II-EN: High-Performance Network Monitoring Infrastructure For Research in a Large-Scale Operational Environment

II-EN：用于大规模运营环境研究的高性能网络监控基础设施

• 批准号: 0855125
• 负责人: Robin Sommer
• 金额: $ 20.79万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-08-01 至 2011-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0855125&HistoricalAwards=false
• 关键词: II; EN; Performance; Network; Monitoring

This award is funded under the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).Developing security monitoring to robustly protect large sites against Internet attacks presents exceptionally difficult research challenges. There is a world of difference between detecting attackers in a small-scale environment such as a departmental LAN (as is often used for evaluation of academic studies) and doing so at the scale of a large site. Algorithms that work fine in the presence of a modicum of background traffic can be rendered completely useless when faced with two orders of magnitude more background traffic, for reasons of both performance and false positives induced by the much greater diversity. The overall objective of this proposal is to greatly enhance our UC Berkeley infrastructure that monitors the campus border traffic in order to facilitate the continuation of security research tied to the operational requirements of one of the largest academic network environments in the country. The proposed new cluster will serve as a powerful research platform for many future studies, providing unprecedented capabilities for analyzing a large-scale operational network in depth. Furthermore, on a technical level it will allow the principal investigators (PIs) to systematically assess the scalability of the our clusterized approach to larger network loads and determine what is required to provide in-depth monitoring capabilities for other environments. Intellectual merit: Intellectual Merit: The instrumentation infrastructure supported by this proposal will serve as the key enabler for a range of research otherwise not possible to undertake at an equivalent scale. These span: (1) detection algorithms that operate robustly in the presence of highly diverse background traffic, (2) indepth semantic analysis of the very broad range of modern network applications, (3) efficient recording of high-volume traffic streams for forensic analysis, (4) scalability assessment of clustering and multicore techniques for achieving high performance monitoring, and (5) ties with the UC Berkeley cybersecurity staff leading to investigation of new research problems that arise when deploying network defenses operationally. Broader impact: The ability to richly monitor large traffic streams in real-time has major implications for Internet security, as it is a key component for securing large Internet sites. This effort will enable a range of research directly grounded in the operations of a high-performance, high-volume site, a type of environment only very lightly addressed in the field due to its significant logistical and technical difficulties. The monitoring system will realize an order of magnitude more power for such analysis than to our knowledge any existing deployment provides. As such, it will serve not only as a platform for network security research at scales previously unattainable, but also as an exemplar for how others can construct and operate such systems. Thus, this effort has the potential both to enable new discoveries regarding protecting high-volume network environments, and to facilitate the broader use of such technology for better securing and operating high-speed networks. Finally, the infrastructure from this grant will provide doctoral students with an unparalleled opportunity for undertaking research in an environment unmatched by any other in the field.

该奖项由 2009 年美国复苏和再投资法案（公法 111-5）资助。开发安全监控以强有力地保护大型网站免受互联网攻击提出了异常艰巨的研究挑战。在部门 LAN（通常用于评估学术研究）等小规模环境中检测攻击者与在大型站点范围内检测攻击者之间存在天壤之别。由于性能和更大的多样性引起的误报，在存在少量背景流量的情况下运行良好的算法在面对多两个数量级的背景流量时可能会变得完全无用。该提案的总体目标是大大增强我们监控校园边界流量的加州大学伯克利分校基础设施，以促进与美国最大的学术网络环境之一的运营要求相关的安全研究的持续进行。拟议的新集群将作为许多未来研究的强大研究平台，为深入分析大规模运营网络提供前所未有的能力。此外，在技术层面上，它将允许主要研究人员 (PI) 系统地评估我们的集群方法对更大网络负载的可扩展性，并确定为其他环境提供深度监控功能所需的条件。智力优点： 智力优点：该提案支持的仪器基础设施将成为一系列研究的关键推动者，否则不可能以同等规模进行。这些涵盖：(1) 在存在高度多样化的背景流量的情况下稳健运行的检测算法，(2) 对非常广泛的现代网络应用进行深入的语义分析，(3) 有效记录大量流量以进行取证分析，（4）用于实现高性能监控的集群和多核技术的可扩展性评估，以及（5）与加州大学伯克利分校网络安全人员的联系，导致对部署网络防御操作时出现的新研究问题进行调查。更广泛的影响：实时丰富地监控大流量的能力对互联网安全具有重大影响，因为它是保护大型互联网站点的关键组成部分。这项工作将使一系列研究直接扎根于高性能、高容量站点的运行，这种环境由于其重大的后勤和技术困难而在现场很少得到解决。据我们所知，监控系统将实现比任何现有部署提供的分析能力高一个数量级的能力。因此，它不仅将成为以前无法​​达到的规模的网络安全研究平台，而且还将成为其他人如何构建和运营此类系统的典范。因此，这项工作有可能在保护大容量网络环境方面取得新的发现，并促进此类技术的更广泛使用，以更好地保护和运营高速网络。最后，这笔赠款的基础设施将为博士生提供无与伦比的机会，让他们在该领域其他任何人都无法比拟的环境中进行研究。