Worcester, Mass. - The nation's 54 million residential computer networks, which often have inadequate or out-of-date security safeguards, leave millions of Americans vulnerable to fraud, compromise, and even property damage. Poorly protected home computers and other connected devices are inviting targets for hackers seeking to build "botnets" to send spam or phishing emails or launch malicious Internet attacks.
A computer science researcher at Worcester Polytechnic Institute (WPI) believes the solution to this widespread and costly problem is to reinvent residential network security by taking the task of defending home networks out of the hands of homeowners -- who typically have little or no computer training and little understanding of the importance of keeping their security safeguards up-to-date -- and putting it in the hands of experts.
With a five-year, $507,600 CAREER Award from the National Science Foundation (NSF), the agency's most prestigious award for young faculty members, Craig Shue, associate professor of computer science at WPI, will develop a groundbreaking approach to security that uses cloud-based security providers and deployable security solutions to outsource the management of home networks, an approach he believes can transform home networks from liabilities into assets.
"Residential networks outnumber enterprise (or non-residential) networks nine to one," Shue said, "but while enterprise networks may follow best practices and have robust security, home networks typically lack these protections and are the last place where networking innovations are deployed. Our aim is to take some of the security practices used in enterprise networks and apply them to home networks. By making millions of home networks more secure, we can also bolster the security of the Internet as a whole."
The system Shue plans to develop will consist of several interconnected components. The first of these is the network router. As the device that connects a home network to the Internet, the router is the portal through which all network traffic must pass. The system Shue envisions will begin by transforming the router already installed in a home by deploying new firmware that will change the way the router manages the flow of information within the network.
One of the principal jobs of a router is to act as traffic manager, directing incoming data to the appropriate device on the network (an email message to the computer, a streaming movie to the TV, an online game to a game console, etc.) and sending outgoing traffic to the appropriate Internet destination. Instead, routers with the new firmware will direct most traffic, incoming and outgoing, over a secure pathway to a cloud-based security system consisting of a controller and a set of virtual computers called middleboxes.
The middleboxes will be loaded with current information about the Internet, including which sites are known to be authentic and safe and which pose a risk. When the controller diverts traffic to a middlebox, whether it is information headed into a home network from a site on the Internet or a stream of data flowing out to a particular site, the middlebox will check the site's profile against its stored information. If the identity of the site can be verified, the middlebox will let the traffic proceed. If not, it will stop the traffic in its tracks.
Shue said it is important to check traffic moving into and out of a home network to catch nefarious sites attempting to get access to computers and devices in the home, but also to detect the activities of devices that may already have been compromised. "We are seeing the rapid expansion of the Internet of Things, or IoT," he said, "which includes all manner of devices--smart TVs, home security systems, appliances--that are connected to the Internet."
"Many of these technologies have weak or even nonexistent security, and even when manufacturers provide security, few homeowners realize that these devices can be hacked, let alone know how to protect themselves. This is why the IoT makes an inviting target for hackers and why devices like TVs and webcams have already been used in large-scale denial of service attacks." Shue said the consequences of inadequate security could be severe if connected devices, like light bulbs, stoves, and home heating systems, were made to run amok and cause fires or other property damage.
Because the key steps in verifying the identity of an Internet server or host occur in the early moments of a network connection (a series of information exchanges known as a handshake), Shue said the remote security system should not noticeably slow network performance. "Once the middlebox has verified the authenticity of the connection you are trying to establish with Netflix, for example," he said, "the middlebox can get out of the way and the rest of that transaction can be routed directly to the Netflix server. So while the initial handshake is handled by the middlebox, the movie you want to stream can pass directly from Netflix to your TV."
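As an added illustration, not code from Shue's project, the following toy simulation models the flow steering described above: the router diverts only the handshake of each new flow to a cloud middlebox, which checks the remote host against a reputation store; verified flows get a direct-path rule, unverified or known-bad hosts are stopped, and later packets of a verified flow (in either direction) never touch the middlebox. All host names, device names and verdict labels are invented for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str                  # "home:<device>" for the home side, a host name otherwise
    dst: str
    handshake: bool = False   # True for the connection-setup packets of a new flow
    payload: str = ""

class Middlebox:
    """Cloud middlebox: holds a reputation store and inspects diverted handshakes."""
    def __init__(self, known_good, known_bad):
        self.known_good, self.known_bad = set(known_good), set(known_bad)
        self.inspected = 0    # how many handshakes were diverted to the cloud

    def inspect(self, pkt):
        self.inspected += 1
        # the remote party is whichever end is not inside the home
        remote = pkt.dst if pkt.src.startswith("home:") else pkt.src
        if remote in self.known_bad or remote not in self.known_good:
            return "drop"     # identity not verified: stop the traffic in its tracks
        return "direct"       # verified: the flow may bypass the middlebox from now on

class Router:
    """Home router with the new firmware: diverts unknown flows, caches verdicts."""
    def __init__(self, middlebox):
        self.mb = middlebox
        self.flows = {}       # unordered {src, dst} pair -> "direct" | "drop"

    def forward(self, pkt):
        key = frozenset((pkt.src, pkt.dst))   # one rule covers both directions
        if key not in self.flows:
            if not pkt.handshake:
                return "drop"                 # mid-flow packet with no verified handshake
            self.flows[key] = self.mb.inspect(pkt)
        return self.flows[key]

def run(packets, known_good, known_bad):
    """Forward every packet; return the per-packet verdicts and the diversion count."""
    mb = Middlebox(known_good, known_bad)
    router = Router(mb)
    return [router.forward(p) for p in packets], mb.inspected

# Constructed traffic: a streaming session, a compromised IoT device calling out,
# an unknown inbound host, and a data packet that never did a handshake.
SAMPLE = [
    Packet("home:tv", "video.example", handshake=True),
    Packet("video.example", "home:tv", payload="stream"),       # reply path, no diversion
    Packet("home:webcam", "c2.example", handshake=True),        # known-bad destination
    Packet("home:webcam", "c2.example", payload="beacon"),
    Packet("scanner.example", "home:thermostat", handshake=True),  # not in the store
    Packet("home:pc", "bank.example", payload="data"),          # no handshake seen
]
```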
Handing off security decisions to a cloud-based service will have multiple benefits, Shue said. For one, by preventing home networks from communicating directly with potentially nefarious Internet hosts, the remote service will reduce the risk that residential computer users will fall victim to scams, identity theft, and attacks, such as malware and ransomware, which may damage or destroy files or even render computers unusable. It will also make it harder for hackers to commandeer computers or other networked electronic devices and turn them into platforms for launching malicious attacks on other computers or networks.
While the focus of Shue's research is providing reliable security to individual residential computer networks, the work could also increase the security of the Internet more broadly, he noted. "Given the generally weak security measures in residential networks, an improvement that makes them less likely to be targets of attacks or vectors for attacks will make the Internet, as a whole, more secure." Shue said that since employees often bring to work laptops, mobile devices, or flash drives that can be contaminated by infected home networks, improved home security will also benefit enterprise networks.
Shue said his project also aims to develop what he calls "a new subfield of deployable residential network security." In addition to being able to keep residential routers updated with the latest security firmware, he said the cloud-based security providers could be used to deploy and evaluate new and previously underutilized security techniques -- for example, protocols that could flag insecure e-commerce transactions or serve as early warning systems for bot attacks. The platform could also be used to detect and learn about new IoT devices and then quickly deploy that knowledge to other residential networks. "This approach will provide the opportunity to conduct research and deploy new innovations to residential networks in a way that has not previously been possible," he said.
###
About Worcester Polytechnic Institute
Founded in 1865 in Worcester, Mass., WPI is one of the nation's first engineering and technology universities. Its 14 academic departments offer more than 50 undergraduate and graduate degree programs in science, engineering, technology, business, the social sciences, and the humanities and arts, leading to bachelor's, master's and doctoral degrees. WPI's talented faculty work with students on interdisciplinary research that seeks solutions to important and socially relevant problems in fields as diverse as the life sciences and bioengineering, energy, information security, materials processing, and robotics. Students also have the opportunity to make a difference to communities and organizations around the world through the university's innovative Global Projects Program. There are more than 40 WPI project centers throughout the Americas, Africa, Asia-Pacific, and Europe.