To minimize risk to the OS and other accounts on a system, organizations often limit their users to the minimal privileges needed on the system. To limit threat propagation within the network, organizations use firewalls and virtual LANs (VLANs) to group hosts into smaller risk pools. They then use monitoring tools, such as intrusion-detection systems (IDS), at the network boundaries between groups to detect threats.
Unfortunately, these enforcement and monitoring tools lack visibility into hosts and other parts of the network, hindering their ability to make informed decisions. Specifically, 1) they are blind to activity among grouped hosts (e.g., within VLANs or subnets), 2) they are blind to the host-level cause (or catalyst) of the network traffic when making security decisions, 3) they can only examine a subset of the network's traffic without seeing network-wide behavior, 4) they allow adversaries to perform reconnaissance on the organization's network and infrastructure, and 5) they use broad rules to allow or deny traffic without the ability to consider details.
This work seeks to create centralized access control systems for all network traffic and to inform the network access controller of the host-level context and catalyst of network traffic.
In exploring these research directions, this project will make the following contributions:
This approach increases the security of computer systems and networks, which will have a direct impact on government, military, educational, and industrial organizations. The tools and systems created in this work will enable educational experiments at both the graduate and undergraduate levels. The work also supports extracurricular activities, including the Collegiate Cyber Defense Competitions and the high school CyberPatriot competition.
The following video gives a short overview of the PEACE technology.
In creating exploring this project, we have created code and collected data to support our publications. The following code and data is available based on those publications.
This material is based upon work supported by the National Science Foundation under Grant No. 1422180. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.