Collaborative Research: SaTC: CORE: Medium: ONSET: Optics- enabled Network Defenses for Extreme Terabit DDoS Attacks

协作研究：SaTC：核心：中：ONSET：针对极端太比特 DDoS 攻击的光学网络防御

• 批准号: 2132651
• 负责人: Ramakrishnan Durairajan
• 金额: $ 40万
• 依托单位: University of Oregon Eugene
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-01-01 至 2025-12-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2132651&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

Distributed Denial of Service (DDoS) attacks continue to present a clear and imminent danger to critical network infrastructures. DDoS attacks have increased in sophistication with advanced strategies to continuously adapt (e.g., changing threat postures dynamically) and induce collateral damage (i.e., higher latency and loss for legitimate traffic). Furthermore, advanced attacks may also employ reconnaissance (e.g., mapping the network to find bottleneck links) to target the network infrastructure itself. In light of these trends, state-of-art defenses (e.g., advanced scrubbing, emerging software-defined defenses, and programmable switching hardware) have fundamental shortcomings. This project will develop a new framework, referred to as "Optics-enabled In-Network defenSe for Extreme Terabit DDoS attacks" (ONSET). The framework makes a case for new dimensions of defense agility that can programmatically control the topology of the network (in addition to the processing behavior) to tackle advanced and future attacks. The project will facilitate the use of optical technologies as an exciting visual medium for engaging K-12 students via suitable channels for dissemination. The project will also result in new course materials at the intersection of optical networking, software-defined networking, and network security to enable students to become domain experts in this emerging problem space. The project will take an interdisciplinary approach spanning security, optics, systems, and networks, to address fundamental challenges along three thrusts: (1) novel "data plane" solutions to rapidly reconfigure the wavelengths and switches and new capabilities in programmable switches to rapidly identify malicious vs. benign traffic at line rate; (2) novel "control plane" orchestration mechanisms for scalable resource management algorithms and coordinated control across optical networking and programmable switches; and (3) new "northbound application programming interfaces (APIs)" to express novel defenses to combat current and future DDoS attacks (e.g., with reconnaissance). This project will develop a new framework, referred to as "Optics-enabled In-Network defenSe for Extreme Terabit DDoS attacks" (ONSET). The research efforts will result in end-to-end prototypes using open-source and standardized interfaces to demonstrate the novel defense capabilities of ONSET. The efficacy of ONSET will be evaluated using pilot studies on operational networks to create a roadmap to practical deployment, using real testbeds and large-scale simulations. The project outcomes will be released as open-source software tools, models, and simulation frameworks that will inform industry and academic work.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

分布式拒绝服务（DDOS）攻击继续对关键网络基础设施构成明显而迫在眉睫的危险。 DDOS攻击的复杂性增加了，以不断适应（例如，动态变化威胁姿势）并造成附带损害（即合法流量的延迟和损失）。此外，高级攻击也可以采用侦察（例如，映射网络以找到瓶颈链接）来针对网络基础架构本身。鉴于这些趋势，最先进的防御能力（​​例如，高级擦洗，新兴软件定义的防御和可编程的切换硬件）具有根本的缺点。该项目将开发一个新的框架，称为“极端Terabit DDOS攻击的网络内部防御”（发作）。该框架为防御敏捷性的新维度提供了一个例子，该维度可以通过编程方式控制网络的拓扑（除了处理行为之外），以应对高级和未来的攻击。该项目将促进光学技术用作令人兴奋的视觉媒介，以通过合适的渠道传播K-12学生。该项目还将在光学网络，软件定义的网络和网络安全的交集中产生新的课程材料，以使学生能够成为这个新兴问题领域的领域专家。该项目将采用跨学科的方法，涵盖安全性，光学，系统和网络，以解决三个推力的基本挑战：（1）新颖的“数据平面”解决方案，以快速重新配置可编程开关中的波长和开关以及新功能，以快速识别恶意交通，以识别以线的态度和良性流量； （2）用于可扩展资源管理算法和跨光学网络和可编程开关的可扩展资源管理算法和协调控制的新颖的“控制平面”编排机制； （3）新的“ Northbound应用程序编程接口（API）”来表达新颖的防御能力，以打击当前和未来的DDOS攻击（例如，侦察）。该项目将开发一个新的框架，称为“极端Terabit DDOS攻击的网络内部防御”（发作）。研究工作将导致使用开源和标准化界面的端到端原型，以证明发作的新型防御能力。使用操作网络的试点研究将对发作的功效进行评估，以使用实际的测试床和大规模模拟来创建实用部署的路线图。该项目成果将作为开源软件工具，模型和模拟框架发布，这些框架将为行业和学术工作提供依据。该奖项反映了NSF的法定任务，并使用基金会的知识分子优点和更广泛的影响审查标准，认为值得通过评估来获得支持。

项目成果

Improving Scalability in Traffic Engineering via Optical Topology Programming

• DOI: 10.1109/tnsm.2023.3335898
• 发表时间: 2024-04
• 期刊: IEEE Transactions on Network and Service Management
• 影响因子: 5.3
• 作者: Matthew Nance-Hall;P. Barford;Klaus-Tycho Foerster;Ramakrishnan Durairajan

Dynamic Scheduling of Approximate Telemetry Queries

• 发表时间: 2022
• 作者: Chris Misa;Walt O'Connor;Ramakrishnan Durairajan;R. Rejaie;Walter Willinger

DynATOS+: A Network Telemetry System for Dynamic Traffic and Query Workloads

• 期刊: IEEE/ACM Transactions on Networking
• 作者: Chris Misa;Ramakrishnan Durairajan;R. Rejaie