GGrantIndex
← Search

CICI: CE: Improving the Security of a Science DMZ

$754,094FY2017CSENSF

University Of California-Davis, Davis CA

Investigators

Abstract

The term "big science" refers to science that involves massive amounts of data. Moving this data through ordinary networks is very slow, in part because the amount of data is more than ordinary networks are designed to handle, and in part because of the checking that network security mechanisms perform. The "science DMZ" (DeMilitarized Zone) is a special network designed to move massive amounts of data very quickly. The need to do so results in compromises affecting security; checking is done on entry, and only for the first part of the connection. If the connection is suspicious, it is blocked; otherwise, it is allowed through. This project extends the checking by sampling the data in the connection throughout the lifetime of the connection. Then, if something suspicious is detected in the samples, appropriate action can be taken. A second goal of this project is to determine what procedural or technical actions are most effective when malicious flows are detected. The final goal is to determine how to speed up the security analysis so the impact on the throughput is both minimal and acceptable. The overall goal is to secure the science DMZ network without sacrificing speed. More specifically, on a science DMZ, large amounts of data are moved, making it very difficult to secure, so data is sampled only when a connection starts and is analyzed without blocking the connection. If the analysis shows it is malicious, a filter rule is added to the router to drop packets in that connection. This project samples not just at the beginning, but at various times while the connection is active. If something malicious starts during the connection, it can be detected. What to do when suspicious flows are identified is less clear; the project will examine both technical and procedural methods, for example slowing down the flow to where it can be analyzed thoroughly, and then if indeed malicious, provide information to the Chief Information Security Officer?s (CISO) office to enable them to take action. If the flow is not malicious (i.e., a false positive, confirmed by the more detailed analysis), the rate reduction will cease. A key question is how to reduce the time needed for the sampling analysis. Part of this project is to examine how to speed up intrusion detection systems by using GPUs in order to do a quicker analysis.

View original record on NSF Award Search →