Author

Jelena Mirkovic

Bio: Jelena Mirkovic is an academic researcher from Information Sciences Institute. The author has contributed to research in topics: Denial-of-service attack & Computer science. The author has an h-index of 28, co-authored 89 publications receiving 4710 citations. Previous affiliations of Jelena Mirkovic include University of California, Los Angeles & University of Southern California.


Papers
Journal ArticleDOI
TL;DR: It is found that human-driven traffic in the network decreases to around 70%, and mostly shifts to local ISPs, while VPN and online meeting traffic increases up to 5 times, and most network prefixes experience large loss of live addresses but a handful increase their liveness.
Abstract: During the 2020 pandemic caused by the COVID-19 virus, many countries implemented stay-at-home measures, which led to many businesses and schools moving from in-person to online mode of operation. We analyze sampled Netflow records at a medium-sized US Regional Optical Network to quantify the changes in the network traffic due to stay-at-home measures in that region. We find that human-driven traffic in the network decreases to around 70%, and mostly shifts to local ISPs, while VPN and online meeting traffic increases up to 5 times. We also find that networks adopt a variety of online meeting solutions and favor one but continue using a few others. We find that educational and government institutions experience large traffic changes, but aim to keep their productivity via increased online meetings. Some scientific traffic also reduces possibly leading to loss of research productivity. Businesses mostly lose their traffic and few show VPN or online meeting activity. Most network prefixes experience large loss of live addresses but a handful increase their liveness. We also find increased incidence of network attacks. Our findings can help plan network provisioning and management to prepare for future possible infection outbreaks and natural disasters.

2 citations

Proceedings ArticleDOI
04 Dec 2017
TL;DR: A self-learning spoofed packet filter that detects spoofed traffic upstream from the victim by combining information about the traffic's expected route and about the sender's response to a few packet drops, RESECT is unique in its ability to autonomously learn correct filtering rules when routes change, or when routing is asymmetric or multipath.
Abstract: IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, the sheer volume of such traffic requires handling further upstream. We propose RESECT---a self-learning spoofed packet filter that detects spoofed traffic upstream from the victim by combining information about the traffic's expected route and about the sender's response to a few packet drops. RESECT is unique in its ability to autonomously learn correct filtering rules when routes change, or when routing is asymmetric or multipath. Its operation has a minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. In isolated deployment, RESECT greatly reduces spoofed traffic to the deploying network and its customers, to 8-26% of its intended rate. If deployed at 50 best-connected autonomous systems, RESECT protects the deploying networks and their customers from 99% of spoofed traffic, and filters 91% of spoofed traffic sent to any other destination. RESECT is thus both a practical and highly effective solution for IP spoofing defense.

2 citations

Journal ArticleDOI
TL;DR: In this article, the mesonephric-like adenocarcinomas (MLAs) of the female genital tract were found in five different individuals, and they were classified into five groups.
Abstract: To report novel observations in five mesonephric‐like adenocarcinomas (MLAs) of the female genital tract.

2 citations

Proceedings ArticleDOI
04 Jan 2022
TL;DR: This work proposes an encoding of malware samples that can help to understand the malware's functionality and detect related or even same (polymorphic) malware, and shows how this approach can complement traditional code analysis techniques for malware defense.
Abstract: Malware continues to be a major threat to information security. To avoid being detected and analyzed, modern malware is continuously improving its stealthiness, including code obfuscation and encryption. On the other hand, a high number of unique malware samples detected daily suggests a likely high degree of code reuse under the layers of stealth. We observe that although obfuscation greatly changes a malware's binary, its functionalities remain intact. We propose to leverage malware's network behavior during its execution, to understand the malware's functionality and detect related or even same (polymorphic) malware. While malware may transform its code to evade analysis, we contend that its key network behaviors must endure through the transformations to achieve the malware's ultimate purpose, such as sending victim information, scanning for vulnerable hosts, etc. We propose an encoding of malware samples that can help us classify samples, identify code reuse and genealogy, and develop behavioral signatures for malware defense based on malware's network behavior. We leverage the same encoding to identify polymorphic malware in a random dataset containing more than 8,000 diverse samples from the Georgia Tech Apiary project. We cluster 6,595 samples which show some network activity based on our embedding features and more than 90% of the cluster contains potentially polymorphic malware with up to 80% of the clusters identify truly polymorphic malware samples, i.e., they have identical network behavior as at least one other sample in our dataset. Such high level of polymorphism indicates a high level of code reuse, and shows how our approach can complement traditional code analysis techniques for malware defense.

2 citations

Journal ArticleDOI
TL;DR: In this article, the authors present features of uncommon high-grade endometrial carcinomas that often pose a significant diagnostic challenge, such as mesonephric-like carcinoma of the endometrium and gastric-type endometric carcinomas.

1 citation


Cited by
Journal ArticleDOI
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria was selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,866 citations

Proceedings ArticleDOI
Frank McSherry
29 Jun 2009
TL;DR: PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.
Abstract: We report on the design and implementation of the Privacy Integrated Queries (PINQ) platform for privacy-preserving data analysis. PINQ provides analysts with a programming interface to unscrubbed data through a SQL-like language. At the same time, the design of PINQ's analysis language and its careful implementation provide formal guarantees of differential privacy for any and all uses of the platform. PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.

1,278 citations

Proceedings Article
16 Aug 2017
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Abstract: The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai's growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.

1,236 citations

Journal ArticleDOI
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

1,153 citations