Layer-8 attacks (e.g., spam and phishing) are launched from a malicious service platform, e.g., botnet, which consists of a large number of infected machines (or bots). Such an attack platform relies on lower-layer network services to achieve efficiency, robustness, and stealth in communication and attack activities. These services include look-up (e.g., DNS), hosting (e.g., Web servers), and transport (e.g., BGP).

The main research goals and approaches of the CLEANSE project are:

1. Control-plane monitoring. Much of the infrastructure for mounting layer-8 attacks involves abuse of the control plane in core network services (e.g., DNS and BGP). The CLEANSE project develops control-plane anomaly detection sensors that are distributed, online, and real-time.

2. Data-plane monitoring. The project develops new and general network anomaly detection algorithms based on traffic sampling and clustering for monitoring high-speed traffic.

3. Improved security auditing capabilities. The CLEANSE project develops packet "tagging/tainting" techniques to enable tracking and clustering of network traffic flows (e.g., that are generated by the same bot program). The project also develops improved traffic sampling capabilities that are attack-aware and distributed network-wide.

By focusing on monitoring of core network services, the CLEANSE framework can detect future layer-8 attacks and new forms of large-scale malware infections. The project also creates educational content, including new textbooks and on-line course materials, which directly benefit from the research activities. The CLEANSE project team also works with industry partners (including the ISPs) to organize focused workshops that bring together researchers from academia and practitioners from the industry/ISP, government, and law enforcement agencies to foster the exchange of ideas, data, and technologies.

Project Report

This project emphasizes development of systems and algorithms toward an effective detection framework for securing the Internet against large-scale and coordinated layer-8 attacks, and in particular, development of monitoring systems that can effectively detect network and host services used in large-scale attacks. The research results described below were conducted by SRI summer students under the supervision of PIs Vinod Yegneswaran and Phil Porras. The highlights include four notable conference papers, all led by graduate students. In the first project year (2008-2009), our contributions included the development and evaluation of a network failure analysis system (called NetFuse) for detecting embedded enterprise botnets. This work was led by Zhaosheng Zhu, a Northwestern graduate student and summer intern at SRI, and resulted in a SecureComm 2009 paper. In the second project year (2009-2010), our contributions included the development and evaluation of a host monitoring system (called BLADE) for detecting and preventing drive-by download attacks. The system was developed by Long Lu, a graduate student researcher from Georgia Tech who was an intern at SRI, and led to a paper published at ACM CCS 2010. In the third project year (2010-2011), our accomplishments included the development of PathCutter, a new framework for preventing XSS attacks in social web networks. This work was led by Yinzhi Cao, a Northwestern graduate student and summer intern at SRI, leading to a paper at NDSS 2012. In the fourth and final project years (2011-2013), we collaborated with Hongyu Gao, another Northwestern graduate student and SRI summer intern, on measurement and analysis of a unique database of global DNS resolver data. Our objective in conducting this analysis was two-fold: (i) revalidating old findings on DNS resolver behavior from a new and global dataset and (ii) exploring opportunities for effective mining of this data to solve network security problems (in particular malware) using both supervised and unsupervised means. A paper summarizing our findings was published in ACM SIGCOMM 2012.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0831170
Program Officer: Ralph Wachter
Budget Start: 2008-10-01
Budget End: 2013-09-30
Fiscal Year: 2008
Total Cost: $200,000
Name: SRI International
City: Menlo Park
State: CA
Country: United States
Zip Code: 94025