OAC Core: Enhancing Network Security by Implementing an ML Malware Detection and Classification Scheme in P4 Programmable Data Planes and SmartNICs

OAC 核心：通过在 P4 可编程数据平面和智能网卡中实施 ML 恶意软件检测和分类方案来增强网络安全

• 批准号: 2403360
• 负责人: Jorge Crichigno
• 金额: $ 60万
• 依托单位: University of South Carolina at Columbia
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-07-01 至 2027-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2403360&HistoricalAwards=false
• 关键词: OAC; Core; Enhancing; Network; Security

Malware attacks represent significant threats to organizations, which use a variety of approaches to protect against them. Examples include intrusion detection systems, intrusion prevention systems, and other security systems that run on general-purpose computers. Such schemes perform "deep packet inspection" (DPI), a process by which a security device protecting an organization thoroughly examines incoming traffic and alerts administrators about suspicious activities. While DPI may be effective in some scenarios, it requires significant processing. Furthermore, if the organization receives a high volume of traffic from the Internet, DPI may not keep up with the traffic and may only inspect a fraction of it. Additionally, the inspection may not be conducted in real-time and may only detect the malware after the attack.This project proposes to leverage the capability of P4 programmable data plane (PDP) switches and smartNICs to perform DPI. The project has four objectives. 1) Develop a malware detection and classification application running on PDPs, operating at line rate. The application will perform DPI of Domain Name System (DNS) packets, preventing malware from communicating with the corresponding C2 server. Traffic will be monitored in real-time, and functions commonly executed on general-purpose CPUs will be offloaded to PDPs. The plan includes analyzing DNS data, characterizing traffic patterns, and feeding such information to a machine learning (ML) algorithm. The ML algorithm will detect and classify malware according to their family (e.g., trojan, backdoor, ransomware). 2) Develop a malware detection and classification application running on a SmartNIC, for encrypted DNS packets. Research will be conducted to perform feature extraction for malware generating such packets. An ML algorithm will use the features to detect and classify the malware. 3) Develop a control application that shares threat intelligence and avoids malware propagation. As PDP switches and smartNIC detect malware, they share the threat intelligence with a centralized controller. 4) Expand the eX-IoT platform to fingerprint, store, and index newly detected and classified malware. The eX-IoT platform is a real-time platform for fingerprinting compromised devices on the Internet. The prototype running on PDPs and smart NICs will be built with open-source components available to the community, and the developed knowledge will be disseminated by synthesizing it as virtual lab libraries for courses and self-paced learning. The libraries will be distributed to colleges and universities. Finally, tutorials on malware detection and PDPs will be organized with organizations such as Internet2 and FABRIC.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

恶意软件攻击代表了对组织的重大威胁，这些威胁使用各种方法来防止它们。示例包括入侵检测系统，入侵预防系统以及其他通用计算机运行的安全系统。这样的方案执行“深度数据包检查”（DPI），该过程通过该过程彻底检查了组织的安全设备，可以彻底检查流量，并向管理员发出可疑活动。虽然DPI在某些情况下可能有效，但需要进行大量处理。此外，如果该组织从Internet获得大量流量，DPI可能无法跟上流量，并且只能检查其中的一小部分。此外，检查可能不会实时进行，并且只能在攻击后检测到恶意软件。本项目建议利用P4可编程数据平面（PDP）开关和智能努力的功能来执行DPI。该项目有四个目标。 1）开发在PDP上运行的恶意软件检测和分类应用程序，以行速率运行。该应用程序将执行域名系统（DNS）数据包的DPI，以防止恶意软件与相应的C2服务器进行通信。流量将进行实时监控，并且在通用CPU上通常执行的功能将被卸载到PDPS。该计划包括分析DNS数据，表征流量模式，并将此类信息提供给机器学习（ML）算法。 ML算法将根据其家人（例如Trojan，Backdoor，勒索软件）检测和分类恶意软件。 2）为加密的DNS数据包开发在智能NIC上运行的恶意软件检测和分类应用程序。将进行研究，以执行用于生成此类数据包的恶意软件的功能提取。 ML算法将使用这些功能来检测和对恶意软件进行分类。 3）开发一个共享威胁情报并避免恶意软件传播的控制应用程序。随着PDP开关和智能检测恶意软件，他们与集中式控制器共享威胁智能。 4）将前iot平台扩展到指纹，存储和索引新检测和分类恶意软件。前iot平台是一个实时平台，用于在Internet上指纹识别设备。在PDP和Smart NIC上运行的原型将使用社区可用的开源组件构建，并且将通过将其综合为课程和自行车学习的虚拟实验室库来传播开发的知识。图书馆将分发给大学。最后，有关恶意软件检测和PDP的教程将与Internet2和Fabric这样的组织组织。该奖项反映了NSF的法定任务，并且使用基金会的知识分子优点和更广泛的影响评估标准，被认为值得通过评估来提供支持。