2003 — 2007
Investigators: Voelker, Geoffrey (co-PI); Moore, David; Savage, Stefan
Quantitative Network Security Analysis @ University of California-San Diego
Proposal number: CCR-0311690
Title: Quantitative Network Security Analysis
PIs: David Moore, Geoffrey M. Voelker, Stefan Savage
The research investigates the following questions: how does the nature of large-scale Internet security threats change over time, how effective are attackers at compromising services, and how well do existing security countermeasures provide a meaningful defense against these threats in practice?
This requires the development of a combination of network analysis techniques and network measurement infrastructure to analyze these threats. In particular, this project has three specific goals. First, our prototype measurement infrastructure will be re-engineered to provide real-time analysis of current Internet-wide security anomalies. This will allow active measurements to characterize the impact of attacks and the presence and effectiveness of security countermeasures and patches, and to better correlate this data with other sources of network measurement data. Second, tracking these events on a long-term basis allows extraction of trends in the prevalence, make-up, and staging of large-scale Internet attacks. Creating this kind of longitudinal dataset is essential for understanding the evolution of the threats and vulnerabilities being exploited. Finally, while there has been initial validation of results concerning large-scale homogeneous attacks, it is an open question how well these techniques can also be used to observe smaller or highly skewed attack distributions. This research will evaluate the resolution of these techniques by comparing them with smaller-scale monitors and direct measurements on individual networks. Together these efforts will produce the first meaningful datasets about large-scale network attacks on the Internet. It is hoped that this data will ultimately have impact beyond the individual results of this research, and will change the way network security decisions are made.
2003 — 2011
Investigators: Pasquale, Joseph; Chien, Andrew; Kriegman, David (co-PI); Savage, Stefan
RI: FWGrid: A Research Infrastructure with Fast Wireless, Wired, Compute, and Data Infrastructure for Next Generation Systems and Applications @ University of California-San Diego
In the future, in the digital fabric, computing elements will be distinguished by their networked bandwidth, compute and data capabilities, and of course their particular input/output capabilities (e.g. graphical displays, cameras, GPS, laser range-finding, etc.). These elements will be knit into large-scale distributed applications and resource pools, together an entity increasingly known as the "computational grid". The key capabilities of a "Grid" element will be determined largely by its communication and input/output capabilities.
We propose a research infrastructure (FWGrid) that enables research in innovative and radically new applications, systems and system architectures, and the emerging technical and even social use of systems and services built for the technology environment of the future. The key aspects of this infrastructure are:
- highly capable mobile image/video capture and display devices (to interact with the world),
- high-bandwidth wireless at 100-500 Mbps (to tightly couple mobile elements to high-capability resources),
- rich wired networks of 10-100 Gbps (to move and aggregate data and computation without limit), and
- distributed clusters with large compute (teraflops) and data (tens of terabytes) capabilities (to power the infrastructure).
Broader Impact: FWGrid will enable us to explore, with real systems and users, radical new applications, novel application structures, system architecture, resource management policies, innovative algorithms, and system management. It will fundamentally enhance undergraduate and graduate education and all activities of the department. Because FWGrid will be a "living laboratory", we will gain access to real users and actual workloads. FWGrid models the world of five years hence, where widespread high-bandwidth wireless, extreme wired (fiber) bandwidth, and plentiful wired computing and data resources are the norm. FWGrid will be used to support a wide variety of research, ranging from low-level network measurement and analysis, to grid middleware and modeling, to application-oriented middleware and new distributed application architectures, and finally to higher-level applications using rich image and video, both offline and online.
FWGrid will have a transformative impact on the department, accelerating our growth into experimental computer science, continuing to transform and broaden both undergraduate and graduate education, and providing a modern Grid infrastructure on which to perform research experiments, one that also extends to wireless and peer-to-peer computing/storage. Because of the fortuitous timing with respect to our new CSE building, the infrastructure will have a deep impact on the department's educational, research, and social environment. It will support experimental research as well as multi-faculty and multi-disciplinary collaborative research and education. FWGrid will form a nexus for systems research within the department, and couple all of us at high bandwidth to researchers on the campus, to SDSC and CalIT2, the metropolitan area, and the wide area. This will enable innumerable shared experiments and collaborations. In short, it will couple us to the future at high speed.
2004 — 2012
Investigators: Varghese, George (co-PI); Voelker, Geoffrey (co-PI); Savage, Stefan
Collaborative Research: Cybertrust Center for Internet Epidemiology and Defenses @ University of California-San Diego
PIs: Stefan Savage, University of California - San Diego; Vern Paxson, International Computer Science Institute
Award 0433668
Abstract
The combination of widespread software homogeneity and the Internet's unrestricted communication model creates an ideal climate for infectious, self-propagating pathogens - "worms" and "viruses" - with each new generation of outbreaks demonstrating increasing speed, virulence, and sophistication. The Center for Internet Epidemiology and Defenses aims to address twin fundamental needs: to better understand the behavior and limitations of Internet epidemics, and to develop systems that can automatically defend against new outbreaks in real-time.
Understanding the scope and emergent behavior of Internet-scale worms seen in the wild constitutes a new science termed "Internet epidemiology". To gain visibility into pathogens propagating across the global Internet, the Center is pursuing the construction and operation of a distributed "network telescope" of unprecedented scale. The telescope in turn feeds a "honeyfarm" collection of vulnerable "honeypot" servers whose infection serves to indicate the presence of an Internet-scale worm.
To then fight worms once detected, the Center works on developing mechanisms for deriving "signatures" of a worm's activity and disseminating these to worm suppression devices deployed throughout the global network.
Finally, the Center strives to ground its research in the potentially thorny, but highly relevant, "real-world" issues of informing the development of legal frameworks in terms of the appropriate use of anti-worm technologies and their applications for providing forensic evidence; and enabling the development of actuarial models for quantifying exposure to aggregate risk and liability from Internet epidemics, critical for supporting the emerging cyber-insurance industry.
2006 — 2007
Investigators: Vahdat, Amin (co-PI); Savage, Stefan; Snoeren, Alex
NeTS-FIND: Enabling Defense and Deterrence through Private Attribution @ University of California-San Diego
Research in network security to date focuses largely on defenses---mechanisms that impede the activities of an adversary. Practical security, however, requires a balance between defense and deterrence. While defenses may block current attacks, without a meaningful risk of being caught adversaries are free to continue their attacks with impunity. Deterrence is usually predicated on effective means of attribution---tying an individual to an action. In the physical world attribution is achieved through forensic evidence, but constructing such evidence is uniquely challenging on the Internet.
This project is developing a novel architectural primitive---private attribution, based on group signatures---that allows any network element to verify that a packet was sent by a member of a given group. Importantly, however, actually attributing the packet to a particular group member requires the participation of a set of trusted authorities, thereby ensuring the privacy of individual senders. In addition, this work explores content-based inverse firewalls that can inspect the content of traffic leaving a secured network, ensuring that sensitive information is kept within an enterprise. Approved data can then be labeled by the inspecting firewall, providing an audit trail should concerns arise.
Broader Impacts: This research is developing a key architectural component to improve the level of security and assurance available to network services. In addition, the PIs are initiating a dialogue among both researchers and network operators about critical policy aspects of network security, in particular about information on the sources of both normal and attack traffic that must be safeguarded according to some policy.
2007 — 2011
Investigators: Vahdat, Amin (co-PI); Voelker, Geoffrey (co-PI); Savage, Stefan; Snoeren, Alex
Collaborative Research: NeTS-FIND: Privacy Preserving Attribution & Provenance @ University of California-San Diego
Real-world security policies invariably involve questions of "who" and "what": who are the principals, what data are they seeking to access, and so forth. By contrast, the present-day Internet architecture concerns itself primarily with issues of "how" and "where": what are the protocols by which a data item is delivered, and to which topological endpoints. This inherent dissonance of purpose makes Internet security a bolt-on affair, with abstract access control policies pushed off to be implemented by particular applications or mapped onto the poor approximations provided by network-level abstractions (e.g., network firewalls). Moreover, these imperfect mechanisms are themselves attacked with impunity, since today's Internet architecture provides a functional anonymity that insulates attackers from any meaningful liability.
This project is developing two key architectural capabilities, host attribution (which physical machine sent a packet) and data provenance (what is the "origin" of the data contained within a packet), to enable the direct expression of a wide range of security policies. Moreover, these properties are being implemented in a fashion that mandates their use (in a strong sense) by the network, but manages to preserve end-user privacy. The PIs are focusing on two key applications in this work: forensic trace-back and attribution for the purpose of attack deterrence, and defensive data-exfiltration controls to place precise limits on what kinds of data may move across a network.
Broader Impacts: This research is developing key architectural components to improve the level of security and assurance available to network services. In addition, the PIs are initiating a dialogue among both researchers and network operators about critical policy aspects of network security, in particular about information on the sources of both normal and attack traffic that must be safeguarded according to some policy.
2008 — 2011
Investigators: Voelker, Geoffrey (co-PI); Savage, Stefan
Collaborative Research: CT-M: Understanding and Exploiting Economic Incentives in Internet-Based Scams @ University of California-San Diego
Computer security is a field in which defenses are pitted against adversaries. Thus, it is critical to understand the capabilities and motivations of the adversary if one is to plan effective defenses. However, modern Internet-based attacks are largely driven by economic factors that are only understood in the abstract. While we know that it is sufficiently cheap to compromise Internet hosts that large-scale botnets have become a compelling platform for launching attacks, we simply do not understand the scale of the revenue that such activities bring in. While we understand that billions of spam e-mails are sent per day, the conversion rate of this spam (the probability that a sent message will result in a "sale") is largely unknown. Absent such information it is difficult to reason about the structural nature of the conflict between attackers and defenders.
Traditionally, obtaining information about the critical economic factors in Internet attacks is difficult because such information is only visible to the attackers themselves. Our research is focused on sidestepping this issue by infiltrating the technical infrastructure (the botnets themselves) used by Internet miscreants. Our technique, called "distribution infiltration", provides a means to directly quantify key aspects of spam and phishing campaigns as well as to measure the impact of defenses on an economic footing (i.e., their impact on the profitability of e-crime). Our research will both refine these methodologies and produce concrete data for developing economics-based threat models of computer security.
2009 — 2013
Investigators: Sobel, Joel (co-PI); Paturi, Ramamohan; Savage, Stefan; Snoeren, Alex (co-PI); McCubbins, Mathew (co-PI)
NetSE: Medium: Network Structure, Incentives, and Outcomes @ University of California-San Diego
This project is developing and validating rigorous models of several central problems in the design of the Internet and its applications, which can be viewed as evolving distributed systems composed of software agents employing some algorithmic process. In these systems, one can predict the outcome of a particular task as a function of a set of input variables: the agent communication pattern, individual incentives, and algorithmic strategy---aspects that have previously been studied in isolation, but rarely in concert. The PIs are developing an analytic framework that explicitly accounts for both network structure and agent incentives. By considering simple tasks like information diffusion, search, and leader election, they will construct a theory that can be applied to practical problems such as Internet routing, congestion control, and reputation systems.
Intellectual Merit: This project brings together a team of researchers with backgrounds spanning economics, algorithms, and networking to develop a unified approach to complex social networking that captures both network structure and agent incentives through a rigorous algorithmic framework. This project employs several research methodologies including human-subject experimentation, algorithm design, economic analysis, and large-scale simulation.
Broader Impact: The multidisciplinary approach of this project promises to lead to a comprehensive understanding of the effect of network structure and agent incentives in networks. The project is training graduate and undergraduate students in the skills necessary to deal with social networks, which are emerging as a fundamental underpinning of many applications. The PIs are designing two new courses based upon the research conducted in the project.
2010 — 2015
Investigators: Savage, Stefan; Krueger, Ingolf (co-PI)
TC: Medium: Collaborative Research: Foundations, Architectures, and Methodologies for Secure and Private Cyber-Physical Vehicles @ University of California-San Diego
Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks and bridged to external networks as well. While this transformation has driven major advancements in efficiency, safety and convenience, it has also introduced a broad range of new potential risks. In this effort, we are evaluating these risks by experimentally mapping the attack surface of the modern automobile, identifying architectural security and privacy vulnerabilities, and developing new defense methodologies that can provide safety within the rubric of the existing automotive design ecosystem.
2011 — 2014
Investigators: Savage, Stefan; Snoeren, Alex; Levchenko, Kirill (co-PI)
NeTS: Small: Understanding Network Failure @ University of California-San Diego
This project seeks to quantify the frequency, duration, causes, and impact of faults across a variety of network classes. Unlike previous efforts that have relied on substantial special-purpose instrumentation and monitoring infrastructure, the PIs are conducting their analysis using only commonly available data sources, such as device logs and configuration records maintained by network operations staff. In this way, they hope not only to provide concrete data regarding the particular networks being evaluated, but to define a repeatable methodology that can be employed by other researchers and even commercial operators to assess the reliability of other networks. Through partnerships with an academic backbone network (CENIC), an enterprise network services company (Hewlett-Packard), and a large-scale Web services provider (Microsoft), the PIs have obtained access to device logs, operational maintenance records, and configuration information for a significant number of real networks.
Concretely, this project is working to deliver a fault analysis methodology based on readily available data like device logs, configuration information, and operator records such as email lists and trouble tickets; comparative studies regarding the differing failure characteristics of wide-area, enterprise, and data center networks; and a generative model of network faults that can be used to evaluate the suitability and efficacy of different applications and protocols to various network designs.
Broader Impact: In addition to these concrete technical contributions, the broader impacts of this project include the potential to cause network operators to reconsider how current networks are designed, to make them less likely to fail, or to fail in more straightforward and easily manageable ways. Moreover, the research effort is imparting to the next generation of computer scientists the skills necessary to assess, analyze, and model the performance characteristics of operational networks. This project supports two graduate students who assist the PIs in conducting the described work and receive significant exposure to commercial network environments through industrial internships.
2012 — 2017
Investigators: Voelker, Geoffrey (co-PI); Savage, Stefan; Saul, Lawrence (co-PI); Fowler, James; Levchenko, Kirill (co-PI)
TWC: Frontier: Collaborative: Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives @ University of California-San Diego
This project tackles the social and economic elements of Internet security: how the motivations and interactions of attackers, defenders, and users shape the threats we face, how they evolve over time, and how they can best be addressed. While security is a phenomenon mediated by the technical workings of computers and networks, it is ultimately a conflict driven by economic and social issues that merit a commensurate level of scrutiny. Today's online attackers are commonly profit-seeking, and the implicit social networks that link them together play a critical role in fostering the innovation and the efficiency underlying cybercrime markets. Further, the socio-economic lens can provide vital insights not only for understanding attackers, but victims too. Today's consumers, corporations, and governments make large investments in security technology with little understanding of their ultimate return on investment. And the ease with which we adopt online personas and relationships has created a collective blind spot that attackers exploit all too easily.
Grappling with these socio-economic dimensions is of fundamental importance for achieving a secure future information infrastructure, and developing a sound understanding of them requires research grounded in empiricism. Accordingly, the project has four key components: (1) pursue in-depth empirical analyses of a range of online criminal activities; (2) map out the evolving attacker ecosystem that preys on online social networks, and the extent to which unsafe online behavior is itself adopted and transmitted; (3) study how relationships among these criminals are established, maintained, and evolve over time; and (4) measure the efficacy of today's security interventions, both in the large and at the level of individual users. Across all of these efforts, the aim is to identify bottleneck elements where interventions might most effectively undermine entire ecosystems of abusive and criminal activities. Consequently, this research has the potential to dramatically benefit society by undermining entire cybercrime ecosystems: disrupting underground activities, infrastructure, and social networks through strategic intervention. The work will also create numerous educational opportunities, including undergraduate and graduate education as well as workforce education for security professionals, law enforcement, civil regulatory agencies, and legal scholars and professionals tasked with countering modern Internet threats.
2016 — 2019
Investigators: Jhala, Ranjit (co-PI); Savage, Stefan; Snoeren, Alex (co-PI); Levchenko, Kirill
CPS: Synergy: Collaborative Research: Foundations of Secure Cyber-Physical Systems of Systems @ University of California-San Diego
Factories, chemical plants, automobiles, and aircraft have come to be described today as cyber-physical systems of systems--distinct systems connected to form a larger and more complex system. For many such systems, correct operation is critical to safety, making their security of paramount importance. Unfortunately, because of their heterogeneous nature and special purpose, it is very difficult to determine whether a malicious attacker can make them behave in a manner that causes harm. This type of security analysis is an essential step in building and certifying secure systems.
Unfortunately, today's state-of-the-art security analysis tools are tailored to the analysis of server, desktop, and mobile software. We currently lack the tools for analyzing the security of cyber-physical systems of systems. The proposed work will develop new techniques for testing and analyzing security properties of such systems. These techniques will be used to build a new generation of tools that can handle the complexity of modern cyber-physical systems and thus make these critical systems more secure. The technical approach taken by the investigators is to apply proven dynamic analysis techniques, including dynamic information flow tracking and symbolic execution, to this problem. Existing tools, while powerful, are monolithic, designed to apply a single technique to a single system. Scaling them to multiple heterogeneous systems is the main contribution of the proposed work. To do so, the investigators will first develop a common platform for cross-system dynamic analysis supporting arbitrary combinations of component execution modes (physical, simulated, and emulated), which requires new coordination mechanisms. Second, building on that platform, they will implement cross-system dynamic information flow tracking, allowing information flow to be tracked across simulated, emulated, and potentially physical components. Third, they will extend existing symbolic/concrete execution techniques to execution across multiple heterogeneous systems. Fourth, they will introduce new ways of handling special-purpose hardware, a problem faced by dynamic analysis tools in general.
2016 — 2019
Investigators: Voelker, Geoffrey (co-PI); Savage, Stefan; Snoeren, Alex; Porter, George (co-PI); Levchenko, Kirill (co-PI)
II-New: A Dual-Purpose Data Analytics Laboratory @ University of California-San Diego
The research enabled by the supported infrastructure has the potential to dramatically impact society in two ways. First, by undermining entire cyber-crime ecosystems: disrupting underground activities, infrastructure, and social networks through strategic intervention. Inhibiting the flow of money reduces the profitability of these activities, thereby subverting the key incentive underlying modern cybercrime. Second, improved efficiency of data center networks will significantly reduce operating costs and increase energy efficiency. The infrastructure will also create educational opportunities for students at a variety of levels, expanding the research skills of postdoctoral, graduate, and undergraduate students to address both data center network design and security research challenges.
This project pursues two separate multi-year research agendas: collecting and analyzing extremely large datasets pertaining to various aspects of Internet malware and cybercrime, while concurrently exploring new high-performance hybrid optical/electrical network architectures that dramatically decrease the cost and complexity of the infrastructure required to support such analytics. This award supports compute and storage resources both to conduct the analytics required for the e-crime research and, simultaneously, to serve as a testbed for our prototype hybrid network switches.
The research enabled by this infrastructure has two key components:
1) Through in-depth empirical analyses of a range of online criminal activities, the PIs are developing an understanding of the shape of key economic and social forces, as seen at scale, in terms of their relevance for both attackers and defenders.
2) Characterizing the network traffic generated by large-scale data analytics, focusing specifically on identifying the class of network traffic that a circuit switch can support as well as the partitioning of the traffic between the circuit and packet portions of the network.
2017 — 2020
Investigators: Savage, Stefan; Voelker, Geoffrey (co-PI)
SaTC: Core: Medium: Large-Scale Characterization of DNS Abuse @ University of California-San Diego
The domain name system (DNS) is one of the most critical pieces of Internet infrastructure in use today. It underlies how we name nearly all Internet resources, such as "nsf.gov", and its correct operation is implicitly assumed both by end users and in the design of many important applications such as email and the World Wide Web. Unfortunately, DNS is also abused in a wide variety of ways to support criminal activities such as spam, phishing, fraud, and host compromise. The goal of this research is to develop infrastructure for the comprehensive and frequent auditing of the domain name system as a basis for discovering and understanding the impact of abuse and attacks on the health of the DNS and the Internet as a whole, and how changes in the domain name system facilitate new kinds of abuse and attacks. Given the indiscriminate nature of Internet abuse, ensuring the vitality of the DNS ecosystem can positively benefit virtually all Internet users. The project itself will also create educational opportunities for students at a variety of levels, expanding the research skills of postdoctoral, graduate, and undergraduate students.
This research will perform large-scale measurement of many sources of data which, when combined, will provide a global perspective on the health of the DNS, and develop analysis techniques for scalably identifying and characterizing the nature of DNS abuse. We will comprehensively survey DNS to capture the bindings of all key records. We will crawl registered domains in all top-level domains for which we can obtain data, and regularly repeat this survey over time to look for changes. We will scan resources linked to domains, including Web sites, mail servers, login and application servers, any certificates that they provide, linked registration records, results of search engine queries and contemporaneous data from both a range of threat intelligence and passive DNS feeds. We will perform such measurements from a variety of geographically diverse IP addresses to capture differences due to national DNS infrastructure and cache poisoning attacks. We will build tools to process this considerable amount of data to efficiently identify changes in DNS mapping state and characterize abusive behavior. Finally, we will produce an overall analysis of DNS abuse Internet-wide, as revealed by our measurements, in which we capture the prevalence of different kinds of abuse, and what the abusers are using it for.