Award Abstract # 0831245
Collaborative Research: CT-L: CLEANSE: Cross-Layer Large-Scale Efficient Analysis of Network Activities to SEcure the Internet

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL
Initial Amendment Date: September 25, 2008
Latest Amendment Date: May 5, 2011
Award Number: 0831245
Award Instrument: Continuing Grant
Program Manager: Ralph Wachter
rwachter@nsf.gov
 (703)292-8950
CNS
 Division Of Computer and Network Systems
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2008
End Date: September 30, 2014 (Estimated)
Total Intended Award Amount: $366,899.00
Total Awarded Amount to Date: $500,000.00
Funds Obligated to Date: FY 2008 = $106,899.00
FY 2009 = $243,101.00
FY 2011 = $150,000.00
History of Investigator:
  • Michael Reiter (Principal Investigator)
    michael.reiter@duke.edu
  • Fabian Monrose (Co-Principal Investigator)
Recipient Sponsored Research Office: University of North Carolina at Chapel Hill
104 AIRPORT DR STE 2200
CHAPEL HILL
NC  US  27599-5023
(919)966-3411
Sponsor Congressional District: 04
Primary Place of Performance: University of North Carolina at Chapel Hill
104 AIRPORT DR STE 2200
CHAPEL HILL
NC  US  27599-5023
Primary Place of Performance Congressional District: 04
Unique Entity Identifier (UEI): D3LHU66KBLD5
Parent UEI: D3LHU66KBLD5
NSF Program(s): CYBER TRUST,
TRUSTWORTHY COMPUTING
Primary Program Source: 01000809DB NSF RESEARCH & RELATED ACTIVIT
01000910DB NSF RESEARCH & RELATED ACTIVIT
01001112DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 9218, HPCC
Program Element Code(s): 737100, 779500
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Layer-8 attacks (e.g., spam and phishing) are launched from a malicious service platform, e.g., a botnet, which consists of a large number of infected machines (bots). Such an attack platform relies on lower-layer network services to achieve efficiency, robustness, and stealth in its communication and attack activities. These services include look-up (e.g., DNS), hosting (e.g., Web servers), and transport (e.g., BGP).

The main research goals and approaches of the CLEANSE project are:

1. Control-plane monitoring. Much of the infrastructure for mounting layer-8 attacks involves abuse of the control plane in core network services (e.g., DNS and BGP). The CLEANSE project develops control-plane anomaly detection sensors that are distributed, online, and real-time.

2. Data-plane monitoring. The project develops new and general network anomaly detection algorithms based on traffic sampling and clustering for monitoring high-speed traffic.

3. Improved security auditing capabilities. The CLEANSE project develops packet "tagging/tainting" techniques to enable tracking and clustering of network traffic flows (e.g., that are generated by the same bot program). The project also develops improved traffic sampling capabilities that are attack-aware and distributed network-wide.

By focusing on monitoring of core network services, the CLEANSE framework aims to detect future layer-8 attacks and new forms of large-scale malware infections. The project also creates educational content, including new textbooks and on-line course materials, that directly benefits from the research activities. The CLEANSE project team also works with industry partners (including ISPs) to organize focused workshops that bring together researchers from academia and practitioners from industry/ISPs, government, and law enforcement agencies to foster the exchange of ideas, data, and technologies.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

L. Wei and M. K. Reiter "Toward practical encrypted email that supports private, regular-expression searches" International Journal of Information Security , 2014 doi:10.1007/s10207-014-0268-3

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Application attacks on the Internet, such as email and blog spam, phishing, and click fraud, manipulate network applications to victimize users. Such attacks rely on network services to efficiently and stealthily coordinate attack activities. Infected computers often use look-up services to locate the command-and-control servers and receive instructions. Hosting services allow the storage and exchange of attack-related data (e.g., malware or stolen information), analogous to the use of "drop sites" in the physical world. Finally, malware takes advantage of protocols to connect to intended victims. Such attacks therefore often result in observable service violations and anomalies because the activities of infected computers are different from normal user activity.

This project developed a better understanding of how current and future attacks might be launched and detected. In particular, we sought to identify the basic network services that are necessary for large-scale attacks, and developed new analysis and detection algorithms and infrastructures to monitor these service activities to detect and predict attacks.

Much of the research at UNC focused on the Domain Name System (DNS), which is a globally distributed collection of "name servers" and associated protocols for mapping user-friendly domain names (e.g., "nytimes.com") to the Internet Protocol (IP) addresses used to route packets to/from their websites.

- A growing trend in optimizing the speed of web browsers is to prefetch DNS resolutions for domains in hyperlinks, in case the user clicks on one. We showed that if left unchecked, DNS prefetching could lead to new security and privacy abuses.

- The importance of domain names for resale, serving ad content, or launching malware has contributed to the rise of questionable practices in acquiring them. Our accomplishments included one of the first comprehensive studies of abusive domain-registration practices. We explored ways to automatically generate high-quality domain names related to current events to measure domain "front running" by registrars and "speculation" by others.

- We studied techniques for detecting algorithmically generated domains (AGDs) that are automatically generated to minimize collisions with others. Although such domains are used by malware to thwart defenses, they are also used for benign purposes. The rise of these benign applications negatively impacts the ability to accurately classify malicious AGDs. We studied current uses of and existing detection mechanisms for AGDs, and then developed better techniques for identifying infected computers using AGDs.

Outside the context of DNS specifically, we also developed technologies and explored threats relevant to Internet defense:

- A requirement in some types of Internet monitoring is repeatedly probing some set of targets over time. While some probers exercise restraint to limit collateral damage of their probing, the literature is rife with examples of what many might consider egregious practices. We developed efficient probing algorithms and tools to more responsibly manage probing.

- Due to existing router support for collecting network traffic summaries called flow records, there is increasing attention being devoted to performing network anomaly detection using flow records. We explored the limits of analysis using flow records for security purposes, by investigating to what extent an attacker who compromises machines in an enterprise, for example, can perform his activities in a way that is undetectable in...
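The AGD bullet in the report above makes a point that is easy to miss: benign services (CDNs, for instance) also emit algorithmically generated names, so a rule that scores each domain name in isolation will flag them too. The Python block below is an added illustration of that point and is not code from the CLEANSE project or its authors. It applies a hypothetical lexical rule (label length, Shannon entropy, vowel ratio; all thresholds chosen for this example) to a constructed resolver log, then contrasts it with a per-host view that counts distinct unresolvable (NXDOMAIN) algorithmic-looking names. The client IPs, domain names and response codes are constructed for the example.

```python
"""Per-domain lexical AGD scoring versus per-host NXDOMAIN grouping.

Added illustration; thresholds and the log lines below are constructed
for this example, not taken from the CLEANSE project.
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed DNS resolver log: (client IP, queried name, response code).
SAMPLE_LOG = [
    ("10.0.0.5", "nytimes.com", "NOERROR"),
    ("10.0.0.5", "googlevideo.com", "NOERROR"),
    ("10.0.0.5", "d1a2b3c4e5f6g7.cloudfront.net", "NOERROR"),  # benign CDN-style AGD
    ("10.0.0.7", "nytimse.com", "NXDOMAIN"),                    # a user's typo
    ("10.0.0.9", "xkqzvwplmtrb.com", "NOERROR"),                # the one registered rendezvous name
    ("10.0.0.9", "qwzxrtplmnbv.com", "NXDOMAIN"),               # remaining candidates never registered
    ("10.0.0.9", "hjklzxcvbnmq.net", "NXDOMAIN"),
    ("10.0.0.9", "trwqplzxcvbm.com", "NXDOMAIN"),
    ("10.0.0.9", "gfdsmnbvcxzl.org", "NXDOMAIN"),
    ("10.0.0.9", "pkjhgfdrtyzx.com", "NXDOMAIN"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_looks_algorithmic(label: str, min_len: int = 10,
                            min_entropy: float = 3.0,
                            max_vowel_ratio: float = 0.2) -> bool:
    """Hypothetical lexical rule: a long, high-entropy, vowel-poor label."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def name_looks_algorithmic(qname: str) -> bool:
    """Apply the rule to every label left of the TLD (no public-suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")[:-1]
    return any(label_looks_algorithmic(label) for label in labels)


def flag_domains(log):
    """Per-domain view: every name the lexical rule fires on, benign or not."""
    return {qname for _, qname, _ in log if name_looks_algorithmic(qname)}


def flag_hosts(log, min_nx: int = 5):
    """Per-host view: clients with many distinct unresolvable algorithmic-looking names.

    A host running a domain-generation algorithm tries many candidates and
    most of them do not exist; a host talking to a CDN gets answers.
    """
    nx_by_client = defaultdict(set)
    for client, qname, rcode in log:
        if rcode == "NXDOMAIN" and name_looks_algorithmic(qname):
            nx_by_client[client].add(qname)
    return {client for client, names in nx_by_client.items() if len(names) >= min_nx}


if __name__ == "__main__":
    print("lexical rule flags:", sorted(flag_domains(SAMPLE_LOG)))
    print("hosts with NXDOMAIN bursts:", sorted(flag_hosts(SAMPLE_LOG)))
```

Run stand-alone, the per-domain rule flags the CDN-style name alongside the six generated ones, while the per-host view flags only 10.0.0.9, because its algorithmic-looking names mostly fail to resolve. The thresholds are illustrative; a real deployment would calibrate them against its own traffic and would need a public-suffix list rather than the "everything left of the last label" shortcut used here.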
