The objective of this research is to design a series of security enhancements at the network layer to defend Internet services against malicious attacks. The approach integrates protocol design at the network layer with hardware design at the physical layer. The proposed approach has the potential to deliver effective, low-cost, and easy-to-upgrade solutions to secure the next-generation Internet.

With respect to intellectual merit, the research addresses the opportunity to improve security at the network layer, while most recent advances in security have focused on the transport and application layers. The research also considers the integration of protocol design at the network layer with hardware implementation at the physical layer. The proposed enhancements are co-developed and co-deployed at the network and physical layers, with the goal of high efficiency. The research focuses on the judicious integration of software and hardware techniques to resolve the challenges of providing effective network security with efficient hardware support.

With respect to the potential for broader impact, this research can serve as a catalyst for the large-scale deployment of effective and robust security services on the Internet, offering a high level of reliability for future security services. The approach to developing security techniques simultaneously across different layers has the potential to provoke more basic research in this area. The project also focuses on integrating education and research activities through enhancing undergraduate and graduate courses on network security and very large-scale integrated (VLSI) circuit design.

Project Report

This project is motivated by the urgent need for development and deployment of security enhancements at the network layer to detect and defend against malicious attacks. Our proposed research focuses on the judicious integration of software and hardware techniques to resolve the challenges posed by the unique requirements of network-layer security mechanisms. Providing security at the network layer is beneficial to both higher- and lower-layer protocols. The security services at the network layer are transparent to applications, implying that applications can obtain these security services without any changes. We have designed and implemented a robust mechanism to detect network anomalies in a timely manner. The core of our detection is based on inherent network protocol behaviors, instead of traffic behaviors, and employs the Hellinger distance method for detecting network anomalies. To make the detection mechanism insensitive to site and traffic patterns, a dynamic threshold is used, thus making the detection mechanism robust, more generally applicable, and its deployment much easier. A hardware reloading technique using reconfigurable hardware for both anomaly detection and defense has been developed, leading to high hardware efficiency. We have designed a fast packet filter, called Swift, for high-performance packet capture on commercial off-the-shelf hardware. The key features of Swift are (1) extremely low filter update latency for dynamic packet filtering, and (2) Gbps high-speed packet processing. Based on a complex instruction set computer (CISC) instruction set architecture (ISA), Swift achieves the former with an instruction set design that avoids the need for compilation and security checking, and the latter mainly by utilizing SIMD (single instruction, multiple data).
We have implemented Swift in the Linux 2.6 kernel for both i386 and x86_64 architectures and extensively evaluated its dynamic and static filtering performance on multiple machines with different hardware setups. We have proposed an innovative approach, human observational proofs (HOPs), which is a non-interactive method for continuous bot detection. HOPs differentiate bots from human users by passively monitoring observational behaviors that are difficult for bots to perform in a human-like manner. Our proposed detection system includes two major components: (1) an entropy classifier and (2) a neural network classifier. Utilizing the characteristics of message time and size, the entropy classifier measures the complexity of information flows and then classifies them as bots or humans. In contrast, the neural network classifier is mainly based on human behavioral biometrics such as mouse movement for detection. The two classifiers complement each other in bot detection. We have developed efficient algorithms, methodologies, and prototypes of the proposed detection system and evaluated their effectiveness through live experiments. With the support of this NSF grant, we have published 12 papers in top conferences and leading journals. Three Ph.D. students have been supported by this NSF grant in the past four years. Two of them won the Distinguished Ph.D. Dissertation Award and one of them won the Stephen K. Park Graduate Research Award. Moreover, two undergraduate students have been supported by the REU for conducting summer research in this project. One of them won the Stephen K. Park Undergraduate Scholarship Award.
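The report above describes anomaly detection that compares distributions of protocol behavior (rather than traffic volume) with the Hellinger distance and raises an alarm against a dynamic threshold. The following is an added illustration, not code from the project: it assumes per-window counts of SIP-style message types as the "protocol behavior", an EWMA-smoothed baseline distribution, and a threshold of mean + k * stddev of recent distances (with a floor); the sample windows are constructed.

```python
import math

def normalize(counts):
    """Turn a window of per-message-type counts into a probability distribution."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}

def hellinger(p, q):
    """Hellinger distance between two discrete distributions; 0 = identical, 1 = disjoint."""
    keys = set(p) | set(q)
    s = sum((math.sqrt(p.get(k, 0.0)) - math.sqrt(q.get(k, 0.0))) ** 2 for k in keys)
    return math.sqrt(s) / math.sqrt(2.0)

class HellingerDetector:
    """Flags a window whose protocol-behaviour distribution drifts from the baseline.
    Assumed design: baseline and threshold are EWMA estimates; threshold =
    mean + k * stddev of recent distances, never below `floor`."""
    def __init__(self, alpha=0.25, k=3.0, floor=0.05):
        self.alpha, self.k, self.floor = alpha, k, floor
        self.ref = None                # EWMA of the normal message-type distribution
        self.mean = self.var = 0.0     # EWMA mean / variance of recent distances

    def observe(self, counts):
        cur = normalize(counts)
        if self.ref is None:           # first window seeds the baseline
            self.ref = cur
            return 0.0, False
        d = hellinger(self.ref, cur)
        threshold = max(self.floor, self.mean + self.k * math.sqrt(self.var))
        alarm = d > threshold
        if not alarm:                  # only normal windows adapt baseline and threshold
            a = self.alpha
            keys = set(self.ref) | set(cur)
            self.ref = {k: (1 - a) * self.ref.get(k, 0.0) + a * cur.get(k, 0.0) for k in keys}
            dev = d - self.mean
            self.mean += a * dev
            self.var = (1 - a) * (self.var + a * dev * dev)
        return d, alarm

# Constructed sample windows (hypothetical SIP-style message-type counts):
# three balanced call-setup windows, then a window where INVITE requests are
# not matched by the usual 200 OK / ACK / BYE completions.
WINDOWS = [
    {"INVITE": 10, "200 OK": 10, "ACK": 10, "BYE": 10},
    {"INVITE": 11, "200 OK": 10, "ACK": 10, "BYE": 9},
    {"INVITE": 9, "200 OK": 10, "ACK": 11, "BYE": 10},
    {"INVITE": 100, "200 OK": 10, "ACK": 2, "BYE": 1},
]

def run(windows=WINDOWS):
    """Return (distance, alarm) for each window in order."""
    det = HellingerDetector()
    return [det.observe(w) for w in windows]
```

Because the threshold is derived from recent distances rather than a site-specific constant, the same detector settings can be applied to sites with different normal message mixes, which is the deployment advantage the report attributes to the dynamic threshold.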

Project Start:
Project End:
Budget Start: 2009-08-01
Budget End: 2013-07-31
Support Year:
Fiscal Year: 2009
Total Cost: $204,038
Indirect Cost:
Name: College of William and Mary
Department:
Type:
DUNS #:
City: Williamsburg
State: VA
Country: United States
Zip Code: 23187