
STI: Viable Network Defense for Scientific Research Institutions

Award: $900,000 | FY2003 | CSE | NSF

International Computer Science Institute, Berkeley CA

Investigators

Abstract

Modern science makes heavy use of the Internet for collaborations that draw upon the network in ways far beyond simple uses such as email for discussion and Web access for sharing data; in some cases, several hundred distinct services are involved. This access also opens the doors to incessant network attacks, and research institutes find themselves under growing pressure to place significant restrictions on such access in the form of firewalls, limited permitted applications, and mandatory proxies. These restrictions threaten to diminish the effectiveness of how modern science is conducted across a broad range of disciplines. A key tool for maintaining openness is intrusion detection: detecting in real time that an attack is underway and, if warranted, initiating a response in order to thwart it. However, there is a world of difference between detecting attackers in a small-scale environment such as a researcher's LAN and doing so at a large scale such as for an entire open site. Both the much higher required performance and the greatly increased traffic diversity present major challenges. Yet intrusion detection for large, open sites sees very little academic research, because of the great difficulties many researchers face in acquiring the necessary access. The PI of this proposal, however, is in a unique position to develop and validate network intrusion detection research at such sites, by virtue of his joint appointment at ICSI and LBNL. LBNL's operational cyber security is centered around the use of Bro, the intrusion detection system developed by the PI. The PI has full monitoring access to the Laboratory's network traffic and participates in the realities of network security at a large institute. In addition, Bro is used operationally at the University of California, Berkeley, where the PI likewise has full monitoring access. The proposed efforts will be firmly grounded in the realities of defending large research institutions.
The work will not be abstract; it will validate the mechanisms developed against actual in situ attacks and actual operational needs, avoiding the pitfall of devising attractive solutions that fail in practice when actually deployed. The research will span a number of areas: (i) developing new ways of detecting attacks (detecting network "triggers" used by automated exploit software and by worms; attempting to "fingerprint" users by their keystroke timing; drawing upon LBNL's immense archive of TCP connection summaries to devise robust anomaly detection algorithms); (ii) addressing challenges in monitoring very high-speed, high-volume links (distributing monitoring across multiple machines; coordinating monitors with border routers that will "shunt" a portion of the traffic to the monitor and cut through the rest; devising robust mechanisms for dealing with massive traffic floods); and (iii) addressing the realities of managing large-scale security policies (understanding the relationship between individual alerts and the complex policies that lead to them; automatically locating "stale" policy elements that are no longer relevant). The work will also advance development in two key areas: (iv) refining and applying the trace anonymization framework developed earlier, in order to address a major shortcoming in network intrusion detection research, namely the complete lack of traffic traces that include packet contents; and (v) bringing the Bro software system up to the level of support necessary for it to become the open-source monitoring system of choice for operational deployment at large scientific research institutes.

View original record on NSF Award Search →