NSF-BSF: SaTC: CORE: Small: Prevention, Detection and Mitigation for Secure Interdomain Routing

NSF-BSF：SaTC：CORE：小型：安全域间路由的预防、检测和缓解

• 批准号: 2247810
• 负责人: Amir Herzberg
• 金额: $ 59.98万
• 依托单位: University of Connecticut
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-07-01 至 2026-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2247810&HistoricalAwards=false
• 关键词: NSF; BSF; SaTC; CORE; Small

The Border Gateway Protocol (BGP) is the glue that connects hundreds of thousands of autonomous systems into the global Internet infrastructure. From its inception, BGP however has no built-in security mechanisms. This vulnerability has been abused for myriad attacks, many causing large-scale network disruptions and catastrophic financial loss. Extensive efforts on securing BGP have led to the current increasing deployment of mechanisms for authenticating and validating route origins. As a result, simple prefix hijacks are expected to become less effective. While this is encouraging, attackers can adopt many other forms of more sophisticated attacks, e.g., path manipulation attacks and route leaks, which can be extremely damaging. While many prevention techniques have been proposed by academia, industry and standardization organizations, none of them has been actively deployed , partly because of insufficient attention paid to deployment challenges. This NSF-BSF project aims to develop effective and deployable solutions to significantly improve BGP security. In addition, this project incorporates research outcome in course development and provides research opportunities to underrepresented students. This project takes a multi-pronged approach to improve BGP security. First, it develops effective and deployable strategies to prevent attacks to BGP. Th proposed techniques aim to finally overcome the long-standing obstacle of deploy-ability by combining significantly better security under partial deployment with significantly lower overhead. Second, this project develops a detect-then-prevent service that is broadly applicable to many types of attacks, including 'hidden' and 'stealthy' attacks that are difficult to prevent directly. In the same time the approaches will keep the defense resilient to new classes of attacks that purposely mislead and abuse the detection service. Third, this project develops automated mitigation techniques, with a novel on-demand route origin authorization design, and outsourced-mitigations leveraging content delivery networks and overlay networks. Last, this project significantly advances the state-of-the-art of inter-domain routing security evaluation, by developing accurate and flexible open-source simulation tools and formal analysis mechanisms.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

边界网关协议（BGP）是将数十万个自治系统连接到全球互联网基础设施的粘合剂。然而，从一开始，BGP就没有内置的安全机制。该漏洞已被滥用于无数攻击，许多攻击造成大规模网络中断和灾难性的财务损失。在保护BGP安全方面的广泛努力已经导致当前越来越多地部署用于认证和验证路由源的机制。因此，简单的前缀劫持预计将变得不那么有效。虽然这是令人鼓舞的，但攻击者可以采用许多其他形式的更复杂的攻击，例如，路径操纵攻击和路由泄漏，这可能是非常有害的。虽然学术界、工业界和标准化组织提出了许多预防技术，但没有一项得到积极部署，部分原因是对部署方面的挑战重视不够。该NSF-BSF项目旨在开发有效且可部署的解决方案，以显着提高BGP安全性。此外，该项目将研究成果纳入课程开发中，并为代表性不足的学生提供研究机会。 该项目采取多管齐下的方法来提高BGP安全性。首先，它制定了有效的和可部署的策略，以防止攻击BGP。 所提出的技术的目的是最终克服长期存在的障碍，部署能力相结合的显着更好的安全性下的部分部署显着降低开销。其次，该项目开发了一种检测然后预防服务，广泛适用于许多类型的攻击，包括难以直接预防的“隐藏”和“隐形”攻击。与此同时，这些方法将使防御系统能够抵御故意误导和滥用检测服务的新型攻击。第三，该项目开发了自动缓解技术，具有新颖的按需路由源授权设计，以及利用内容交付网络和覆盖网络的外包缓解。最后，该项目通过开发准确、灵活的开源仿真工具和正式分析机制，显著推进了域间路由安全评估的最新技术水平。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。