
NSF Org: |
CNS Division Of Computer and Network Systems |
Recipient: |
|
Initial Amendment Date: | August 17, 2018 |
Latest Amendment Date: | August 6, 2020 |
Award Number: | 1823192 |
Award Instrument: | Standard Grant |
Program Manager: |
Marilyn McClure, mmcclure@nsf.gov, (703)292-5197, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | October 1, 2018 |
End Date: | September 30, 2022 (Estimated) |
Total Intended Award Amount: | $693,982.00 |
Total Awarded Amount to Date: | $709,982.00 |
Funds Obligated to Date: |
FY 2020 = $16,000.00 |
History of Investigator: |
|
Recipient Sponsored Research Office: |
1109 GEDDES AVE STE 3300 ANN ARBOR MI US 48109-1015 (734)763-6438 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
MI US 48109-1274 |
Primary Place of Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): |
Special Projects - CNS, CCRI-CISE Cmnty Rsrch Infrstrc, Secure & Trustworthy Cyberspace |
Primary Program Source: |
01002021DB NSF RESEARCH & RELATED ACTIVIT |
Program Reference Code(s): |
|
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Advancing the security of Internet-connected devices and networks entails the detection and understanding of changes in adversarial behavior in real time. Hence, there is a need to develop methodologies and deploy infrastructure that can automatically diagnose macroscopic trends in Internet activity and provide to researchers and security analysts visibility into botnet infections, denial of service attacks, network outages, and malware campaigns.
Network telescopes--networking instrumentation that collects and records unsolicited Internet traffic destined to a routed but unused Internet address space--are one avenue for detecting shifts in global Internet behavior. However, while network telescopes provide a powerful perspective, they have primarily been used for retroactively understanding Internet events. This project will design and deploy new infrastructure to modernize a large academic network telescope in order to offer unique real-time insights into malicious Internet activity and other threats.
This project will introduce a new real-time data processing pipeline to parse incoming traffic and detect individual network events. It will explore emerging data science techniques to identify variations in Internet-wide trends and to produce terse, human-readable summaries of changes in Internet activity. To contextualize these events, this project will integrate external data sources into the processing pipeline including network reputation data, unique patterns of known malware and other security-focused resources (i.e., the Censys search engine). Furthermore, to boost the telescope's usability, this work will build accessible interfaces that would enable researchers to easily ask questions about telescope-detected events.
The infrastructure will be broadly available to Computer and Information Science and Engineering researchers interested in understanding, measuring, modeling and defining the Internet's evolution. It builds on Merit Network's decade-long experience in operating large-scale network telescopes in an ethically responsible manner. It will also leverage the expertise of researchers at Stanford University, University of California at San Diego, and Colorado State University. On the educational front, network telescope data can serve as a vehicle for inter-disciplinary training of the future workforce in areas that lie at the intersection of network security, computer systems, data science and engineering. Even at the graduate level, network telescope data analysis remains a relatively unexplored topic; this project will heighten the scientific utility of the data and will provide unique opportunities for educating students with real-world, heterogeneous network security data.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
A network telescope is a unique cyberinfrastructure that allows cybersecurity researchers and practitioners to study macroscopic Internet-wide events. Network telescopes receive and record network traffic destined to unused Internet address spaces. This "unsolicited" network traffic mainly originates from malicious activities such as denial-of-service attacks, incessant network reconnaissance aiming to identify exploitable weaknesses in network services and critical infrastructure, malware campaigns that attempt to propagate nefarious software into vulnerable devices, misconfigurations, etc. Thus, the data collected by large network telescopes offer cybersecurity analysts germane insights into Internet-wide scanning activities and attack trends, enabling them to obtain rich "threat intelligence" that could be used to inform decisions for the protection of critical infrastructure, organizations and citizens.
This project enabled the complete renewal and redesign of one of the largest network telescopes in the nation. The ORION (Observatory of cyber-Risk Insights and Outages of Networks) network telescope has been re-engineered to obtain the necessary compute, storage and network capacity to handle high volumes of network traffic. More importantly, the ORION network telescope has been engineered to become amenable to processing incoming telescope traffic in near-real-time, extracting meaningful events, labeling the extracted events with useful metadata (e.g., geographic information of the incoming scanning requests), and uploading the annotated events into a cloud-based data warehouse for further efficient processing, analysis, pattern recognition and visualizations.
The renewed ORION infrastructure is empowering new research and development opportunities due to its several desirable features. Its cloud-based data warehousing allows for efficient data integration with other important cybersecurity data streams that are also cloud-based. Further, security researchers are now able to easily process large volumes of longitudinal data in a matter of seconds or minutes. This unprecedented opportunity has enabled the research team to study and quantify, for instance, the impact on network resources imposed by persistent and "aggressive" network scanners, and to observe world-wide trends on voluminous denial-of-service attacks.
ORION's capability for efficient analysis of large swaths of data can be combined with advances in other scientific areas such as the ones in the fields of machine learning and artificial intelligence to unleash the potential for understanding the complex activities observed in network telescopes and for providing rapid responses against future cyber-threats. As an example, aiming at the timely detection of novel (previously unseen) cyber-threats, ORION researchers have designed, developed and prototyped unsupervised machine learning techniques to cluster scanning activities appearing in the network telescope into meaningful groups, and then employed the identified groups to identify statistically significant temporal changes in their behavior.
The educational and workforce development impacts of the ORION infrastructure have also been numerous. The renewed infrastructure allows for ORION datasets to be more easily shareable and more broadly available to the computer science community, hence enabling an array of training and educational opportunities in disciplines that lie at the intersection of networking, cybersecurity, data science, artificial intelligence, statistics and others. The project has offered hands-on experience to a plethora of undergraduate and graduate students at several universities and across multiple disciplines.
Last Modified: 02/02/2023
Modified by: Michael Kallitsis