Changes between Version 36 and Version 37 of GEC11PosterDescriptions

07/22/11 11:57:05



  • GEC11PosterDescriptions

    v36 v37  
    Steven Templeton, University of California, Davis [[br]]
    Carrie Gates, CA Labs (CoPI) [[br]]
    Securing GENI is a challenging task. Its highly distributed and autonomous infrastructure, and the requirement that security monitoring and response must not adversely affect networking experiments running on GENI slices, both define the problem and limit the solutions. Three primary challenges must be managed. First, because the GENI infrastructure is provided by many independent Aggregators, security policy can vary widely; each Aggregator is free to determine what activity is allowed and how violations will be handled. As a result, no standard security policy can be enforced across an entire distributed GENI slice. Second, because of its distributed infrastructure, a centralized IDS is not feasible. Ultimately, monitoring must be done locally, in each Aggregator and on each node: no central point for monitoring network traffic exists, and, in addition to local policy issues, the bandwidth required to forward all collected network and host data to a central point would be excessive and would aggravate the third issue, harming GENI experiments. Security monitoring solutions that use significant amounts of network or host resources may disrupt GENI networking experiments, particularly those with strict timing requirements. This is a problem with both network-based and host-based monitoring, particularly if the monitored devices are resource constrained, such as cyber-physical devices, or are highly virtualized. Traditional IDS methods relying on continuous full monitoring of all hosts and network activity are not suitable. Our project, the Hive Mind, investigates a biologically inspired, scalable, lightweight, decentralized alternative to "running all sensors, at all times, on all nodes" for security event monitoring. Instead, drawing on the behavior of social insects such as ants, bees and wasps, and of higher animals such as crows and wolves, we rely on emergent behavior to determine which sensors to run, when and where.
    Virtual creatures move across the mesh of nodes, initiating sensor functions and communicating with each other. This focuses monitoring, dynamically and without external direction, on areas of immediate interest while minimizing resource overhead. Additionally, by providing directed, limited cross-node communication of security-relevant events, we can achieve the equivalent of centralized monitoring without degrading the resources available to experiments. For example, detecting attacks launched from GENI experiments is a specific concern of the GENI Project Office. Because these may be distributed attacks, not detectable from a single host or Aggregator, they pose a significant challenge. One such attack would be a distributed denial of service (DDoS) attack launched from a large GENI experiment against an Internet host. The activity of individual nodes, in isolation, would not be suspicious; only in aggregate, seen across the nodes in the experiment, can the activity be recognized as an attack. Other attacks, such as those directed at a single node, are detected locally, but the suspicious activity is communicated to neighboring nodes to quickly inform them of the problem so that they may determine whether they also were targeted. This poster provides an overview of our research and implementation of this model for security event monitoring for GENI. [[br]]
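    The two detection modes described above (a distributed flood that is only visible in aggregate, and a single-node attack whose neighbours are warned) can be illustrated with a small simulation. This is an added example, not the Hive Mind project's code: the mesh topology, the thresholds, the per-node rates and the agent's walk are all constructed assumptions chosen to show why per-node checks alone miss the aggregate case and how a roaming agent plus neighbour notification keeps sensor activations limited to the nodes that matter.

```python
"""Decentralized aggregation over a mesh of experiment nodes.
Added illustration only; every value below is a constructed assumption."""
from collections import deque

# Constructed mesh of six experiment nodes (adjacency list); assumption.
MESH = {
    "n0": ["n1", "n3"],
    "n1": ["n0", "n2", "n4"],
    "n2": ["n1", "n5"],
    "n3": ["n0", "n4"],
    "n4": ["n1", "n3", "n5"],
    "n5": ["n2", "n4"],
}

# Constructed telemetry 1: outbound SYN/s from each node toward one external
# target. No single node is abnormal, but the slice as a whole is flooding.
SYN_RATE_TO_TARGET = {"n0": 40, "n1": 55, "n2": 38, "n3": 47, "n4": 60, "n5": 45}

# Constructed telemetry 2: inbound probe/s at each node. n2 is being attacked
# and n5 is also a target; the rest are quiet.
INBOUND_PROBE_RATE = {"n0": 5, "n1": 10, "n2": 500, "n3": 7, "n4": 12, "n5": 300}

LOCAL_THRESHOLD = 100       # rate a single host IDS would flag on its own
AGGREGATE_THRESHOLD = 250   # slice-wide rate that indicates a coordinated flood


def run_sensor(node, telemetry, activations):
    """Read one node's rate. A sensor only runs when an agent visits the node
    or a neighbour asks for it, so `activations` records where cost was paid."""
    activations.append(node)
    return telemetry[node]


def local_detect(node, telemetry, activations):
    """Classic per-host check: true only if this node alone looks abnormal."""
    return run_sensor(node, telemetry, activations) > LOCAL_THRESHOLD


def roaming_agent(start, mesh, telemetry, activations, hop_budget):
    """One agent walks outward from `start` (breadth-first, each node at most
    once), summing rates as it goes. It stops as soon as the running total
    crosses AGGREGATE_THRESHOLD or the hop budget is exhausted, so the number
    of sensors actually run is bounded by how quickly the evidence accumulates."""
    seen = {start}
    queue = deque([start])
    total = 0
    contributors = []
    while queue and len(contributors) < hop_budget:
        node = queue.popleft()
        total += run_sensor(node, telemetry, activations)
        contributors.append(node)
        if total > AGGREGATE_THRESHOLD:
            return {"alert": "aggregate", "total": total, "nodes": contributors}
        for nb in mesh[node]:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return {"alert": None, "total": total, "nodes": contributors}


def notify_neighbours(node, mesh, telemetry, activations):
    """Single-node attack path: if `node` trips its local check, only its
    direct neighbours are asked to run the same sensor. Returns the neighbours
    that were also found to be targeted."""
    if not local_detect(node, telemetry, activations):
        return []
    return [nb for nb in mesh[node] if local_detect(nb, telemetry, activations)]


def demo():
    """Run both scenarios and return the results for inspection."""
    acts_flood = []
    per_node_flags = [local_detect(n, SYN_RATE_TO_TARGET, []) for n in MESH]
    agent = roaming_agent("n0", MESH, SYN_RATE_TO_TARGET, acts_flood, hop_budget=6)
    acts_probe = []
    warned = notify_neighbours("n2", MESH, INBOUND_PROBE_RATE, acts_probe)
    return {
        "any_node_flagged_alone": any(per_node_flags),
        "agent": agent,
        "flood_sensors_run": acts_flood,
        "neighbours_also_targeted": warned,
        "probe_sensors_run": acts_probe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    In the flood scenario no node trips the local check, yet the agent's running sum crosses the aggregate threshold after visiting all six nodes; in the probe scenario only n2 and its two neighbours ever run a sensor, and n5 is identified as a second target without any slice-wide sweep.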
    GENI Project: [[br]]
    == Great Plains Environment for Network Innovation (GpENI) ==
    James P.G. Sterbenz, The University of Kansas [[br]]
    Justin P. Rohrer, The University of Kansas [[br]]
    Egemen Çetinkaya, The University of Kansas [[br]]
    The Great Plains Environment for Network Innovation (GpENI) is an international programmable network testbed centered on a regional optical network in the Midwest US, providing flexible infrastructure across the entire protocol stack. The goal of GpENI is to build a collaborative research infrastructure enabling the community to conduct experiments in future Internet architecture. GpENI is funded in part by the US National Science Foundation GENI (Global Environments for Network Innovation) program and by the EU FIRE (Future Internet Research and Experimentation) Programme, and is affiliated with a project funded by the NSF FIND (Future Internet Design) Program. [[br]]
    GENI Project: [[br]]
    [wiki:GpENI] [[br]]
    More Information: [[br]]