Scope and Objectives of the Project


Scope

The Internet is a network of autonomous networks / systems that are interconnected in order to provide communication services to end users (individuals, businesses, public organizations), communicating with each other to route information packets. This communication is implemented at the control plane level with the BGP protocol, based on which the policies of incoming and outgoing packet flows are applied to each network through the announcement and selection of paths to Internet address areas (IP prefixes).

BGP was designed without inherent security mechanisms (e.g. authentication) of the exchanged data routing information. Such a serious shortcoming often leads (for decades now) to attacks known as "BGP prefix hijacking", where one or more networks, either due to human error or (malicious) intent, report false routing information. This information is disseminated throughout the Internet via the BGP and leads to the redirection of data to invalid destinations, where they may be subject to destruction (and interruption of relevant services), interception and/or alteration.

The available defence mechanisms against such attacks either act in advance, based on the authentication of routing information (RPKI, BGPsec, etc.), or take place after the event (detection and non-automated response). Ex-ante defense mechanisms are usually limited and ineffective. In particular, they require implementation by most networks, compliance with central certification authorities, as well as changes to the BGP, requirements that have historically been extremely difficult to achieve. Ex-post detection and response systems are delayed and/or require third parties to operate and maintain them properly. It often takes hours or even days to recover the full functionality of a network after such attacks, resulting in immeasurable financial losses. For example, in 2018, for hours, half the population of Japan was left without Internet access due to a misconfiguration of the Google network.

The scope of the “MIRAGE” project (Mitigation of Internet Routing Attacks Globally and Efficiently) is to develop an advanced system based on new features and services around the ARTEMIS open-source tool, developed by FORTH's INSPIRE research team. ARTEMIS aims to monitor the level of control of the Internet and the accurate and complete detection of BGP prefix hijacking attacks. A key advantage of ARTEMIS is that it significantly reduces detection-response time from hours or days to seconds, as confirmed by real-world experiments, making it state-of-the-art internationally among the respective protection services available. The results of the implementation of the basic version of ARTEMIS have been published in leading scientific journals (IEEE / ACM Transactions on Networking) and have attracted the interest of international media and blogs from reputable bodies (APNIC, IBM). It has also been adopted by network interconnectors with hundreds of client networks to protect their network resources.


Objectives

  • Research and development of additional innovative technical features of the ARTEMIS system with commercial interest, namely:
    1. The automation of system configuration pipelines
    2. The automation of attack mechanism and
    3. Detection of advanced forms of attacks (route leaks)
  • Development of mobile user interface for easy monitoring of the system by mobile devices, and use of mobile technologies for instant notifications when attacks take place.
  • Development of a new commercial service "ARTEMIS-as-a-service", where the system can be run in the facilities of hosting service providers (cloud services) and run for each customer a separate snapshot of the application, thus providing (automatic) escalation of the load-based system, isolation of virtual customer access areas for greater security, and support for multiple operating points to provide high availability.
  • Development of educational material (presentations, technical reports, user manuals) required to educate users of the new system regarding its installation and use as well as dissemination of results (e.g. through research publications) to both the research community and industry.
  • Implementation of the project as a complete system (current implementation of ARTEMIS, additional functions, mobile user interface, ARTEMIS-as-a-service) in real networks for the evaluation of the system under realistic operating conditions and collection of data and information by the engineers of the network administration center; for the ease of use of the system and its efficiency.
  • Investigation of commercial utilization mechanisms of the project services by the involved partners.

Mobile ARTEMIS

Cytech will design and implement "Mobile ARTEMIS" - a mobile application of the system with an emphasis on ease of use and its maintenance and support. Specifically, the application can be run on mobile phones, adapted to the limitations of each mobile platform. It will work on both Android and iOS devices.

In addition, mechanisms will be developed to alert users in real-time (instant notification) of new attacks, using mobile notification systems (SMS, push notifications, etc.). These mechanisms will also work on parallel networks such as mobile networks. Using these alerts will allow network administrators to quickly get basic information wherever they are, so if they want more information they can use the ARTEMIS web application to deepen and take action to troubleshoot. The notification system will ensure that the information being transmitted is not sensitive or is encrypted due to security and privacy reasons.


ARTEMIS-as-a-service

Enartia will design and implement "ARTEMIS-as-a-service", a new cloud hosting service, which will allow system users to access it from anywhere on the Internet without having to worry about security issues or performance. Regarding the handling of sensitive data coming from the client network (such as configuration files, data feeds), the client will be able to choose the location of the cloud datacenter as well as whether all data will be encrypted. In this way, ARTEMIS-as-a-service will be available as a service to companies that do not want to install any software in their internal network or in cases where this process is expensive and time-consuming. Also, this service will be useful to companies that want access to remote (e.g. on another continent) sources of BGP data surveillance and network device configuration, since it will not require their physical presence (e.g. dedicated rackspace), with the extra costs this involves.

^