Collaborative Data-Driven Security
for
High Performance Networks
Questions/Comments to ddcsw@internet2.edu
Home || Agenda/Presentations || Roster || Final Report (pdf)
INTRODUCTION: Internet2 held an invitational workshop on "Collaborative Data-Driven Security for High Performance Networks" at the University of Maryland Baltimore County (UMBC) on Thursday May 21st and Friday May 22nd, 2009. It was our goal for this workshop to have 30 to 60 participants, with participants from higher education, the private sector/commercial security firms, and government/law enforcement.
WORKSHOP FORMAT: The format of the workshop was a mixture of presentations, panels, and discussion sessions, with opportunities for private discussions during breaks and lunch, and during participant-arranged private dinners.
WHO SHOULD ATTEND: This workshop was intended for those who take a data-driven approach to operational security issues, including network security analysts, security researchers, network engineers, security appliance vendor technical staff, cyber crime analysts, and cyber-focused law enforcement officials.
Given the focus of the workshop, most (but not necessarily all) presentations included a discussion of at least one the following areas:
- DATA collection, data reduction and analysis, or data use related to network or system security challenges such as botnets, spam, phising, malware, spyware, DDoS, scanning, intrusion attempts, web application exploits, DNS cache poisoning, route hijacking, fast flux web hosting, etc.
- COLLABORATION, including efforts to address network or system security threats. This area may include data sharing mechanisms, data sharing formats, incident notification, collaborative reputation schemes, etc.
- security challenges unique to the security environment of HIGH PERFORMANCE or HIGH BANDWITH NETWORKS including advanced protocols or advanced network architectures, circuit bandwidths which exceeds security appliance throughput, network transparency, international R&E networking security challenges, GENI and other network testbeds, etc.
- CASE STUDIES integrating or illustrating the above themes. Case studies which help illustrate what worked and what didn't work and why are particularly welcome.
Presentations do NOT need to include ALL of the above elements.
All presentations will be made available online.
Because presentations will be made publicly available, they should be prepared for presentation and dissemination to a public cyber security-oriented audience; please do NOT include any proprietary, "for official use only" information, or classified information, nor any information which might jeopardize ongoing investigations, prosecutions or sources and methods.
Marketing-related presentations would be inappropriate for this workshop.
BACKGROUND AND OUTCOMES: Today's systems and networks are subject to continual attacks including, inter alia, scans and intrusion attempts; spam, phishing and other unwanted email; viruses, trojan horses, worms, rootkits, spyware and other malware; distributed denial of service attacks; and attacks on critical protocols such as DNS, BGP and even IP itself.
Successfully combating those attacks and other cyber threats requires hard data.
Data may come from a variety of sources, including: honeypots and dark space telescopes; deep packet inspection appliances; netflow/ sflow data collectors; intrusion detection systems; passive DNS monitoring; BGP route monitoring systems; system logs and SNMP data; or even abuse complaints and other human intelligence sources.
Once we have data available, we can analyze and understand the phenomena we're experiencing. For instance, with data we may be able to identify botnet command and control hosts; understand who's actually behind the spam that's flooding our users' accounts; use one bad domain to find other, related, equally bad domains; determine who's injecting more specific routes and hijacking our network prefixes; make decisions about problematic network ranges, including the potential consequences of filtering traffic to/from those problematic ranges.
Analysis and understanding ultimately enables action: firewall administrators can filter attack traffic; block list operators can list problematic IPs or domains; law enforcement can initiate investigations; ISPs can terminate problematic customers for cause; or the community can even develop new protocols to address pressing concerns.
But none of us can collect all the data that we'd like to have, or that we need to have. We need to collaborate with each other by sharing data and other resources.
Collaboration can be hard: data availability is often a matter of "feast or famine" -- we're either trying to "drink from the firehose" without drowning, or we can find ourself in a position where getting access to any data at all, or at least the right data, can be quite difficult. Data management can also be daunting -- storing, searching, and effectively using terabytes of data is a non-trivial undertaking. Simply deciding on a format to use to store or share data can sometimes be more of a problem than one might think: should we use IETF-standardized formats? What then if a major provider may use their own proprietary format, instead?
That background should give you an idea of what this workshop's about, and the fundamental challenge we'd like to address: how can we better work together to share data and make a difference when dealing with operational cyber security issues? We believe that attendees will gain valuable new insights from the workshop, make useful professional contacts, and contribute to recommendations meant to factilitate future data-driven collaborative security initiatives.
ACKNOWLEDGEMENTS: This workshop has been underwritten by a grant from the Department of Justice, as well as through the generous support and assistance of UMBC and Internet2.
PROGRAM COMMITTEE: We would also like to acknowledge the valuable contributions and hard work of our program committee for this workshop:
- Brian Allen, Washington U. - St. Louis
- Renee Frost, Internet2
- Terry Gray, U. Washington
- Minaxi Gupta, Indiana U.
- Ken Klingenstein, Internet2
- Chris Misra, U. Massachusetts
- Jose Nazario, Arbor Networks
- Michael O'Reirdan, Comcast, MAAWG
- Doug Pearson, REN-ISAC
- Mark Poepping, Carnegie Mellon U.
- Henry Stern, Cisco
- Joe St Sauver, Internet2/U. Oregon (Chair)
- Michael Van Norman, UCLA
- Paul Vixie, ISC
QUESTIONS? Please contact us at ddcsw@internet2.edu or feel free to get in touch with Joe St Sauver, Internet2 Security Programs Manager at 541-346-1720 or joe@oregon.uoregon.edu or joe@internet2.edu.
