University campus infrastructures count among the most complex and sophisticated information technology (IT) deployments, often combining a mix of enterprise, academic, research, and healthcare environments, each with its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus IT infrastructures are increasingly under attack both from external Internet sources and, often unknowingly, from internal campus devices. Different segments of the campus have very different policies and regulations governing their treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions, etc.). Further, the unique requirements of data-intensive scientific research traffic often require exceptions to conventional IT policies, which typically result in ad hoc solutions that bypass standard operational methods and procedures, leaving both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still rely heavily on human domain experts to interpret high-level policy documents, attempt to implement those policies through low-level mechanisms, manually implement exceptions to these policies to accommodate scientific workflow requirements, interpret reports and alerts from a variety of security point solutions, and react to security events in near real time on a 24-by-7 basis.
In this project we address these challenges through a collaborative research effort called NetSecOps (Network Security Operations), which attempts to assist IT security teams by automating many of the operational steps that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the proposed framework encodes high-level, human-readable policies into systematic policy specifications that drive the actual configuration and operation of the IT infrastructure. NetSecOps is knowledge-centric in that the proposed framework will capture data, information, and knowledge about the infrastructure and maintain it in a central knowledge store, allowing the framework to realize IT operational tasks and the knowledge store to inform and guide those tasks.
This is a joint project with the University of Utah.
- Pinyi Shi, Yongwook Song, Zongming Fei, and James Griffioen, Checking Network Security Policy Violations via Natural Language Questions. 2021 International Conference on Computer Communications and Networks (ICCCN), 2021
- Huffman Hayes, Jane. Towards Improved Network Security Requirements and Policy: Domain-Specific Completeness Analysis via Topic Modeling. 2020 IEEE 28th International Requirements Engineering Conference Workshops (REW), 2020
- Sergio Rivera, Zongming Fei, and James Griffioen, POLANCO: Enforcing Natural Language Network Policies, 2020 29th International Conference on Computer Communications and Networks (ICCCN), August 2020.
- Hayes, Jane Huffman and Payne, Jared and Leppelmeier, Mallory. Toward Improved Artificial Intelligence in Requirements Engineering: Metadata for Tracing Datasets. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019, doi:10.1109/REW.2019.00052
- Pinyi Shi, Sergio Rivera, Lowell Pike, Zongming Fei, James Griffioen, and Kenneth Calvert, "Enabling Shared Control and Trust in Hybrid SDN/Legacy Networks", The 28th International Conference on Computer Communications and Networks (ICCCN 2019), July 2019.
- Sergio Rivera, James Griffioen, Zongming Fei, and Jane Huffman Hayes, "Expressing and Managing Network Policies for Emerging HPC Systems", Practice and Experience in Advanced Research Computing Conference 2019 (PEARC'19), July 2019.
- Griffioen, James and Fei, Zongming and Rivera, Sergio and Chappell, Jacob and Hayashida, Mami and Shi, Pinyi and Carpenter, Charles and Song, Yongwook and Chitre, Bhushan and Nasir, Hussamuddin and Calvert, Kenneth L. Leveraging SDN to Enable Short-Term On-Demand Security Exceptions. 5th IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT 2019), 2019
- Payne, Jared and Huffman Hayes, Jane. University of Kentucky TraceLab Component Similarity Matrix Voting Merge. Proceedings of the 10th International Workshop on Software and System Traceability (SST'19) at the International Conference on Software Engineering, 2019
- Farrar, David and Huffman Hayes, Jane. A Comparison of Stemming Techniques in Tracing. Proceedings of the 10th International Workshop on Software and System Traceability (SST'19) at the International Conference on Software Engineering, 2019
- Rivera, Sergio and Griffioen, James and Fei, Zongming and Hayashida, Mami and Shi, Pinyi and Chitre, Bhushan and Chappell, Jacob and Song, Yongwook and Pike, Lowell and Carpenter, Charles and Nasir, Hussamuddin. Navigating the Unexpected Realities of Big Data Transfers in a Cloud-based World. PEARC '18 Proceedings of the Practice and Experience on Advanced Research Computing, 2018, doi:10.1145/3219104.3229276
- Hayashida, Mami and Rivera, Sergio and Griffioen, James and Fei, Zongming and Song, Yongwook. Debugging SDN in HPC Environments. PEARC '18 Proceedings of the Practice and Experience on Advanced Research Computing, 2018, doi:10.1145/3219104.3229277
- Dekhtyar, Alex. Automating Requirements Traceability: Two Decades of Learning from KDD. IEEE International Conference on Requirements Engineering. 2018
- Huffman Hayes, Jane. The REquirements TRacing On target (RETRO).NET Dataset. IEEE International Conference on Requirements Engineering (RE) 2018.
- Chitre, Bhushan and Huffman Hayes, Jane and Dekhtyar, Alexander. Second-Guessing in Tracing Tasks Considered Harmful? International Working Conference on Requirements Engineering: Foundation for Software Quality REFSQ 2018: Requirements Engineering: Foundation for Software Quality. 2018 doi:10.1007/978-3-319-77243-1_6
- Rivera, Sergio and Hayashida, Mami and Griffioen, James and Fei, Zongming. Dynamically Creating Custom SDN High-Speed Network Paths for Big Data Science Flows. Practice & Experience in Advanced Research Computing Conference (PEARC 2017), 2017, doi:10.1145/3093338.3104155