Author

Jelena Mirkovic

Bio: Jelena Mirkovic is an academic researcher from the Information Sciences Institute. The author has contributed to research in topics: Denial-of-service attack & Computer science. The author has an h-index of 28, and has co-authored 89 publications receiving 4710 citations. Previous affiliations of Jelena Mirkovic include University of California, Los Angeles & University of Southern California.


Papers
Journal Article
TL;DR: This tutorial introduces participants to the DeterLab testbed, demonstrates how to use it in research and in education, and has them practice with several tools to create and manipulate security experiments.
Abstract: This tutorial will introduce the participants to the DeterLab testbed and demonstrate how to use it in research and in education. DeterLab is a publicly available, free network testbed hosted by USC/ISI and UC Berkeley that is geared towards security experimentation. It has 500+ nodes and 3,000+ users and is extensively used both for research and for education. It also has many shared education materials for illustrative hands-on exercises in security that could be used as homework or project assignments in classes. Attendees will learn about DeterLab, its experimentation interfaces and tools, and shared education materials. They will also practice using several tools to create and manipulate security experiments. At the end of the tutorial, attendees will be able to create DeterLab experiments and manipulate them with ease.

8 citations

Proceedings ArticleDOI
20 Oct 2008
TL;DR: A method is proposed to infer worm-induced congestion drops from a telescope's observations and use them to accurately estimate global worm dynamics; it is applied to the CAIDA telescope's observations of the Witty worm's spread, and corrected statistics of worm dynamics are released for public use.
Abstract: Network telescopes have been invaluable for collecting information about the dynamics of large-scale worm events. Yet a telescope's observation may be incomplete due to scan congestion drops, hardware limitations, filtering and the presence of NATs, a worm's non-uniform scanning strategy or its short life. We investigate inaccuracies in telescope observations that arise from worm-induced congestion drops of worm scans and show that they may lead to significant underestimates of the number of infectees and their scanning rate. We propose a method to infer worm-induced congestion drops from a telescope's observations and use them to accurately estimate global worm dynamics. We apply our methods to the CAIDA telescope's observations of the Witty worm's spread, and release corrected statistics of worm dynamics for public use.

8 citations

Book ChapterDOI
10 Sep 2018
TL;DR: This work proposes GuidedPass – a system that suggests real-time password modifications to users, which preserve the password’s semantic structure, while increasing password strength.
Abstract: Password meters and policies are currently the only tools helping users to create stronger passwords. However, such tools often do not provide consistent or useful feedback to users, and their suggestions may decrease memorability of resulting passwords. Passwords that are difficult to remember promote bad practices, such as writing them down or password reuse; thus stronger passwords do not necessarily improve authentication security. In this work, we propose GuidedPass – a system that suggests real-time password modifications to users, which preserve the password's semantic structure, while increasing password strength. Our suggestions are based on structural and semantic patterns mined from successfully recalled and strong passwords in several IRB-approved user studies [30]. We compare our approach to password creation with creation under NIST [12] policy, Ur et al. [26] guidance, and the zxcvbn password meter. We show that GuidedPass outperforms competing approaches both in password strength and in recall performance.

7 citations

Proceedings ArticleDOI
19 May 2008
TL;DR: This work combines two existing defenses against distributed denial-of-service (DDoS) attacks, DefCOM and speak-up, into a synergistic defense that addresses the shortcomings of each and confirms the success of collaborative protection against DDoS attacks.
Abstract: This work combines two existing defenses against distributed denial-of-service (DDoS) attacks - DefCOM and speak-up - resulting in a synergistic improvement. The DefCOM defense organizes existing source-end, victim-end and core defenses into a collaborative overlay to filter DDoS floods. Source networks that do not participate in DefCOM often receive poor service and their traffic is severely rate-limited. This is because core nodes in DefCOM that perform filtering lack cheap algorithms to differentiate legitimate from attack traffic at line speed - they must conservatively assume all high-rate traffic from legacy networks to be attack traffic. Thus, in its attempt to mitigate DDoS, DefCOM ends up denying service during attacks to legitimate hosts that reside in legacy networks. Speak-up is a recently proposed defense which invites all clients of the DDoS victim to send additional payment traffic, on the assumption that attack machines are already sending close to their full capacity. Clients that send a lot of payment traffic are considered legitimate and whitelisted. Speak-up is relatively cheap to deploy at the clients and the DDoS victim, but since payment traffic needs to be sent continuously, it creates additional congestion at the victim, which is undesirable. We combine speak-up and DefCOM into a synergistic defense that addresses the shortcomings of the individual defenses and confirms the success of collaborative protection against DDoS attacks. Speak-up is integrated with core defenses in DefCOM and whitelists clients based on their payment traffic. Legitimate clients in legacy networks can thus be detected and served. Further, since speak-up is implemented in the core, payment and attack traffic do not reach the victim, and any undesirable congestion effects are localized to the vicinity of the legacy networks.

7 citations
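
The abstract above describes speak-up's core bet: a congested server shares capacity in proportion to the traffic each client offers, bots are already at their uplink capacity, and legitimate clients win back a fair share only when they fill their spare uplink with payment traffic. The simulation below is an added example, not code from the paper or from the DefCOM or speak-up projects; its proportional-admission rule, the whitelist threshold, the client capacities and the victim's capacity are all assumptions made for illustration.

```python
"""Added example (not from the paper): speak-up's bandwidth-proportional
admission, with and without legitimate clients inflating their traffic.

Model assumptions (ours): a congested server admits offered traffic in
proportion to the rate each client sends, which is what a FIFO bottleneck does;
bots already send at uplink capacity; legitimate clients normally send only
their real demand but, under speak-up, fill their uplink with payment traffic.
All rates are kbps and all clients here are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Client:
    name: str
    legitimate: bool      # ground truth, used only to score the outcome
    capacity_kbps: float  # uplink capacity
    demand_kbps: float    # real request rate (for a bot: its flood rate)


def offered_rates(clients: List[Client], speakup: bool) -> Dict[str, float]:
    """Rate each client sends toward the victim (requests plus any payment)."""
    rates = {}
    for c in clients:
        if speakup and c.legitimate:
            rates[c.name] = c.capacity_kbps  # spare uplink spent on payment
        else:
            rates[c.name] = min(c.demand_kbps, c.capacity_kbps)
    return rates


def admitted_rates(rates: Dict[str, float], server_kbps: float) -> Dict[str, float]:
    """Split server capacity in proportion to offered load (unchanged if uncongested)."""
    total = sum(rates.values())
    if total <= server_kbps:
        return dict(rates)
    return {name: r / total * server_kbps for name, r in rates.items()}


def legit_service_fraction(clients: List[Client], server_kbps: float, speakup: bool) -> float:
    """Share of legitimate demand that actually gets served."""
    admitted = admitted_rates(offered_rates(clients, speakup), server_kbps)
    served = sum(min(c.demand_kbps, admitted[c.name]) for c in clients if c.legitimate)
    demand = sum(c.demand_kbps for c in clients if c.legitimate)
    return served / demand


def whitelist(rates: Dict[str, float], min_payment_kbps: float) -> Set[str]:
    """Clients a core defense would whitelist for 'paying' at least the threshold.
    The threshold is an assumed tuning knob, not a value from the paper."""
    return {name for name, r in rates.items() if r >= min_payment_kbps}


# Constructed scenario: 10 legitimate clients and 10 bots with equal uplinks,
# and a victim whose capacity is far below the bots' aggregate flood.
CLIENTS = (
    [Client(f"good{i}", True, 1000.0, 50.0) for i in range(10)]
    + [Client(f"bot{i}", False, 1000.0, 1000.0) for i in range(10)]
)
SERVER_KBPS = 800.0


if __name__ == "__main__":
    for speakup in (False, True):
        rates = offered_rates(CLIENTS, speakup)
        frac = legit_service_fraction(CLIENTS, SERVER_KBPS, speakup)
        wl = sorted(whitelist(rates, 900.0))
        print(f"speak-up={speakup}: legitimate demand served {frac:.1%}, "
              f"offered to victim {sum(rates.values()):.0f} kbps, whitelisted {len(wl)}")
```

Without speak-up the legitimate clients get under 8% of their demand served and only the bots clear the 900 kbps whitelist threshold; with speak-up the same clients get 80% and are whitelisted alongside the bots, whose share is now bounded by their uplinks. The price is visible in the "offered to victim" figure, which doubles to 20,000 kbps: this is the congestion the abstract attributes to pure speak-up, and the reason the combined design absorbs payment traffic in DefCOM core nodes instead of at the victim.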

13 Jun 2007
TL;DR: A series of DoS impact metrics is proposed that measure the QoS experienced by end users during an attack; the metrics are easily reproducible, and the relevant traffic parameters are extracted from packet traces gathered at the source and destination networks during an experiment.
Abstract: The exclusive goal of a Denial of Service (DoS) attack is to significantly degrade a network's service quality by introducing large or variable delays, excessive losses, and service interruptions. Conversely, the aim of any DoS defense is to neutralize this effect, and to quickly and fully restore service quality to levels acceptable to the users. DoS attacks and defenses have typically been studied by researchers via network simulation and live experiments in isolated testbeds. To objectively evaluate an attack's impact on network services, its severity and the effectiveness of a potential defense, we need precise, quantitative and comprehensive DoS impact metrics that are applicable to any test scenario. Current evaluation approaches do not meet these goals. They commonly measure one or a few traffic parameters and determine an attack's impact by comparing parameter value distributions in different tests. These approaches are customized to a particular test scenario, and they fail to monitor all traffic parameters that signal service degradation for diverse applications. Further, they are imprecise because they fail to map application quality-of-service (QoS) requirements into specific parameter thresholds. We propose a series of DoS impact metrics that measure the QoS experienced by end users during an attack. Our measurements and metrics are ideal for testbed experimentation. They are easily reproducible, and the relevant traffic parameters are extracted from packet traces gathered at the source and the destination networks during an experiment. The proposed metrics consider QoS requirements for a range of applications and map them into measurable traffic parameters. We then specify thresholds for each relevant parameter that, when breached, indicate poor service quality. Service quality is derived by comparing measured parameter values with corresponding thresholds, and aggregated into a series of appropriate DoS impact metrics. We illustrate the proposed metrics using extensive live experiments, with a wide range of background traffic and attack variants. We successfully demonstrate that our metrics capture the DoS impact more precisely than the measures used in the past.

6 citations
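
The abstract above lays out a pipeline rather than a single number: extract traffic parameters per transaction from source- and destination-side traces, compare each against an application-specific QoS threshold, and aggregate the pass/fail outcomes. The following is an added example of that pipeline, not the paper's own code; the threshold values, the three parameters chosen (mean one-way delay, loss fraction, duration), the "percentage of failed transactions" aggregation and the packet records are all constructed for illustration and are not the paper's values or data.

```python
"""Added example (not from the paper): a user-centric DoS impact metric
computed from source- and destination-side packet records.

Pipeline: group packets by transaction, derive per-transaction traffic
parameters (mean one-way delay, loss fraction, duration), test each against
per-application QoS thresholds, and aggregate pass/fail outcomes into a
percentage of failed transactions per application and overall.
The thresholds and the packet records below are constructed for illustration;
they are not the paper's values or data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    tx_id: str
    app: str
    seq: int
    sent: float                 # timestamp at the source-network tap (s)
    received: Optional[float]   # timestamp at the destination tap; None if never seen


@dataclass
class TxMeasurement:
    app: str
    delay_ms: float     # mean one-way delay of delivered packets
    loss: float         # fraction of packets never seen at the destination
    duration_s: float   # first send to last delivery


# Assumed per-application thresholds: a transaction is acceptable only if
# every parameter stays at or below them.
THRESHOLDS: Dict[str, Dict[str, float]] = {
    "dns":  {"delay_ms": 400.0,  "loss": 0.0,  "duration_s": 5.0},
    "web":  {"delay_ms": 4000.0, "loss": 0.05, "duration_s": 10.0},
    "voip": {"delay_ms": 150.0,  "loss": 0.03, "duration_s": float("inf")},
}


def measure(packets: List[Packet]) -> Dict[str, TxMeasurement]:
    """Join source and destination observations into per-transaction parameters."""
    by_tx: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        by_tx[p.tx_id].append(p)
    out = {}
    for tx_id, pkts in by_tx.items():
        delivered = [p for p in pkts if p.received is not None]
        loss = 1.0 - len(delivered) / len(pkts)
        if delivered:
            delay_ms = 1000.0 * sum(p.received - p.sent for p in delivered) / len(delivered)
            duration_s = max(p.received for p in delivered) - min(p.sent for p in pkts)
        else:  # nothing arrived: the transaction never completed
            delay_ms = duration_s = float("inf")
        out[tx_id] = TxMeasurement(pkts[0].app, delay_ms, loss, duration_s)
    return out


def breached(m: TxMeasurement) -> List[str]:
    """Names of the parameters that exceed the application's thresholds."""
    t = THRESHOLDS[m.app]
    return [k for k in ("delay_ms", "loss", "duration_s") if getattr(m, k) > t[k]]


def percent_failed(measurements: Dict[str, TxMeasurement]) -> Dict[str, float]:
    """Percentage of failed transactions, per application category."""
    total, failed = defaultdict(int), defaultdict(int)
    for m in measurements.values():
        total[m.app] += 1
        failed[m.app] += bool(breached(m))
    return {app: 100.0 * failed[app] / total[app] for app in total}


def dos_impact(measurements: Dict[str, TxMeasurement]) -> float:
    """Single aggregate figure: percentage of all transactions that failed."""
    if not measurements:
        return 0.0
    return 100.0 * sum(1 for m in measurements.values() if breached(m)) / len(measurements)


def _tx(tx_id: str, app: str, start: float, delays_ms: List[Optional[float]]) -> List[Packet]:
    """Constructed trace: one packet every 10 ms; None marks a packet lost en route."""
    return [Packet(tx_id, app, i, start + 0.01 * i,
                   None if d is None else start + 0.01 * i + d / 1000.0)
            for i, d in enumerate(delays_ms)]


BASELINE = (_tx("dns-1", "dns", 0.0, [20.0])
            + _tx("web-1", "web", 0.0, [30.0, 32.0, 31.0, 35.0])
            + _tx("web-2", "web", 1.0, [28.0, 30.0, 29.0, 33.0])
            + _tx("voip-1", "voip", 0.0, [40.0, 41.0, 42.0, 40.0, 43.0]))

UNDER_ATTACK = (_tx("dns-1", "dns", 0.0, [None])                                  # query dropped
                + _tx("web-1", "web", 0.0, [900.0, None, 1200.0, 1100.0])         # 25% loss
                + _tx("web-2", "web", 1.0, [3000.0, 3100.0, 3200.0, 3050.0])      # slow but within limits
                + _tx("voip-1", "voip", 0.0, [180.0, 190.0, 175.0, 185.0, 200.0]))  # delay over budget

if __name__ == "__main__":
    for label, trace in (("baseline", BASELINE), ("attack", UNDER_ATTACK)):
        m = measure(trace)
        print(label, percent_failed(m), f"impact={dos_impact(m):.1f}%")
```

The point the abstract makes about mapping QoS requirements into thresholds shows up in the attack trace: the slow web fetch `web-2` still passes because web tolerates seconds of delay, while `voip-1` fails on delay alone with zero loss, and a single lost packet fails `web-1` on loss. A metric that only compared delay distributions across runs would rank these three the other way round.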


Cited by
Journal ArticleDOI
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,866 citations

Proceedings ArticleDOI
Frank McSherry
29 Jun 2009
TL;DR: PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.
Abstract: We report on the design and implementation of the Privacy Integrated Queries (PINQ) platform for privacy-preserving data analysis. PINQ provides analysts with a programming interface to unscrubbed data through a SQL-like language. At the same time, the design of PINQ's analysis language and its careful implementation provide formal guarantees of differential privacy for any and all uses of the platform. PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.

1,278 citations

Proceedings Article
16 Aug 2017
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets: the simplicity with which devices were infected and its precipitous growth show that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Abstract: The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai's growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets: the simplicity with which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.

1,236 citations

Journal ArticleDOI
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

1,153 citations