Assessing and Characterizing DDoS Amplification Attacks
This work proposes a novel approach to infer and characterize Internet-scale amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneering work on inferring Distributed Denial of Service (DDoS) activities using darknets, this work shows that DDoS activities can be extracted without relying on backscatter analysis. The aim of this work is to extract cyber security intelligence related to amplification DDoS activities, such as detection period, attack duration, intensity, packet size, rate and geo-location, in addition to various network-layer and flow-based insights. To achieve this, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using big data collected on our network infrastructure. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities, including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such amplification DDoS attacks. This work leads to a better understanding of the nature and scale of this threat and can generate inferences that could contribute to detecting, preventing, assessing, mitigating and even attributing amplification DDoS activities.
Since telephony and the web are converging, Postdoctoral Fellow Payas Gupta is exploring security issues in the telephony security domain. He is also involved in many research projects related to human subjects and user authentication for smartphones. Some of the detection systems resulting from the research on Phoneypot have been integrated into commercial products distributed by Pindrop Security Inc., a spin-off of Georgia Tech that specializes in phone fraud detection, to protect enterprise call centers and phone users, and by Nomorobo, which specializes in stopping robocalls.
Design for Secure Testability (DfST)
When a chip is manufactured, it is tested for possible manufacturing-related faults, and scan-based DfT is the most widely used test infrastructure for enhancing access and, thus, testability. However, for secure chips, this test infrastructure can be misused to leak secret information in the form of the chip's test responses. State-of-the-art countermeasures block the data flow from the functional mode of a chip to the test mode, thus blocking any leakage through test responses. Postdoctoral Fellow Subidh Ali is developing a new class of attacks that use only the test mode of the chip, and has shown new vulnerabilities in the state-of-the-art countermeasures. As a result, he proposes new countermeasures that can protect against all the attacks that misuse the test infrastructure of a chip. Results of this research are published in top-tier hardware security conferences and journals. For example, Subidh's work won the best paper award in the security track of VLSI-SoC 2013 and was included as a chapter in the Springer book VLSI-SoC: From Algorithms to Circuits and System-on-Chip Design.