻击，而LRD攻击在今天尤其具有挑战性，因为它们可以从较小的僵尸网络发起，并且比洪水攻击的速率更低。该项目设计并构建了一个名为Leader的LRD防御，它与应用程序无关，可以用相同的机制处理当前和未来的攻击变体。 Leader通过帮助服务智能管理其资源并识别和消除滥用尝试，使所有在线服务都能抵御LRD攻击。这反过来又提高了整个互联网的安全性，以及我们关键基础设施的安全性。在无法完全缓解的情况下，计划中的方法通过迫使攻击者招募大型僵尸网络来提高攻击者的门槛。该项目将产生用于当前课程并公开分享的授课模块和实践练习。Leader Defense构建描述外部请求、客户端、应用程序和整个设备如何使用系统资源的配置文件。这些配置文件称为“连接生命阶段”，包含有关所使用资源的类型和数量、使用发生的顺序以及每个资源块被占用的时间的信息。Leader在连接、客户端、应用程序和设备级别将即时配置文件与基线配置文件进行比较，以检测拒绝服务并识别受影响的资源。Leader还使用连接生命周期阶段来执行异常检测，用于攻击诊断和缓解。在极少数情况下，当配置文件没有显示资源的异常使用，或者无法将其归因于特定的连接或客户端时，Leader会对受影响的应用程序进行离线二进制分析。此分析有助于了解应用程序中的代码路径如何使用系统资源，并识别可能的代码更改以提高对LRD攻击的鲁棒性。Leader将系统、网络和应用程序级别的资源使用模式监控与每个外部服务请求的资源使用会计相结合，是一个独特的新颖功能。Leader Defense作为一个操作系统（OS）模块实现，从而保护部署设备免受OS和应用程序级别的所有LRD攻击。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。