Software-defined Network Security

Project Overview

The state of network security today is quite abysmal. Security breaches and downtime of critical infrastructures continue to be the norm rather than the exception, despite the dramatic rise in spending on network security. Attackers today can easily leverage a distributed and programmable infrastructure of compromised machines (or botnets) to launch large-scale and sophisticated attacks. In contrast, the defenders of our critical infrastructures are crippled as they rely on fixed-capacity, inflexible, and expensive hardware appliances. This forces them into adopting weak and static security postures, as they face unpleasant tradeoffs between false positives and false negatives. Continuing along this trajectory means that attackers will always hold the upper hand as defenders are stifled by the inflexible and impotent tools in their arsenal.

The goal of this project is to reverse this long-standing asymmetry and fundamentally change the dynamics of this attack-defense equation. Instead of developing attack-specific defenses, we focus on empowering defenders with the right tools and abstractions to tackle the constantly evolving attack landscape. To this end, we envision a new software-defined approach to network security, where we can rapidly develop and deploy novel in-depth defenses and dynamically customize the network’s security posture to the current operating context. Realizing this vision raises fundamental challenges that transcend conventional networking and security technologies and necessitates a radical rethink across the entire “stack”.

People

  • PIs: Vyas Sekar
  • PhD Students: Seyed Fayaz, Min Suk Kang, Yoshiaki Tobioka, Tianlong Yu
Papers

  • [SIGCOMM] One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon
    Zaoxing Liu, Antonis Manousis, Greg Vorsanger, Vyas Sekar, Vladimir Braverman
    to appear in SIGCOMM 2016
  • [NDSS] SPIFFY: Inducing Cost-Detectability Tradeoffs in Persistent Link-Flooding Attacks
    Min Suk Kang, Virgil D. Gligor, Vyas Sekar
    in NDSS 2016
  • [AsiaCCS] Congesting the Internet with Coordinated And Decentralized Pulsating Attacks
    Yu-Ming Ke, Chih-Wei Chen, Hsu-Chun Hsiao, Adrian Perrig, Vyas Sekar
    in AsiaCCS 2016
  • [CCS] Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration
    Soo-jin Moon, Vyas Sekar, Michael Reiter
    in ACM CCS 2015 (2nd place, 2015 CSAW Best Applied Security paper)
  • [USENIX SECURITY] Flexible and Elastic DDoS Defense Using Bohatei
    Seyed K Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey
    in USENIX Security 2015 (Finalist for the 2015 CSAW Best Applied Security paper)

Code

Acknowledgments