Scalable Technology to Accelerate Research Network Operations Vulnerability Alerts

We propose a translational research effort to extend the capabilities of existing NSF-funded network measurement infrastructure to immediately improve the robustness, integrity, and resilience of SDSC's wide range of scientific infrastructure.

Sponsored by:
National Science Foundation (NSF)

Principal Investigators: Ka Pui Mok kc claffyFabian Bustamante

Funding source:  OAC-2319959 Period of performance: August 15, 2023 - July 31, 2026.


Project Summary

Cyber attacks, such as ransomware, malware, and denial-of-service (DOS), are persistent threats to the security, reliability, and robustness of scientific cyberinfrastructure (CI). We propose a translational research effort to extend the capabilities of existing NSF-funded Internet measurement infrastructure—UCSD Network Telescope (UCSD-NT)—to immediately improve the robustness, integrity, and resilience of wide range of CI hosted in the San Diego Supercomputer Center (SDSC). Specifically, we propose to develop a novel platform—Sustainable Technology to Accelerate Research Network Operations Vulnerability Alerts (STARNOVA)—which will substantially expand the capability to identify targeted attacks against scientific CI at the SDSC.

Tasks

We structure the design and implementation of STARNOVA as three tasks.

Our first task is to expand the visibility of UCSD-NT by capturing traffic toward SDSC’s production networks. We will leverage network/broadcast IP addresses in each SDSC’s subnets and the addresses assigned to router interface and point-to-point links to form greynets, a collection of dark IP addresses that interspersed with active addresses in the same subnets, to capture unsolicited traffic. We will deploy equipment to mirror the traffic to the modernized UCSD-NT.

Second, we will leverage NSF-funded compute resources (i.e., the Expanse supercomputer at SDSC) to deploy our recent research on machine learning(ML)-based time series analytic methods to detect anomalies in IBR traffic. Our method will efficiently analyze over 200K time series and identify those containing either transient or persistent suspicious pattern changes.

Third, we will automate network flow analysis to examine the time series flagged by our anomaly detection method. We will enhance our current flow data representation, correlate anomalies in different time series, identify potentially affected services, and infer attack origins. We will implement near real-time alerts for operators to make informed defensive actions against potential threats.

Project Timeline

62
Description
818
Task 1: Enhance UCSD-NT infrastructure
1.1 Deploy 400Gbps taps in SDSC network
1.2 Forward greynet traffic to UCSD-NT
1.3 Upgrade UCSD-NT hardware
1.4 Develop packet filtering software
1.5 Switch over to new infrastructure
156
Task 2: Develop anomaly detection method
2.1 Enhance and refine DTW-base method
2.2 Evaluate the accuracy with historical data
2.3 Integrate greynet traffic data
2.4 Implement near real-time detection
2.5 Deploy GPU-based implementation
657
Task 3: Generate threat intelligence
3.1 Implement new FlowTuple version
3.2 Develop automatic analyzer
3.3 Evaluate the accuracy of threat intelligence
3.4 Publish threat intelligence

Acknowledgment of awarding agency’s support

National Science Foundation (NSF)

This material is based on research sponsored by the National Science Foundation (NSF) grant OAC-2319959. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF.

Published
Last Modified