CT-ISG: Modeling, Estimation, and Defense against Network Attacks
University of Massachusetts Amherst, Amherst MA
Investigators
Abstract
The easy access and wide usage of the Internet make it a prime target and conduit for malicious activities. It constitutes a critical infrastructure in the economic and social fabric of not only our nation but also the developed and, increasingly, the developing world. Recently, the Internet has become a powerful mechanism for propagating malicious software programs. These have been designed to annoy (e.g., deface web pages), spread misinformation (e.g., false news reports or stock quotes), deny service (e.g., corrupt hard disks), steal financial information (e.g., VISA card numbers), enable remote login (e.g., Trojan horses), etc. Moreover, they have been used to disrupt normal operations within the Internet itself. Furthermore, the potential for significant network disruptions is extremely high. It is well known that a single misconfigured BGP router on April 25th, 1997 effectively shut down most of the major Internet backbones for up to two hours, unleashing a sequence of cascading failures. If an accidentally misconfigured router can wreak such havoc, one can only imagine what a carefully orchestrated attack can produce in the way of disruptions.

Although malicious activities have appeared on many occasions, to date there appears to be no well-defined methodology for predicting their behavior and the damage that they can cause. This proposal describes research aimed at developing sound, mathematically based methodologies that can be used to better understand the characteristics of different network attacks, and to detect and estimate their parameters. More specifically, the proposed research will focus on the following areas.

o Mathematical models of network attacks. The researchers will develop a modelling methodology based on fluid models and networked Markov chains (NMCs). These models will be used to answer questions such as: how does network topology affect the spread of an Internet worm? What conditions must an attack meet to be considered virulent (severe)?
o Detection and parameter estimation. The researchers will develop detection and parameter estimation techniques for different types of monitors, based on the exponential growth trend in the early stage of network attacks, with fluid models and point process models, respectively. They will also develop "hypothesis testing" based detection methods and study their performance and their impact on defense strategies.

Furthermore, the analysis methodology produced by this research will have broad applicability in the design and analysis of failure and attack scenarios in large, complex man-made systems such as the power grid.

Intellectual Merit: This project will generate new techniques for studying and detecting different network attacks (e.g., worms, email viruses, BGP infrastructure attacks). Furthermore, the project will enhance our understanding of how failures can propagate throughout a large distributed system like the Internet and, more generally, large man-made systems.

Broader Impact: The project integrates research and education of graduate and undergraduate students through the close interaction and mentoring of students by project faculty. We will also seek international involvement with universities in Brazil in the form of joint courses/seminars.