Networking and Security Projects

Science of Security

In this collaborative project, researchers at ICSI are utilizing Carnegie Mellon University's Security Behavior Observatory (SBO) infrastructure to conduct quantitative experiments about how end-users make security decisions. The results of these experiments are used to design new security mitigations and interventions, which are then iteratively evaluated in the laboratory and the field. This collaboration is designed to provide keen insights into how users make security decisions in situ.

A Software-Defined Internet Exchange

In this collaborative project with researchers from Georgia Tech and Princeton, ICSI researchers are finding incrementally deployable ways to leverage the power of Software-Defined Networking (SDN) to improve interdomain routing. SDN has had a profound influence on how people think about managing networks. To date, however, it has had little impact on how separately administered networks are interconnected through BGP. Since many of the current failings of the Internet are due to BGP's poor performance and limited functionality, it is imperative that these methods are developed.

Previous Work: Teaching Resources for Online Privacy Education (TROPE)

Researchers are developing classroom-ready teaching modules to educate young people about why and how to protect their privacy online, as well as a Teachers' Guide with background information, suggested lesson plans, and guidance on how to employ the modules in the classroom.

Developing Security Science from Measurement

This project aims to define foundational data-driven methodologies and the related science to create a basis for continuous and dynamic monitoring that enables adaptive approaches to mitigate and contain the spread of attacks. The basis of the approach is data on security incidents from a real large-scale production environment at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign (UIUC).

Bro Center of Expertise for the NSF Community

Researchers at ICSI and NCSA are operating a center to provide support and guidance to the NSF community on customized Bro installations that meet the specific needs of research environments. They are simultaneously making improvements to Bro that benefit the community, and leveraging Bro as a deployment platform for networking research results.

CESR: The Center for Evidence-based Security Research

The Center for Evidence-based Security Research (CESR) is a joint project among researchers at UC San Diego, the International Computer Science Institute, and George Mason University. This interdisciplinary effort takes the view that, while security is a phenomenon mediated by the technical workings of computers and networks, it is ultimately a conflict driven by economic and social issues that merit a commensurate level of scrutiny.

Network Virtualization for OpenCloud

Researchers are working to implement a network virtualization infrastructure to allow the academic community to explore the fundamental technical challenges that underlie the cloud.

Semantic Security Monitoring for Industrial Control Systems

Industrial control systems differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without exhibiting any obvious protocol-level red flags.
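The distinction between a protocol-level check and a semantic check is easiest to see on a concrete sequence of control writes. The following is an added illustration, not code from the project or from Bro: it assumes a hypothetical register map (pump, outlet valve, level setpoint) and a hypothetical safety envelope for a single tank, and replays a constructed sequence of well-formed "write single register" requests against a small process model. Every request would pass a protocol parser; the monitor alerts only on the writes that leave the modelled process in an unsafe state.

```python
"""Semantic monitoring of control writes (added illustration, not project code).

Each record is a syntactically valid register write of the kind a network
monitor would extract from a Modbus/TCP request.  A protocol-level check accepts
all of them; the semantic check tracks the process state they produce and flags
writes that drive it outside a safe envelope.
"""
from dataclasses import dataclass

# Hypothetical register map for a single tank with a pump and an outlet valve.
REG_PUMP_ON = 1          # 1 = pump running
REG_VALVE_OPEN = 2       # 1 = outlet valve open
REG_LEVEL_SETPOINT = 3   # target level, percent

# Hypothetical safety envelope, assumed from a plant's process description.
LEVEL_MIN, LEVEL_MAX = 10, 90


@dataclass
class ProcessState:
    pump_on: bool = False
    valve_open: bool = True
    level_setpoint: int = 50


def violations(state: ProcessState) -> list[str]:
    """Process-level invariants; any write that leaves one false is an alert."""
    reasons = []
    if state.pump_on and not state.valve_open:
        reasons.append("pump running against a closed outlet valve")
    if not LEVEL_MIN <= state.level_setpoint <= LEVEL_MAX:
        reasons.append(
            f"level setpoint {state.level_setpoint}% outside safe band "
            f"{LEVEL_MIN}-{LEVEL_MAX}%"
        )
    return reasons


def apply_write(state: ProcessState, register: int, value: int) -> ProcessState:
    """Update the tracked process state from one well-formed register write."""
    if register == REG_PUMP_ON:
        state.pump_on = value != 0
    elif register == REG_VALVE_OPEN:
        state.valve_open = value != 0
    elif register == REG_LEVEL_SETPOINT:
        state.level_setpoint = value
    # Writes to registers outside the model are protocol-valid but unmodelled;
    # they pass through without changing the tracked state.
    return state


def semantic_monitor(writes):
    """Replay observed writes, in arrival order, against the process model.

    writes: iterable of (source, register, value) tuples.
    Returns a list of (index, source, reasons) for every write that leaves the
    process in a state violating at least one invariant.
    """
    state = ProcessState()
    alerts = []
    for idx, (source, register, value) in enumerate(writes):
        apply_write(state, register, value)
        reasons = violations(state)
        if reasons:
            alerts.append((idx, source, reasons))
    return alerts


# Constructed sample: five syntactically valid "write single register" requests.
SAMPLE_WRITES = [
    ("10.0.5.20", REG_VALVE_OPEN, 1),       # operator opens outlet valve
    ("10.0.5.20", REG_PUMP_ON, 1),          # operator starts pump
    ("10.0.5.77", REG_VALVE_OPEN, 0),       # closes valve with pump still running
    ("10.0.5.77", REG_LEVEL_SETPOINT, 95),  # pushes setpoint above safe band
    ("10.0.5.20", REG_PUMP_ON, 0),          # pump stopped; setpoint still unsafe
]

if __name__ == "__main__":
    for idx, source, reasons in semantic_monitor(SAMPLE_WRITES):
        print(f"write #{idx} from {source}: " + "; ".join(reasons))
```

The first two writes are accepted, the third raises the dead-heading alert, the fourth adds the setpoint violation, and the fifth still alerts because stopping the pump clears only one of the two invariants. A real deployment would derive the register map and invariants from the plant's engineering documentation and would usually track state per device rather than in a single global model.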

Censorship Counterstrike via Measurement, Filtering, Evasion, and Protocol Enhancement

This project studies Internet censorship as practiced by some of today's nation-states. The effort emphasizes analyzing the technical measures used by censors and the extent to which their operations inflict collateral damage (unintended blocking or blocking of activity wholly outside the censoring nation). Researchers also study the vulnerabilities that arise because of how censorship operates by analyzing flaws in either how the censorship monitoring detects particular network traffic to suppress, or in how the monitor then attempts to block or disrupt the target traffic.

Understanding and Exploiting Parallelism in Deep Packet Inspection on Concurrent Architectures

Researchers are developing a comprehensive approach to introducing parallelism across all stages of the complex deep packet inspection (DPI) pipeline. DPI is a crucial tool for protecting networks from emerging and sophisticated attacks. However, it is becoming increasingly difficult to implement DPI effectively due to the rising need for more complex analysis, combined with the relentless growth in the volume of network traffic that these systems must inspect.

The Design and Implementation of a Consolidated MiddleBox Architecture

Researchers are designing infrastructures for specialized network appliances, called middleboxes, that consolidate their management, reducing the cost of deploying new middleboxes and simplifying network management. Middleboxes fill a number of needs and include network intrusion detection systems and WAN optimizers. They are typically added to a network as a need arises, and each has its own management interface. In this project, researchers will explore architectures that provide centralized control.

Enhancing Bro for Operational Network Security Monitoring in Scientific Environments

In collaboration with the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, researchers are improving the Bro Intrusion Detection System, an open-source network monitoring framework that helps defend networks against attacks. The system monitors networks at major universities, large research labs, supercomputing centers, and open-science communities around the country. Many of these networks have tens of thousands of systems each, and some have as many as 100,000. In this project, researchers are working to unify and modernize the Bro code base, to improve its performance capabilities to deal with large-scale networks, and to improve its integration into operational deployments.

Characterizing Enterprise Networks

While the global Internet has been extensively studied, the behavior of enterprise networks at the Internet's edge remains under-studied. One of the crucial reasons for this is a lack of apt tools that focus on protocols and technologies used within an enterprise but not across the global Internet (e.g., the protocols that drive distributed file systems). As part of this project, researchers are developing tools to better analyze the traffic specific to these enterprise networks.

Previous Work: Evaluating Price Mechanisms for Clouds

Researchers are studying the problems that arise in cloud computing centers that use economic models to allocate resources. In these clouds, resources, such as storage, processing, and data transfer, must be allocated to different users. In economics-based clouds, artificial economies are set up; each resource is assigned a "price" and each user is given a "budget," which they spend on the resources they need.


Researchers are exposing the ways in which it is possible to aggregate public and seemingly innocuous information from different media and Web sites to attack the privacy of users. The project seeks to help users, particularly younger ones, understand the privacy implications of the information they share publicly on the Internet and to help them understand what control they can exercise over it.

User-Centric Networking

In collaboration with Case Western Reserve University, we are investigating foundational architectural constructs that bring users into networked systems in a way that has not been possible to this point. Rather than relegating users to an artifact of the application layer, we seek to accommodate users and their relationships at all layers of the system and to give users new controls over how their traffic is handled by the system.

Funding provided by NSF grant 1213157, NeTS: Large: Collaborative Research: User-Centric Network Measurement.

Open Software-Defined Networks

Today's routers and switches are both complicated and closed. The forwarding path on these boxes involves sophisticated ASICs, and the large base of installed software is typically closed and proprietary. Thus, functionality can only evolve on hardware design timescales, and only through the actions of the vendors. At ICSI, in collaboration with our colleagues at Stanford University, we are pursuing a radically different approach which we call Open Software-Defined Networks.

Future Internet Architecture

Along with research groups around the world, we are exploring fundamental questions about Internet architecture. In particular, we are asking, "If we were to redesign the Internet, what would it look like?" This effort involves looking at all aspects of the Internet architecture, including addressing, intradomain routing, interdomain routing, naming, name resolution, network API, monitoring, and troubleshooting. Moreover, the effort involves both in-depth investigations of these isolated topics and a synthesis of these aspects into a coherent and comprehensive future Internet architecture.

Detecting and Preventing Network Attacks

We conduct extensive research on technology for analyzing network traffic streams to detect attacks, either in "real time" as they occur, or in support of post facto forensic exploration. The particular context for much of this research is the open-source "Bro" network intrusion detection system authored by ICSI staff. Bro runs 24x7 operationally at a number of institutions, and we have particularly close ties with the Lawrence Berkeley National Laboratory, where Bro deployments have formed an integral part of the Laboratory's cybersecurity operations for more than a decade.

Investigating the Underground Economy

One of the most disturbing recent shifts in Internet attacks has been the change from attackers motivated by glory or vanity to attackers motivated by commercial (criminal) gain. This shift threatens to greatly accelerate the "arms race" between defenders developing effective counters to attacks and highly motivated, well funded attackers finding new ways to circumvent these innovations.