Statistics are troublesome for securing digital systems. Every day, 560,000 new pieces of malware, which are malicious programs or codes, are detected. Meanwhile, over the past decade, there has been an 87% increase in malware infections. Many digital systems are vulnerable to cyberattacks, but Integrated Information Technology (IIT) Professor Jorge Crichigno will begin a research project next month that aims to enhance network security by utilizing new technologies and machine learning to detect and classify malware.
Crichigno, along with IIT Assistant Professor Elie Kfoury, will lead the $600,000 National Science Foundation-funded research. The primary goal is to detect and block attackers who conduct malicious activities.
“The system we’re developing can already detect cyberattacks, but we want to be able to classify the type of malware in real time or worst case, near real time,” Crichigno says.
Cyberinfrastructures use a variety of approaches to protect against malware but there are limitations. For example, while security operation centers have intrusion detection systems, they operate offline and cannot prevent real-time attacks. And a central processing unit, the functional component of a computer, can only inspect a small fraction of digital traffic.
Crichigno plans to develop a malware detection and classification that will run on P4 programmable switches. These switches can be configured in different ways, such as forwarding packets of information based on specific criteria. They also enhance network reliability and provide visibility. The switches will run online at line rate, which refers to information processed quickly at maximum speed to prevent malware from communicating with servers.
“A switch is an essential component and basically a gateway to the Internet for users. These switches have a chip at the core which moves packets back and forth. We have been using P4 switch technology for about five years and have a lot of expertise,” Crichigno says.
According to Crichigno, the switch will be programmed at the point of entry, where data ingresses into the network.
“Switches are not typically programmed. We’re programming the chip inside the switch to develop a program that will detect and classify the malware, which will be a unique application,” Crichigno says.
In addition to using programmable switches, the project will use a technology known as Smart network interface card (SmartNIC). An application will be developed to run on SmartNICs, with the purpose of analyzing encrypted traffic only. SmartNICs are embedded into a computer and allow the sending and receiving of data. A machine-learning algorithm will be incorporated so the switches can learn to detect and classify malware with precision. This can be applied to traditional networks, with minimal upgrades.
“The P4 switch must process packets in a few hundred nanoseconds. Encrypted traffic data cannot be quickly analyzed with traditional methods, so we need a more powerful device for computation,” Crichigno says. “The P4 switch will send encrypted packets to a SmartNIC, which has powerful processors that can operate at higher speed compared to a regular server.”
According to Kfoury, traditional network interface cards have existed for a long time but have limited capabilities. They have recently become smarter and more capable of learning and being programmed. This includes how a user can augment the available features of traditional cards. SmartNICs also provide faster detection before the data reaches the server.
“One thing appealing to network operators is that SmartNICs are programmable. This means having specific processors within the card to implement an algorithm or system,” Kfoury says. “The advantage is that you are basically isolating the traffic from the server, which may be malicious.”
The project is primarily based on the work of Ph.D. candidate Ali AlSabeh, who is graduating this August. While he says that balancing network performance and security has always been a challenge, P4 switch technology offers a groundbreaking solution.
“These devices not only handle high-speed network traffic but also possess the flexibility and precision to detect and mitigate cyberattacks in real-time, providing a powerful tool for eliminating cyberattacks before they can cause damage,” AlSabeh says. “Embracing these programmable switches marks a significant step forward in creating more resilient and responsive network defense systems."
The work will be performed at the University of South Carolina Molinaroli College of Engineering and Computing’s Cyberinfrastructure Lab, which investigates issues in high-speed networks and Internet of Things.
“Our lab has unique capabilities and technology that can be applied to cybersecurity. This will allow us to address the problem of detecting and classifying malware at high speeds, much higher than typical computers,” Crichigno says.
Also, since the Cyberinfrastructure Lab is a leader in training and developing teaching materials, another objective will be to disseminate the work and organize workshops and tutorials for communities of practice. These are the individuals and groups who run the networks.
“We have been doing this around the country for the last five years. The goal is to apply these to real networks, but to do that, the communities of practice need to learn this technology,” Crichigno says. “We want to try to do it all: develop the technology and then train the community on how to use it.”
During the project’s three years, Crichigno is excited to combine two state-of-art technologies: programmable switches and smart needs.
“Combining P4 switches and SmartNICs has not been done in the research community. We want to combine the two, so switches and SmartNICs cooperate without human intervention, which is something new,” Crichigno says. “I'm enthusiastic about how this will be implemented and looking forward to seeing the results.”