Collaborative Research: CICI: Secure and Resilient Architecture: NetSecOps -- Policy-Driven, Knowledge-Centric, Holistic Network Security Operations Architecture

合作研究：CICI：安全和弹性架构：NetSecOps——策略驱动、以知识为中心、整体网络安全运营架构

• 批准号: 1642134
• 负责人: James Griffioen
• 金额: $ 49.99万
• 依托单位: University of Kentucky Research Foundation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642134&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

Network infrastructure at University campuses is complex and sophisticated, often supporting a mix of enterprise, academic, student, research, and healthcare data, each having its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus infrastructures are increasingly under attack from malicious actors on the Internet and (often unknowingly) internal campus devices. Different parts of the campus have very different policies and regulations that govern its treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions, etc.). Furthermore, data-intensive scientific research traffic often requires exceptions to normal security policies, resulting in ad-hoc solutions that bypass standard operational procedures and leave both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still heavily rely on human domain experts to interpret high level policy documents, implement those policies through low-level mechanisms, create exceptions to accommodate scientific workflows, interpret reports and alerts, and be able to react to security events in near real time on a 24-by-7 basis.This project addresses these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that assists information technology (IT) security teams by automating many of the operational tasks that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the framework encodes high-level human-readable policies into systematic policy specifications that drive the actual configuration and operation of the infrastructure. NetSecOps is knowledge-centric in that the framework captures data, information, and knowledge about the infrastructure in a central knowledge store that informs and guides IT operational tasks. The proposed NetSecOps architecture has the following unique capabilities: (1) the ability to capture campus network security policies systematically; (2) the ability to create new fine-grained network control abstractions that leverage existing security capabilities and emerging software defined networks (SDN) to implement security policies, including policies related to both scientific workflows and IT domains; (3) the ability to implement policy traceability tools that verify whether these network abstractions maintain the integrity of the high-level policies; (4) the ability to implement knowledge-discovery tools that enable reasoning across data from existing security point-solutions, including security monitoring tools and authentication and authorization frameworks; and (5) the ability to automatically adjust the network's security posture based on detected security events. Research results and tools from the project will be released into the public domain allowing academic institutions to utilize the resources as part of their best-practice IT security operations.

大学校园的网络基础设施复杂而精密，通常支持企业、学术、学生、研究和医疗保健数据的混合，每个数据都有自己独特的安全、隐私和优先级策略。 确保这种复杂且高度动态的环境的安全极具挑战性，特别是因为园区基础设施越来越多地受到互联网上的恶意行为者和（通常在不知不觉中）内部园区设备的攻击。校园的不同部分有非常不同的政策和法规来管理敏感数据的处理（例如，私人学生/员工信息、医疗保健数据、金融交易等）。此外，数据密集型科学研究流量通常需要对正常安全策略进行例外处理，从而导致临时解决方案绕过标准操作程序，并使科学工作流程和整个校园都容易受到攻击。简而言之，最先进的校园安全运营仍然严重依赖人类领域专家来解释高级策略文件，通过低级机制实施这些策略，创建例外以适应科学工作流程，解释报告和警报，并能够以 24×7 的方式近乎实时地对安全事件做出反应。该项目通过名为 NetSecOps（网络安全操作）的协作研究工作来解决这些挑战，该工作通过自动化许多工作来帮助信息技术 (IT) 安全团队的操作任务是当前校园网络中存在繁琐、容易出错等问题。 NetSecOps 是策略驱动的，因为该框架将高级人类可读策略编码为系统策略规范，以驱动基础设施的实际配置和操作。 NetSecOps 以知识为中心，因为该框架在中央知识存储中捕获有关基础设施的数据、信息和知识，通知和指导 IT 操作任务。所提出的NetSecOps架构具有以下独特功能：（1）系统捕获校园网络安全策略的能力； (2) 创建新的细粒度网络控制抽象的能力，利用现有的安全功能和新兴的软件定义网络 (SDN) 来实施安全策略，包括与科学工作流程和 IT 领域相关的策略； (3) 能够实施策略可追溯工具，验证这些网络抽象是否保持高级策略的完整性； (4) 实施知识发现工具的能力，这些工具能够对现有安全点解决方案的数据进行推理，包括安全监控工具以及身份验证和授权框架； (5)根据检测到的安全事件自动调整网络安全态势的能力。该项目的研究成果和工具将发布到公共领域，允许学术机构利用这些资源作为其最佳实践 IT 安全运营的一部分。

项目成果

Multi-user Input in Determining Answer Sets (MIDAS)

确定答案集中的多用户输入 (MIDAS)

• 发表时间: 2018-01
• 期刊: IEEE International Conference on Requirements Engineering (RE
• 作者: Kalim; Albert
• 通讯作者: Albert

University of Kentucky TraceLab Component Similarity Matrix Voting Merge

肯塔基大学 TraceLab 组件相似性矩阵投票合并

• 发表时间: 2019-05
• 期刊: Proceedings of the 10th International Workshop on Software and System Traceability (SST'19
• 作者: Payne, Jared;Huffman Hayes, Jane
• 通讯作者: Huffman Hayes, Jane

A Comparison of Stemming Techniques in Tracing

追踪中的词干技术比较

• 发表时间: 2019-05
• 期刊: Proceedings of the 10th International Workshop on Software and System Traceability (SST'19
• 作者: Farrar, David;Huffman Hayes, Jane
• 通讯作者: Huffman Hayes, Jane

Checking Network Security Policy Violations via Natural Language Questions

通过自然语言问题检查网络安全策略违规情况

• DOI: 10.1109/icccn52240.2021.9522325
• 发表时间: 2021-07
• 期刊: 2021 International Conference on Computer Communications and Networks (ICCCN
• 作者: Shi, Pinyi;Song, Yongwook;Fei, Zongming;Griffioen, James
• 通讯作者: Griffioen, James

Expressing and Managing Network Policies for Emerging HPC Systems

表达和管理新兴 HPC 系统的网络策略

• DOI: 10.1145/3332186.3333045
• 发表时间: 2019-07
• 期刊: Practice and Experience in Advanced Research Computing on Rise of the Machines (learning
• 作者: Rivera, Sergio;Griffioen, James;Fei, Zongming;Hayes, Jane Huffman
• 通讯作者: Hayes, Jane Huffman