Networking and Security Projects

Accountable Information Use: Privacy and Fairness in Decision-Making Systems

Increasingly, decisions and actions affecting people's lives are determined by automated systems processing personal data. Excitement over the positive contributions of these systems has been accompanied by serious concerns about their opacity and the threats that they pose to privacy, fairness, and other values. Recognizing these concerns, this project seeks to enable real-world automated decision-making systems to be accountable for privacy and fairness.

Counter Power Lab

In this collaborative project with UC Berkeley, ICSI PIs are working with the lead developer of the "Snowflake" censorship circumvention system to refine the code for production deployment in both the Tor Browser Bundle and as a stand-alone application. The work includes developing instrumentation to measure the usage of Snowflake as its deployment rolls out and analyzing the results to assess Snowflake's impact on enabling circumvention.

Exploring Internet Balkanization through the Lens of Regional Discrimination

One of the Internet’s greatest strengths is the degree to which it facilitates access to any of its resources from users anywhere in the world. Various forces, however, have arisen that restrict particular users from accessing particular destinations, resulting in a "balkanization" of the network. This project explores apt methodologies for understanding such balkanization, an effort we will undertake in the context of examining "regional discrimination," i.e., the degree to which certain web services deny or degrade access to users from particular geographic regions.

Effective and Economical Protection for High-Performance Research and Education Networks

As scientific research requires free exchange of information and ideas among collaborators world-wide, scientists depend critically on full and open access to the Internet. Yet in today’s world, such open access also exposes sites to incessant network attacks. Some of the most powerful networks today remain particularly hard to defend: for the 100G environments and backbones that facilitate modern data-intensive sciences, classic inline firewalls remain infeasible options.

Lumen Privacy Monitor

Your mobile phone hosts a rich array of information about you and your behavior. This includes a wide range of unique identifiers and sensitive personal information that enables online tracking, often times for delivering targeted advertisement. It is, however, striking how little insight and control we, as mobile users have into the operation and performance of our devices, into how (or whether) they protect information we entrust to them, and who they share it with.

Shining Light on Non-Public Data Flows

This project looks into the usage and collection of data by programs that operate behind the scenes. The collected data and its use by a network of sellers, brokers, and marketers represents a direct privacy threat as it can be used for marketing, profiling, crime, or government surveillance, and yet consumers have little knowledge about it and no legal means to access the data. ICSI researchers are conducting surveys and experiments to determine the current status of this data and observe its effects.

Understanding the State of TLS Using Large-scale Passive Measurements

This project leverages and extends the data collection of the ICSI SSL Notary for an extensive study of the real-world TLS/X.509 ecosystem through measurement-centric research. The SSL/TLS protocol suite constitutes the key building block of today’s Internet security, providing encryption and authentication for end-to-end communication with the help of an associated global X.509 public key infrastructure. However, from its first version in 1994 until today, researchers and practioners keep discovering TLS deficiencies undermining the protocol’s security on a regular basis.

Towards a Science of Censorship Resistance

This project focuses on establishing a science of censorship resistance. Recent years have seen significant efforts on the part of both practitioners and researchers in countering large-scale Internet censorship imposed by nation-states. Driven by an active arms race, much of the research work in the field has been reactive in nature, lacking solid and methodical foundations.

Security and Privacy for Wearable and Continuous Sensing Platforms

In this collaborative project, researchers at ICSI, UC Berkeley, and University of Washington are systematically exploring the security and privacy issues brought up by the increasing popularity of wearable computers. The recent demand for devices like Google Glass, smart watches, and wearable fitness monitors suggests that wearable computers may become as ubiquitous as cellphones.

Internet-Wide Vulnerability Measurement, Assessment, and Notification

Vulnerable software costs the U.S. economy more than $180 billion a year, and large-scale, remotely exploitable vulnerabilities affecting millions of Internet hosts have become a regular occurrence. This project seeks to reduce the impact of software vulnerabilities in Internet-connected systems by developing measurement-driven techniques for global vulnerability detection, assessment, and mitigation.

Science of Security

In this collaborative project, researchers at ICSI are utilizing Carnegie Mellon University's Security Behavior Observatory (SBO) infrastructure to conduct quantitative experiments about how end-users make security decisions. The results of these experiments are used to design new security mitigations and interventions, which are then iteratively evaluated in the laboratory and the field. This collaboration is designed to provide keen insights into how users make security decisions in situ.

A Software-Defined Internet Exchange

In this collaborative project with researchers from Georgia Tech and Princeton, ICSI researchers are finding incrementally deployable ways to leverage the power of Software-Defined Networking (SDN) to improve interdomain routing. SDN has had a profound influence on how people think about managing networks. To date, however, it has had little impact on how separately administered networks are interconnected through BGP. Since many of the current failings of the Internet are due to BGP's poor performance and limited functionality, it is imperative that these methods are developted.

Teaching Resources for Online Privacy Education (TROPE)

Researchers are developing classroom-ready teaching modules to educate young people about why and how to protect their privacy online, as well as a Teachers' Guide with background information, suggested lesson plans, and guidance on how to employ the modules in the classroom.

Developing Security Science from Measurement

This project aims to define foundational data-driven methodologies and the related science to create a basis for continuous and dynamic monitoring that enables adaptive approaches to mitigate and contain the spread of attacks. The basis of the approach is data on security incidents from a real large-scale production environment at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign (UIUC).

Bro Center of Expertise for the NSF Community

Researchers at ICSI and NCSA are operating a center to provide support and guideance to the NSF community on customized Bro installations that meet the specific needs of research environments. They are simultaneously making imrpovements to Bro that benefit the community, and leveraging Bro as a deployment platform for networking research results.

CESR: The Center for Evidence-based Security Research

The Center for Evidenced-based Security Research (CESR) is a joint project among researchers at UC San Diego, the International Computer Science Institute, and George Mason University. This interdisciplinary effort takes the view that, while security is a phenomenon mediated by the technical workings of computers and networks, it is ultimately a conflict driven by economic and social issues that merit a commensurate level of scrutiny.

Network Virtualization for OpenCloud

Researchers are working to implement a network virtualization infrastructure to allow the academic community to explore the fundamental technical challenges that underlie the cloud.

Semantic Security Monitoring for Industrial Control Systems

Industrial control systems differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without exhibiting any obvious protocol-level red flags.

Censorship Counterstrike via Measurement, Filtering, Evasion, and Protocol Enhancement

This project studies Internet censorship as practiced by some of today's nation-states. The effort emphasizes analyzing the technical measures used by censors and the extent to which their operations inflict collateral damage (unintended blocking or blocking of activity wholly outside the censoring nation). Researchers also study the vulnerabilities that arise because of how censorship operates by analyzing flaws in either how the censorship monitoring detects particular network traffic to suppress, or in how the monitor then attempts to block or disrupt the target traffic.

Understanding and Exploiting Parallelism in Deep Packet Inspection on Concurrent Architectures

Researchers are developing a comprehensive approach to introducing parallelism across all stages of the complex deep packet inspection (DPI) pipeline. DPI is a crucial tool for protecting networks from emerging and sophisticated attacks. However, it is becoming increasingly difficult to implement DPI effectively due to the rising need for more complex analysis, combined with the relentless growth in the volume of network traffic that these systems must inspect.