Real-world security policies invariably involve questions of ``who'' and ``what''--who are the principals, what data are they seeking to access, and so forth. By contrast, the present-day Internet architecture concerns itself primarily with issues of ``how'' and ``where''-- what are the protocols by which a data item is delivered and to which topological endpoints. This inherent dissonance of purpose makes Internet security a bolt-on affair---with abstract access control policies pushed off to be implemented by particular applications or mapped onto the poor approximations provided by network-level abstractions (e.g., network firewalls). Moreover, these imperfect mechanisms are themselves attacked with impunity since today's Internet architecture provides a functional anonymity that insulates attackers from any meaningful liability.
This project is developing two key architectural capabilities--host attribution (which physical machine sent a packet) and data provenance (what is the ``origin'' of the data contained within a packet)--to enable the direct expression of a wide-range of security policies. Moreover, these properties are being implemented in a fashion that mandates their use (in a strong sense) by the network, but manages to preserve end-user privacy. The PIs are focusing on two key applications in this work: forensic trace-back and attribution for the purpose of attack deterrence, and defensive data-exfiltration to place precise controls over what kinds of data may move across a network.
Broader Impacts: This research is developing key architectural components to improve the level of security and assurance available to network services. In addition, the PIs are initiating a dialogue among both researchers and network operators about critical policy aspects of network security. In particular, information about the sources of both normal and attack traffic that must be safeguarded according to some policy.
