| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | University of Southern California |
| Country | United States |
| Start Date | Sep 01, 2021 |
| End Date | Aug 31, 2024 |
| Duration | 1,095 days |
| Number of Grantees | 4 |
| Roles | Principal Investigator; Co-Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2124431 |
Network-security analysis is currently a tedious and detailed exercise that starts with analysts collecting data from diverse sources (such as network traffic, server histories and individual computer states), and then cross-comparing this information against attack data, such as malicious host names or malware descriptions. Analysts then make security decisions by manually inspecting these data sets and looking for rare but dangerous events.
Unsurprisingly, this is an error-prone process, which is further complicated by rising traffic volumes, complex network structures, and confounding factors such as proxies and Network Address Translation (NAT) boxes. This project's goal is to use ideas inspired by formal methods to develop a novel framework to automate network-traffic analysis. By improving data collection through better sensor placement and by analyzing the provenance of hostile events, the project's impacts are an improvement in security analysis, better situational awareness and lowered response times.
The project develops a query language that allows network analysts to describe the structure of the network and the desired analysis objective, assuming complete observability across the network. To account for elements that confound such analyses (proxies, NAT boxes and similar), the project investigates automatic methods to test whether the analysis remains feasible under partial observability.
If the analysis is not feasible under partial observability, the framework identifies statistically correlated alternative quantities that can be used to give approximately correct results with high probability. The framework also allows for the automatic synthesis of the necessary monitors and their optimal placement so as to minimize errors and resource overheads. The system is equipped with mechanisms to track the provenance of measurements from all deployed sensors, enabling researchers to diagnose root causes after warnings are triggered or attacks are uncovered.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.