
NSF Org: OAC Office of Advanced Cyberinfrastructure (OAC)
Initial Amendment Date: August 22, 2016
Latest Amendment Date: July 31, 2019
Award Number: 1642134
Award Instrument: Standard Grant
Program Manager: Rob Beverly, OAC Office of Advanced Cyberinfrastructure (OAC), CSE Directorate for Computer and Information Science and Engineering
Start Date: September 1, 2016
End Date: August 31, 2021 (Estimated)
Total Intended Award Amount: $499,925.00
Total Awarded Amount to Date: $515,925.00
Funds Obligated to Date: FY 2019 = $16,000.00
Recipient Sponsored Research Office: 500 S LIMESTONE LEXINGTON KY US 40526-0001 (859)257-9420
Primary Place of Performance: 500 S Limestone 109 Kinkead Hall Lexington KY US 40526-0001
NSF Program(s): Cybersecurity Innovation
Primary Program Source: 01001920DB NSF RESEARCH & RELATED ACTIVIT
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Network infrastructure at university campuses is complex and sophisticated, often supporting a mix of enterprise, academic, student, research, and healthcare data, each having its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus infrastructures are increasingly under attack from malicious actors on the Internet and from (often unknowingly compromised) internal campus devices. Different parts of the campus have very different policies and regulations that govern their treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions, etc.). Furthermore, data-intensive scientific research traffic often requires exceptions to normal security policies, resulting in ad-hoc solutions that bypass standard operational procedures and leave both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still rely heavily on human domain experts to interpret high-level policy documents, implement those policies through low-level mechanisms, create exceptions to accommodate scientific workflows, interpret reports and alerts, and react to security events in near real time on a 24-by-7 basis.
This project addresses these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that assists information technology (IT) security teams by automating many of the operational tasks that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the framework encodes high-level, human-readable policies into systematic policy specifications that drive the actual configuration and operation of the infrastructure. NetSecOps is knowledge-centric in that the framework captures data, information, and knowledge about the infrastructure in a central knowledge store that informs and guides IT operational tasks. The proposed NetSecOps architecture has the following unique capabilities: (1) the ability to capture campus network security policies systematically; (2) the ability to create new fine-grained network control abstractions that leverage existing security capabilities and emerging software-defined networking (SDN) to implement security policies, including policies related to both scientific workflows and IT domains; (3) the ability to implement policy traceability tools that verify whether these network abstractions maintain the integrity of the high-level policies; (4) the ability to implement knowledge-discovery tools that enable reasoning across data from existing security point solutions, including security monitoring tools and authentication and authorization frameworks; and (5) the ability to automatically adjust the network's security posture based on detected security events. Research results and tools from the project will be released into the public domain, allowing academic institutions to use the resources as part of their best-practice IT security operations.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
University campus networks have become highly complex infrastructures that must support and span academic, research, enterprise, and often healthcare environments, each of which has its own set of requirements and usage, security, privacy, and priority policies. Designing, operating, and monitoring complex and dynamically changing campus network infrastructure in a way that ensures the university's policies are being correctly implemented and enforced has become a major challenge for campuses. The set of network policies that must be implemented and then constantly monitored and enforced by the network varies widely depending on the types of devices and (sensitive) data being handled by the network (e.g., student records, employee information, financial transactions, healthcare data, educational materials, and research data and publications). Moreover, the translation of high-level policy documents into low-level network configurations that enforce those policies typically relies on human expertise and manual translation. To complicate matters, network operators must often deal with policy exceptions such as allowing authorized data-intensive scientific research traffic to bypass policy enforcement points to achieve better performance.
The Network Security Operations project (NetSecOps) explored ways to automate tasks associated with enforcing campus network policies -- tasks that have historically been manual, tedious, and error-prone. In particular, we developed ways to automate the translation of human-readable policy documents into network configurations used to enforce those policies. We also developed techniques to trace and evaluate whether the human-readable policies were being correctly translated to network configurations. Furthermore, we developed techniques to check if the network traffic traversing campus networks contains traffic that violates network policies. We also developed support for policy exceptions that allow authorized traffic to bypass policy enforcement points. The resulting techniques enhance the ability of network operators to keep today's complex network infrastructures secure and compliant with documented policies.
To enable automatic translation of network policy documents into network configurations that enforce those policies, we developed a new network policy language similar to natural language, but one that can be automatically translated by a computer into software defined network configurations that control the network's behavior. We showed how our new human-readable network policy language, which utilizes features from business rule-based management systems, can automatically translate common network security policies into network configurations that enforce those policies. In a related effort, we demonstrated the ability to use legacy router features to control network traffic and enforce network policies, enabling use with older networks.
To ensure that the policies specified in network policy documents are being correctly implemented by the network, we leveraged traceability techniques used to track software requirements from specification to implementation. Building on existing traceability systems, we developed components that can identify important policy artifacts (e.g., words/phrases) in policy documents such as acceptable use policies (AUPs) and trace them to their associated mapping in the network configuration, checking for consistency between the policy and network configuration. We collected example policies from a wide range of institutions and used them to drive our development and to evaluate various methods for mapping/tracing artifacts to determine the best techniques.
To further improve policy enforcement, we developed techniques to check that the traffic seen traversing the network does not violate network policies. Building on recent advances in big data collection and analysis, we developed fine-grained network monitoring capabilities that can collect detailed network traffic and state information from today's large-scale campus networks. The (big) data collected can then be efficiently processed and searched using questions (queries) that directly correspond to network policy statements that look for traffic that violates network policies.
Because network policy enforcement often requires careful examination of all network traffic traversing the policy enforcement point, these policy checkpoints can become bottlenecks to high speed networking. Consequently, some applications such as data-intensive science applications will often require an exception to the network policies in order to achieve the desired network performance. To address this need, we developed the ability for users to request on-demand policy exceptions from the network. By allowing trusted users, or their applications, to inform the network about the nature of their communication, the network can grant an exception and offer these users better service by routing traffic around policy enforcement points, effectively bypassing performance bottlenecks.
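As an added illustration of the two preceding paragraphs (this is not code from the NetSecOps project), the Python sketch below expresses policy statements as queries over collected flow records and consults an exception list for authorized science transfers that have been granted a bypass. All address ranges, rules, the exception entry and the flow records are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed campus address zones; anything outside them counts as "internet".
ZONES = {
    "healthcare": ip_network("10.20.0.0/16"),
    "student": ip_network("10.30.0.0/16"),
    "research": ip_network("10.40.0.0/16"),
}

# Each tuple is the query form of one policy sentence:
# (policy text, source zone or None, destination zone or None, dst port or None).
DENY_RULES = [
    ("Healthcare hosts must not talk to the open Internet", "healthcare", "internet", None),
    ("Student hosts must not reach the healthcare network", "student", "healthcare", None),
    ("Plaintext Telnet is prohibited campus-wide", None, None, 23),
    ("Bulk-transfer port is closed at the campus border", None, "internet", 2811),
]

# On-demand exceptions: (src, dst, dport) of authorized science flows (constructed).
EXCEPTIONS = {("10.40.0.7", "203.0.113.10", 2811)}

def zone_of(addr):
    """Map an IP address to its campus zone, or 'internet' if it is outside campus."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def matches(rule, flow):
    """True when a flow record satisfies every constraint of a deny rule."""
    _, src_zone, dst_zone, dport = rule
    return ((src_zone is None or zone_of(flow["src"]) == src_zone)
            and (dst_zone is None or zone_of(flow["dst"]) == dst_zone)
            and (dport is None or flow["dport"] == dport))

def violations(flows, rules=DENY_RULES, exceptions=EXCEPTIONS):
    """Return (policy text, src, dst, dport) for each flow that breaks a rule.

    Flows on the exception list are skipped first, mirroring a granted bypass;
    a flow is reported once, against the first rule it violates."""
    found = []
    for f in flows:
        if (f["src"], f["dst"], f["dport"]) in exceptions:
            continue
        for rule in rules:
            if matches(rule, f):
                found.append((rule[0], f["src"], f["dst"], f["dport"]))
                break
    return found

FLOWS = [  # constructed NetFlow-style records
    {"src": "10.20.1.5", "dst": "198.51.100.4", "dport": 443},   # healthcare -> Internet
    {"src": "10.30.2.9", "dst": "10.20.1.5", "dport": 445},      # student -> healthcare
    {"src": "10.30.2.9", "dst": "198.51.100.4", "dport": 23},    # Telnet
    {"src": "10.40.0.7", "dst": "203.0.113.10", "dport": 2811},  # excepted science flow
    {"src": "10.40.0.8", "dst": "203.0.113.10", "dport": 2811},  # same port, no exception
    {"src": "10.30.2.9", "dst": "198.51.100.4", "dport": 443},   # ordinary web traffic
]
```

Running `violations(FLOWS)` reports four flows; the excepted research transfer and the ordinary web flow are not listed.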
The project's findings were disseminated in papers and presentations at various conferences and workshops. Overall the project provided new insights into the shortcomings of existing network security policies as well as the challenges of mapping policies to network mechanisms that enforce those policies, and it produced new techniques to address these challenges.
Last Modified: 01/10/2022
Modified by: James N Griffioen