Secure Name Service (SNS): A Framework for Protecting Critical Internet Resources

As we become more and more reliant on the Internet for a variety of information services, the number of network security attacks aimed at abusing or disrupting such services has also increased significantly. In addition, the sophistication of cyber attacks has grown; the emergence of massive distributed denial-of-service attacks is one such example.

It is particularly important and challenging to protect “collaborative” Internet “community services” from cyber threats: services such as Grid computing services and other “high-interest, high-impact” applications (e.g., the high-energy collaborative experiment grid, bioinformatics databases and repositories) that serve specific, yet large and geographically dispersed, communities over the Internet. (Note that we focus on “important collaborative” services, not non-critical, unrestricted services such as common Web services.) Such services are generally “open” to large and dynamic memberships, and often operate in distributed, collaborative environments. To ensure the availability and integrity of these services, “critical” resources such as application servers, databases, data repositories and storage systems, networking and other resources must be protected from unauthorized access, intrusion, disruption, denial-of-service (DoS) attacks and other cyber threats.

In this project, we propose a novel security architecture for enabling and protecting trusted, collaborative and dynamic Internet community services.

Based on a two-tiered (domain-domain and host-domain) trust model, this architecture advances several innovative concepts and mechanisms:

- “secure naming” and a “secure name service” (SNS) for establishing trust relationships among network domains on demand and for dynamically exchanging credentials/capabilities between domains and hosts along the control path;

- a “packet access (permit) system” (PAS) for efficiently and intelligently authenticating traffic and filtering out illegitimate packets on the data path; and

- “active monitoring and defense” (AMD) schemes that exploit the benefits of SNS and PAS by incorporating active monitoring and rapid-response mechanisms into the control plane of the proposed architecture, to further secure collaborative services.

The proposed architecture provides a scalable and flexible framework for establishing “traffic accountability” among domains/hosts and securing collaborative services without sacrificing their open and dynamic nature. It serves as a comprehensive “first line of defense” against unauthorized access, intrusions, DoS attacks and other cyber threats by limiting the ability of malicious users to launch attacks while hiding their identities.
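The following is an added illustrative example, not code from the project or from the papers listed below. It sketches how a control-path permit issuer (the SNS/credential side) and a data-path packet filter (the PAS side) of the kind the architecture describes could fit together, so that a packet is accepted only if it carries an unforged, unexpired permit bound to its source host and destination service, and permits are issued only to hosts in domains the receiving domain already trusts. It assumes a per-domain shared key, a set of already-trusted peer domains and an HMAC-based permit format; the domain names, host addresses, service name and key are constructed values, and the project's actual SNS/PAS designs may differ.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Assumption: one key shared by a domain's control-path permit issuer and its
# data-path packet filter. Constructed demo value, not from the project.
DOMAIN_KEY = b"constructed-demo-key-for-domain-B"

# Assumption: the set of peer domains this domain has established trust with
# (the "domain-domain" tier of the trust model). Constructed values.
TRUSTED_DOMAINS = {"domain-A", "domain-C"}


@dataclass(frozen=True)
class Permit:
    """A capability handed to a host over the control path and carried on its packets."""
    src_domain: str
    src_host: str
    dst_service: str
    expires_at: int   # seconds since epoch
    tag: bytes        # truncated HMAC binding the fields above to DOMAIN_KEY


def _tag(key: bytes, src_domain: str, src_host: str, dst_service: str, expires_at: int) -> bytes:
    # Bind every authorised attribute into the MAC so none can be swapped after issuance.
    msg = f"{src_domain}|{src_host}|{dst_service}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def issue_permit(key, trusted, src_domain, src_host, dst_service, lifetime_s, now):
    """Control path: issue a permit only for a host whose domain is already trusted."""
    if src_domain not in trusted:
        return None
    expires_at = now + lifetime_s
    return Permit(src_domain, src_host, dst_service, expires_at,
                  _tag(key, src_domain, src_host, dst_service, expires_at))


def filter_packet(key, packet: dict, now: int) -> str:
    """Data path: accept a packet only if its permit is genuine, unexpired and matches the packet."""
    permit = packet.get("permit")
    if permit is None:
        return "drop:no-permit"
    if now >= permit.expires_at:
        return "drop:expired"
    if permit.src_host != packet["src_host"] or permit.dst_service != packet["dst_service"]:
        return "drop:mismatch"
    expected = _tag(key, permit.src_domain, permit.src_host, permit.dst_service, permit.expires_at)
    if not hmac.compare_digest(expected, permit.tag):
        return "drop:bad-tag"
    return "accept"


def demo() -> dict:
    """Run control-path issuance and several data-path cases; returns the verdict per case."""
    now = 1_700_000_000  # constructed timestamp
    good = issue_permit(DOMAIN_KEY, TRUSTED_DOMAINS, "domain-A", "10.0.1.5", "grid-scheduler", 300, now)
    untrusted = issue_permit(DOMAIN_KEY, TRUSTED_DOMAINS, "domain-X", "10.9.9.9", "grid-scheduler", 300, now)
    forged = replace(good, tag=b"\x00" * 16)  # same fields, tag not computed with DOMAIN_KEY
    pkt = {"src_host": "10.0.1.5", "dst_service": "grid-scheduler"}
    other_host_pkt = {"src_host": "10.0.1.6", "dst_service": "grid-scheduler", "permit": good}
    return {
        "untrusted_domain_issued": untrusted is not None,
        "valid": filter_packet(DOMAIN_KEY, {**pkt, "permit": good}, now + 10),
        "no_permit": filter_packet(DOMAIN_KEY, pkt, now + 10),
        "expired": filter_packet(DOMAIN_KEY, {**pkt, "permit": good}, now + 600),
        "forged_tag": filter_packet(DOMAIN_KEY, {**pkt, "permit": forged}, now + 10),
        "reused_by_other_host": filter_packet(DOMAIN_KEY, other_host_pkt, now + 10),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of the sketch is the division of labour the architecture proposes: trust decisions (which domains and hosts may obtain a permit) happen once on the control path, while the per-packet check on the data path reduces to a short MAC verification and a few field comparisons, which is what makes it cheap enough to act as a first line of defense in front of the protected service.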


We will investigate various research issues and problems in the design and implementation of the proposed security architecture. In particular, we will explore and quantify the trade-offs among scalability, flexibility and strength of the security mechanisms, implementation overhead, ease of use and “incremental deployability”. An incrementally deployable prototype system will be built as a proof of concept and evaluated in a wide-area testbed environment.

The proposed project can lead to the development of a scalable and flexible security framework that effectively protects Internet community services from cyber attacks such as unauthorized access, intrusions and DoS attacks. Such services are important to the advancement of many high-interest, high-impact, distributed science applications, and provide great value and benefits to society in general. Furthermore, the understanding and insights gained from the proposed research will help establish useful design principles, mechanisms and guidelines for building a secure Internet.

People

Yingfei Dong, University of Hawaii

Zhi-Li Zhang, Changho Choi, University of Minnesota

Publications

“An Authentication Framework for Protecting Critical Internet Services,” Journal of Microprocessors and Microsystems, Volume 28, Issue 10, Secure Computing Platforms, 1 December 2004, Pages 547–559.

“Secure Name Service: A Framework for Protecting Critical Internet Resources,” in Proc. of IFIP Networking 2004, Athens, Greece, May 2004, Lecture Notes in Computer Science (LNCS), Vol. 3042, 2004, XXXIII, pp. 783–794.