Layer-8 attacks (e.g., spam and phishing) are launched from a malicious service platform, e.g., botnet, which consists of a large number of infected machines (or bots). Such an attack platform relies on lower-layer network services to achieve efficiency, robustness, and stealth in communication and attack activities. These services include look-up (e.g., DNS), hosting (e.g., Web servers), and transport (e.g., BGP).

The main research goals and approaches of the CLEANSE project are:

1. Control-plane monitoring. Much of the infrastructure for mounting layer-8 attacks involves abuse of the control plane in core network services (e.g., DNS and BGP). The CLEANSE project develops control-plane anomaly detection sensors that are distributed, online, and real-time.

2. Data-plane monitoring. The project develops new and general network anomaly detection algorithms based on traffic sampling and clustering for monitoring high-speed traffic.

3. Improved security auditing capabilities. The CLEANSE project develops packet "tagging/tainting" techniques to enable tracking and clustering of network traffic flows (e.g., that are generated by the same bot program). The project also develops improved traffic sampling capabilities that are attack-aware and distributed network-wide.

By focusing on monitoring of core network services, the CLEANSE framework can detect future layer-8 attacks and new forms of large-scale malware infections. The project also creates educational contents, including new textbooks and on-line course materials, which directly benefit from the research activities. The CLEANSE project team also work with industry partners (including the ISPs) to organize focused workshops that bring together researchers from academia and practitioners from the industry/ISP, government, and law enforcement agencies to foster the exchange of ideas, data, and technologies.

Project Report

Botnets—or large number of infected machines under the control of an attacker--- are the primary vehicle by which attacker launch attacks on today's Internet. As botnets become more sophisticated and develop new methods for concealing their behavior, it is imperative that we develop the next-generation defenses and deploy them in practice. We explore two aspects of these defenses in this work, proactive and reactive botnet defenses. Botnet research is often reactive in nature, with a focus exclusively on the detection and mitigation of botnet activities. In contrast, one of our contributions in this grant has been on measures for preventing botnet infections. Acknowledging that any preventative behavior (e.g., policy enforcement, patching) is inherently a balance between the risk of an activity and the cost to mitigate the risk of that activity, we have focused our efforts on building more effective models of risk assessment. In particular, we have developed novel methods for analyzing the impact of a patch by inspecting a software system and its patch using a combination of static control flow analysis, dynamic execution traces, and ranking heuristics. Further, we have examined techniques for building more accurate and less costly inventories of vulnerable hosts and services within a network by automatically inferring interesting changes in the context or posture of a network. Although the primary value of our work is in addressing prevention of Botnet infections, when the prevention of Botnet infection fails, one of necessity turns to detection and mitigation mechanisms. Another value of this grant has been in enhancing the state of the art in detection and mitigation of botnets. We have enlightened operators as to which network anomaly detection methods work better under which scenarios and have shown the design considerations that affect the detection performance of various algorithms. In both cases the goal our work has been to equip defenders with better information so that they might create a environments where it is significantly more difficult for attackers in infect large numbers of hosts and maintain their botnets after infection. Our work has resulted in several peer reviewed publications including work in Cybersecurity Applications & Technology Conference For Homeland Security, International Symposium on Recent Advances in Intrusion Detection, IEEE International Conference on Dependable Systems and Networks, IEEE International Conference on Computer Communications, and Workshop on Hot Topics in Operating Systems. This grant has supported four Ph.D. Students, One master's student, and provided research opportunities for one undergraduate student.

Agency
National Science Foundation (NSF)
Institute
Division of Computer and Network Systems (CNS)
Application #
0831174
Program Officer
Ralph Wachter
Project Start
Project End
Budget Start
2008-10-01
Budget End
2012-09-30
Support Year
Fiscal Year
2008
Total Cost
$281,000
Indirect Cost
Name
University of Michigan Ann Arbor
Department
Type
DUNS #
City
Ann Arbor
State
MI
Country
United States
Zip Code
48109