Award Abstract # 1739025
CICI: CE: Improving the Security of a Science DMZ

NSF Org: OAC, Office of Advanced Cyberinfrastructure (OAC)
Recipient: UNIVERSITY OF CALIFORNIA, DAVIS
Initial Amendment Date: June 28, 2017
Latest Amendment Date: August 4, 2018
Award Number: 1739025
Award Instrument: Standard Grant
Program Manager: Rob Beverly (OAC, Office of Advanced Cyberinfrastructure; CSE, Directorate for Computer and Information Science and Engineering)
Start Date: October 1, 2017
End Date: September 30, 2021 (Estimated)
Total Intended Award Amount: $738,094.00
Total Awarded Amount to Date: $754,094.00
Funds Obligated to Date: FY 2017 = $738,094.00; FY 2018 = $16,000.00
History of Investigator:
  • Matt Bishop (Principal Investigator)
    mabishop@ucdavis.edu
  • Dipak Ghosal (Co-Principal Investigator)
  • Viji Murali (Co-Principal Investigator)
Recipient Sponsored Research Office: University of California-Davis
1850 RESEARCH PARK DR STE 300
DAVIS
CA  US  95618-6153
(530)754-7700
Sponsor Congressional District: 04
Primary Place of Performance: University of California-Davis
1 Shields Ave
Davis
CA  US  95616-8562
Primary Place of Performance Congressional District: 04
Unique Entity Identifier (UEI): TX2DAGQPENZ5
Parent UEI:
NSF Program(s): Cybersecurity Innovation
Primary Program Source: 01001718DB NSF RESEARCH & RELATED ACTIVIT
01001819DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 9251
Program Element Code(s): 802700
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

The term "big science" refers to science that involves massive amounts of data. Moving this data through ordinary networks is very slow, in part because the amount of data is more than ordinary networks are designed to handle, and in part because of the checking that network security mechanisms perform. The "science DMZ" (DeMilitarized Zone) is a special network designed to move massive amounts of data very quickly. The need to do so results in compromises affecting security; checking is done on entry, and only for the first part of the connection. If the connection is suspicious, it is blocked; otherwise, it is allowed through. This project extends the checking by sampling the data in the connection throughout the lifetime of the connection. Then, if something suspicious is detected in the samples, appropriate action can be taken. A second goal of this project is to determine what procedural or technical actions are most effective when malicious flows are detected. The final goal is to determine how to speed up the security analysis so the impact on the throughput is both minimal and acceptable. The overall goal is to secure the science DMZ network without sacrificing speed.

More specifically, on a science DMZ, large amounts of data are moved, making it very difficult to secure, so data is sampled only when a connection starts and is analyzed without blocking the connection. If the analysis shows the connection is malicious, a filter rule is added to the router to drop its packets. This project samples not just at the beginning but at various times while the connection is active, so that something malicious that starts partway through the connection can still be detected. What to do when suspicious flows are identified is less clear; the project will examine both technical and procedural methods, for example slowing the flow down to a rate at which it can be analyzed thoroughly and then, if it is indeed malicious, providing information to the Chief Information Security Officer's (CISO) office so that they can take action. If the flow is not malicious (i.e., a false positive, confirmed by the more detailed analysis), the rate reduction will cease. A key question is how to reduce the time needed for the sampling analysis. Part of this project is to examine how to speed up intrusion detection systems by using GPUs in order to do a quicker analysis.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH


  • Gegan, Ross; Perry, Brian; Ghosal, Dipak; Bishop, Matt. "Insider Attack Detection for Science DMZs Using System Performance Data." 2020 IEEE Conference on Communications and Network Security (CNS), 2020. https://doi.org/10.1109/CNS48642.2020.9162260
  • Singer, Abe; Bishop, Matt. "Trust-Based Security; Or, Trust Considered Harmful." Proceedings of the 2020 New Security Paradigms Workshop, 2020. https://doi.org/10.1145/3442167.3442179
  • Gegan, Ross; Mao, Christina; Ghosal, Dipak; Bishop, Matt; Peisert, Sean. "Anomaly Detection for Science DMZs Using System Performance Data." 2020 International Conference on Computing, Networking and Communications, 2020. https://doi.org/10.1109/ICNC47757.2020.9049695
  • Bishop, Matt. "A Design for a Collaborative Make-the-Flag Exercise." Proceedings of the 11th IFIP WG 11.8 World Conference on Information Security Education, 2018. https://doi.org/10.1007/978-3-319-99734-6_1

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

This project has three main outcomes. A Science DMZ is a very fast network that carries very large amounts of data. It is a specialized network, not a general-purpose one. Because of the need for speed, conventional security mechanisms would slow down the traffic, thereby defeating the purpose of the Science DMZ. We looked at ways to improve the security of this type of network.

First, we looked at the network traffic for a Science DMZ. Data flowing into a Science DMZ goes to a computer called a data transfer node (DTN), and then onto the Science DMZ. We compared statistics of the transmission of scientific data with interactive sessions (which should never occur), and found we could distinguish the latter from the former.

Next, we asked how someone could send data out of the Science DMZ without being detected. We thought that encoding the interactive traffic as scientific data, and sending that out, would defeat detection mechanisms. We tried this, with remote commands being embedded in PDF files, and it worked. While we did not develop a detection scheme, knowing this attack is possible alerts security personnel to it.

Finally, we looked at a specialized type of networking in common use with Science DMZs; it is called software-defined networking (SDN). It routes messages using a programmable system that is controlled by another system (the controller). When a message arrives at the router, if it does not know where to send it, it forwards the message to the controller. That tells the router how to forward it. We established that one could detect whether a router had one controller, or more than one. We also developed ways to prevent this attack.

Last Modified: 03/03/2022
Modified by: Matt Bishop
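The following is an added example, not code from the NSF page, the award's PI, or the project itself. It models two things the page describes: the abstract's lifetime sampling of a flow with rate reduction while a suspicious sample is analyzed more thoroughly (ending in either a router drop rule or lifting the reduction on a false positive), and the outcomes report's first finding that interactive sessions can be told from bulk scientific transfers by their transmission statistics. Everything in it is an assumption for illustration: the `Packet`, `FlowMonitor`, `window_stats` and `looks_interactive` names, the three statistics and their thresholds, and the constructed traffic shapes; none of these are measurements from the project, and the heuristic does not address the report's second finding (interactive traffic encoded inside PDF files), which the PI states was not given a detector.

```python
"""Added example, not the NSF page's or the project's own code.

Samples a flow at intervals over its whole lifetime (not only at connection
start).  A suspicious quick sample triggers rate reduction while a larger
window is analysed; that result decides between a drop rule and restoring the
rate.  The detector uses the idea that bulk scientific transfers and
interactive sessions have distinguishable transmission statistics.  All
thresholds, traffic shapes and flows are constructed for the demo.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
import random


@dataclass
class Packet:
    ts: float        # seconds since flow start
    size: int        # payload bytes
    outbound: bool   # True = leaving the Science DMZ


def window_stats(pkts):
    """Mean payload size, coefficient of variation of inter-packet gaps
    (burstiness) and fraction of direction changes for one sampled window."""
    if len(pkts) < 2:
        return None
    sizes = [p.size for p in pkts]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    flips = sum(a.outbound != b.outbound for a, b in zip(pkts, pkts[1:]))
    g_mean = mean(gaps)
    return {"mean_size": mean(sizes),
            "gap_cv": pstdev(gaps) / g_mean if g_mean > 0 else 0.0,
            "flip_ratio": flips / (len(pkts) - 1)}


def looks_interactive(stats, small_size=200, gap_cv_min=1.0, flip_min=0.4):
    """Constructed heuristic: interactive sessions show small packets,
    human-paced irregular timing and frequent direction changes.  Two of the
    three indicators are required so a single odd feature does not fire."""
    if stats is None:
        return False
    hits = sum([stats["mean_size"] < small_size,
                stats["gap_cv"] > gap_cv_min,
                stats["flip_ratio"] > flip_min])
    return hits >= 2


def bulk_transfer(n, start=0.0, size=1400, gap=0.01):
    """Constructed bulk transfer: full-size packets, steady rate, one direction."""
    return [Packet(round(start + i * gap, 6), size, True) for i in range(n)]


def interactive_session(n, start=0.0, seed=1):
    """Constructed interactive session: tiny packets, short typing gaps with a
    long pause every fourth packet, request/response direction changes."""
    rng = random.Random(seed)
    gap_cycle = [0.1, 0.2, 0.1, 3.0]
    pkts, ts = [], start
    for i in range(n):
        if i:
            ts = round(ts + gap_cycle[i % 4], 6)
        pkts.append(Packet(ts, rng.randint(16, 160), i % 3 != 0))
    return pkts


@dataclass
class FlowMonitor:
    """Samples one flow every `sample_every` seconds for its whole lifetime."""
    sample_every: float = 10.0
    quick_window: int = 50     # packets examined at each sample point
    deep_window: int = 200     # packets examined while the flow is slowed
    actions: list = field(default_factory=list)   # (action, timestamp)

    def run(self, flow):
        next_sample, i = 0.0, 0
        while i < len(flow):
            p = flow[i]
            if p.ts < next_sample:
                i += 1
                continue
            if not looks_interactive(window_stats(flow[i:i + self.quick_window])):
                next_sample = p.ts + self.sample_every
                i += 1
                continue
            # Suspicious: slow the flow rather than block it, then look harder.
            self.actions.append(("rate_limit", p.ts))
            deep = flow[i:i + self.deep_window]
            done_at = deep[-1].ts
            if looks_interactive(window_stats(deep)):
                # Confirmed: filter rule for the router, details to the CISO's office.
                self.actions.append(("drop_rule", done_at))
                return self.actions
            # False positive: lift the rate reduction; the deep window is already cleared.
            self.actions.append(("restore", done_at))
            next_sample = done_at + self.sample_every
            i += len(deep)
        return self.actions


def demo():
    """Three constructed flows: clean bulk, bulk that turns interactive at 30 s,
    and a short interactive burst inside an otherwise bulk flow."""
    clean = bulk_transfer(3000)
    turns_bad = bulk_transfer(3000) + interactive_session(300, start=30.0)
    burst = bulk_transfer(1000) + interactive_session(50, start=10.0)
    burst += bulk_transfer(3000, start=burst[-1].ts + 0.01)
    return {name: FlowMonitor().run(flow) for name, flow in
            [("clean", clean), ("turns_bad", turns_bad), ("burst", burst)]}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(name, actions or "no action")
```

The point of the `burst` flow is the false-positive path the abstract calls out: the quick 50-packet sample at the 10 s mark looks interactive, so the flow is rate-limited, but the 200-packet deep window is dominated by bulk traffic and clears it, so the reduction is lifted without a drop rule. The deep window is also skipped for future sampling so an already-cleared stretch is not re-flagged. Requiring two of three indicators is what keeps one unusual statistic (here the burstiness of a mixed window) from deciding on its own.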
