
NSF Org: OAC Office of Advanced Cyberinfrastructure (OAC)
Recipient:
Initial Amendment Date: August 8, 2016
Latest Amendment Date: May 27, 2021
Award Number: 1642161
Award Instrument: Standard Grant
Program Manager: Rob Beverly, OAC Office of Advanced Cyberinfrastructure (OAC), CSE Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2016
End Date: September 30, 2022 (Estimated)
Total Intended Award Amount: $999,513.00
Total Awarded Amount to Date: $999,513.00
Funds Obligated to Date:
History of Investigator:
Recipient Sponsored Research Office: 2150 SHATTUCK AVE BERKELEY CA US 94704-1345 (510)666-2900
Sponsor Congressional District:
Primary Place of Performance: 1947 Center St STE 600 Berkeley CA US 94704-4115
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): Cybersecurity Innovation
Primary Program Source:
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Scientific research requires the free exchange of information and ideas among collaborators worldwide. For this, scientists depend critically on full and open access to the Internet. Yet in today's world, such open access also exposes sites to incessant network attacks: theft of information, parasitic resource consumption, and suffering from (or inadvertently participating in) denial-of-service (DoS) attacks. Some of the most powerful networks today remain particularly hard to defend: the 100G environments and backbones that facilitate modern data-intensive sciences - physics, astronomy, medicine, climate research - prove extremely sensitive to the slightest disturbances. For these networks, traditional enterprise solutions such as firewalls and intrusion detection systems (IDS) remain infeasible, as they cannot operate reliably at such high speeds. This project develops a novel, comprehensive framework that integrates software and hardware for the economical protection of critical high-performance science infrastructure.
The project increases the performance of network monitoring by offloading low-level operations from software into hardware, such as switches and computer network interface cards. The project enables network monitoring systems to tie into the hardware offloading being developed. Furthermore, the project expands the capabilities of network monitoring systems to create visibility into science networks, for example, by adding support for the protocols used for high-speed scientific data transfers. It also extends support for responding actively to malicious activity like denial-of-service attacks. This project implements these capabilities in the open-source Bro network security monitor utilized by many NSF-supported organizations nationwide to protect their scientific cyberinfrastructure.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Scientific research relies on the free, fast exchange of information and ideas between scientists worldwide. Today, they depend on high-speed Internet access to perform their research. The kinds of networks that are used for research are also simultaneously some of the hardest to defend. Research environments typically require fast Internet access with various protocols and use a diverse array of software. Defending these networks from attacks is difficult, and traditional defence mechanisms such as firewalls and intrusion detection systems are often not an option, as they have trouble operating at high speeds without impeding performance.
Zeek (previously known as Bro) is a Network Security Monitoring system that is widely used by educational institutions and by industry to secure their networks. All research performed in this project used or enhanced the abilities of Zeek.
The goal of this project was to explore ways to enhance the state of security protection in Research and Education environments in two ways.
The first thrust of this project examined if it is possible to combine hardware acceleration in network cards together with a software network monitoring system. The goal is to offload computationally expensive low-level operations into hardware, so that the software has more time to perform deep analysis tasks.
The second thrust of this project examined ways in which it is possible to extend the visibility of the Zeek network monitoring system, especially for Research and Education environments.
Over its lifetime, this project performed many activities for both thrusts - the results of which are public. Many of the improvements have been added to Zeek.
For the first thrust, we examined two different hardware platforms and whether we can use them to offload operations from Zeek into the hardware. We implemented prototypes that can offload some parts of state tracking, TCP reassembly, and protocol detection into the hardware - all operations which require a lot of tracking of data. With the hardware platforms that we had access to, performance results were mixed. While we think that the approach is interesting, the complexity of implementing a solution that can use external hardware, coupled with limitations of the hardware that we had access to, made it hard to discern if there are large advantages to this approach.
On the Zeek development side:
- we improved and updated the code that allows Zeek to communicate with SDN devices
- we developed a real-time algorithm for Zeek to identify frequent items in data streams in a memory efficient manner
- we spent significant effort to improve the performance of Zeek through identifying bottlenecks
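The second item above mentions memory-efficient identification of frequent items in a data stream, the kind of summary a monitor needs to spot heavy hitters (for example, the few source addresses that dominate a denial-of-service flood) without keeping a counter per address. The following is an added, self-contained example using the Space-Saving algorithm (Metwally, Agrawal and El Abbadi, 2005); it is not the algorithm the project added to Zeek, and the address stream it runs over is constructed here for illustration.

```python
"""Bounded-memory frequent-item (heavy-hitter) tracking over a stream.

Space-Saving keeps at most k counters. Every item whose true frequency
exceeds n/k is guaranteed to be present in the summary, and each counter
carries an explicit error bound, so a detector can distinguish items that
are certainly frequent from ones that merely inherited an evicted counter.
Illustrative code, not Zeek's implementation.
"""
from collections import Counter


class SpaceSaving:
    """Track the k most frequent items of a stream using at most k counters."""

    def __init__(self, k):
        if k < 1:
            raise ValueError("k must be at least 1")
        self.k = k
        self.counts = {}  # item -> estimated count (never below the true count)
        self.errors = {}  # item -> maximum overestimation of that count

    def observe(self, item):
        if item in self.counts:
            self.counts[item] += 1
            return
        if len(self.counts) < self.k:
            self.counts[item] = 1
            self.errors[item] = 0
            return
        # Evict the item with the smallest counter; the newcomer inherits that
        # counter, and the inherited value is recorded as its possible error.
        victim = min(self.counts, key=self.counts.get)
        floor = self.counts.pop(victim)
        self.errors.pop(victim)
        self.counts[item] = floor + 1
        self.errors[item] = floor

    def estimate(self, item):
        return self.counts.get(item, 0)

    def guaranteed_heavy_hitters(self, n, fraction):
        """Items certainly seen more than fraction*n times in n observations."""
        threshold = fraction * n
        return sorted(item for item, c in self.counts.items()
                      if c - self.errors[item] > threshold)

    def top(self, m):
        return sorted(self.counts.items(), key=lambda kv: (-kv[1], kv[0]))[:m]


def build_stream(n=1000):
    """Constructed sample: source addresses of n connections, with two noisy
    hosts (40% and 25% of connections) interleaved with a long tail of
    addresses that each appear exactly once."""
    stream, tail = [], 0
    for i in range(n):
        r = i % 20
        if r in (0, 3, 6, 9, 12, 14, 16, 18):
            stream.append("10.0.0.5")
        elif r in (1, 4, 7, 10, 13):
            stream.append("10.0.0.7")
        else:
            stream.append(f"192.168.{tail // 256}.{tail % 256}")
            tail += 1
    return stream


def run_demo(k=8):
    """Feed the constructed stream through a k-counter summary."""
    stream = build_stream()
    summary = SpaceSaving(k)
    for addr in stream:
        summary.observe(addr)
    return summary, stream


def bounds_hold(stream, summary):
    """Check the algorithm's guarantees against exact counts (for the demo)."""
    exact = Counter(stream)
    n = len(stream)
    for item, c in summary.counts.items():
        if not (c - summary.errors[item] <= exact[item] <= c):
            return False
    # Anything more frequent than n/k must have survived in the summary.
    return all(item in summary.counts
               for item, f in exact.items() if f > n / summary.k)


if __name__ == "__main__":
    summary, stream = run_demo()
    print(f"{len(set(stream))} distinct addresses tracked with {summary.k} counters")
    print("top 2:", summary.top(2))
    print("certain heavy hitters (>20%):",
          summary.guaranteed_heavy_hitters(len(stream), 0.2))
```

The exact-count check in `bounds_hold` exists only to make the guarantees visible on the sample stream; in a production monitor the whole point is that the exact `Counter` is never materialised.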
Furthermore, we created a large number of Zeek packages. Some of the packages allow the detection of exploits, or the customization of some Zeek features - nice notice handling. Others allow for enforcement of usage rules - which can be especially important for Research and Education networks. We also added some support for extended parsing of encrypted protocols.
Other packages make it much easier to create exact high-level traffic statistics, and extend the statistics automatically created by Zeek. We also created a package that allows tracking of the packages that are installed on different Linux distributions by looking at their traffic - this, again, is especially important in Research and Education networks where machines are often not centrally managed. This can, e.g., allow network operators to identify potentially vulnerable machines.
All features mentioned are either part of the current Zeek release, or available via the Zeek package manager.
Last Modified: 02/03/2023
Modified by: Johanna Amann