Collaborative Research: SaTC: CORE: Medium: ONSET: Optics-enabled Network Defenses for Extreme Terabit DDoS Attacks

协作研究：SaTC：核心：中：ONSET：针对极端太比特 DDoS 攻击的光学网络防御

• 批准号: 2132639
• 负责人: Vyas Sekar
• 金额: $ 40万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-01-01 至 2025-12-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2132639&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

Distributed Denial of Service (DDoS) attacks continue to present a clear and imminent danger to critical network infrastructures. DDoS attacks have increased in sophistication with advanced strategies to continuously adapt (e.g., changing threat postures dynamically) and induce collateral damage (i.e., higher latency and loss for legitimate traffic). Furthermore, advanced attacks may also employ reconnaissance (e.g., mapping the network to find bottleneck links) to target the network infrastructure itself. In light of these trends, state-of-art defenses (e.g., advanced scrubbing, emerging software-defined defenses, and programmable switching hardware) have fundamental shortcomings. This project will develop a new framework, referred to as "Optics-enabled In-Network defenSe for Extreme Terabit DDoS attacks" (ONSET). The framework makes a case for new dimensions of defense agility that can programmatically control the topology of the network (in addition to the processing behavior) to tackle advanced and future attacks. The project will facilitate the use of optical technologies as an exciting visual medium for engaging K-12 students via suitable channels for dissemination. The project will also result in new course materials at the intersection of optical networking, software-defined networking, and network security to enable students to become domain experts in this emerging problem space. The project will take an interdisciplinary approach spanning security, optics, systems, and networks, to address fundamental challenges along three thrusts: (1) novel "data plane" solutions to rapidly reconfigure the wavelengths and switches and new capabilities in programmable switches to rapidly identify malicious vs. benign traffic at line rate; (2) novel "control plane" orchestration mechanisms for scalable resource management algorithms and coordinated control across optical networking and programmable switches; and (3) new "northbound application programming interfaces (APIs)" to express novel defenses to combat current and future DDoS attacks (e.g., with reconnaissance). This project will develop a new framework, referred to as "Optics-enabled In-Network defenSe for Extreme Terabit DDoS attacks" (ONSET). The research efforts will result in end-to-end prototypes using open-source and standardized interfaces to demonstrate the novel defense capabilities of ONSET. The efficacy of ONSET will be evaluated using pilot studies on operational networks to create a roadmap to practical deployment, using real testbeds and large-scale simulations. The project outcomes will be released as open-source software tools, models, and simulation frameworks that will inform industry and academic work.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

分布式拒绝服务(DDoS)攻击继续对关键网络基础设施构成明显且迫在眉睫的危险。DDoS攻击通过不断适应(例如，动态更改威胁态势)和引发附带损害(即，合法流量的更长延迟和损失)的高级策略而变得更加复杂。此外，高级攻击还可以使用侦察(例如，绘制网络以查找瓶颈链路)来瞄准网络基础设施本身。鉴于这些趋势，最先进的防御(例如，高级擦洗、新兴的软件定义防御和可编程交换硬件)存在根本缺陷。该项目将开发一种新的框架，称为“针对极端太比特DDoS攻击的光纤启用的网络内防御”(STARM)。该框架提出了防御敏捷性的新维度，可以通过编程控制网络的拓扑(除了处理行为)，以应对高级和未来的攻击。该项目将促进使用光学技术作为一种令人兴奋的视觉媒介，通过适当的传播渠道吸引K-12学生。该项目还将编写光网络、软件定义网络和网络安全交叉领域的新课程材料，使学生能够成为这一新兴问题领域的专家。该项目将采取跨越安全、光纤、系统和网络的跨学科方法，以应对三个方面的根本挑战：(1)新颖的“数据面”解决方案，用于快速重新配置波长和交换机，以及可编程交换机的新功能，用于快速识别线速恶意流量和良性流量；(2)新颖的“控制面”协调机制，用于可扩展的资源管理算法以及跨光网络和可编程交换机的协调控制；以及(3)新的“北向应用编程接口(API)”，用于表达抗击当前及未来DDoS攻击(例如通过侦察)的新颖防御能力。该项目将开发一种新的框架，称为“针对极端太比特DDoS攻击的光纤启用的网络内防御”(STARM)。这些研究工作将产生使用开源和标准化接口的端到端原型，以展示STARM的新颖防御能力。将通过对作战网络的试点研究，使用真实的试验床和大规模模拟，评估START的疗效，以创建实际部署的路线图。项目成果将以开源软件工具、模型和模拟框架的形式发布，为工业和学术工作提供信息。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。