CICI: RSSD:Massive Internal System Traffic Research Analysis and Logging

CICI：RSSD：大规模内部系统流量研究分析和记录

• 批准号: 2232819
• 负责人: Alexander Merck
• 金额: $ 60万
• 依托单位: Duke University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-11-01 至 2025-10-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2232819&HistoricalAwards=false
• 关键词: CICI; RSSD; Massive; Internal; System

This project creates a dataset (the MISTRAL Dataset) for cybersecurity researchers and network operators to use in identifying threats and thereby better protect research-related resources. The sources of data contained in the Dataset reflect actual network activity to and from several scientific applications and their related cyberinfrastructure. These data are safely captured, securely stored and accessible through authorized access to associated cybersecurity researchers for in the purpose of detecting abnormal or malicious activities that could represent threats to the identified science applications and cyberinfrastructure. Because the data are collected continuously and through automated means, the MISTRAL Dataset provides a realistic and relevant characterization of threats over time. The project also produces a public version of the Dataset.The MISTRAL project encompasses an Infrastructure, the Dataset and a set of proof-of-concept analytic endeavors. The Infrastructure includes a data storage pipeline for handling an estimated 1TB/day of data stored on-premises and/or in the cloud, a reference monitoring framework, and tools for collecting, analyzing, and sharing the data and relevant metadata that characterize both north-south (Internet-facing) and east-west (lateral) data flows. The Dataset consists of safely captured domain science workflow behavior using production network flows (e.g., source/destination IP, port, protocol, date/time, number, and size of connections) and data centers and research labs, as well as supplemental data from DNS, authentication logs, intrusion detection alerts and other security event alerts (e.g., threat intelligence data detailing Indicators of Compromise). The initial proof-of-concept analytics comprise various researcher and student (graduate and undergraduate course project) data analysis efforts to devise techniques for detecting abnormal or malicious activity or to study that activity; these collaborators also test the MISTRAL environment and Dataset to recommend refinement of the Infrastructure and the data collection process.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该项目为网络安全研究人员和网络运营商创建了一个数据集（MISTRAL数据集），用于识别威胁，从而更好地保护研究相关资源。数据集中所载数据的来源反映了若干科学应用及其相关网络基础设施之间的实际网络活动。这些数据被安全地捕获，安全地存储，并通过授权访问相关的网络安全研究人员进行访问，以检测可能对已识别的科学应用和网络基础设施构成威胁的异常或恶意活动。由于数据是通过自动化手段连续收集的，MISTRAL数据集提供了一个现实和相关的威胁特征。MISTRAL项目包括一个基础设施、数据集和一系列概念验证分析工作。 该基础设施包括一个数据存储管道，用于处理估计每天1 TB的本地和/或云中存储的数据，一个参考监控框架，以及用于收集、分析和共享数据和相关元数据的工具，这些数据和元数据表征了南北（面向互联网）和东西（横向）数据流。数据集由使用生产网络流安全捕获的领域科学工作流行为组成（例如，源/目的地IP、端口、协议、日期/时间、数量和连接大小）和数据中心和研究实验室，以及来自DNS的补充数据、认证日志、入侵检测警报和其他安全事件警报（例如，威胁情报数据，详细说明妥协指标）。 最初的概念验证分析包括各种研究人员和学生（研究生和本科课程项目）数据分析工作，旨在设计检测异常或恶意活动或研究该活动的技术;这些合作者还测试MISTRAL环境和数据集，以建议改进基础设施和数据收集流程。该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估。