OAC Core: Enhancing Network Security by Implementing an ML Malware Detection and Classification Scheme in P4 Programmable Data Planes and SmartNICs

OAC 核心：通过在 P4 可编程数据平面和智能网卡中实施 ML 恶意软件检测和分类方案来增强网络安全

• 批准号: 2403360
• 负责人: Jorge Crichigno
• 金额: $ 60万
• 依托单位: University of South Carolina at Columbia
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-07-01 至 2027-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2403360&HistoricalAwards=false
• 关键词: OAC; Core; Enhancing; Network; Security

Malware attacks represent significant threats to organizations, which use a variety of approaches to protect against them. Examples include intrusion detection systems, intrusion prevention systems, and other security systems that run on general-purpose computers. Such schemes perform "deep packet inspection" (DPI), a process by which a security device protecting an organization thoroughly examines incoming traffic and alerts administrators about suspicious activities. While DPI may be effective in some scenarios, it requires significant processing. Furthermore, if the organization receives a high volume of traffic from the Internet, DPI may not keep up with the traffic and may only inspect a fraction of it. Additionally, the inspection may not be conducted in real-time and may only detect the malware after the attack.This project proposes to leverage the capability of P4 programmable data plane (PDP) switches and smartNICs to perform DPI. The project has four objectives. 1) Develop a malware detection and classification application running on PDPs, operating at line rate. The application will perform DPI of Domain Name System (DNS) packets, preventing malware from communicating with the corresponding C2 server. Traffic will be monitored in real-time, and functions commonly executed on general-purpose CPUs will be offloaded to PDPs. The plan includes analyzing DNS data, characterizing traffic patterns, and feeding such information to a machine learning (ML) algorithm. The ML algorithm will detect and classify malware according to their family (e.g., trojan, backdoor, ransomware). 2) Develop a malware detection and classification application running on a SmartNIC, for encrypted DNS packets. Research will be conducted to perform feature extraction for malware generating such packets. An ML algorithm will use the features to detect and classify the malware. 3) Develop a control application that shares threat intelligence and avoids malware propagation. As PDP switches and smartNIC detect malware, they share the threat intelligence with a centralized controller. 4) Expand the eX-IoT platform to fingerprint, store, and index newly detected and classified malware. The eX-IoT platform is a real-time platform for fingerprinting compromised devices on the Internet. The prototype running on PDPs and smart NICs will be built with open-source components available to the community, and the developed knowledge will be disseminated by synthesizing it as virtual lab libraries for courses and self-paced learning. The libraries will be distributed to colleges and universities. Finally, tutorials on malware detection and PDPs will be organized with organizations such as Internet2 and FABRIC.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

恶意软件攻击是对组织的重大威胁，组织使用各种方法来防范它们。例子包括入侵检测系统、入侵防御系统和其他在通用计算机上运行的安全系统。这种方案执行“深度数据包检测”（DPI），这是一个保护组织的安全设备彻底检查传入流量并向管理员发出可疑活动警报的过程。虽然DPI在某些情况下可能是有效的，但它需要大量的处理。此外，如果组织从互联网接收大量流量，DPI可能无法跟上流量，只能检测其中的一小部分。此外，检测可能无法实时进行，只能在攻击后检测恶意软件。本项目建议利用P4可编程数据平面（PDP）交换机和智能交换机的功能来执行DPI。该项目有四个目标。1)开发一个运行在PDP上的恶意软件检测和分类应用程序，以线速运行。该应用程序将执行域名系统（DNS）数据包的DPI，防止恶意软件与相应的C2服务器通信。流量将被实时监控，通常在通用CPU上执行的功能将被卸载到PDP。该计划包括分析DNS数据，描述流量模式，并将这些信息提供给机器学习（ML）算法。ML算法将根据恶意软件的家族（例如，木马、后门、勒索软件）。2)开发一个运行在SmartNIC上的恶意软件检测和分类应用程序，用于加密的DNS数据包。将进行研究，以执行特征提取恶意软件生成这样的数据包。ML算法将使用这些特征来检测和分类恶意软件。3)开发一个控制应用程序，共享威胁情报并避免恶意软件传播。当PDP交换机和smartNIC检测到恶意软件时，它们会与集中控制器共享威胁情报。4)扩展eX-IoT平台，对新检测到的恶意软件进行指纹识别、存储和索引。eX-IoT平台是一个实时平台，用于对互联网上的受损设备进行指纹识别。运行在PDP和智能手机上的原型将使用社区可用的开源组件构建，开发的知识将通过将其合成为虚拟实验室图书馆进行传播，用于课程和自定进度的学习。这些图书馆将分发给各学院和大学。最后，将与Internet 2和FABRIC等组织一起组织有关恶意软件检测和PDP的教程。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。