Network Security Data Analytics
Network Security Analytics is the application of data science methods to network security. Data science can be approached as a collaboration between experts in a specific problem domain, statisticians and computer scientists, with the additional requirement of an analytic infrastructure that supports big-data techniques. The specific problem domain here is network security. The ITSL is conducting research in the collection, processing, analysis and dissemination of network security intelligence. In the area of collection, the ITSL designed a proof-of-concept log aggregation system using the Elastic stack which is now deployed in the operational Virginia Tech network. We are currently researching data processing and analytic techniques, with the end goal of producing actionable network security intelligence.
Our research in network security visualization aims to improve situational awareness for both end users and network security professionals. By combining augmented reality with the ELK infrastructure, we are working towards visualizing a user's "digital footprint" in real time and in physical space. We are also using augmented reality to enhance traditional security visualizations, presenting current data and predictive analytics in intuitive forms that are accessible to non-specialists as well as analysts.
Data-Driven Network Inventory
The goal of this research is to better understand the challenges institutions face with network inventory and to develop new methods for implementing inventory controls. It addresses the critical need for institutions to know what devices are on their network in the age of NAT, IoT, virtual machines and application containers, where a device no longer maps to one stable address. This effort is a specific application of the Network Security Data Analytics work above: the inventory problem can be addressed with data the network already produces, in the form of existing network service logs.
Higher Education Host Inventory Control Survey Results.
Moving Target IPv6 Defense (MT6D)
The goal of our research is to protect sensitive communications, such as those of government agencies, from eavesdroppers and social engineers. In prior work we investigated the privacy implications of stateless address autoconfiguration (SLAAC) in the Internet Protocol version 6 (IPv6). Autoconfigured addresses, the default addressing mechanism in IPv6, embed a stable interface identifier (in the EUI-64 scheme, one derived from the interface's MAC address), so a host presents the same lower 64 bits on every network it joins; this gives a third party a means to track and monitor a targeted user globally with tools as simple as ping and traceroute. Signed messages likewise expose the identities of both the sender and the receiver to a third party. Our research focuses on preventing IPv6 address tracking and on creating a "moving target defense." The Moving Target IPv6 Defense (MT6D) dynamically hides the network- and transport-layer addresses of IPv6 packets to achieve anonymity and protect against certain classes of network attacks. It accomplishes this by changing addresses automatically, with no outside involvement: both endpoints derive the current addresses from shared state, so no address needs to be announced. Packets are also encrypted to prevent traffic correlation, which significantly improves anonymity. In its preferred implementation, MT6D protects against address tracking, traffic correlation and certain classes of network attacks. MT6D can be embedded on a host device or deployed as a gateway device, in either software or hardware. It requires negligible configuration and is transparent to applications and hosts. Its applications range from hosts that want to keep their location private to hosts conducting sensitive communications. Although our primary focus is IPv6, whose /64 subnets provide the address space that makes frequent rotation practical, the same techniques can be applied to the Internet Protocol version 4 (IPv4) provided a pool of unallocated addresses is available.
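The two ideas in the paragraph above, that a SLAAC address carries a stable, trackable interface identifier and that MT6D replaces it with one both endpoints can compute from shared state and time, can be shown in a few lines. The following is an added illustration written for this page; it is not the ITSL's MT6D code. The hash (SHA-256), the byte encoding of the inputs, the shared secret, the ten-second hop interval and all addresses and MAC values are this example's assumptions, chosen only to make the behaviour visible.

```python
import hashlib
import ipaddress

# Constructed sample inputs; none of these values come from the original page.
MAC = "00:11:22:33:44:55"
HOME_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
AWAY_PREFIX = ipaddress.IPv6Network("2001:db8:2::/64")
SHARED_SECRET = b"example-shared-secret"   # assumed pre-shared between the two MT6D endpoints
HOP_INTERVAL = 10                          # assumed rotation period in seconds
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Interface identifier SLAAC derives from a MAC address (modified EUI-64):
    flip the universal/local bit of the first octet and insert 0xFFFE in the middle.
    It is identical on every network the host joins, which is what makes it trackable."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host would configure on the given /64 prefix."""
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_iid(mac))


def mt6d_iid(static_iid: int, secret: bytes, time_slice: int) -> int:
    """Rotating interface identifier: hash of the static IID, the shared secret and the
    current time slice, truncated to 64 bits. SHA-256 and this byte layout are the
    example's assumptions; a real deployment fixes its own construction."""
    material = (static_iid.to_bytes(8, "big") + secret
                + time_slice.to_bytes(8, "big", signed=True))
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big")


def mt6d_address(prefix, mac, secret, now, interval=HOP_INTERVAL) -> ipaddress.IPv6Address:
    """Address an MT6D endpoint uses (for itself or for its peer) at time `now`.
    Both endpoints know `mac`, `secret` and the time, so both compute the same value;
    an observer without the secret cannot predict the next one."""
    iid = mt6d_iid(eui64_iid(mac), secret, now // interval)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def acceptable_addresses(prefix, mac, secret, now, interval=HOP_INTERVAL, skew_slices=1):
    """Addresses a receiver should accept around `now`: the current slice plus
    `skew_slices` on either side, to tolerate clock skew between the endpoints and
    packets still in flight across a rotation boundary."""
    current = now // interval
    return {mt6d_address(prefix, mac, secret, s * interval, interval)
            for s in range(current - skew_slices, current + skew_slices + 1)}


def demo() -> dict:
    # 1. SLAAC: the low 64 bits match on both networks, so the host is trackable.
    home, away = slaac_address(HOME_PREFIX, MAC), slaac_address(AWAY_PREFIX, MAC)
    trackable = (int(home) & IID_MASK) == (int(away) & IID_MASK)
    # 2. MT6D: the address is stable within a slice and changes at the boundary.
    a0 = mt6d_address(HOME_PREFIX, MAC, SHARED_SECRET, now=0)
    a5 = mt6d_address(HOME_PREFIX, MAC, SHARED_SECRET, now=5)
    a10 = mt6d_address(HOME_PREFIX, MAC, SHARED_SECRET, now=10)
    # 3. A party with the wrong secret computes a different address.
    wrong = mt6d_address(HOME_PREFIX, MAC, b"wrong-secret", now=0)
    return {"slaac_trackable": trackable, "stable_in_slice": a0 == a5,
            "changes_at_boundary": a0 != a10, "secret_required": a0 != wrong}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The acceptance window in `acceptable_addresses` is the practical detail that decides whether a deployment works: too narrow and a few seconds of clock skew silently drops traffic, too wide and an address stays reachable longer than the rotation interval suggests.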
Micro-Moving Target IPv6 Defense (µMT6D)
As the use of low-power, low-resource embedded devices continues to increase dramatically with the introduction of new Internet of Things (IoT) devices, security techniques are needed that are compatible with these devices. This research advances cyber security for the IoT by exploring a moving target defense that limits the time attackers have to conduct reconnaissance on embedded systems, while accounting for the resource and performance constraints of IoT devices. The variation, based on MT6D, is called µMT6D, a Micro-Moving Target IPv6 Defense. It adapts the methodology to low-power, memory-constrained devices and explores multiple modes of operation, including host-based and border-based deployment. Communication protocols and the use of lightweight hash algorithms (the address rotation hash is the dominant per-hop cost on a constrained node) are also central to this work. Ongoing efforts look at testing and validation, including a Cooja simulation configuration (the Contiki OS network simulator), and at further enhancing and validating the technique through large-scale simulations and hardware testing.
Moving Target IPv6 Defense (MT6D) Hardware Development
The goal of our research is to develop a high-performance Network Security Processor (NSP) implementation of Moving Target IPv6 Defense (MT6D) on a Field Programmable Gate Array (FPGA). Verilog and the other Hardware Description Languages used to synthesize FPGA designs provide register-transfer-level control that supports future work on an Application Specific Integrated Circuit (ASIC) solution. Development and research encompass integrating the Physical, Data Link, Network, Transport and Session layer protocols of the Open Systems Interconnection (OSI) network model. Low-latency packet modification at near line rate is accomplished with stream-based system architectures, real-time packet modification techniques and fully parallelized cryptographic engines.
Using Honeypots in a MT6D Communication
Although MT6D provides security and privacy to a host on the network, it is not a foolproof protection scheme. The address generated for each hop is pseudorandom and cryptographically derived, but an adversary could still find patterns in the sequence, or otherwise manage to predict the address of the next hop. To counter this we are researching an Omnipot system that monitors the subnet of an MT6D host. Once the MT6D host rotates to a new address, the vacated address is picked up by the Omnipot, which creates a honeypot that uses the dropped address and mimics a live machine. Because legitimate peers always know the host's current address, any contact with a vacated address is a strong indicator of scanning or prediction. A prototype of the Omnipot system has been built; we are currently researching improvements, in particular allowing the host to perform an on-demand MT6D address hop as soon as an attacker is detected in any of the honeypots.
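The decision logic of the Omnipot scheme described above, as an added example written for this page rather than the ITSL prototype's code. A real Omnipot would claim each vacated address on the wire (answering Neighbor Discovery for it) and emulate a host behind it; this example models only the bookkeeping: which addresses are honeypots, which contacts are alarms, and how an alarm triggers an on-demand hop. The rotation period, the overlap window during which a just-vacated address is still treated as legitimate in-flight traffic, the address schedule and the packet events are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed parameters for this example (not from the page's prototype).
ROTATION = 5   # ticks between scheduled MT6D hops
OVERLAP = 2    # ticks a just-vacated address still counts as legitimate in-flight traffic

# Constructed sequence of addresses the protected host will rotate through.
SCHEDULE = ["2001:db8:1::a1", "2001:db8:1::b2", "2001:db8:1::c3",
            "2001:db8:1::d4", "2001:db8:1::e5"]


@dataclass
class Mt6dHost:
    schedule: list
    index: int = 0

    def current(self) -> str:
        return self.schedule[self.index]

    def hop(self) -> str:
        self.index += 1
        return self.current()


@dataclass
class Omnipot:
    retired: dict = field(default_factory=dict)   # vacated address -> tick it was vacated
    alerts: list = field(default_factory=list)    # (tick, src, dst) contacts to honeypots

    def retire(self, addr: str, tick: int) -> None:
        self.retired[addr] = tick

    def is_honeypot(self, addr: str, tick: int) -> bool:
        # A vacated address becomes a honeypot only after the overlap window, so a
        # legitimate peer's last in-flight packets are not mistaken for a scan.
        return addr in self.retired and tick - self.retired[addr] > OVERLAP


def do_hop(host: Mt6dHost, pot: Omnipot, tick: int) -> str:
    """Rotate the host and hand its old address to the Omnipot."""
    pot.retire(host.current(), tick)
    return host.hop()


def handle_packet(host: Mt6dHost, pot: Omnipot, tick: int, src: str, dst: str) -> str:
    if dst == host.current():
        return "deliver"
    if pot.is_honeypot(dst, tick):
        pot.alerts.append((tick, src, dst))
        do_hop(host, pot, tick)          # on-demand hop: do not wait for the schedule
        return "honeypot"
    if dst in pot.retired:
        return "grace"                   # within OVERLAP: in-flight traffic, not an alarm
    return "ignore"                      # address never used by the host


def simulate(events, schedule=SCHEDULE):
    """Replay (tick, src, dst) packets, applying scheduled hops as time advances.
    Returns the per-packet decisions, the alerts raised and the host's final address."""
    host, pot = Mt6dHost(list(schedule)), Omnipot()
    next_hop, log = ROTATION, []
    for tick, src, dst in sorted(events, key=lambda e: e[0]):
        while next_hop <= tick:
            do_hop(host, pot, next_hop)
            next_hop += ROTATION
        log.append(handle_packet(host, pot, tick, src, dst))
    return log, pot.alerts, host.current()


# Constructed traffic: a legitimate peer that tracks the rotation, and a scanner
# that returns to an address it saw earlier.
EVENTS = [
    (1, "peer", "2001:db8:1::a1"),      # current address -> deliver
    (6, "peer", "2001:db8:1::a1"),      # vacated at tick 5, inside OVERLAP -> grace
    (6, "peer", "2001:db8:1::b2"),      # peer has followed the hop -> deliver
    (9, "scanner", "2001:db8:1::a1"),   # stale address, outside OVERLAP -> honeypot + hop
    (10, "scanner", "2001:db8:1::ff"),  # never used -> ignore
    (12, "peer", "2001:db8:1::d4"),     # after on-demand hop (tick 9) and scheduled hop (10)
]

if __name__ == "__main__":
    decisions, alerts, final = simulate(EVENTS)
    print(decisions, alerts, final)
```

The overlap window is the part worth tuning: it must cover the receiver's acceptance window for the previous address, otherwise the Omnipot will raise alarms (and force hops) on the host's own peers.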
An Optimized Alert System based on Geospatial Location
This research project is focused on designing, implementing and analyzing the operation of a software application and the communication channels for an optimized crisis alert system. As is standard for notification systems, the project includes the development and evaluation of two complementary notification channels, each suited to a separate purpose. A geospatially aware smart-phone application is being implemented to deliver push notifications anywhere, and the Virginia Tech campus network is being explored for fast multicast notification transmission. In the event of a crisis, distinct multicast messages will be designated by geospatial location and sent to the devices of on-campus users connected to the network. All users, including those off campus or not connected to the network, will receive messages differentiated by their current location through the smart-phone application. Integration and testing is being done with the fully operational VTAlerts notification system, with the main goal of providing an optimized, reliable and situationally customized crisis notification system.