Author

Jelena Mirkovic

Bio: Jelena Mirkovic is an academic researcher from the Information Sciences Institute. The author has contributed to research in topics: Denial-of-service attack & Computer science. The author has an h-index of 28 and has co-authored 89 publications receiving 4,710 citations. Previous affiliations of Jelena Mirkovic include University of California, Los Angeles & University of Southern California.


Papers
Book
01 Dec 2004
TL;DR: In this article, the authors present a suite of actions that can be taken before, during, and after an attack to improve the resilience of a network against denial-of-service (DoS) attacks.
Abstract: Suddenly your Web server becomes unavailable. When you investigate, you realize that a flood of packets is surging into your network. You have just become one of the hundreds of thousands of victims of a denial-of-service attack, a pervasive and growing threat to the Internet. What do you do? Internet Denial of Service sheds light on a complex and fascinating form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide. It tells the network administrator, corporate CTO, incident responder, and student how DDoS attacks are prepared and executed, how to think about DDoS, and how to arrange computer and network defenses. It also provides a suite of actions that can be taken before, during, and after an attack. Inside, you'll find comprehensive information on the following topics: how denial-of-service attacks are waged; how to improve your network's resilience to denial-of-service attacks; what to do when you are involved in a denial-of-service attack; the laws that apply to these attacks and their implications; how often denial-of-service attacks occur, how strong they are, and the kinds of damage they can cause; and real examples of denial-of-service attacks as experienced by the attacker, victim, and unwitting accomplices. The authors' extensive experience in handling denial-of-service attacks and researching defense approaches is laid out clearly in practical, detailed terms.

122 citations

Proceedings ArticleDOI
14 Jun 2009
TL;DR: In this article, the authors propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users along three aspects: a) request dynamics, by learning several chosen features of human interaction dynamics and detecting bots that exhibit higher aggressiveness in one or more of these features; b) request semantics; and c) the ability to process visual cues.
Abstract: Flash-crowd attacks are the most vicious form of distributed denial of service (DDoS). They flood the victim with service requests generated from numerous bots. Attack requests are identical in content to those generated by legitimate, human users, and bots send at a low rate to appear non-aggressive -- these features defeat many existing DDoS defenses. We propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users. Current approaches to human-vs-bot differentiation, such as graphical puzzles, are insufficient and annoying to humans, whereas our defenses are highly transparent. We model three aspects of human behavior: a) request dynamics, by learning several chosen features of human interaction dynamics, and detecting bots that exhibit higher aggressiveness in one or more of these features, b) request semantics, by learning transitional probabilities of user requests, and detecting bots that generate valid but low-probability sequences, and c) ability to process visual cues, by embedding into server replies human-invisible objects, which cannot be detected by automated analysis, and flagging users that visit them as bots. We evaluate our defenses' performance on a series of web traffic logs, interlaced with synthetically generated attacks, and conclude that they raise the bar for a successful, sustained attack to botnets whose size is larger than the size observed in 1-5% of DDoS attacks today.

121 citations
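The three checks the abstract describes, written out as an added example in Python (this is not code from the paper or its authors): request dynamics are scored against inter-request gaps learned from human sessions, request semantics against first-order transition probabilities between pages, and the visual-cue test against decoy URLs that a stylesheet hides from humans. The human sessions, gap statistics, decoy paths, thresholds (k = 3 standard deviations, a 0.05 transition-probability floor) and the Common Log Format lines fed to it are all constructed for the illustration; the thresholds are assumptions, not values from the paper.

```python
"""Flash-crowd bot detection via human-behaviour modelling (added example).
a) request dynamics, b) request semantics as learned page-transition probabilities,
c) a human-invisible object only automated clients fetch. Every session, timing,
log line, path and threshold here is constructed, not taken from the paper."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, stdev

HUMAN_GAPS = [4.0, 5.0, 6.0, 5.0, 4.0, 6.0, 5.0, 5.0]   # constructed human inter-request gaps (s)
HUMAN_SESSIONS = [                                      # constructed human click paths
    ["/", "/login", "/account", "/cart", "/checkout"],
    ["/", "/search", "/item/1", "/cart", "/checkout"],
    ["/", "/search", "/item/2", "/item/3", "/cart"],
    ["/", "/login", "/account", "/logout"],
    ["/", "/search", "/item/1", "/item/2", "/cart", "/checkout"],
]
HIDDEN_OBJECTS = {"/assets/spacer1.gif", "/p/void"}     # constructed decoys, hidden by CSS


class HumanBehaviourModel:
    def __init__(self, gaps, sessions, k=3.0, alpha=0.1, min_prob=0.05):
        self.gap_mu, self.gap_sigma, self.k = mean(gaps), stdev(gaps), k
        self.pages = {p for s in sessions for p in s}
        counts = defaultdict(Counter)
        for s in sessions:
            for cur, nxt in zip(s, s[1:]):
                counts[cur][nxt] += 1
        # additive smoothing keeps a small non-zero probability for a valid page
        # never seen after `cur`, so "valid but rare" sequences can still be scored
        self.trans = {
            cur: {p: (counts[cur][p] + alpha)
                  / (sum(counts[cur].values()) + alpha * len(self.pages))
                  for p in self.pages}
            for cur in self.pages
        }
        self.min_prob = min_prob

    def aggressive(self, times):
        """a) mean gap more than k sigma below the human mean: too fast for a person."""
        gaps = [b - a for a, b in zip(times, times[1:])]
        return len(gaps) >= 2 and mean(gaps) < self.gap_mu - self.k * self.gap_sigma

    def rare_transition(self, path):
        """b) any step rarer than humans produce; pages never seen score 0.0."""
        return any(self.trans.get(c, {}).get(n, 0.0) < self.min_prob
                   for c, n in zip(path, path[1:]))

    def classify(self, requests):
        """requests: time-ordered [(t_seconds, path)] of one client -> set of bot indicators."""
        reasons = set()
        if any(p in HIDDEN_OBJECTS for _, p in requests):
            reasons.add("hidden_object")                 # c) a human never sees that link
        visible = [(t, p) for t, p in requests if p not in HIDDEN_OBJECTS]
        if self.aggressive([t for t, _ in visible]):
            reasons.add("aggressive")
        if self.rare_transition([p for _, p in visible]):
            reasons.add("rare_transition")
        return reasons


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')

def requests_by_client(lines):
    """Group Common Log Format lines by client IP into time-ordered (t, path) lists."""
    by_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, stamp, path = m.groups()
            t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
            by_client[ip].append((t, path))
    return {ip: sorted(reqs, key=lambda r: r[0]) for ip, reqs in by_client.items()}

def detect(lines, model=None):
    model = model or HumanBehaviourModel(HUMAN_GAPS, HUMAN_SESSIONS)
    return {ip: model.classify(reqs) for ip, reqs in requests_by_client(lines).items()}

def _clf(ip, hms, path):  # one constructed Common Log Format line
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "GET {path} HTTP/1.1" 200 512'

SAMPLE_LOG = [_clf(*r) for r in [
    ("10.0.0.1", "13:55:30", "/"), ("10.0.0.1", "13:55:35", "/search"),      # human pace
    ("10.0.0.1", "13:55:40", "/item/1"), ("10.0.0.1", "13:55:44", "/cart"),
    ("10.0.0.1", "13:55:50", "/checkout"),
    ("10.0.0.2", "13:55:36", "/"), ("10.0.0.2", "13:55:37", "/search"),      # same pages, 1 s apart
    ("10.0.0.2", "13:55:38", "/item/1"), ("10.0.0.2", "13:55:39", "/cart"),
    ("10.0.0.2", "13:55:40", "/checkout"),
    ("10.0.0.3", "13:56:00", "/"), ("10.0.0.3", "13:56:06", "/login"),       # slow bot, odd path
    ("10.0.0.3", "13:56:12", "/cart"), ("10.0.0.3", "13:56:18", "/login"),
    ("10.0.0.3", "13:56:24", "/cart"),
    ("10.0.0.4", "13:57:00", "/"), ("10.0.0.4", "13:57:05", "/assets/spacer1.gif"),  # crawler
]]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, "bot" if reasons else "human", sorted(reasons))
```

The low-rate client 10.0.0.3 passes the dynamics check, which is exactly the evasion the abstract describes; it is the semantics check that flags its valid-but-unusual /login to /cart to /login path, while 10.0.0.2 requests the same pages as the human but at one-second intervals and is caught on dynamics alone. A real deployment would learn the model per site from far more sessions and rotate the decoy paths so that bot operators cannot simply blacklist them.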

Proceedings ArticleDOI
03 Dec 2010
TL;DR: The next generation of DETER envisions several conceptual advances in testbed design and experimental research methodology, targeting improved experimental validity, enhanced usability, and increased size, complexity, and diversity of experiments.
Abstract: Since 2004, the DETER Cybersecurity Testbed Project has worked to create the necessary infrastructure (facilities, tools, and processes) to provide a national resource for experimentation in cyber security. The next generation of DETER envisions several conceptual advances in testbed design and experimental research methodology, targeting improved experimental validity, enhanced usability, and increased size, complexity, and diversity of experiments. This paper outlines the DETER project's status and current R&D directions.

115 citations

01 Jan 2003
TL;DR: A source-end defense (implemented in the D-WARD system) can detect and prevent a significant number of DDoS attacks, does not incur significant cost for its operation, and offers good service to legitimate traffic during the attack.
Abstract: Distributed denial-of-service (DDoS) attacks are a grave and challenging problem. Perpetration requires little effort on the attacker's side, since a vast number of insecure machines provides fertile ground for attack zombies, and automated scripts for exploit and attack can easily be downloaded and deployed. On the other hand, prevention of the attack or the response and traceback of perpetrators is extremely difficult due to a large number of attacking machines, the use of source-address spoofing and the similarity between legitimate and attack traffic. Many defense systems have been designed in the research and commercial communities to counter DDoS attacks, yet the problem remains largely unsolved. This thesis explores the problem of DDoS defense from two directions: (1) it strives to understand the origin of the problem and all its variations, and provides a survey of existing solutions, and (2) it presents the design (and implementation) of a source-end DDoS defense system called D-WARD that prevents outgoing attacks from deploying networks. Source-end defense is not the complete solution to DDoS attacks, since networks that do not deploy the proposed defense can still perform successful attacks. However, this thesis shows that a source-end defense (implemented in the D-WARD system) can detect and prevent a significant number of DDoS attacks, does not incur significant cost for its operation, and offers good service to legitimate traffic during the attack. By performing successful differentiation between legitimate and attack traffic close to the source, source-end defense is one of the crucial building blocks of the complete DDoS solution and essential for promoting Internet security. The thesis also includes a description of two joint projects where D-WARD has been integrated into a distributed defense system, and extensively tested. In all of the experiments, the operation of the system significantly improved with the addition of D-WARD.

101 citations
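As an added illustration of the source-end idea in the thesis abstract (this is not D-WARD's own code, and it simplifies its models to a single ratio test), the following Python monitors traffic at the edge of a deploying network: legitimate two-way traffic to a foreign host stays roughly symmetric because data is acknowledged, a flood from inside the network does not, and connections within an attacked flow that still behave symmetrically are exempted from the rate limit so legitimate users keep service during the attack. The prefix 192.0.2.0/24, the ratio threshold of 3 and the packet records are constructed for the example.

```python
"""Source-end flood detection, an added simplified illustration of the D-WARD idea.
An edge monitor records packets leaving and entering the deploying network. A flow
(all traffic to one foreign host) whose sent/received ratio is far above that of
two-way traffic is treated as an attack; connections inside it that still look
symmetric pass, the rest are rate limited. Prefix, thresholds and traffic are
constructed for this example; D-WARD's real models are more elaborate."""
import ipaddress
from collections import Counter


class SourceEndMonitor:
    def __init__(self, local_prefix, flow_ratio=3.0, conn_ratio=3.0):
        self.local_net = ipaddress.ip_network(local_prefix)
        self.flow_ratio, self.conn_ratio = flow_ratio, conn_ratio   # assumed thresholds
        self.sent = Counter()      # (local, foreign) -> packets leaving the network
        self.recv = Counter()      # (local, foreign) -> packets coming back
        self.spoofed = Counter()   # claimed local source that is outside our prefix

    def observe(self, local, foreign, outbound):
        """Record one packet seen at the edge; outbound=True means it leaves the network."""
        if outbound and ipaddress.ip_address(local) not in self.local_net:
            self.spoofed[local] += 1       # cannot be a legitimate internal host: drop
            return
        (self.sent if outbound else self.recv)[(local, foreign)] += 1

    @staticmethod
    def _ratio(out, back):
        return out / max(back, 1)          # no replies at all counts as one, not infinity

    def verdicts(self):
        """Per foreign destination: 'allow', or an attack verdict listing the local
        connections that still behave legitimately and those to rate limit."""
        keys = list(self.sent) + list(self.recv)
        result = {}
        for f in {f for _, f in keys}:
            conns = {l for l, ff in keys if ff == f}
            out = sum(self.sent[(l, f)] for l in conns)
            back = sum(self.recv[(l, f)] for l in conns)
            if self._ratio(out, back) <= self.flow_ratio:
                result[f] = {"state": "allow"}
                continue
            legit = sorted(l for l in conns
                           if self._ratio(self.sent[(l, f)], self.recv[(l, f)]) <= self.conn_ratio)
            result[f] = {"state": "attack", "pass": legit,
                         "rate_limit": sorted(conns - set(legit))}
        return result


def constructed_traffic():
    """Synthetic edge observations as (local, foreign, outbound) tuples."""
    pkts = []
    pkts += [("192.0.2.10", "198.51.100.5", True)] * 40    # normal session, 40 out
    pkts += [("192.0.2.10", "198.51.100.5", False)] * 35   # ... and 35 back
    for h in ("192.0.2.20", "192.0.2.21", "192.0.2.22"):   # three flooding hosts
        pkts += [(h, "203.0.113.9", True)] * 300
    pkts += [("192.0.2.20", "203.0.113.9", False)] * 4      # the victim barely answers
    pkts += [("192.0.2.30", "203.0.113.9", True)] * 20      # a real user of the victim
    pkts += [("192.0.2.30", "203.0.113.9", False)] * 18
    pkts += [("10.9.9.9", "203.0.113.9", True)] * 50        # spoofed source address
    return pkts


def run_monitor(pkts, prefix="192.0.2.0/24"):
    mon = SourceEndMonitor(prefix)
    for p in pkts:
        mon.observe(*p)
    return mon.verdicts(), dict(mon.spoofed)


if __name__ == "__main__":
    verdicts, spoofed = run_monitor(constructed_traffic())
    for foreign, v in sorted(verdicts.items()):
        print(foreign, v)
    print("dropped spoofed sources:", spoofed)
```

The spoofed source 10.9.9.9 is the easy case: a packet leaving the network with a source outside its own prefix cannot be legitimate, so it is dropped before any ratio is computed. The flow to 203.0.113.9 is flagged as a whole, yet 192.0.2.30 keeps its service because its own connection stays symmetric. The abstract's caveat applies to everything here: a network that does not run the monitor is unaffected by it, which is why source-end defense is one building block rather than the whole solution.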

Proceedings ArticleDOI
11 Dec 2006
TL;DR: This work proposes to harvest the strengths of existing defenses by organizing them into a collaborative overlay, called DefCOM, and augmenting them with communication and collaboration functionalities, which naturally leads to an Internet-wide response to the DDoS threat.
Abstract: Increasing use of the Internet for critical services makes flooding distributed denial-of-service (DDoS) a top security threat. The distributed nature of DDoS suggests that a distributed mechanism is necessary for a successful defense. Three main DDoS defense functionalities -- attack detection, rate limiting and traffic differentiation -- are most effective when performed at the victim-end, core and source-end respectively. Many existing systems are successful in one aspect of defense, but none offers a comprehensive solution and none has seen wide deployment. We propose to harvest the strengths of existing defenses by organizing them into a collaborative overlay, called DefCOM, and augmenting them with communication and collaboration functionalities. Nodes collaborate during the attack to spread alerts and protect legitimate traffic, while rate limiting the attack. DefCOM can accommodate existing defenses, provide a synergistic response to attacks and naturally lead to an Internet-wide response to the DDoS threat.

99 citations


Cited by
Journal ArticleDOI
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,866 citations

Proceedings ArticleDOI
Frank McSherry
29 Jun 2009
TL;DR: PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.
Abstract: We report on the design and implementation of the Privacy Integrated Queries (PINQ) platform for privacy-preserving data analysis. PINQ provides analysts with a programming interface to unscrubbed data through a SQL-like language. At the same time, the design of PINQ's analysis language and its careful implementation provide formal guarantees of differential privacy for any and all uses of the platform. PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.

1,278 citations

Proceedings Article
16 Aug 2017
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets: the simplicity with which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Abstract: The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai's growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets: the simplicity with which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.

1,236 citations

Journal ArticleDOI
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

1,153 citations