Collaborative Research: CICI: Secure and Resilient Architecture: SciGuard: Building a Security Architecture for Science DMZ Based on SDN and NFV Technologies

合作研究：CICI：安全和弹性架构：SciGuard：基于SDN和NFV技术构建科学DMZ安全架构

• 批准号: 2128607
• 负责人: Hongxin Hu
• 金额: $ 49.98万
• 依托单位: SUNY at Buffalo
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-04-01 至 2022-03-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2128607&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

As data-intensive science becomes the norm in many fields of science, high-performance data transfer is rapidly becoming a standard cyberinfrastructure requirement. To meet this requirement, an increasingly large number of university campuses have deployed Science DMZs. A Science DMZ is a portion of the network, built at or near the edge of the campus or laboratory's network, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose computing. This project develops a secure and resilient architecture called SciGuard that addresses the security challenges and the inherent weaknesses in Science DMZs. SciGuard is based on two emerging networking paradigms, Software-Defined Networking (SDN) and Network Function Virtualization (NFV), both of which enable the granularity, flexibility and elasticity needed to secure Science DMZs. Two core security functions, an SDN firewall application and a virtual Intrusion Detection System (IDS), coexist in SciGuard for protecting Science DMZs. The SDN firewall application is a software-based, in-line security function running atop the SDN controller. It can scale well without bypassing the firewall using per-flow/per-connection network traffic processing. It is also separated from the institutional hardware-based firewalls to enforce tailored security policies for the science-only traffic sent to Science DMZs. The virtual IDS is an NFV-based, passive security function, which can be quickly instantiated and elastically scaled to deal with attack traffic variations in Science DMZs, while significantly reducing both equipment and operational costs. In addition to these functions, the researchers also design a cloud-based federation mechanism for SciGuard to support security policy automatic testing and security intelligence sharing. The new mechanisms developed in this project are robust, scalable, low cost, easily managed, and optimally provisioned, therefore substantially enhancing the security of Science DMZs. This research encourages the diversity of students involved in the project by active recruitment of women and other underrepresented groups for participation in the project. The project has substantial involvement of graduate students in research, and trains promising undergraduate students in the implementation and experiments of the proposed approach. Moreover, the project enhances academic curricula by integrating the research findings into new and existing courses.

随着数据密集型科学成为许多科学领域的常态，高性能数据传输正在迅速成为标准的网络基础设施要求。为了满足这一要求，越来越多的大学校园部署了科学DMZ。科学DMZ是网络的一部分，建立在校园或实验室网络的边缘或附近，其设计是为了使设备、配置和安全策略针对高性能科学应用而不是通用计算进行优化。该项目开发了一个名为SciGuard的安全和弹性架构，解决了科学DMZ中的安全挑战和固有弱点。SciGuard基于两种新兴的网络模式，软件定义网络（SDN）和网络功能虚拟化（NFV），这两种模式都可以实现保护科学DMZ所需的粒度，灵活性和弹性。两个核心安全功能，SDN防火墙应用程序和虚拟入侵检测系统（IDS），共存于SciGuard中，用于保护科学DMZ。SDN防火墙应用程序是在SDN控制器上运行的基于软件的在线安全功能。它可以很好地扩展，而无需绕过防火墙使用每个流/每个连接的网络流量处理。 它还与机构基于硬件的防火墙分离，以针对发送到科学DMZ的仅科学流量实施定制的安全策略。虚拟IDS是一种基于NFV的被动安全功能，可以快速实例化和弹性扩展，以应对Science DMZ中的攻击流量变化，同时显著降低设备和运营成本。除了这些功能，研究人员还为SciGuard设计了一个基于云的联邦机制，以支持安全策略自动测试和安全情报共享。该项目中开发的新机制是强大的，可扩展的，低成本的，易于管理的，并优化配置，因此大大提高了科学DMZ的安全性。这项研究通过积极招募妇女和其他代表性不足的群体参与该项目，鼓励参与该项目的学生的多样性。该项目有大量的研究生参与研究，并培养有前途的本科生在实施和实验所提出的方法。此外，该项目通过将研究成果纳入新的和现有的课程，加强了学术课程。

项目成果

Understanding and Detecting Remote Infection on Linux-based IoT Devices

• DOI: 10.1145/3488932.3517423
• 发表时间: 2022-05
• 期刊: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
• 作者: Hongda Li;Qiqing Huang;Fei Ding;Hongxin Hu;Long Cheng;G. Gu;Ziming Zhao

Measuring the Effectiveness of Privacy Policies for Voice Assistant Applications

• DOI: 10.1145/3427228.3427250
• 发表时间: 2020-07
• 期刊: Proceedings of the 36th Annual Computer Security Applications Conference
• 作者: Song Liao;Christin Wilson;Long Cheng;Hongxin Hu;Huixing Deng

Teaching SDN Security Using Hands-on Labs in CloudLab

使用 CloudLab 中的动手实验室教授 SDN 安全性

• 发表时间: 2020
• 期刊: Journal of the Colloquium for Information System Security Education
• 作者: Yuan, Xiaohong;Liu, Zhipeng;Park, Younghee;Hu, Hongxin;Li, Hongda
• 通讯作者: Li, Hongda

Building a Security OS With Software Defined Infrastructure

使用软件定义基础设施构建安全操作系统

• DOI: 10.1145/3124680.3124720
• 发表时间: 2017
• 期刊: Proceedings of the 8th Asia-Pacific Workshop on Systems
• 作者: Gu, Guofei;Hu, Hongxin;Keller, Eric;Lin, Zhiqiang;Porter, Donald E.
• 通讯作者: Porter, Donald E.

On the Safety and Efficiency of Virtual Firewall Elasticity Control

虚拟防火墙弹性控制的安全性和高效性

• 发表时间: 2017
• 期刊: 24th Network and Distributed System Security Symposium (NDSS 2017
• 作者: Juan Deng, Hongda Li