Award Abstract # 1642161
CICI: Secure and Resilient Architecture: Effective and Economical Protection for High-Performance Research and Education Networks

NSF Org: OAC
Office of Advanced Cyberinfrastructure (OAC)
Recipient: INTERNATIONAL COMPUTER SCIENCE INSTITUTE
Initial Amendment Date: August 8, 2016
Latest Amendment Date: May 27, 2021
Award Number: 1642161
Award Instrument: Standard Grant
Program Manager: Rob Beverly
OAC
 Office of Advanced Cyberinfrastructure (OAC)
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2016
End Date: September 30, 2022 (Estimated)
Total Intended Award Amount: $999,513.00
Total Awarded Amount to Date: $999,513.00
Funds Obligated to Date: FY 2016 = $999,513.00
History of Investigator:
  • Johanna Amann (Principal Investigator)
    johanna@icir.org
  • Michael Dopheide (Co-Principal Investigator)
  • Robin Sommer (Former Co-Principal Investigator)
Recipient Sponsored Research Office: International Computer Science Institute
2150 SHATTUCK AVE
BERKELEY
CA  US  94704-1345
(510)666-2900
Sponsor Congressional District: 12
Primary Place of Performance: International Computer Science Institute
1947 Center St STE 600
Berkeley
CA  US  94704-4115
Primary Place of Performance Congressional District: 12
Unique Entity Identifier (UEI): GSRMP1QCXU74
Parent UEI:
NSF Program(s): Cybersecurity Innovation
Primary Program Source: 01001617DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 9102
Program Element Code(s): 802700
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Scientific research requires the free exchange of information and ideas among collaborators worldwide. For this, scientists depend critically on full and open access to the Internet. Yet such open access also exposes sites to incessant network attacks: theft of information, parasitic resource consumption, and suffering from (or inadvertently participating in) denial-of-service (DoS) attacks. Some of the most powerful networks today remain particularly hard to defend: the 100G environments and backbones that facilitate modern data-intensive sciences (physics, astronomy, medicine, climate research) are extremely sensitive to the slightest disturbances. For these networks, traditional enterprise solutions such as firewalls and intrusion detection systems (IDS) remain infeasible, as they cannot operate reliably at such high speeds. This project develops a novel, comprehensive framework that integrates software and hardware for the economical protection of critical high-performance science infrastructure.

The project increases the performance of network monitoring by offloading low-level operations from software into hardware such as switches and network interface cards, and enables network monitoring systems to tie into the hardware offloading being developed. Furthermore, it expands the capabilities of network monitoring systems to create visibility into science networks, for example by adding support for the protocols used for high-speed scientific data transfers, and extends support for responding actively to malicious activity such as denial-of-service attacks. These capabilities are implemented in the open-source Bro network security monitor (now called Zeek), which many NSF-supported organizations nationwide use to protect their scientific cyberinfrastructure.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Amann, Johanna and Sommer, Robin. "Viable Protection of High-Performance Networks through Hardware/Software Co-Design." Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, 2017. DOI: 10.1145/3040992.3041003

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Scientific research relies on the free, fast exchange of information and ideas between scientists worldwide. Today, they depend on high-speed Internet access to perform their research. The kinds of networks that are used for research are also simultaneously some of the hardest to defend. Research environments typically require fast Internet access with various protocols and use a diverse array of software. Defending these networks from attacks is difficult, and traditional defence mechanisms such as firewalls and intrusion detection systems are often not an option, as they have trouble operating at high speeds without impeding performance.

Zeek (previously known as Bro) is a Network Security Monitoring system that is widely used by educational institutions and by industry to secure their networks. All research performed in this project used or enhanced the abilities of Zeek.

The goal of this project was to explore ways to enhance the state of security protection in Research and Education environments in two ways.

The first thrust of this project examined whether it is possible to combine hardware acceleration in network cards with a software network monitoring system. The goal is to offload computationally expensive low-level operations into hardware, so that the software has more time to perform deep analysis tasks.

The second thrust of this project examined ways in which it is possible to extend the visibility of the Zeek network monitoring system, especially for Research and Education environments.

Over its lifetime, this project performed many activities for both thrusts - the results of which are public. Many of the improvements have been added to Zeek.

For the first thrust, we examined two different hardware platforms and whether we could use them to offload operations from Zeek into the hardware. We implemented prototypes that can offload some parts of state tracking, TCP reassembly, and protocol detection into the hardware, all of which are operations that require a lot of tracking of data. With the hardware platforms that we had access to, performance results were mixed. While we think that the approach is interesting, the complexity of implementing a solution that can use external hardware, coupled with limitations of the hardware that we had access to, made it hard to discern whether there are large advantages to this approach.

On the Zeek development side:

  • we improved and updated the code that allows Zeek to communicate with SDN devices
  • we developed a real-time algorithm for Zeek to identify frequent items in data streams in a memory efficient manner
  • we spent significant effort to improve the performance of Zeek through identifying bottlenecks

Furthermore, we created a large number of Zeek packages. Some of the packages allow the detection of exploits, or the customization of some Zeek features – nice notice handling. Others allow for enforcement of usage rules – which can be especially important for Research and Education networks. We also added some support for extended parsing of encrypted protocols.

Other packages make it much easier to create exact high-level traffic statistics, and extend the statistics automatically created by Zeek. We also created a package that allows tracking the packages that are installed on different Linux distributions by looking at their traffic – this, again, is especially important in Research and Education networks where machines are often not centrally managed. This can, e.g., allow network operators to identify potentially vulnerable machines.

All features mentioned are either part of the current Zeek release, or available via the Zeek package manager.


Last Modified: 02/03/2023
Modified by: Johanna Amann
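One of the Zeek-side items in the report above, identifying frequent items in a data stream in a memory-efficient manner, is the kind of primitive an operator uses to spot a scanning or flooding host without keeping one counter per source address on a 100G link. The following is an added example, not code from Zeek or from this project: it implements the Space-Saving algorithm (Metwally, Agrawal and El Abbadi, 2005) as one standard approach, which is an assumption here since the report does not say which algorithm was used. It runs over a constructed list of connection records keyed on originator IP with a fixed budget of k counters, and includes a check of the algorithm's error bounds against exact counts.

```python
"""Memory-bounded "frequent items" over a stream of connection records.

Added example, not code from Zeek or from this project. It implements the
Space-Saving algorithm (Metwally, Agrawal and El Abbadi, 2005) as one standard
way to find heavy hitters with a fixed number of counters; that choice is an
assumption here, not a statement about how Zeek does it. The flow records
below are constructed for the example.
"""


class SpaceSaving:
    """Keeps at most `k` (item, count, error) triples; memory is O(k),
    independent of how many packets or connections stream through."""

    def __init__(self, k):
        if k < 1:
            raise ValueError("k must be >= 1")
        self.k = k
        self.counts = {}   # item -> estimated count (never below the true count)
        self.errors = {}   # item -> maximum possible over-estimate

    def add(self, item, weight=1):
        if item in self.counts:
            self.counts[item] += weight
            return
        if len(self.counts) < self.k:
            self.counts[item] = weight
            self.errors[item] = 0
            return
        # All counters taken: evict the smallest and let the newcomer inherit
        # its count. The inherited count becomes the newcomer's error bound.
        victim = min(self.counts, key=self.counts.get)
        floor = self.counts.pop(victim)
        del self.errors[victim]
        self.counts[item] = floor + weight
        self.errors[item] = floor

    def top(self, n):
        """Up to n (item, estimate, max_error), highest estimate first."""
        ranked = sorted(self.counts.items(), key=lambda kv: (-kv[1], kv[0]))
        return [(item, c, self.errors[item]) for item, c in ranked[:n]]


# Constructed sample of (orig_ip, resp_ip, resp_port) connection records:
# one host sweeping SSH across a /24, two busy but legitimate clients, and a
# tail of hosts that each open a single HTTPS connection.
SAMPLE_CONNS = (
    [("10.0.0.5", "192.0.2.%d" % i, 22) for i in range(1, 41)]
    + [("10.0.0.7", "198.51.100.10", 443)] * 15
    + [("10.0.0.9", "198.51.100.11", 80)] * 6
    + [("10.0.0.%d" % i, "198.51.100.12", 443) for i in range(20, 40)]
)


def top_originators(conns, k, n):
    """Stream connections through a k-counter sketch keyed on originator IP."""
    sketch = SpaceSaving(k)
    for orig_ip, _resp_ip, _resp_port in conns:
        sketch.add(orig_ip)
    return sketch, sketch.top(n)


def exact_counts(conns):
    """Ground truth for checking the sketch; needs O(#distinct) memory."""
    truth = {}
    for orig_ip, _, _ in conns:
        truth[orig_ip] = truth.get(orig_ip, 0) + 1
    return truth


def bounds_hold(sketch, conns):
    """Space-Saving invariants: true <= estimate and estimate - error <= true
    for every tracked item, and every item with frequency > N/k is tracked."""
    truth = exact_counts(conns)
    n_total = len(conns)
    for item, est in sketch.counts.items():
        true = truth.get(item, 0)
        if not (true <= est and est - sketch.errors[item] <= true):
            return False
    return all(item in sketch.counts
               for item, f in truth.items() if f > n_total / sketch.k)


if __name__ == "__main__":
    sketch, ranking = top_originators(SAMPLE_CONNS, k=4, n=3)
    for ip, est, err in ranking:
        print("%-12s est=%3d  true>=%3d  err<=%d" % (ip, est, est - err, err))
    print("counters used:", len(sketch.counts), "of", sketch.k,
          "for", len(set(c[0] for c in SAMPLE_CONNS)), "distinct sources")
```

With four counters over 23 distinct sources the sweeping host surfaces first with an exact count and zero error, while the single-connection tail shares the last slots with inflated estimates and correspondingly large error bounds; the `estimate - error` column is what an alerting threshold should be compared against, since that is the only value guaranteed not to exceed the true frequency.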
