Collaborative Research: NeTS: JUNO3: Leveraging Heterogeneous Programmable Data Planes for Security and Privacy of Cellular Networks, 5G & Beyond

合作研究：NetS：JUNO3：利用异构可编程数据平面实现蜂窝网络、5G 的安全和隐私

• 批准号: 2210380
• 负责人: Timothy Wood
• 金额: $ 22.5万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-09-01 至 2025-08-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2210380&HistoricalAwards=false
• 关键词: Collaborative; Research; NeTS; JUNO3; Leveraging

Securing “5G and beyond” cellular networks is critical to support the growing traffic from mobile and IoT devices. Significant parts of the cellular network infrastructure are being implemented on software-based environments. The shift to a disaggregated, virtualized cellular core network may result in an increased attack surface and greater vulnerability. Slow attacks, which attempt to avoid notice, can be damaging as they cannot be easily detected, and generally require the memory and computational capacity of end-host security middleboxes to detect or prevent them. Likewise, attackers seeking to violate user-privacy by eavesdropping on communication, cannot be easily prevented, especially at large scale. These threats leave both cellular users and operators vulnerable to attacks. This joint US-Japan project seeks to provide strong security monitoring and privacy protection solutions that exploit the high speed of programmable switches, the increased capabilities of programmable network interface cards, and the memory/computational capacity of end-host servers. By leveraging the strengths of each of these data plane components, the project will develop an efficient and performant cellular network security solution. To achieve this goal, this joint US-Japan project will pursue technical tasks that will be collaboratively pursued by the PIs based in the US and Japan. First, the team will design a heterogeneous data plane framework that cohesively combines multiple data plane devices for network function processing. The approach will use a collaborative filtering system, where most of the traffic is processed only by high-speed programmable switches that can easily extract aggregated, coarse-grained metrics. Suspicious traffic will be redirected to programmable network interface cards, or the host as necessary, for further inspection and metrics collection. Second, the project will develop real-time monitoring of cellular traffic, leveraging the cellular core network as a key vantage point. Monitoring at the cellular core can not only effectively detect and thwart data plane-based attacks, but also those on the control plane. It is in the unique position of being able to correlate between data and control plane state to further improve upon existing approaches to detect security attacks. Finally, the project will design privacy protection mechanisms that ensure anonymity of users in the face of fingerprinting attacks. The approach will leverage traffic morphing techniques that leverage the entire range of capabilities of a multi-tier, programmable, heterogeneous data plane framework, to enable high-speed operation. The proposed techniques will have significant societal impact by providing strong threat prevention and privacy preservation for cellular network users and their traffic.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

确保“ 5G及以后”的蜂窝网络对于支持移动设备和物联网设备的流量不断增长至关重要。基于软件的环境正在实施蜂窝网络基础架构的重要部分。向分解，虚拟化的细胞核网络的转变可能会导致攻击表面增加和更大的脆弱性。试图避免通知的缓慢攻击可能会造成损害，因为它们无法轻易检测到它们，并且通常需要终端安全中间箱的内存和计算能力来检测或防止它们。同样，试图通过窃听通信来违反用户私人的攻击者不容易预防，尤其是在大规模上。这些威胁使蜂窝用户和操作员都容易受到攻击。该联合美国联合项目旨在提供强大的安全监控和隐私保护解决方案，以利用可编程开关的高速，可编程网络接口卡的增加功能以及最终主机服务器的内存/计算能力。通过利用每个数据平面组件的优势，该项目将开发出高效且性能的蜂窝网络安全解决方案。为了实现这一目标，该联合的美国 - 日本项目将追求由美国和日本的PIS共同追求的技术任务。首先，团队将设计一个异质数据平面框架，该框架将多个数据平面设备结合在一起，用于网络功能处理。该方法将使用协作过滤系统，在该系统中，大多数流量仅通过高速可编程开关来处理，该开关可以轻松提取聚合的粗粒度指标。可疑流量将被重定向到可编程网络接口卡或必要的主机，以进行进一步的检查和指标收集。其次，该项目将开发对蜂窝流量的实时监视，利用蜂窝核网络作为关键有利位置。在细胞芯处进行监测不仅可以有效检测和阻止数据平面的攻击，还可以在控制平面上进行监测。它的独特位置是能够在数据和控制平面状态之间关联以进一步改善现有方法检测安全攻击的方法。最后，该项目将设计隐私保护机制，以确保面对指纹攻击的用户匿名。该方法将利用多层，可编程，异构数据平面框架的整个功能范围来利用流量变形技术，以实现高速操作。拟议的技术将通过为蜂窝网络使用者及其流量提供强大的威胁预防和隐私保护，从而产生重大的社会影响。该奖项反映了NSF的法定任务，并使用基金会的知识分子优点和更广泛的影响审查标准，被认为是通过评估而被视为珍贵的支持。