Worms and Viruses

We have recently started a new project at the University of Delaware that focuses on detection of and defense against zero-day and polymorphic worms and viruses. This project is at an early stage.

Distributed denial-of-service

D-WARD was my Ph.D. thesis project at UCLA. I am continuing this work at the University of Delaware. D-WARD is a DDoS defense system that detects and controls outgoing DDoS attacks. It is an inline defense system installed at the exit router of an end network. D-WARD continuously monitors incoming and outgoing traffic, collecting per-destination and per-connection statistics. Periodic profiling of those statistical records reveals anomalies in traffic dynamics, which D-WARD reports as potential attack alerts. In response, D-WARD imposes a dynamic rate limit on all outgoing traffic to the alleged victim. This rate limit is selective: packets from those connection records that are deemed legitimate are allowed to proceed to the victim regardless of the rate limit. D-WARD has been evaluated extensively in a controlled testbed environment, in joint tests with other research groups and in real network operation, and has demonstrated high detection accuracy and swift, selective response. To learn more, visit the UCLA Web page on the D-WARD project.
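As an added illustration of the source-end approach described above (example code, not D-WARD's own), the following toy model collects per-destination and per-connection out/in packet counts over one monitoring window, raises an alert when a destination's outgoing-to-incoming ratio is anomalous, and rate-limits outgoing packets to that destination while connections with healthy two-way exchange bypass the limit. The ratio criterion, the thresholds and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    host: str       # host inside the defended network
    peer: str       # external destination it talks to
    direction: str  # "out" (leaving via the exit router) or "in" (reply)


def profile(packets):
    """Per-destination and per-connection (host, peer) counts of [out, in]."""
    per_dest = defaultdict(lambda: [0, 0])
    per_conn = defaultdict(lambda: [0, 0])
    for p in packets:
        i = 0 if p.direction == "out" else 1
        per_dest[p.peer][i] += 1
        per_conn[(p.host, p.peer)][i] += 1
    return per_dest, per_conn


def anomalous(out, inc, max_ratio):
    """Assumed anomaly criterion: far more packets sent than received."""
    return out / max(inc, 1) > max_ratio


def detect(per_dest, max_ratio=3.0, min_out=20):
    """Alert on destinations with enough outgoing traffic and a skewed ratio."""
    return {d for d, (out, inc) in per_dest.items()
            if out >= min_out and anomalous(out, inc, max_ratio)}


def police(packets, per_conn, alerts, limit, max_ratio=3.0):
    """Selective rate limit: legitimate (two-way) connections are not limited."""
    budget = {d: limit for d in alerts}
    fwd, drop = [], []
    for p in packets:
        if p.direction == "in" or p.peer not in alerts:
            fwd.append(p)                                   # not policed
        elif not anomalous(*per_conn[(p.host, p.peer)], max_ratio):
            fwd.append(p)                                   # deemed legitimate
        elif budget[p.peer] > 0:
            budget[p.peer] -= 1                             # within rate limit
            fwd.append(p)
        else:
            drop.append(p)                                  # over the limit
    return fwd, drop


def run_example():
    traffic = []                                 # constructed sample window
    for z in ("z1", "z2", "z3"):                 # one-way flood toward V
        traffic += [Packet(z, "V", "out")] * 10
    traffic += [Packet("h1", "V", "out")] * 6 + [Packet("h1", "V", "in")] * 5
    traffic += [Packet("h2", "W", "out")] * 8 + [Packet("h2", "W", "in")] * 8
    per_dest, per_conn = profile(traffic)
    alerts = detect(per_dest)
    fwd, drop = police(traffic, per_conn, alerts, limit=5)
    h1_fwd = sum(1 for p in fwd if p.host == "h1" and p.direction == "out")
    return alerts, len(fwd), len(drop), h1_fwd
```

In the sample window only V is alerted; the flood from z1..z3 is cut to the limit of 5 packets while all 6 outgoing packets of h1's two-way connection to V and all traffic to W pass untouched.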

DefCOM is a project conducted at UCLA, with my participation. DefCOM builds a distributed peer-to-peer framework that various DDoS defense nodes can join. It facilitates communication between nodes located throughout the Internet: close to the victim, close to attack sources and in the middle of the Internet backbone. Through this communication, nodes cooperatively fight DDoS attacks, complementing their deficiencies with the strengths of other framework participants. DefCOM provides fast and accurate attack detection by victim-end nodes, distributed suppression of attacks close to attack sources by core nodes, and privileged handling of those packets that are labeled legitimate by source-end defense nodes. Any DDoS defense system can become a part of DefCOM by supporting the communication required by the framework and committing to provide the functionality of a victim, a source or a core defense node. To learn more, visit the UCLA Web page on the DefCOM project.

Measuring DDoS Defense. This is an ongoing joint effort between my group at the University of Delaware and the LASR group at UCLA to define a common methodology for evaluating DDoS defense systems. Presently, there exist numerous DDoS defense approaches that all work well in some scenarios and perform poorly in others. Defining a common evaluation framework would help us compare those approaches to one another, combine them to complement their strengths and eliminate weaknesses, and identify missing pieces for a comprehensive DDoS defense.

IP spoofing

SAVE is a project conducted at UCLA, with my participation. The goal of the SAVE project is to design protocols for building the incoming tables at core routers. Incoming tables are the tables necessary for route-based filtering of packets with spoofed IP source addresses. To learn more, visit the UCLA Web page on the SAVE project.