Visible to the public Biblio

Filters: Author is Yegneswaran, Vinod  [Clear All Filters]
2018-09-12
Nagendra, Vasudevan, Yegneswaran, Vinod, Porras, Phillip.  2017.  Securing Ultra-High-Bandwidth Science DMZ Networks with Coordinated Situational Awareness. Proceedings of the 16th ACM Workshop on Hot Topics in Networks. :22–28.

The Science DMZ (SDMZ) is a special purpose network infrastructure that is engineered to cater to the ultra-high bandwidth needs of the scientific and high performance computing (HPC) communities. These networks are isolated from stateful security devices such as firewalls and deep packet inspection (DPI) engines to allow HPC data transfer nodes (DTNs) to efficiently transfer petabytes of data without associated bandwidth and performance bottlenecks. This paper presents our ongoing effort toward the development of more fine-grained data flow access control policies to manage SDMZ networks that service large-scale experiments with varying data sensitivity levels and privacy constraints. We present a novel system, called CoordiNetZ (CNZ), that provides coordinated security monitoring and policy enforcement for sites participating in SDMZ projects by using an intent-based policy framework for effectively capturing the high-level policy intents of non-admin SDMZ project users (e.g., scientists, researchers, students). Central to our solution is the notion of coordinated situational awareness that is extracted from the synthesis of context derived from SDMZ host DTN applications and the network substrate. To realize this vision, we present a specialized process-monitoring system and flow-monitoring tool that facilitate context-aware data-flow intervention and policy enforcement in ultra-highspeed data transfer environments. We evaluate our prototype implementation using case studies that highlight the utility of our framework and demonstrate how security policy could be effectively specified and implemented within and across SDMZ networks.

2018-03-19
Ghosh, Shalini, Das, Ariyam, Porras, Phil, Yegneswaran, Vinod, Gehani, Ashish.  2017.  Automated Categorization of Onion Sites for Analyzing the Darkweb Ecosystem. Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. :1793–1802.

Onion sites on the darkweb operate using the Tor Hidden Service (HS) protocol to shield their locations on the Internet, which (among other features) enables these sites to host malicious and illegal content while being resistant to legal action and seizure. Identifying and monitoring such illicit sites in the darkweb is of high relevance to the Computer Security and Law Enforcement communities. We have developed an automated infrastructure that crawls and indexes content from onion sites into a large-scale data repository, called LIGHTS, with over 100M pages. In this paper we describe Automated Tool for Onion Labeling (ATOL), a novel scalable analysis service developed to conduct a thematic assessment of the content of onion sites in the LIGHTS repository. ATOL has three core components – (a) a novel keyword discovery mechanism (ATOLKeyword) which extends analyst-provided keywords for different categories by suggesting new descriptive and discriminative keywords that are relevant for the categories; (b) a classification framework (ATOLClassify) that uses the discovered keywords to map onion site content to a set of categories when sufficient labeled data is available; (c) a clustering framework (ATOLCluster) that can leverage information from multiple external heterogeneous knowledge sources, ranging from domain expertise to Bitcoin transaction data, to categorize onion content in the absence of sufficient supervised data. The paper presents empirical results of ATOL on onion datasets derived from the LIGHTS repository, and additionally benchmarks ATOL's algorithms on the publicly available 20 Newsgroups dataset to demonstrate the reproducibility of its results. On the LIGHTS dataset, ATOLClassify gives a 12% performance gain over an analyst-provided baseline, while ATOLCluster gives a 7% improvement over state-of-the-art semi-supervised clustering algorithms. We also discuss how ATOL has been deployed and externally evaluated, as part of the LIGHTS system.

2017-06-05
Pan, Xiang, Yegneswaran, Vinod, Chen, Yan, Porras, Phillip, Shin, Seungwon.  2016.  HogMap: Using SDNs to Incentivize Collaborative Security Monitoring. Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. :7–12.

Cyber Threat Intelligence (CTI) sharing facilitates a comprehensive understanding of adversary activity and enables enterprise networks to prioritize their cyber defense technologies. To that end, we introduce HogMap, a novel software-defined infrastructure that simplifies and incentivizes collaborative measurement and monitoring of cyber-threat activity. HogMap proposes to transform the cyber-threat monitoring landscape by integrating several novel SDN-enabled capabilities: (i) intelligent in-place filtering of malicious traffic, (ii) dynamic migration of interesting and extraordinary traffic and (iii) a software-defined marketplace where various parties can opportunistically subscribe to and publish cyber-threat intelligence services in a flexible manner. We present the architectural vision and summarize our preliminary experience in developing and operating an SDN-based HoneyGrid, which spans three enterprises and implements several of the enabling capabilities (e.g., traffic filtering, traffic forwarding and connection migration). We find that SDN technologies greatly simplify the design and deployment of such globally distributed and elastic HoneyGrids.