MISTRAL Project Advisory Board Charter Overview

Background

With thanks to the National Science Foundation (NSF), Duke University has embarked on a project titled “CICI: RSSD: Massive Internal System Traffic Research Analysis and Logging Dataset” (MISTRAL Dataset) to leverage and expand an internal network monitoring fabric and data collection points, and to create a reference scientific security dataset (RSSD) and associated data pipeline and analysis techniques. The project aims to improve detection of abnormal or malicious activities impacting identified science drivers and associated cyberinfrastructure in Duke datacenters and research labs. The project is a key step in a larger effort to detect and respond to security incidents or Indicators of Compromise (IoC) for scientific application workflows and workloads in a privacy-preserving manner, including developing the data handling capacity to evolve threat intelligence and alerting. Specifically, the MISTRAL Dataset will capture domain science workflow behavior for analysis and interpretation of that behavior, and to identify an expected or standard characterization of the science workflow. Thus, the highest order goals of the project extend beyond creation of an RSSD and encompass improvements in the protection and security of the science cyberinfrastructure itself and associated improvement to application workflows.

Duke and other universities have long focused on monitoring traffic between the campus and the public Internet. This so-called north-south traffic analysis is valuable but increasingly limited in impact, since the increasing prevalence of compromised devices within the campus network leaves it susceptible to attack from within, through what is considered east-west traffic. The MISTRAL project takes its name from the Mistral wind, a cold northwesterly wind that is a significant determinant of fair weather in France and the Mediterranean: without a keen understanding of not only north-south network traffic, but also east-west, it is not possible to ensure the security of network flows, especially for research infrastructure, data, and workflow. MISTRAL’s innovation begins with capturing not only north-south but also east-west traffic, to provide a richer data source for cybersecurity researchers and security and network operators.

The project, led by Duke’s Office of Information Technology (OIT) together with multi-disciplinary faculty collaborators, has identified three major objectives:

Objective 1: Build a scalable infrastructure to capture relevant scientific data and workflow.

Objective 2: Enrich the dataset using other data; analyze for anomalies or to optimize workflow.

Objective 3: Extend dataset access internally, to external partners and then to the public.

A key focus area of Objective 3 is the establishment of an advisory board comprised of faculty and IT administrators from Duke and key external partners to advise on data collection techniques, preferred data formats, and additional science uses.

Mission

The MISTRAL advisory board (AB), comprised of representatives from Duke, other universities, and partners, is responsible for advising on data collection techniques, preferred data formats, data privacy protections, and additional science applications. A key responsibility of the AB will be to help define, establish, and refine metrics for the project:

  • Science (quantitative measures of community adoption / number of users as well as qualitative assessments of improved ‘speed to science’ from process improvement)
  • Cybersecurity Research (downloads of datasets, number of publication citations), and
  • Operational Improvement (effectiveness of dataset use for securing infrastructure)

Initial analysis of the MISTRAL dataset will focus on identifying “normal/abnormal” activities in a privacy-preserving framework, developed and tested on the initial data collection.

The project intent is to fully instrument and collect data and relevant metadata for multiple science drivers over the period of the grant (see Figure 1 for a mapping of science drivers).

Figure 1 – Science Drivers

Benefits as an AB Member

The AB members have an opportunity to share knowledge and expertise in this groundbreaking MISTRAL Dataset project. This opportunity will give AB members a way to help improve and contribute to the security aspects of Duke, its partners and eventually the public sector by working with peers in other departments and groups.

Group Structure

In recognition of the importance of protecting science data as well as generating data for operational as well as research use, the AB will consist of at least three members and be comprised of cybersecurity practitioners as well as members of the research community.

  • Members can resign their seat at any time or if they have missed three or more consecutive meetings.
  • AB member selection will be initiated by the MISTRAL Dataset stakeholders.
  • AB members will not make decisions for the project but will make recommendations that will be reviewed by the project stakeholders and project team.
  • AB members should not speak on behalf of the project organization or partners and shall not speak regarding project details to the press and/or in public forums, including social media.

Meetings and Format

MISTRAL AB meetings shall occur at least quarterly and will review the established initial project metrics.

Prior to each meeting, the MISTRAL project manager will submit the meeting agenda and materials. After each meeting, the minutes and recommendations will be shared with all board members. AB artifacts are stored in Duke’s Box service and available to all AB members.