OAC Core: Enhancing Network Security by Implementing an ML Malware Detection and Classification Scheme in P4 Programmable Data Planes and SmartNICs

OAC 核心：通过在 P4 可编程数据平面和智能网卡中实施 ML 恶意软件检测和分类方案来增强网络安全

• 批准号: 2403360
• 负责人: Jorge Crichigno
• 金额: $ 60万
• 依托单位: University of South Carolina at Columbia
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-07-01 至 2027-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2403360&HistoricalAwards=false
• 关键词: OAC; Core; Enhancing; Network; Security

Malware attacks represent significant threats to organizations, which use a variety of approaches to protect against them. Examples include intrusion detection systems, intrusion prevention systems, and other security systems that run on general-purpose computers. Such schemes perform "deep packet inspection" (DPI), a process by which a security device protecting an organization thoroughly examines incoming traffic and alerts administrators about suspicious activities. While DPI may be effective in some scenarios, it requires significant processing. Furthermore, if the organization receives a high volume of traffic from the Internet, DPI may not keep up with the traffic and may only inspect a fraction of it. Additionally, the inspection may not be conducted in real-time and may only detect the malware after the attack.This project proposes to leverage the capability of P4 programmable data plane (PDP) switches and smartNICs to perform DPI. The project has four objectives. 1) Develop a malware detection and classification application running on PDPs, operating at line rate. The application will perform DPI of Domain Name System (DNS) packets, preventing malware from communicating with the corresponding C2 server. Traffic will be monitored in real-time, and functions commonly executed on general-purpose CPUs will be offloaded to PDPs. The plan includes analyzing DNS data, characterizing traffic patterns, and feeding such information to a machine learning (ML) algorithm. The ML algorithm will detect and classify malware according to their family (e.g., trojan, backdoor, ransomware). 2) Develop a malware detection and classification application running on a SmartNIC, for encrypted DNS packets. Research will be conducted to perform feature extraction for malware generating such packets. An ML algorithm will use the features to detect and classify the malware. 3) Develop a control application that shares threat intelligence and avoids malware propagation. As PDP switches and smartNIC detect malware, they share the threat intelligence with a centralized controller. 4) Expand the eX-IoT platform to fingerprint, store, and index newly detected and classified malware. The eX-IoT platform is a real-time platform for fingerprinting compromised devices on the Internet. The prototype running on PDPs and smart NICs will be built with open-source components available to the community, and the developed knowledge will be disseminated by synthesizing it as virtual lab libraries for courses and self-paced learning. The libraries will be distributed to colleges and universities. Finally, tutorials on malware detection and PDPs will be organized with organizations such as Internet2 and FABRIC.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

恶意软件攻击对组织构成重大威胁，组织使用多种方法来防范恶意软件攻击。示例包括入侵检测系统、入侵防御系统以及在通用计算机上运行的其他安全系统。此类方案执行“深度数据包检查”(DPI)，保护组织的安全设备通过该过程彻底检查传入流量并向管理员发出可疑活动警报。虽然 DPI 在某些情况下可能有效，但它需要大量处理。此外，如果组织从 Internet 接收大量流量，DPI 可能无法跟上流量，并且可能只检查其中的一小部分。此外，检查可能不会实时进行，并且只能在攻击后检测恶意软件。该项目建议利用 P4 可编程数据平面 (PDP) 交换机和 smartNIC 的功能来执行 DPI。该项目有四个目标。 1) 开发在 PDP 上运行、以线速运行的恶意软件检测和分类应用程序。该应用程序将对域名系统 (DNS) 数据包执行 DPI，防止恶意软件与相应的 C2 服务器进行通信。流量将被实时监控，通常在通用 CPU 上执行的功能将被卸载到 PDP。该计划包括分析 DNS 数据、表征流量模式以及将此类信息输入机器学习 (ML) 算法。机器学习算法将根据恶意软件家族（例如木马、后门、勒索软件）对恶意软件进行检测和分类。 2) 开发在 SmartNIC 上运行的恶意软件检测和分类应用程序，用于加密的 DNS 数据包。将进行研究以对生成此类数据包的恶意软件进行特征提取。机器学习算法将使用这些功能来检测和分类恶意软件。 3) 开发共享威胁情报并避免恶意软件传播的控制应用程序。当 PDP 交换机和 smartNIC 检测到恶意软件时，它们会与集中控制器共享威胁情报。 4) 扩展 eX-IoT 平台以对新检测到和分类的恶意软件进行指纹识别、存储和索引。 eX-IoT 平台是一个实时平台，用于对互联网上受感染设备进行指纹识别。在 PDP 和智能 NIC 上运行的原型将使用社区可用的开源组件构建，开发的知识将通过将其综合为用于课程和自定进度学习的虚拟实验室库来传播。这些图书馆将分发给学院和大学。最后，有关恶意软件检测和 PDP 的教程将与 Internet2 和 FABRIC 等组织一起组织。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。