2004 — 2009 |
Saunders, B. David; Mirkovic, Jelena |
N/AActivity Code Description: No activity code was retrieved: click on the grant title for more information |
Collaborative Research: DefCOM - Distributed Defense Against DDoS Attacks
Collaborative Research: DefCOM - Distributed Defense against DDoS
Jelena Mirkovic, University of Delaware; Peter Reiher, UCLA
Award 0430228
Abstract
This project investigates a distributed cooperative solution to the problem of distributed denial-of-service attacks. The proposed defense system, DefCOM, combines the advantages of victim-end defenses (accurate attack detection) and source-end defenses (efficient response and precise separation of the legitimate traffic from the attack traffic). It also enlists the help of backbone routers to control attack traffic in partial deployment scenarios where many potential sources do not deploy a source-end defense.
DefCOM nodes will be deployed in source, victim and core networks, and will cooperate via an overlay to detect and stop attacks. Overlay communication will ensure effective operation even if DefCOM nodes are sparsely and non-contiguously deployed. DefCOM's response to attacks is twofold: defense nodes reduce the attack traffic, freeing the victim's resources; and they also cooperate to detect legitimate traffic within the suspicious stream and ensure its correct delivery to the victim. Because networks deploying defense nodes directly benefit from their operation, DefCOM has a workable economic model to spur its deployment. DefCOM further offers a framework for existing security systems to join the overlay and cooperate in the defense. These features create excellent motivation for wide deployment, and the possibility of a large impact on the DDoS threat.
|
0.961 |
2007 — 2010 |
Mirkovic, Jelena |
CRI: CRD: iSim - Simulator of Internet-Scale Events
Dynamics of Internet-scale events such as worm propagation, distributed denial-of-service attacks, flash crowds, routing instabilities, and DNS attacks depend on the configuration of all the networks that generate or forward legitimate and malicious traffic. To fully understand these events, researchers need simulation tools that reproduce all the relevant event details and the event traffic's interaction with the Internet architecture. Collaborative defenses against Internet-scale attacks have also been proposed. The effectiveness of these defenses depends on the underlying Internet topology and the deployment locations, so high-fidelity Internet simulation is necessary to properly evaluate these defenses.
Current network simulators cannot be used to study Internet-scale events. They are general-purpose, packet-level simulators that reproduce too many details of network communication, which limits scalability. Even distributed versions of network simulators such as GTNetS and PDNS, designed for large-scale events, have limited scalability because each packet and its handling are simulated in minute detail. For example, PDNS requires powerful clusters of 100+ CPUs to simulate worm propagation with up to 1.28 M vulnerable hosts. Many researchers do not have access to such a large cluster. Another drawback of the current network simulators is that they lack a built-in Internet model. Researchers that aim to simulate Internet-scale events must themselves assemble the Internet topology, and determine end-host communication patterns, link bandwidths and routes. The effort required to set up a realistic Internet model from scratch is considerable, so many researchers adopt simplified models (e.g., assuming infinite bandwidth links, assuming a highly symmetric Internet topology, etc.), which leads to incorrect results. The iSim work builds upon our recent achievements in creating an Internet-scale simulator of worm propagation events, called PAWS. PAWS is a distributed simulator, deployed on the Emulab testbed. This project will explore the potential of the PAWS simulator as a community resource.
|
0.961 |
2007 — 2011 |
Mirkovic, Jelena |
CT-ISG: Collaborative Research: Enabling Routers to Detect and Filter Spoofed Traffic @ University of Southern California
0716452 Jelena Mirkovic, University of Delaware
0716829 Peter Reiher, UCLA
CT-ISG: Collaborative Research: Enabling Routers to Detect and Filter Spoofed Traffic
IP spoofing exacerbates many security threats. If spoofing were eliminated or sufficiently reduced, defenses against DDoS, distributed scanning and intrusions would be much simpler and more effective. Of particular interest are spoofing defenses that are both practical (cheap to deploy and operate) and effective (providing significant benefit in sparse deployment). This project develops two such defense mechanisms: (1) Clouseau, which enables routers on asymmetric paths to accurately infer associations between the route descriptor and the source address. It will support multiple associations (in case of multipath routing) and will promptly update associations when routes change. Clouseau will be integrated with two very effective spoofing defenses, route-based filtering (RBF) and hop-count filtering (HCF), and will protect deploying networks from spoofed traffic. (2) RAD, which helps networks protect themselves from reflector attacks.
Clouseau and RAD will operate completely autonomously. Deployment of Clouseau at as few as 50 chosen Internet autonomous systems, together with RBF or HCF, will reduce the amount of spoofed traffic on the Internet to less than 3%. In isolated deployment, Clouseau with RBF or HCF will reduce the spoofed traffic received by the deploying network to less than 3%. The RAD system will offer significant protection from reflector attacks in isolated deployment and almost perfect protection when RAD is deployed in the Internet core.
This research is leading to a significant reduction of spoofed traffic in the Internet. All code will be released to the public, and graduate and undergraduate students will receive valuable training from participation in this project.
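The hop-count filtering (HCF) that the abstract pairs with Clouseau works by inferring how many hops a packet travelled from its IP TTL and comparing that against the hop count previously learned for the source prefix. The following is an added example illustrating that check on constructed packets; it is not code from the Clouseau or RAD project. The initial-TTL set (32/64/128/255), the /24 table key, the tolerance parameter and the sample addresses are assumptions made for the example.

```python
"""Hop-count filtering (HCF) over constructed packet samples.

Added example, not code from the Clouseau/RAD project. HCF infers the hop
count a packet travelled from its IP TTL and rejects packets whose inferred
hop count disagrees with the value learned for the source prefix.
Assumptions: initial TTLs of 32/64/128/255, a /24 prefix as the table key,
and learning samples that are known to be unspoofed.
"""
import ipaddress
from collections import Counter, defaultdict

# Common OS default TTLs (assumption for this example).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    """Hop count = smallest common initial TTL >= observed TTL, minus the TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 is in INITIAL_TTLS")


def prefix_of(addr, prefix_len=24):
    """Aggregate sources by /24 so a few samples cover a whole network."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


class HopCountFilter:
    def __init__(self, tolerance=0):
        self.tolerance = tolerance              # allowed |observed - learned|
        self._samples = defaultdict(Counter)    # prefix -> Counter(hop count)
        self.table = {}                         # prefix -> most common hop count

    def learn(self, src, ttl):
        """Record one trusted (source, TTL) sample and refresh the table entry."""
        prefix = prefix_of(src)
        self._samples[prefix][infer_hop_count(ttl)] += 1
        self.table[prefix] = self._samples[prefix].most_common(1)[0][0]

    def check(self, src, ttl):
        """Return 'pass', 'spoofed', or 'unknown' (no entry for the prefix)."""
        expected = self.table.get(prefix_of(src))
        if expected is None:
            return "unknown"
        observed = infer_hop_count(ttl)
        return "pass" if abs(observed - expected) <= self.tolerance else "spoofed"


# Constructed learning samples, e.g. from completed TCP handshakes (not real data).
TRUSTED_SAMPLES = [
    ("203.0.113.10", 52), ("203.0.113.11", 52), ("203.0.113.12", 51),  # 12 hops (64 - 52)
    ("198.51.100.7", 111),                                             # 17 hops (128 - 111)
]

# Constructed packets to filter (not real data).
PACKETS = [
    ("203.0.113.20", 52),   # consistent with the learned 12 hops
    ("203.0.113.21", 240),  # claims 203.0.113.0/24 but arrives 15 hops away: spoofed
    ("198.51.100.9", 111),  # consistent with 17 hops
    ("192.0.2.1", 60),      # no entry: HCF cannot judge it
]


def run_demo(tolerance=0):
    """Learn from TRUSTED_SAMPLES, then classify PACKETS; returns {src: verdict}."""
    hcf = HopCountFilter(tolerance)
    for src, ttl in TRUSTED_SAMPLES:
        hcf.learn(src, ttl)
    return {src: hcf.check(src, ttl) for src, ttl in PACKETS}


if __name__ == "__main__":
    for src, verdict in run_demo().items():
        print(f"{src:15} {verdict}")
```

Two caveats a deployer would check: the table must be learned only from traffic known to be unspoofed, and it goes stale when routes change or differ per direction, which is the gap the abstract assigns to Clouseau's route inference. HCF also offers no verdict for prefixes it has never seen, and an attacker who knows the victim's table can forge the TTL along with the source address, so HCF raises the cost of spoofing rather than eliminating it.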
|
0.961 |
2008 — 2011 |
Wroclawski, John; Mirkovic, Jelena |
Collaborative Research: CT-M: Beyond Testbeds - Catalyzing Transformative Research and Education Through Cybersecurity Collaboratories (BTCT) @ University of Southern California
Experimental cybersecurity research is inherently risky. An experiment may involve releasing live malware code, operating a botnet, or creating highly disruptive network conditions. Realism is required in replicating attacks so that proposed defenses can be thoroughly tested and future attacks anticipated. This proposal, in addressing intellectual merit, seeks to develop a unique model for risky experiment management; enabling researchers to carry out experiments that interact with their larger environment while retaining both control and safety. The model forwarded here is based on a very simple line of reasoning: If the behavior of an experiment is completely unconstrained, the behavior of the host environment must be completely constraining, because it can assume nothing about the experiment; but, if the behavior of the experiment is constrained in some particular and well-chosen way or ways, the behavior of the host testbed can be less constraining, because the combination of experiment and environment constraints together can provide the required overall assurance of good behavior. The key benefit of this model is that both experimenter and testbed operator can proceed with assurance in carrying out a wide and interesting range of previously unsupportable experiments. The ultimate goal is to develop both implementation and formalization of this model, including logical tools to reason about experiment and testbed constraint composition (broader impact). Initial work will develop mechanisms to support the model in the DETER facility and similar Emulab-based testbeds.
The proposal was reviewed by panelists and received one Very Good, one Very Good/Good and one Good. Panelists viewed all three elements of the proposal (risky experimentation support, dynamic health monitoring, and federation of testbeds) to represent contributions to the field, with the most valuable area of the three being risky experimentation support. The panel overall wanted to see a stronger case made for improving existing security testbeds in general, and particularly a tie in with current uses and needs of the DETER testbed by researchers. Panelists recognized the team as being well qualified for the work. If successful, the activities were viewed as advancing the state-of-the-art in experimental facilities for cybersecurity.
|
0.954 |
2009 — 2012 |
Mirkovic, Jelena |
Collaborative Research: Hands-On Exercises on DETER Testbed for Security Education @ University of Southern California
Computer Science (31)
The objective of this collaborative project is to develop a public repository of practical security exercises for the undergraduate curriculum. These exercises involve students in hands-on security experiments, demonstrating realistic threats and defenses. They provide active learning opportunities in the computer security curriculum, which has typically been taught using passive learning methods. The exercises are hosted on the shared, public and free DETER testbed at the lead institution, the University of Southern California; the four collaborating institutions, Colorado State University, the University of California Los Angeles, Lehigh University, and the University of North Carolina at Charlotte, offer a unique and diverse experience in security education and research.
The setup of each exercise is fully automated with tools for customization of exercises; accompanied by detailed guidelines about common pitfalls; and supported by experiment health management to send students automated alerts when their experiment is not configured properly. The DETER testbed contains several traffic generation, visualization and experiment monitoring tools which allow students to work at a high-level via a simple GUI interaction as well as at low-level, command-line activities.
The project delivers portable, shared and publicly accessible exercises available from anywhere, at any time, making it more accessible than having to share a computer lab or requiring a complex physical setup. This project has the potential to reach a large number of institutions via outreach activities such as tutorials at security conferences, workshops, and the DETER newsletter.
|
0.954 |
2009 — 2013 |
Mirkovic, Jelena |
TC: Small: Privacy-Safe Sharing of Network Data via Secure Queries (PSEQ) @ University of Southern California
This project will explore a novel direction to address the privacy/utility tradeoff of trace sharing: secure queries on original traces under their owner's control. The data owner publishes a query language and an online portal, allowing researchers to submit sets of queries to be run on the data. Only certain operations are allowed on certain data fields, and in specific contexts. This policy is specified by the provider and enforced by the language interpreter. The interpreter analyzes the queries, runs those that are permitted and returns the results to the researcher. The results consist of aggregate information such as counts, histograms and distributions, not of individual packets.
Secure queries address the privacy/utility tradeoff much better than sanitization. Privacy is protected by the finer-grain control given to the data owner, which permits detection of many passive attacks and minimization of information leakage from active attacks. Future attack vectors can be handled by adding new constraints to the query language. Secure queries also show potential to reveal more data to researchers than was possible with sanitization. Fine-grain control via the query language enables processing of many fields in the application header, and even in sensitive application content, while satisfying the owner's privacy concerns. This is likely to increase the utility of public traces for application and security research.
The work will investigate the research utility of network trace data, and the relationship of known and novel attacks to combinations of packet fields, operations on those fields, and contexts that pose a privacy risk. Based on these findings, the team will develop a secure query language, Trol, and an interpreter for this language, Patrol. Trol will support common operations on traces needed for networking research, and Patrol will prohibit queries and contexts that pose a privacy risk as specified by the provider's privacy policy. Both the language and the policies will be extensible by data owners to accommodate future discoveries. Trol and Patrol will be deployed at USC/ISI and will run on publicly available, sanitized trace archives and on synthetically generated, full packet traces. This deployment will help to test the expressiveness and privacy protection of Trol operations. The team will also publicize the work among data owners, to motivate the shift from sanitization to protection of traces via secure queries.
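The abstract describes an interpreter that runs only those queries the provider's policy permits on a given field and returns aggregates rather than packets. The following is an added example of that enforcement pattern over a constructed trace; it is not the project's Trol or Patrol code. The field names, the operation set, the per-field policy and the bin-suppression threshold (a "context" rule in the abstract's sense) are assumptions made for the example.

```python
"""Policy-enforced aggregate queries over a packet trace.

Added example, not the project's Trol/Patrol code. The data owner's policy
says which aggregate operations each field supports; the interpreter refuses
everything else and never returns individual records. Field names, operations
and the suppression threshold are assumptions for this example.
"""
from collections import Counter
from statistics import mean

# Constructed trace records (not real data).
TRACE = [
    {"src": "10.0.0.1", "dport": 80,  "len": 512,  "payload": "GET /index.html"},
    {"src": "10.0.0.2", "dport": 80,  "len": 64,   "payload": "GET /login"},
    {"src": "10.0.0.3", "dport": 443, "len": 1500, "payload": "<tls>"},
    {"src": "10.0.0.1", "dport": 80,  "len": 1500, "payload": "POST /form"},
    {"src": "10.0.0.4", "dport": 22,  "len": 40,   "payload": "SSH-2.0"},
    {"src": "10.0.0.5", "dport": 80,  "len": 64,   "payload": "GET /"},
    {"src": "10.0.0.2", "dport": 443, "len": 512,  "payload": "<tls>"},
    {"src": "10.0.0.6", "dport": 80,  "len": 1500, "payload": "GET /img.png"},
]

# Provider policy: field -> operations permitted on it (assumption).
POLICY = {
    "dport":   {"count", "distinct", "histogram"},
    "len":     {"count", "distinct", "histogram", "mean"},
    "src":     {"count", "distinct"},   # how many sources, never which ones
    "payload": set(),                   # nothing may touch application content
}
# Context rule: a histogram bin is released only if it covers at least this
# many records, so a rare value cannot single out one packet (assumption).
MIN_BIN = 3


class QueryDenied(Exception):
    pass


def run_query(op, field, trace=TRACE, policy=POLICY, min_bin=MIN_BIN):
    """Run one aggregate query if the policy allows (op, field); else raise."""
    if op not in policy.get(field, set()):
        raise QueryDenied(f"{op} on {field!r} is not permitted by the policy")
    values = [rec[field] for rec in trace if field in rec]
    if op == "count":
        return len(values)
    if op == "distinct":
        return len(set(values))
    if op == "mean":
        return mean(values)
    if op == "histogram":
        counts = Counter(values)
        bins = {v: c for v, c in counts.items() if c >= min_bin}
        suppressed = sum(c for c in counts.values() if c < min_bin)
        return {"bins": bins, "suppressed": suppressed}
    raise QueryDenied(f"operation {op!r} is listed in the policy but not implemented")


def is_denied(op, field, **kw):
    """True when the interpreter refuses the query instead of answering it."""
    try:
        run_query(op, field, **kw)
        return False
    except QueryDenied:
        return True


def run_batch(queries, **kw):
    """Run a researcher's query set; denied queries come back as reasons, not data."""
    results = {}
    for op, field in queries:
        try:
            results[(op, field)] = run_query(op, field, **kw)
        except QueryDenied as exc:
            results[(op, field)] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for q, r in run_batch([("histogram", "dport"), ("mean", "len"),
                           ("distinct", "src"), ("histogram", "payload")]).items():
        print(q, "->", r)
```

The policy is a deny-by-default allow-list: an operation the provider never listed, such as "list", cannot run on any field, and a field with an empty set, here the payload, cannot be touched at all. The suppression threshold is the simplest form of the "context" constraint the abstract mentions; a real deployment would also have to bound how many related queries one researcher may combine, since differencing two permitted aggregates can reveal what neither reveals alone.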
|
0.954 |
2010 — 2012 |
Mirkovic, Jelena |
Investigating Network Testbed Usage @ University of Southern California
Network testbeds have revolutionized evaluation practices in computer science. Over the last decade many diverse testbeds have been built throughout the world, and the trend of building faster, bigger, and more diverse testbeds continues. On the other hand, there have been no studies of testbed use: specifically, who uses testbeds, for what types of research, and what the use patterns and practices are. Answering these questions would help testbed builders and funders understand the impact of their work and direct their efforts to maximize the payoff.
This project seeks to analyze existing data about testbeds, and collect new data, to understand how testbeds are used, by whom and for what purpose. It seeks to analyze usage over time and to infer and analyze short-term and long-term trends. It further seeks to understand what motivates people to use testbeds and what hinders their use. For those factors that hinder testbed use, it attempts to identify their underlying reason, namely whether they stem from a specific research field, from a specific testbed practice, or are inherent in the nature of network testbeds.
|
0.954 |
2011 — 2015 |
Mirkovic, Jelena |
SDCI Sec: Traffic Modeling and Generation with Custom Fidelity for Cyber Security Experimentation @ University of Southern California
Traffic generation plays an integral part of cyber-security defense testing in network testbeds. Generating just any traffic is easy, but generating realistic traffic is hard. The key reason for this is that "realistic" means different things to different people. The definition of realism depends on the use of the traffic in testing, but all existing traffic generators have a fixed definition of realism that users cannot change.
This project will build a traffic generator whose definition of realism can be fully specified by a user. The generator will consist of three modules: (1) a module that mines values for user-specified dimensions from traffic logs, (2) a module that generates random traffic that fits the model mined in the previous step, (3) a module that replays traffic from a log so that it exactly matches the logged traffic along the user-specified dimensions.
Intellectual Merit: The key novelty of this approach lies in the customizable definition of realism that the generator will support. By allowing users to specify their own reality dimensions this project's traffic generation tool will be generic enough to meet the evaluation needs of any cyber security researcher. Further, integration of the traffic generation from models and traffic replay in a single tool is novel; existing tools support only one of these generation approaches. Finally, the tool will support traffic generation at application, transport or network level while existing tools support it only at one select level.
Broader Impact: The proposed work will advance cyber-security defense research by supporting rigorous and realistic evaluation of its products. It will do that both by fitting researchers' needs and by being extremely portable and easy to deploy and use. Because users will be able to customize the definition of realism as they desire, the evaluation will properly stress the cyber-security defenses and its results will be predictive of the defenses' performance in real deployment. The traffic generator's capabilities to both generate traffic from learned models and to replay it from network logs enable a wide range of testing strategies and support thorough exploration of the problem space. Better evaluation strategies will lead to better cyber-security defenses. The project will integrate our traffic generator with the DETER testbed for cyber security experimentation. All software will also be released as open-source under the GNU GPL v3 license.
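The three modules described above (mine a model along user-chosen dimensions, generate random traffic that fits it, replay a log while holding the chosen dimensions exact) can be shown end to end on a small log. The following is an added example of that pipeline; it is not the project's own generator. The log format, the derived inter-arrival dimension, the independence of dimensions during sampling, and the choice to resample non-kept dimensions during replay are all assumptions made for the example.

```python
"""Traffic model mining, generation and replay along user-chosen dimensions.

Added example, not the project's generator. The user names the dimensions that
must be realistic; the miner builds an empirical distribution for each from a
log, the generator samples new traffic from those distributions, and the
replayer copies a log while keeping the chosen dimensions exactly and
resampling the rest. The log format, the independence of dimensions and the
'iat' derivation are assumptions.
"""
import random
from collections import Counter

# Constructed packet log (not real data): timestamp, protocol, port, size.
LOG = [
    {"t": 0.00, "proto": "tcp", "dport": 80,  "len": 512},
    {"t": 0.02, "proto": "tcp", "dport": 80,  "len": 1500},
    {"t": 0.05, "proto": "udp", "dport": 53,  "len": 64},
    {"t": 0.05, "proto": "tcp", "dport": 443, "len": 1500},
    {"t": 0.30, "proto": "tcp", "dport": 80,  "len": 40},
    {"t": 0.31, "proto": "udp", "dport": 53,  "len": 64},
]


def with_iat(log):
    """Add the derived dimension 'iat' (inter-arrival time) to each record."""
    out, prev = [], None
    for rec in log:
        rec = dict(rec)
        rec["iat"] = 0.0 if prev is None else round(rec["t"] - prev, 6)
        prev = rec["t"]
        out.append(rec)
    return out


def mine(log, dims):
    """Module 1: empirical distribution (value -> count) of each chosen dimension."""
    recs = with_iat(log)
    return {d: Counter(r[d] for r in recs) for d in dims}


def sample(dist, rng):
    """Draw one value from an empirical distribution, weighted by its counts."""
    values, weights = zip(*dist.items())
    return rng.choices(values, weights=weights)[0]


def generate(model, n, seed=0):
    """Module 2: synthesize n records whose modeled dimensions follow the model."""
    rng = random.Random(seed)
    out, t = [], 0.0
    for _ in range(n):
        rec = {d: sample(dist, rng) for d, dist in model.items()}
        if "iat" in rec:                 # rebuild timestamps from sampled gaps
            t += rec["iat"]
            rec["t"] = round(t, 6)
        out.append(rec)
    return out


def replay(log, keep, model, seed=0):
    """Module 3: copy the log, keeping dims in `keep` exactly; resample other modeled dims."""
    rng = random.Random(seed)
    out = []
    for rec in with_iat(log):
        new = {d: rec[d] for d in keep}
        for d, dist in model.items():
            if d not in keep:
                new[d] = sample(dist, rng)
        out.append(new)
    return out


def fidelity(dist, values):
    """Total variation distance between a mined distribution and produced values;
    0.0 means the traffic matches the model exactly along that dimension."""
    total_m = sum(dist.values())
    got = Counter(values)
    total_g = len(values)
    keys = set(dist) | set(got)
    return 0.5 * sum(abs(dist[k] / total_m - got[k] / total_g) for k in keys)


if __name__ == "__main__":
    model = mine(LOG, ["len", "iat"])
    synthetic = generate(model, 50, seed=7)
    print("len fidelity of generated traffic:",
          round(fidelity(model["len"], [r["len"] for r in synthetic]), 3))
    replayed = replay(LOG, ["len"], model, seed=1)
    print("len fidelity of replayed traffic:",
          fidelity(model["len"], [r["len"] for r in replayed]))
```

The fidelity function is what makes "realistic along the user-specified dimensions" testable: replay scores exactly 0.0 on a kept dimension because the multiset of values is unchanged, while generated traffic only approaches 0.0 as the sample grows. Sampling each dimension independently is the simplest model and loses correlations (for example between port and packet size); a user who names such a pair as a dimension would need the miner to build a joint distribution instead.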
|
0.954 |
2012 — 2014 |
Mirkovic, Jelena |
TWC: Small: Critter@Home: Content-Rich Traffic Trace Repository from Real-Time, Anonymous, User Contributions @ University of Southern California
There are very few publicly available network traces that contain application-level data, because of the enormous privacy risk that sharing such data creates. Application-level data is rich with personal and private information, such as human names, social security numbers, etc. that criminals can monetize. Yet such data is necessary for realistic testing of research products, and for understanding trends in the domain of networking and network applications.
This project develops a publicly accessible, diverse and fresh archive of content-rich network data, contributed by volunteer users, called Critter-at-home. Users join the Critter overlay whenever online, offering their data to interested researchers. Privacy of data contributors is protected by several means. First, contributors may opt to host their own data on their machines, thus retaining full control over it. Second, we process contributed data to modify all personal and private information (PPI) and we encrypt it. Third, no human apart from the contributor ever accesses the raw, PPI-sanitized data. Instead, researchers query the data via our Critter-at-home framework, and they receive aggregate statistics (counts, distributions, etc.) of the traffic features they query for. Fourth, all contact with a contributor is at her discretion and is done through an anonymous network, where contributor identities are hidden.
The archive this project creates will greatly advance security research by providing necessary data for its validation and for data mining. This archive will further be valuable to the broader networking community, e.g., for realistic traffic generation, as ground truth in traffic classification, and for many other purposes.
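The second protection above, modifying all PPI in contributed content before anyone else sees it, has to keep repeated identifiers linkable or the aggregate statistics in the third protection (distinct-source counts, per-user distributions) become meaningless. The following is an added example of one way to do that, replacing each PPI match with a keyed, consistent pseudonym; it is not Critter@Home's own code. The PPI patterns (SSN and e-mail only), the HMAC-based token format and the sample requests are assumptions made for the example, and names, which the abstract also lists, would need a dictionary or entity-recognition pass that this example does not attempt.

```python
"""PPI sanitization with consistent keyed pseudonyms for contributed content.

Added example, not Critter@Home's own code. Personal and private information
(PPI) found in application content is replaced by an HMAC of the value under a
contributor-held key, so repeated identifiers stay linkable for aggregate
statistics while raw values never leave the contributor's machine. The PPI
patterns (SSN, e-mail) and the token format are assumptions.
"""
import hashlib
import hmac
import re
from collections import Counter

# PPI patterns handled here (assumption: a real deployment needs many more).
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
TOKEN_RE = re.compile(r"<email:[0-9a-f]{12}>")


def pseudonym(kind, value, key):
    """Keyed, consistent replacement: same value + same key -> same token."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{digest}>"


def sanitize(text, key):
    """Replace every PPI match in `text`; returns (sanitized_text, Counter of kinds found)."""
    found = Counter()

    def replacer(kind):
        def repl(match):
            found[kind] += 1
            return pseudonym(kind, match.group(0), key)
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(replacer(kind), text)
    return text, found


def contains_ppi(text):
    """Post-sanitization check: does any known PPI pattern still match?"""
    return any(p.search(text) for p in PATTERNS.values())


def email_tokens(text):
    """The e-mail pseudonyms present in a sanitized record, in order."""
    return TOKEN_RE.findall(text)


# Constructed application-layer content (not real data).
CONTRIBUTED = [
    "POST /signup user=alice@example.com ssn=123-45-6789",
    "POST /signup user=bob@example.org ssn=987-65-4321",
    "GET /profile?user=alice@example.com",
]


def sanitize_all(records, key):
    """Sanitize each record; returns (sanitized records, number of distinct e-mail tokens).

    The distinct count is the kind of aggregate that still works after
    sanitization because the pseudonyms are consistent under one key."""
    out = [sanitize(r, key)[0] for r in records]
    distinct = len({tok for r in out for tok in email_tokens(r)})
    return out, distinct


if __name__ == "__main__":
    clean, n = sanitize_all(CONTRIBUTED, b"contributor-held-secret")
    for line in clean:
        print(line)
    print("distinct e-mail identities:", n)
```

The key stays with the contributor, so tokens from two contributors are not linkable to each other or back to the original values, which matches the abstract's model where nobody but the contributor touches the raw data. The `contains_ppi` check is the assertion to run before any record is released; a pattern set that misses a PPI class leaks it silently, which is why the abstract's design still routes researchers through aggregate queries rather than trusting sanitization alone.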
|
0.954 |
2017 — 2019 |
Mirkovic, Jelena |
Collaborative Research: Modeling Student Activity and Learning on Cybersecurity Testbeds @ University of Southern California
This project, led by the University of Southern California in collaboration with Evergreen State College and Lewis and Clark College, aims to develop tools that automatically assess student learning in practical cybersecurity tasks, both for individual students and for the entire class. This is currently a challenge because such tasks are often open-ended and exploratory in nature. Because they can be completed in many ways, student learning in cybersecurity may not always be recognized by the instructor. This makes it hard to assess the sophistication of a student's path to success. Similarly, it may also be a challenge to identify the reasons why students experience failure, and to provide useful and timely feedback to students and instructors. The proposed project work will uncover reasons behind student underperformance in practical cybersecurity exercises, and will help identify effective interventions. The proposed research may also help network testbeds retain and better serve their users. The impact of these activities will be three-fold. First, the developed tools will be integrated with two previously developed platforms for cybersecurity exercises: DeterLab and EDURange. This will directly impact approximately 2,000 students annually. Second, the tools will be highly portable to other platforms that use Linux in practical cybersecurity exercises, and can reach a wider audience. Third, the tools will help retain talent from disadvantaged and minority populations, as they will allow for earlier intervention and feedback to complete challenging, practical tasks.
This project will develop ACSLE, a framework for automated assessment of student learning in practical cybersecurity exercises. ACSLE will engage in constant and extensive monitoring of student interaction with the computer, and will allow for the correlation with desired learning outcomes. ACSLE starts with the development of tools that monitor low-level student activities, such as commands typed, traffic generated and files and processes created. These low-level records are then synthesized into high-level indicators of student progress on a given cybersecurity task. The outcomes will allow for: (1) classification of students into several learning styles based on proficiency with a task and level of foundational skill; (2) clustering of solutions to specific learning challenges identified in student groups that have similar learning styles; (3) collection of successful learning paths developed over time and methods for identifying struggling students; (4) identification of causes of failure and delivery of appropriate learning interventions; and (5) aggregation of performance data for a class as well as identification of tasks that are difficult for many students. ACSLE will thus provide useful information for students and teachers, and improve overall learning in practical cybersecurity exercises.
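The synthesis step described above, turning low-level records of what a student typed into high-level indicators of progress on a task, can be illustrated with a small rule set. The following is an added example of that fold over a constructed command log; it is not the ACSLE framework's code. The exercise, its three milestones and their command patterns, the failure-count threshold for flagging a struggling student, and the two sample logs are all hypothetical.

```python
"""Synthesizing low-level activity records into task-progress indicators.

Added example, not the ACSLE framework's code. Input is a constructed log of
commands a student typed with exit statuses; milestone rules map command
patterns to steps of a hypothetical exercise, and the synthesis reports which
steps were reached, when, and how many failed attempts preceded each, flagging
a student as struggling past a threshold. The exercise, its milestones and
the threshold are assumptions.
"""
import re

# Hypothetical exercise milestones: name -> pattern a completing command matches.
# Ordered: a later milestone is only looked for once the earlier one is reached.
MILESTONES = [
    ("scan_target",   re.compile(r"^nmap\b")),
    ("find_service",  re.compile(r"^(nc|netcat|curl)\b")),
    ("retrieve_flag", re.compile(r"^cat\b.*\bflag")),
]
STRUGGLE_THRESHOLD = 3   # failed commands before a milestone (assumption)

# Constructed activity logs (not real data): seconds since start, command, exit status.
ACTIVITY = [
    (5,   "ls",                        0),
    (20,  "nmap 10.0.0.5",             0),
    (60,  "nc 10.0.0.5 8080",          1),
    (75,  "nc 10.0.0.5 8080",          1),
    (90,  "nc 10.0.0.5 8081",          1),
    (110, "curl http://10.0.0.5:8081", 0),
    (140, "cat /tmp/flag.txt",         0),
]
ACTIVITY_B = [   # a student who stalls after the scan
    (10, "nmap 10.0.0.5",    0),
    (30, "nc 10.0.0.5 8080", 1),
    (50, "nc 10.0.0.5 8080", 1),
]


def synthesize(activity, milestones=MILESTONES, threshold=STRUGGLE_THRESHOLD):
    """Fold raw command records into per-milestone progress indicators."""
    progress = {}
    failures_since_last = 0
    next_idx = 0
    for t, cmd, status in activity:
        if next_idx >= len(milestones):
            break                               # exercise complete
        name, pattern = milestones[next_idx]
        if pattern.search(cmd) and status == 0:
            progress[name] = {"time": t,
                              "failed_attempts": failures_since_last,
                              "struggling": failures_since_last >= threshold}
            failures_since_last = 0
            next_idx += 1
        elif status != 0:
            failures_since_last += 1            # any failing command counts
    return {
        "reached": [m for m, _ in milestones if m in progress],
        "missing": [m for m, _ in milestones if m not in progress],
        "details": progress,
        "flag_for_intervention": any(p["struggling"] for p in progress.values())
                                 or failures_since_last >= threshold,
    }


def class_summary(student_logs, milestones=MILESTONES):
    """Share of students who reached each milestone; low values mark hard steps."""
    n = len(student_logs)
    reached = {m: 0 for m, _ in milestones}
    for log in student_logs:
        for m in synthesize(log, milestones)["reached"]:
            reached[m] += 1
    return {m: round(c / n, 2) for m, c in reached.items()}


if __name__ == "__main__":
    for name, log in (("student A", ACTIVITY), ("student B", ACTIVITY_B)):
        print(name, synthesize(log))
    print("class:", class_summary([ACTIVITY, ACTIVITY_B]))
```

Even this small rule set already yields the two indicator types the abstract calls for: per-student ones (student A reached every milestone but needed three failed attempts before finding the service, so the tool would flag that step for feedback) and class-level ones (the summary shows where half the class stalls). Real exercises admit many solution paths, which is why the abstract pairs rules like these with clustering of observed solutions rather than a single fixed command pattern per step.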
|
0.954 |