Award Abstract # 1642134
Collaborative Research: CICI: Secure and Resilient Architecture: NetSecOps -- Policy-Driven, Knowledge-Centric, Holistic Network Security Operations Architecture

NSF Org: OAC (Office of Advanced Cyberinfrastructure)
Recipient: UNIVERSITY OF KENTUCKY RESEARCH FOUNDATION, THE
Initial Amendment Date: August 22, 2016
Latest Amendment Date: July 31, 2019
Award Number: 1642134
Award Instrument: Standard Grant
Program Manager: Rob Beverly
  OAC  Office of Advanced Cyberinfrastructure
  CSE  Directorate for Computer and Information Science and Engineering
Start Date: September 1, 2016
End Date: August 31, 2021 (Estimated)
Total Intended Award Amount: $499,925.00
Total Awarded Amount to Date: $515,925.00
Funds Obligated to Date:
  FY 2016 = $499,925.00
  FY 2019 = $16,000.00
History of Investigator:
  • James Griffioen (Principal Investigator)
    griff@netlab.uky.edu
  • Jane Hayes (Co-Principal Investigator)
  • Vernon Bumgardner (Co-Principal Investigator)
Recipient Sponsored Research Office: University of Kentucky Research Foundation
500 S LIMESTONE
LEXINGTON
KY  US  40526-0001
(859)257-9420
Sponsor Congressional District: 06
Primary Place of Performance: University of Kentucky Research Foundation
500 S Limestone 109 Kinkead Hall
Lexington
KY  US  40526-0001
Primary Place of Performance Congressional District: 06
Unique Entity Identifier (UEI): H1HYA8Z1NTM5
Parent UEI:
NSF Program(s): Cybersecurity Innovation
Primary Program Source:
  01001617DB NSF RESEARCH & RELATED ACTIVIT
  01001920DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 9150, 9251
Program Element Code(s): 802700
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Network infrastructure at university campuses is complex and sophisticated, often supporting a mix of enterprise, academic, student, research, and healthcare data, each with its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus infrastructures are increasingly under attack both from malicious actors on the Internet and from internal campus devices (often without their owners' knowledge). Different parts of the campus are governed by very different policies and regulations covering the treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions). Furthermore, data-intensive scientific research traffic often requires exceptions to normal security policies, resulting in ad-hoc solutions that bypass standard operational procedures and leave both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still rely heavily on human domain experts to interpret high-level policy documents, implement those policies through low-level mechanisms, create exceptions to accommodate scientific workflows, interpret reports and alerts, and react to security events in near real time on a 24-by-7 basis.

This project addresses these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that assists information technology (IT) security teams by automating many of the operational tasks that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the framework encodes high-level, human-readable policies into systematic policy specifications that drive the actual configuration and operation of the infrastructure. NetSecOps is knowledge-centric in that the framework captures data, information, and knowledge about the infrastructure in a central knowledge store that informs and guides IT operational tasks. The proposed NetSecOps architecture has the following unique capabilities: (1) the ability to capture campus network security policies systematically; (2) the ability to create new fine-grained network control abstractions that leverage existing security capabilities and emerging software-defined networking (SDN) to implement security policies, including policies related to both scientific workflows and IT domains; (3) the ability to implement policy traceability tools that verify whether these network abstractions preserve the integrity of the high-level policies; (4) the ability to implement knowledge-discovery tools that enable reasoning across data from existing security point solutions, including security monitoring tools and authentication and authorization frameworks; and (5) the ability to adjust the network's security posture automatically based on detected security events. Research results and tools from the project will be released into the public domain, allowing academic institutions to use them as part of their best-practice IT security operations.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

(Showing: 1 - 10 of 16)
Chitre, Bhushan; Huffman Hayes, Jane; Dekhtyar, Alexander. "Second-Guessing in Tracing Tasks Considered Harmful?" REFSQ 2018: Requirements Engineering: Foundation for Software Quality (International Working Conference on Requirements Engineering: Foundation for Software Quality), 2018. doi:10.1007/978-3-319-77243-1_6
Dekhtyar, Alex. "Automating Requirements Traceability: Two Decades of Learning from KDD." IEEE International Conference on Requirements Engineering, 2018.
Farrar, David; Huffman Hayes, Jane. "A Comparison of Stemming Techniques in Tracing." Proceedings of the 10th International Workshop on Software and System Traceability (SST'19) at the International Conference on Software Engineering, 2019.
Griffioen, James; Fei, Zongming; Rivera, Sergio; Chappell, Jacob; Hayashida, Mami; Shi, Pinyi; Carpenter, Charles; Song, Yongwook; Chitre, Bhushan; Nasir, Hussamuddin; Calvert, Kenneth L. "Leveraging SDN to Enable Short-Term On-Demand Security Exceptions." 5th IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT 2019), 2019.
Hayashida, Mami; Rivera, Sergio; Griffioen, James; Fei, Zongming; Song, Yongwook. "Debugging SDN in HPC Environments." PEARC '18: Proceedings of the Practice and Experience on Advanced Research Computing, 2018. doi:10.1145/3219104.3229277
Hayes, Jane Huffman; Payne, Jared; Leppelmeier, Mallory. "Toward Improved Artificial Intelligence in Requirements Engineering: Metadata for Tracing Datasets." 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019. doi:10.1109/REW.2019.00052
Huffman Hayes, Jane. "The REquirements TRacing On target (RETRO).NET Dataset." IEEE International Conference on Requirements Engineering (RE) 2018, 2018.
Huffman Hayes, Jane. "Towards Improved Network Security Requirements and Policy: Domain-Specific Completeness Analysis via Topic Modeling." 2020 IEEE 28th International Requirements Engineering Conference Workshops (REW), 2020. https://doi.org/10.1109/AIRE51212.2020.00019
Kalim, Albert. "Multi-user Input in Determining Answer Sets (MIDAS)." IEEE International Conference on Requirements Engineering (RE) 2018, 2018.
Payne, Jared; Huffman Hayes, Jane. "University of Kentucky TraceLab Component Similarity Matrix Voting Merge." Proceedings of the 10th International Workshop on Software and System Traceability (SST'19) at the International Conference on Software Engineering, 2019.
Rivera, Sergio; Fei, Zongming; Griffioen, James. "POLANCO: Enforcing Natural Language Network Policies." 2020 29th International Conference on Computer Communications and Networks (ICCCN), 2020. https://doi.org/10.1109/ICCCN49398.2020.9209748

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

University campus networks have become highly complex infrastructure that must support and span academic, research, enterprise, and often healthcare environments, each of which has its own set of requirements and usage, security, privacy, and priority policies.  Designing, operating, and monitoring complex and dynamically changing campus network infrastructure in a way that ensures the university's policies are being correctly implemented and enforced has become a major challenge for campuses.  The set of network policies that must be implemented and then constantly monitored and enforced by the network vary widely depending on the types of devices and (sensitive) data being handled by the network (e.g., student records, employee information, financial transactions, healthcare data, educational materials, and research data and publications).  Moreover, the translation of high level policy documents into low level network configurations that enforce those policies typically relies on human expertise and manual translation.  To complicate matters, network operators must often deal with policy exceptions such as allowing authorized data-intensive scientific research traffic to bypass policy enforcement points to achieve better performance.

The Network Security Operations project (NetSecOps) explored ways to automate tasks associated with enforcing campus network policies -- tasks that have historically been manual, tedious, and error-prone.  In particular, we developed ways to automate the translation of human-readable policy documents into network configurations used to enforce those policies.  We also developed techniques to trace and evaluate whether the human-readable policies were being correctly translated to network configurations.  Furthermore, we developed techniques to check if the network traffic traversing campus networks contains traffic that violates network policies.  We also developed support for policy exceptions that allow authorized traffic to bypass policy enforcement points.  The resulting techniques enhance the ability of network operators to keep today's complex network infrastructures secure and compliant with documented policies.

To enable automatic translation of network policy documents into network configurations that enforce those policies, we developed a new network policy language similar to natural language, but one that can be automatically translated by a computer into software defined network configurations that control the network's behavior. We showed how our new human-readable network policy language, which utilizes features from business rule-based management systems, can automatically translate common network security policies into network configurations that enforce those policies.  In a related effort, we demonstrated the ability to use legacy router features to control network traffic and enforce network policies, enabling use with older networks.

To ensure that the policies specified in network policy documents are being correctly implemented by the network, we leveraged traceability techniques used to track software requirements from specification to implementation.  Building on existing traceability systems, we developed components that can identify important policy artifacts (e.g., words/phrases) in policy documents such as acceptable use policies (AUPs) and trace them to their associated mapping in the network configuration, checking for consistency between the policy and network configuration.  We collected example policies from a wide range of institutions and used them to drive our development and to evaluate various methods for mapping/tracing artifacts to determine the best techniques.

To further improve policy enforcement, we developed techniques to check that the traffic seen traversing the network does not violate network policies.  Building on recent advances in big data collection and analysis, we developed fine-grained network monitoring capabilities that can collect detailed network traffic and state information from today's large-scale campus networks.  The (big) data collected can then be efficiently processed and searched using questions (queries) that directly correspond to network policy statements that look for traffic that violates network policies.

Because network policy enforcement often requires careful examination of all network traffic traversing the policy enforcement point, these policy checkpoints can become bottlenecks to high speed networking.  Consequently, some applications such as data-intensive science applications will often require an exception to the network policies in order to achieve the desired network performance.  To address this need, we developed the ability for users to request on-demand policy exceptions from the network.  By allowing trusted users, or their applications, to inform the network about the nature of their communication, the network can grant an exception and offer these users better service by routing traffic around policy enforcement points, effectively bypassing performance bottlenecks.

The project's findings were disseminated in papers and presentations at various conferences and workshops. Overall the project provided new insights into the shortcomings of existing network security policies as well as the challenges of mapping policies to network mechanisms that enforce those policies, and it produced new techniques to address these challenges.


Last Modified: 01/10/2022
Modified by: James N Griffioen
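The three mechanisms the abstract lists and the outcomes report describes (translating human-readable policy sentences into flow rules, tracing deployed rules back to the policy document, and querying observed traffic for policy violations) fit together as follows. This is an added illustration written for this page, not the NetSecOps project's code: POLANCO's actual grammar and the project's TraceLab tracing components are not reproduced. The one-line policy grammar, the flow-rule fields, the sample policy and the sample flow records are all constructed here; a real deployment would emit OpenFlow or vendor ACL entries instead of the FlowRule objects used below.

```python
"""Toy policy-to-flow-rule compiler with traceability and violation checking.

Added illustration, not the NetSecOps/POLANCO code. Grammar, rule fields,
sample policy and sample flow records are all constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed grammar: "<allow|deny> <src-cidr|any> to <dst-cidr|any> [on <tcp|udp>/<port>]"
SENTENCE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+on\s+(?P<proto>tcp|udp)/(?P<port>\d+))?$", re.IGNORECASE)


@dataclass
class FlowRule:
    action: str                           # "forward" or "drop"
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[str]
    port: Optional[int]
    policy_id: str                        # traceability link to the policy sentence
    priority: int                         # higher wins


def _net(token):
    return None if token.lower() == "any" else ipaddress.ip_network(token, strict=False)


def compile_policy(sentences):
    """Translate ordered policy sentences into flow rules. Earlier sentences get
    higher priority, so an allow written before a broader deny is a documented
    exception to that deny rather than an ad-hoc bypass."""
    rules = []
    for i, sentence in enumerate(sentences):
        m = SENTENCE_RE.match(sentence.strip())
        if m is None:
            raise ValueError(f"unparseable policy sentence: {sentence!r}")
        g = m.groupdict()
        rules.append(FlowRule(
            action="forward" if g["action"].lower() == "allow" else "drop",
            src=_net(g["src"]), dst=_net(g["dst"]),
            proto=g["proto"].lower() if g["proto"] else None,
            port=int(g["port"]) if g["port"] else None,
            policy_id=f"P{i + 1}", priority=len(sentences) - i))
    return rules


def _matches(rule, flow):
    return ((rule.src is None or ipaddress.ip_address(flow["src"]) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(flow["dst"]) in rule.dst)
            and (rule.proto is None or flow["proto"] == rule.proto)
            and (rule.port is None or flow["dport"] == rule.port))


def decide(rules, flow):
    """Highest-priority matching rule wins; traffic no rule covers is dropped."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if _matches(rule, flow):
            return rule.action, rule.policy_id
    return "drop", None


def trace(sentences, deployed_rules):
    """Traceability check between policy document and deployed configuration:
    returns (sentences with no deployed rule, deployed rules with no sentence)."""
    sentence_ids = {f"P{i + 1}" for i in range(len(sentences))}
    deployed_ids = {r.policy_id for r in deployed_rules}
    return sorted(sentence_ids - deployed_ids), sorted(deployed_ids - sentence_ids)


def find_violations(rules, observed_flows):
    """Query collected flow records against the policy: a flow seen on the wire
    that the policy says to drop is a violation, reported with the rule it broke."""
    violations = []
    for flow in observed_flows:
        action, policy_id = decide(rules, flow)
        if action == "drop":
            violations.append((flow, policy_id))
    return violations


# Constructed sample policy: the research network may reach one health-network
# host over HTTPS (a written exception) and nothing else in that network.
POLICY = [
    "allow 10.20.0.0/16 to 10.50.1.10/32 on tcp/443",
    "deny 10.20.0.0/16 to 10.50.0.0/16",
    "allow any to 10.60.0.0/24 on tcp/443",
    "deny any to any",
]

# Constructed flow records, shaped like a collector's export.
OBSERVED = [
    {"src": "10.20.3.4", "dst": "10.50.1.10", "proto": "tcp", "dport": 443},
    {"src": "10.20.3.4", "dst": "10.50.2.7", "proto": "tcp", "dport": 22},
    {"src": "192.0.2.9", "dst": "10.60.0.5", "proto": "tcp", "dport": 443},
    {"src": "192.0.2.9", "dst": "10.60.0.5", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    rules = compile_policy(POLICY)
    for flow, pid in find_violations(rules, OBSERVED):
        print(f"violates {pid}: {flow}")
    # Simulate an operator who dropped P3's rule and hand-added an untracked one.
    deployed = [r for r in rules if r.policy_id != "P3"]
    deployed.append(FlowRule("forward", None, None, None, None, "manual-1", 0))
    print("untraced:", trace(POLICY, deployed))
```

The policy_id carried on every rule is what makes the traceability step cheap: an exception that was written into the policy (P1) stays traceable, while a rule an operator added by hand shows up in the second list returned by trace() and a sentence whose rule went missing shows up in the first. The violation query runs the same decide() function over collected flow records, so the check against live traffic and the intended configuration share one interpretation of the policy.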
