Ali Hamieh | University of Michigan
Papers by Ali Hamieh
2016 11th International Conference on Availability, Reliability and Security (ARES), 2016
An Amplified DNS DDoS (ADD) attack involves tens of thousands of DNS resolvers that send huge volumes of amplified DNS responses to a single victim host, quickly flooding the victim's network bandwidth. Because ADD attacks are distributed, it is difficult for individual DNS resolvers to detect them based on local DNS query rates alone. Even if a victim detects an ADD attack, it cannot stop the attacker from flooding its network bandwidth. To address this problem, we present a novel mitigation system called "Distributed Rate Sharing based Amplified DNS-DDoS Attack Mitigation" (DRS-ADAM). DRS-ADAM facilitates DNS query rate sharing between DNS resolvers that are involved in an attack to detect and completely stop an ADD attack. Each DNS resolver quickly builds the global DNS query rate for potential victims by accumulating the shared rate values, and uses that global rate to make mitigation decisions locally. DRS-ADAM can be easily deployed through a small software update on resolvers and victim hosts, and does not require any additional server component. Our simulation results show that DRS-ADAM can contain the peak attack rates close to a victim's acceptable threshold values (which are far smaller than their sustainable bandwidth) at all times, regardless of the number of resolvers involved in ADD attacks. ADD attacks can be fully mitigated within a few seconds.
Social insect colonies have survived over evolutionary time in part due to the success of their collaborative methods: using local information and distributed decision making algorithms to detect and exploit critical resources in their environment. These methods have the unusual and useful ability to detect anomalies rapidly, with very little memory, and using only very local information. Our research investigates the potential for a self-organizing anomaly detection system inspired by those observed naturally in colonies of honey bees. We provide a summary of findings from a recently presented algorithm for a nonparametric, fully-distributed coordination framework that translates the biological success of these methods into analogous operations for use in cyber defense and discuss the features that inspired this translation. We explore the impacts to detection performance from the defined range of distributed communication for each node and from involving only a small percent of total nodes in the network in the distributed detection communication. We evaluate our algorithm using a software-based testing implementation, and demonstrate up to 20% improvement in detection capability over parallel, isolated anomaly detectors.
In this paper, we describe a fully nonparametric, scalable, distributed detection algorithm for intrusion/anomaly detection in networks. We discuss how this approach addresses a growing trend in distributed attacks while also providing solutions to problems commonly associated with distributed detection systems. We explore the impacts to detection performance from network topology, from the defined range of distributed communication for each node, and from involving only a small percent of total nodes in the network in the distributed detection communication. We evaluate our algorithm using a software-based testing implementation, and demonstrate up to 20% improvement in detection capability over parallel, isolated anomaly detectors for both stealthy port scans and DDoS attacks.
Caching is an effective technique to improve the quality of streaming multimedia services. In this paper, we propose a novel content caching scheme referred to as “Cache Management using Temporal Pattern based Solicitation” (CMTPS), to further minimize both service delays and load in the network for Video on Demand (VoD) applications. CMTPS is based on the analysis of clients' requests over past time intervals to predict the contents that will be solicited in the near future. By means of experimental tests, the CMTPS protocol is evaluated. The obtained results show that CMTPS outperforms LRU, in terms of peak traffic reduction and number of cache hits.
Mobile ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. The military tactical and other security-sensitive operations are still the main applications of ad hoc networks. One main challenge in design of these networks is their vulnerability to Denial-of-Service (DoS) attacks. In this paper, we consider a particular class of DoS attacks called Jamming. The objective of a jammer is to interfere with legitimate wireless communications. A jammer can achieve this goal by either preventing a real traffic source from sending out a packet, or by preventing the reception of legitimate packets. We propose in this study a new method of detection of such attack by the measurement of error distribution.
Wireless ad hoc networks are vulnerable to jamming attacks due to their shared medium. Jamming is a type of Denial of Service (DoS), in which the attacker tries to block the communication by interfering with the radio signals. Among the DoS attacks, jamming is very simple to achieve and very hard to eliminate. In this paper, we present POWJAM (POWer reaction system against JAMming attacks), a system to react to jamming attacks in wireless ad hoc networks. The basic idea of POWJAM is to hide the communication from a reactive jammer through changing the transmission power. In normal 802.11 ad hoc networks, if a node A wants to communicate with its neighbors it uses a direct link. However, in POWJAM, A uses a path, in which the jammer cannot hear the communication on this path. By means of simulation, the POWJAM system is evaluated. Results show the effectiveness of POWJAM to defend against reactive jammers.