SaTC: CORE: Small: Hardening Systems Against Low-Rate DDoS Attacks

SaTC：核心：小型：针对低速率 DDoS 攻击的强化系统

• 批准号: 1815495
• 负责人: Jelena Mirkovic
• 金额: $ 50万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1815495&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Hardening; Systems

Low-rate denial-of-service (LRD) attacks deny access to services by depleting some limited resource at the end host or a network device. This makes the device unable to process legitimate clients' traffic. LRD attacks are very challenging to detect and handle at the network level, since they are very low-rate. It makes the attack traffic a needle in a haystack of legitimate traffic. On the other hand, detecting LRD at the application would require changes to many applications, and would only be effective against specific attack variants. All online services are vulnerable to distributed denial-of-service (DDoS) attacks, and LRD attacks are especially challenging to handle today, because they can be launched from smaller botnets and at lower rates than flooding attacks. This project designs and builds an LRD defense, called Leader, which is application-agnostic and can handle both current and future attack variants with the same mechanism. Leader makes all online services robust against LRD attacks by helping the services smartly manage their resources and identify and neutralize misuse attempts. This in turn improves the security of the entire Internet, as well as the security of our critical infrastructure. Where full mitigation is not possible, the planned approach raises the bar for attackers, by forcing them to recruit large botnets. The project will generate lecture modules and practical exercises to be used in current courses and shared publicly. Leader defense builds profiles that describe how external requests, clients, applications and the entire device use system resources. These profiles, called "connection life stages" contain information about the type and the amount of the resource used, the order in which the use occurs and the time that each chunk of resource is being held. Leader compares instantaneous profiles to baseline profiles at connection, client, application and device level to detect denial of service and identify the resources being affected. Leader further uses connection life stages to perform anomaly detection, which is used for attack diagnostics and mitigation. In rare cases when the profiles do not show anomalous use of resources, or cannot attribute it to specific connections or clients, Leader resorts to offline binary analysis of affected applications. This analysis helps understand how code paths in the application use system resources, and identify possible code changes to increase robustness to LRD attacks. Leader's combination of system, network and application-level monitoring of the patterns of resource use, and the accounting of resource usage per each external service request, is a unique, novel feature. Leader defense is implemented as an operating system (OS) module, and thus protects the deploying device against all LRD attacks at the OS and the application level.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

低速率拒绝服务攻击（Low-rate denial-of-service， LRD）是一种通过消耗终端主机或网络设备上有限的资源来拒绝用户访问服务的攻击。这将导致设备无法处理合法客户端的流量。在网络级别检测和处理LRD攻击非常具有挑战性，因为它们的发生率非常低。它使攻击流量成为合法流量大海捞针。另一方面，在应用程序中检测LRD将需要对许多应用程序进行更改，并且只对特定的攻击变体有效。所有在线服务都容易受到分布式拒绝服务（DDoS）攻击的攻击，而LRD攻击在今天尤其具有挑战性，因为它们可以从较小的僵尸网络发起，并且比洪水攻击的速率更低。该项目设计并构建了一个LRD防御，称为Leader，它与应用程序无关，可以用相同的机制处理当前和未来的攻击变体。Leader通过帮助服务巧妙地管理其资源，识别和消除误用企图，使所有在线服务都能抵御LRD攻击。这反过来又提高了整个互联网的安全性，以及我们关键基础设施的安全性。在无法完全缓解的情况下，计划中的方法会迫使攻击者招募大型僵尸网络，从而提高攻击者的门槛。该项目将生成讲座模块和实践练习，用于当前课程并公开分享。领导者防御构建描述外部请求、客户端、应用程序和整个设备如何使用系统资源的配置文件。这些配置文件称为“连接生命阶段”，其中包含有关所使用资源的类型和数量、使用的顺序以及每个资源块被占用的时间的信息。Leader将瞬时配置文件与连接、客户端、应用程序和设备级别的基线配置文件进行比较，以检测拒绝服务并识别受影响的资源。Leader进一步使用连接生命周期阶段执行异常检测，用于攻击诊断和缓解。在极少数情况下，当配置文件没有显示资源的异常使用，或者不能将其归因于特定的连接或客户端时，Leader会对受影响的应用程序进行脱机二进制分析。此分析有助于理解应用程序中的代码路径如何使用系统资源，并识别可能的代码更改，以增加对LRD攻击的健壮性。Leader结合了系统、网络和应用程序级别的资源使用模式监控，以及对每个外部服务请求的资源使用情况进行核算，这是一个独特的、新颖的功能。Leader防御作为操作系统模块实现，保护部署设备免受来自操作系统和应用层的所有LRD攻击。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。