DDoS-as-a-Smokescreen: Leveraging Netflow Concurrency and Segmentation for Faster Detection

Title: DDoS-as-a-Smokescreen: Leveraging Netflow Concurrency and Segmentation for Faster Detection
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Ricks, Brian; Tague, Patrick; Thuraisingham, Bhavani
Conference Name: 2021 Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)
Date Published: Dec
Keywords: anomaly detection, composability, Concurrency, concurrent flow, Conferences, DaaSS, DDoS, DDoS-as-a-smokescreen, denial-of-service attack, distributed denial-of-service, feature extraction, Internet, Intrusion detection, Metrics, NetFlow, Personnel, privacy, pubcrawl, resilience, Resiliency, security, segmented flow, smoke-screen, underlying attack
Abstract: In the ever-evolving Internet threat landscape, Distributed Denial-of-Service (DDoS) attacks remain a popular means to invoke service disruption. DDoS attacks, however, have evolved to become a tool of deceit, providing a smokescreen or distraction while some other underlying attack takes place, such as data exfiltration. Knowing the intent of a DDoS, and detecting underlying attacks which may be present concurrently with it, is a challenging problem. An entity whose network is under a DDoS attack may not have the support personnel to both actively fight the DDoS and mitigate underlying attacks. Therefore, any system that can detect such underlying attacks should do so only with a high degree of confidence. Previous work utilizing flow aggregation techniques with multi-class anomaly detection showed promise in both DDoS detection and detecting underlying attacks ongoing during an active DDoS attack. In this work, we head in the opposite direction, utilizing flow segmentation and concurrent flow feature aggregation, with the primary goal of greatly reduced detection times for both DDoS and underlying attacks. Using the same multi-class anomaly detection approach, we show greatly improved detection times with promising detection performance.
DOI: 10.1109/TPSISA52974.2021.00024
Citation Key: ricks_ddos-as–smokescreen_2021