Networking and Security Projects

The Design and Implementation of a Consolidated MiddleBox Architecture

Researchers are designing infrastructures for specialized network appliances, called middleboxes, that consolidate their management, reducing the cost of deploying new middleboxes and simplifying network management. Middleboxes fill a number of needs and include network intrusion detection systems and WAN optimizers. They are typically added to a network as a need arises, and each has its own management interface. In this project, researchers will explore architectures that provide centralized control.

Enhancing Bro for Operational Network Security Monitoring in Scientific Environments

In collaboration with the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, researchers are improving the Bro Intrusion Detection System, an open-source network monitoring framework that helps defend networks against attacks. The system monitors networks at major universities, large research labs, supercomputing centers, and open-science communities around the country. Many of these networks have tens of thousands of systems each, and some have as many as 100,000. In this project, researchers are working to unify and modernize the Bro code base, to improve its performance capabilities to deal with large-scale networks, and to improve its integration into operational deployments.

Characterizing Enterprise Networks

While the global Internet has been extensively studied, the behavior of enterprise networks at the Internet's edge remains under-studied. One of the crucial reasons for this is a lack of apt tools that focus on protocols and technologies used within an enterprise, but not used across the global Internet (e.g., protocols that drive distributed file systems). As part of this project, researchers are developing tools to better analyze the traffic specific to these enterprise networks.

Evaluating Price Mechanisms for Clouds

Researchers are studying the problems that arise in cloud computing centers that use economic models to allocate resources. In these clouds, resources, such as storage, processing, and data transfer, must be allocated to different users. In economics-based clouds, artificial economies are set up; each resource is assigned a "price" and each user is given a "budget," which they spend on the resources they need.


Researchers are exposing the ways in which it is possible to aggregate public and seemingly innocuous information from different media and Web sites to attack the privacy of users. The project seeks to help users, particularly younger ones, understand the privacy implications of the information they share publicly on the Internet and to help them understand what control they can exercise over it.

User-Centric Networking

In collaboration with Case Western Reserve University, we are investigating foundational architectural constructs that bring users into networked systems in a way that has to this point not been possible. Rather than relegating users to an artifact of the application layer, we seek to accommodate users and their relationships at all layers of the system and to give users new controls over how their traffic is handled by the system.

Funding provided by NSF grant 1213157, NeTS: Large: Collaborative Research: User-Centric Network Measurement.

Open Software-Defined Networks

Today's routers and switches are both complicated and closed. The forwarding path on these boxes involves sophisticated ASICs, and the large base of installed software is typically closed and proprietary. Thus, functionality can only evolve on hardware design timescales, and only through the actions of the vendors. At ICSI, in collaboration with our colleagues at Stanford University, we are pursuing a radically different approach which we call Open Software-Defined Networks.

Future Internet Architecture

Along with research groups around the world, we are exploring fundamental questions about Internet architecture. In particular, we are asking, "If we were to redesign the Internet, what would it look like?" This effort involves looking at all aspects of the Internet architecture, including addressing, intradomain routing, interdomain routing, naming, name resolution, network API, monitoring, and troubleshooting. Moreover, the effort involves both in-depth investigations of these isolated topics, and a synthesis of these aspects into a coherent and comprehensive future Internet architecture.

Detecting and Preventing Network Attacks

We conduct extensive research on technology for analyzing network traffic streams to detect attacks, either in "real time" as they occur, or in support of post facto forensic exploration. The particular context for much of this research is the open-source "Bro" network intrusion detection system authored by ICSI staff. Bro runs 24x7 operationally at a number of institutes, and we have particularly close ties with the Lawrence Berkeley National Laboratory, where Bro deployments have formed an integral part of the Institute's cybersecurity operations for more than a decade.

Investigating the Underground Economy

One of the most disturbing recent shifts in Internet attacks has been the change from attackers motivated by glory or vanity to attackers motivated by commercial (criminal) gain. This shift threatens to greatly accelerate the "arms race" between defenders developing effective counters to attacks and highly motivated, well-funded attackers finding new ways to circumvent these innovations.

Understanding and Taming the Privacy Footprint

Typical Web pages may contain numerous third-party components, ranging from advertisement networks to analytics tools to third-party APIs necessary for page function. All of these components may leak information to third parties about the users' current activity. We are attempting to quantify this information leakage through a policy written in the Bro IDS. Preliminary analysis paints a bleak picture, as more than 1 percent of all HTTP requests observed by ICSI users are deliberately leaking information through Google Analytics alone.