Networking and Security Projects

Co-Design of Network, Storage and Computation Fabrics for Disaggregated Datacenters

Traditional datacenters are built using servers, each of which tightly integrates a small amount of CPU, memory and storage onto a single motherboard. The slowdown of Moore's Law has brought to the surface several fundamental limitations of such server-centric architectures (e.g., the memory-capacity wall making CPU-memory co-location unsustainable). As a result, a new computing paradigm is emerging --- a disaggregated datacenter architecture, where each resource type is built as a standalone "blade" and a network fabric interconnects the resource blades within and across datacenter racks.

Universal Packet Scheduling

This project addresses a seemingly simple question: Is there a universal packet scheduling algorithm? More precisely, researchers are analyzing whether there is a single packet scheduling algorithm that, at a network-wide level, can perfectly match the results of any given scheduling algorithm. The question of universal packet scheduling is being investigated from both a theoretical and empirical perspective.

Bro Intrusion Detection System Refinements

ICSI is working with LBNL on refinements to Zeek (formerly known as Bro). The work includes troubleshooting and resolving the most complex problems with the Zeek network monitor, development/integration of the communication framework, development and implementation of new features for the Input framework, and development of a persistence solution for the NetControl and Catch-and-Release frameworks of Zeek/Bro. Zeek/Bro is an open-source network intrusion detection system developed at ICSI and LBNL which is currently in use at Fortune 500 companies, universities, and governments.

When do Computers Discriminate? Toward Informing Users About Algorithmic Discrimination

In this collaborative project with University of Maryland, ICSI researchers are tackling the challenge of explaining what constitutes unacceptable algorithmic discrimination. Getting the answer to this question right is key to unlocking the potential of automated decision systems without eroding the ability of people to get a fair deal and advance in society.

Creating an Evolvable, Diverse, and Dynamic Internet

The Internet has ushered in a new era of communication, and has supported an ever-growing set of applications that have transformed our lives. It is remarkable that all this has taken place with an Internet architecture that has remained unchanged for over forty years. While unfortunate, some view this architectural stagnation as inevitable. After all, it has long been a central tenet that the Internet needs a "narrow waist" at the internetworking layer (L3), a single uniform protocol adopted by everyone; given this assumption, changing this layer is inevitably hard.

Towards Programming Datacenters

Datacenters have redefined the nature of high-end computing, but harnessing their computing power remains a challenging task. Initially, programming frameworks such as MapReduce, Hadoop, Spark, TensorFlow, and Flink provided a way to run large-scale computations. These frameworks took care of the difficult issues of scaling, fault-tolerance, and consistency, freeing the developer to focus on the logic of their particular application. However, each of these frameworks was aimed at a specific computational task (e.g., machine learning, data analytics, etc.), and is not fully general.

De-Mystifying and Hardening the Domain Name System

When the DNS fails, nothing works. One does not need to look beyond many real-world advertising campaigns to appreciate that naming is one of the foundational elements upon which most higher layer Internet services are built. We use names as rendezvous points between users and services (e.g., www.twitter.com). Yet, we do not use names directly in traffic routing. Rather, we turn names into IP addresses via the Domain Name System (DNS). A DNS lookup is therefore a prerequisite for most Internet transactions.

Accountable Information Use: Privacy and Fairness in Decision-Making Systems

Increasingly, decisions and actions affecting people's lives are determined by automated systems processing personal data. Excitement over the positive contributions of these systems has been accompanied by serious concerns about their opacity and the threats that they pose to privacy, fairness, and other values. Recognizing these concerns, this project seeks to enable real-world automated decision-making systems to be accountable for privacy and fairness.

Counter Power Lab

In this collaborative project with UC Berkeley, ICSI PIs are working with the lead developer of the "Snowflake" censorship circumvention system to refine the code for production deployment in both the Tor Browser Bundle and as a stand-alone application. The work includes developing instrumentation to measure the usage of Snowflake as its deployment rolls out and analyzing the results to assess Snowflake's impact on enabling circumvention.

Exploring Internet Balkanization through the Lens of Regional Discrimination

One of the Internet’s greatest strengths is the degree to which it facilitates access to any of its resources from users anywhere in the world. Various forces, however, have arisen that restrict particular users from accessing particular destinations, resulting in a "balkanization" of the network. This project explores apt methodologies for understanding such balkanization, an effort we will undertake in the context of examining "regional discrimination," i.e., the degree to which certain web services deny or degrade access to users from particular geographic regions.

Effective and Economical Protection for High-Performance Research and Education Networks

As scientific research requires free exchange of information and ideas among collaborators world-wide, scientists depend critically on full and open access to the Internet. Yet in today’s world, such open access also exposes sites to incessant network attacks. Some of the most powerful networks today remain particularly hard to defend: for the 100G environments and backbones that facilitate modern data-intensive sciences, classic inline firewalls remain infeasible options.

Lumen Privacy Monitor

Your mobile phone hosts a rich array of information about you and your behavior. This includes a wide range of unique identifiers and sensitive personal information that enables online tracking, oftentimes for delivering targeted advertising. It is, however, striking how little insight and control we, as mobile users, have into the operation and performance of our devices, into how (or whether) they protect information we entrust to them, and who they share it with.

Shining Light on Non-Public Data Flows

This project looks into the usage and collection of data by programs that operate behind the scenes. The collected data and its use by a network of sellers, brokers, and marketers represents a direct privacy threat as it can be used for marketing, profiling, crime, or government surveillance, and yet consumers have little knowledge about it and no legal means to access the data. ICSI researchers are conducting surveys and experiments to determine the current status of this data and observe its effects.

Understanding the State of TLS Using Large-scale Passive Measurements

This project leverages and extends the data collection of the ICSI SSL Notary for an extensive study of the real-world TLS/X.509 ecosystem through measurement-centric research. The SSL/TLS protocol suite constitutes the key building block of today’s Internet security, providing encryption and authentication for end-to-end communication with the help of an associated global X.509 public key infrastructure. However, from its first version in 1994 until today, researchers and practitioners have kept discovering TLS deficiencies undermining the protocol’s security on a regular basis.

Towards a Science of Censorship Resistance

This project focuses on establishing a science of censorship resistance. Recent years have seen significant efforts on the part of both practitioners and researchers in countering large-scale Internet censorship imposed by nation-states. Driven by an active arms race, much of the research work in the field has been reactive in nature, lacking solid and methodical foundations.

Security and Privacy for Wearable and Continuous Sensing Platforms

In this collaborative project, researchers at ICSI, UC Berkeley, and University of Washington are systematically exploring the security and privacy issues brought up by the increasing popularity of wearable computers. The recent demand for devices like Google Glass, smart watches, and wearable fitness monitors suggests that wearable computers may become as ubiquitous as cellphones.

Internet-Wide Vulnerability Measurement, Assessment, and Notification

Vulnerable software costs the U.S. economy more than $180 billion a year, and large-scale, remotely exploitable vulnerabilities affecting millions of Internet hosts have become a regular occurrence. This project seeks to reduce the impact of software vulnerabilities in Internet-connected systems by developing measurement-driven techniques for global vulnerability detection, assessment, and mitigation.

Science of Security

In this collaborative project, researchers at ICSI are utilizing Carnegie Mellon University's Security Behavior Observatory (SBO) infrastructure to conduct quantitative experiments about how end-users make security decisions. The results of these experiments are used to design new security mitigations and interventions, which are then iteratively evaluated in the laboratory and the field. This collaboration is designed to provide keen insights into how users make security decisions in situ.

A Software-Defined Internet Exchange

In this collaborative project with researchers from Georgia Tech and Princeton, ICSI researchers are finding incrementally deployable ways to leverage the power of Software-Defined Networking (SDN) to improve interdomain routing. SDN has had a profound influence on how people think about managing networks. To date, however, it has had little impact on how separately administered networks are interconnected through BGP. Since many of the current failings of the Internet are due to BGP's poor performance and limited functionality, it is imperative that these methods are developed.

Teaching Resources for Online Privacy Education (TROPE)

Researchers are developing classroom-ready teaching modules to educate young people about why and how to protect their privacy online, as well as a Teachers' Guide with background information, suggested lesson plans, and guidance on how to employ the modules in the classroom.
