Collaborative Research: NeTS: JUNO3: Leveraging Heterogeneous Programmable Data Planes for Security and Privacy of Cellular Networks, 5G & Beyond

合作研究：NetS：JUNO3：利用异构可编程数据平面实现蜂窝网络、5G 的安全和隐私

• 批准号: 2210380
• 负责人: Timothy Wood
• 金额: $ 22.5万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-09-01 至 2025-08-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2210380&HistoricalAwards=false
• 关键词: Collaborative; Research; NeTS; JUNO3; Leveraging

Securing “5G and beyond” cellular networks is critical to support the growing traffic from mobile and IoT devices. Significant parts of the cellular network infrastructure are being implemented on software-based environments. The shift to a disaggregated, virtualized cellular core network may result in an increased attack surface and greater vulnerability. Slow attacks, which attempt to avoid notice, can be damaging as they cannot be easily detected, and generally require the memory and computational capacity of end-host security middleboxes to detect or prevent them. Likewise, attackers seeking to violate user-privacy by eavesdropping on communication, cannot be easily prevented, especially at large scale. These threats leave both cellular users and operators vulnerable to attacks. This joint US-Japan project seeks to provide strong security monitoring and privacy protection solutions that exploit the high speed of programmable switches, the increased capabilities of programmable network interface cards, and the memory/computational capacity of end-host servers. By leveraging the strengths of each of these data plane components, the project will develop an efficient and performant cellular network security solution. To achieve this goal, this joint US-Japan project will pursue technical tasks that will be collaboratively pursued by the PIs based in the US and Japan. First, the team will design a heterogeneous data plane framework that cohesively combines multiple data plane devices for network function processing. The approach will use a collaborative filtering system, where most of the traffic is processed only by high-speed programmable switches that can easily extract aggregated, coarse-grained metrics. Suspicious traffic will be redirected to programmable network interface cards, or the host as necessary, for further inspection and metrics collection. Second, the project will develop real-time monitoring of cellular traffic, leveraging the cellular core network as a key vantage point. Monitoring at the cellular core can not only effectively detect and thwart data plane-based attacks, but also those on the control plane. It is in the unique position of being able to correlate between data and control plane state to further improve upon existing approaches to detect security attacks. Finally, the project will design privacy protection mechanisms that ensure anonymity of users in the face of fingerprinting attacks. The approach will leverage traffic morphing techniques that leverage the entire range of capabilities of a multi-tier, programmable, heterogeneous data plane framework, to enable high-speed operation. The proposed techniques will have significant societal impact by providing strong threat prevention and privacy preservation for cellular network users and their traffic.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

确保“5G及以上”蜂窝网络的安全对于支持移动和物联网设备日益增长的流量至关重要。蜂窝网络基础设施的大部分都是在基于软件的环境中实施的。向分散的、虚拟化的蜂窝核心网络的转变可能会导致更大的受攻击面和更大的脆弱性。试图躲避注意的缓慢攻击可能是破坏性的，因为它们不容易被检测到，并且通常需要终端主机安全中间盒的内存和计算能力来检测或防止它们。同样，试图通过窃听通信来侵犯用户隐私的攻击者也不容易阻止，特别是在大规模情况下。这些威胁使手机用户和运营商都容易受到攻击。这一美日联合项目旨在提供强大的安全监控和隐私保护解决方案，利用可编程开关的高速、可编程网络接口卡的增强功能以及终端主机服务器的内存/计算能力。通过利用每个数据平面组件的优势，该项目将开发高效且性能卓越的蜂窝网络安全解决方案。为了实现这一目标，这个美日联合项目将执行由美国和日本的私人投资机构合作完成的技术任务。首先，该团队将设计一个异类数据平面框架，将多个数据平面设备紧密结合在一起进行网络功能处理。该方法将使用协作过滤系统，其中大部分流量仅由高速可编程交换机处理，这些交换机可以轻松提取聚合的粗粒度指标。可疑流量将被重定向至可编程网络接口卡或主机(如有必要)，以进行进一步检查和指标收集。其次，该项目将利用蜂窝核心网络作为关键优势，开发对蜂窝流量的实时监控。在蜂窝核心进行监控不仅可以有效地检测和阻止基于数据平面的攻击，而且还可以检测和阻止控制平面上的攻击。它处于能够在数据和控制平面状态之间关联的独特位置，以进一步改进现有的检测安全攻击的方法。最后，该项目将设计隐私保护机制，确保用户在面临指纹攻击时的匿名性。该方法将利用流量变形技术，该技术利用多层、可编程的异类数据平面框架的所有功能，以实现高速运营。建议的技术将产生重大的社会影响，为蜂窝网络用户及其流量提供强大的威胁防御和隐私保护。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。