I'm Maria Konte, Research Scientist @ Georgia Institute of Technology.

My research is on data-driven network security, with an emphasis on understanding how early indications of Internet abuse materialize, designing and deploying systems to detect them. My approach often involves designing large scale data collection systems, and intersects empirical measurements and data mining techniques.

Representative projects I am working on include:



I am a Research Scientist at the School of Computer Science at Georgia Tech and I am affiliated with the Institute for Information Security & Privacy. My supervisor is Dr. Wenke Lee. I received the Ph.D. degree in Computer Science at Georgia Tech in 2015. My advisor was Dr. Nick Feamster.

During my Ph.D. degree years I interned at the Cybersecurity Group at Verisign Labs, working with Allison Mankin. Prior to joining the Ph.D. program, I received the M.S. degree in Computer Science at Georgia Tech. I also hold an M.S. degree in Systems Engineering from Boston University, and a Diploma in Eng. from Industrial Engineering and Management Dept. at Technical University of Crete, Greece.

Prior to joining Georgia Tech as a Research Scientist I was a Research Scientist at cybersecurity startup Damballa.



Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs
Karthika Subramani, Roberto Perdisci, Maria Konte
In Proceedings of DIMVA 2021

Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated.
In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim's network bandwidth.


  title={Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs},
  author={Subramani, Karthika and Perdisci, Roberto and Konte, Maria},
  booktitle={International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},

Understanding and Defending Against Internet Infrastructures Supporting Cybercrime Operations
M. Konte, Georgia Tech, 2015

ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes
M. Konte, R. Perdisci, N. Feamster
In Proceedings of SIGCOMM 2015

Bulletproof hosting Autonomous Systems (ASes)—maliciousASes fully dedicated to supporting cybercrime—provide free-dom and resources for a cyber-criminal to operate. Theirservices include hosting a wide range of illegal content, bot-net C&C servers, and other malicious resources. Thousandsof new ASes are registered every year, many of which areoften used exclusively to facilitate cybercrime. A natural ap-proach to squelching bulletproof hosting ASes is to develop areputation system that can identify them for takedown by lawenforcement and as input to other attack detection systems(e.g., spam filters, botnet detection systems). Unfortunately,current AS reputation systems rely primarily on data-planemonitoring of malicious activity from IP addresses (and thuscan only detect malicious ASes after attacks are underway),and are not able to distinguish betweenmaliciousandlegiti-mate but abusedASes.
As a complement to these systems, in this paper, we ex-plore a fundamentally different approach to establishing ASreputation. We presentASwatch, a system that identifies mali-cious ASes using exclusively thecontrol-plane(i.e., routing)behavior of ASes.ASwatch’s design is based on the intuitionthat, in an attempt to evade possible detection and remediationefforts, malicious ASes exhibit “agile” control plane behavior(e.g., short-lived routes, aggressive re-wiring). We evaluateour system on known malicious ASes; our results show thatASwatchdetects up to 93% of malicious ASes with a 5% falsepositive rate, which is reasonable to effectively complementexisting defense systems.


  title={Aswatch: An as reputation system to expose bulletproof hosting ases},
  author={Konte, Maria and Perdisci, Roberto and Feamster, Nick},
  booktitle={Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication},

Re-wiring Activity of Malicious Networks
M. Konte and N. Feamster
In Proceedings of PAM 2012

This paper studies the AS-levelre-wiring dynamics(changes in theconnectivity) of malicious networks. Anecdotal evidence suggests that some ma-licious ASes that are primarily involved in nefarious activities on the Internet,were sequentially de-peered by providers before their final cut-off (as occurredin the well-publicized cases of Atrivo/Intercage). We present the first systematicstudy of the re-wiring dynamics of malicious ASes. We tracked the ASes thatwere listed by Hostexploit over the last two years and compared their AS-levelre-wiring dynamics with non-reported ASes. Using a publicly available dataset ofCustomer-Provider (CP) relations in the Internet’s AS graph, we studied how in-terconnection between autonomous systems evolves, both for ASes that provideconnectivity for attackers and ASes that were not reported as malicious. We findthat malicious networks are more aggressive both in forming links with providersand changing their upstream connectivity than other ASes. Our results indicatethat the re-wiring dynamics of the networks that host attacks are stable over time,despite the evolving nature of the attacks themselves, which suggests that existingdefense mechanisms could benefit from incorporating these features.


  title={Re-wiring activity of malicious networks},
  author={Konte, Maria and Feamster, Nick},
  booktitle={International Conference on Passive and Active Network Measurement},
Poster SIGCOMM 2011
Talk at NANOG 62

Dynamics of Online Scam Hosting Infrastructure
M. Konte, N. Feamster and Jaeyeon Jung
In Proceedings of PAM 2009
Best Paper Award

This paper studies the dynamics of scam hosting infrastructure, withan emphasis on the role of fast-flux service networks. By monitoring changes inDNS records of over 350 distinct spam-advertised domains collected from URLsin 115,000 spam emails received at a large spam sinkhole, we measure the ratesand locations of remapping DNS records, and the rates at which “fresh” IP ad-dresses are used. We find that, unlike the short-lived nature of the scams them-selves, the infrastructure that hosts these scams has relatively persistent featuresthat may ultimately assist detection.


  title={Dynamics of online scam hosting infrastructure},
  author={Konte, Maria and Feamster, Nick and Jung, Jaeyeon},
  booktitle={International conference on passive and active network measurement},
Technical Report



Class Program Number of Students Content Notes Semesters
CS6250, Graduate Computer Networks OMS in CS 700+ per semester Reproduced entire course 2016 - now
CS3251, Undergraduate Computer Networks CS 100+ per semester Updated syllabus Spring 2017, Spring 2020, Fall 2020



I am looking to work with students: If you are already a student at GT, please feel free to contact me.

I feel fortunate that I have worked with very talented students over their MS in CS or MS in Cybersecurity projects:

Arindum Roy
Sahithi Puligundla
Benjamin Bernard Vargas
Pablo Boserman
Vaishnavi Kannan
Karan Rajesh Kishinani
Vatsal Srivastava
Gali Prem Sagar
Tina Johnson
Changho Brian Lee
Sangharsh Aglave
Jingyang Sui
Manuel Arene
Golder Kamuzora
Sam Paulissian
Akshay Sharma



I have been organizing our weekly seminar; the Cybersecurity Lecture Series. The seminar takes place every Friday at noon. It is open to the entire GT community and the audience comprises of students, faculty and staff with wide range of backgrounds.

If you would like to receive news or browse past talks, please see here: https://cyber.gatech.edu/cyber-lecture

Please feel free to send me a note if your work is in the area of security, and you are interested in giving a talk.


Get in Touch


CODA Building
756 W Peachtree St NW
Atlanta GA 30308


Send me a note