<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DDoS Archives - Artificial Intelligence</title>
	<atom:link href="https://www.aiuniverse.xyz/tag/ddos/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.aiuniverse.xyz/tag/ddos/</link>
	<description>Exploring the universe of Intelligence</description>
	<lastBuildDate>Mon, 25 May 2020 07:16:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Going deep: How advances in machine learning can improve DDoS attack detection</title>
		<link>https://www.aiuniverse.xyz/going-deep-how-advances-in-machine-learning-can-improve-ddos-attack-detection/</link>
					<comments>https://www.aiuniverse.xyz/going-deep-how-advances-in-machine-learning-can-improve-ddos-attack-detection/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Mon, 25 May 2020 07:16:38 +0000</pubDate>
				<category><![CDATA[Machine Learning]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Cyber-attacks]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Deep Dives]]></category>
		<category><![CDATA[Machine learning]]></category>
		<category><![CDATA[Research]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=8998</guid>

					<description><![CDATA[<p>Source: portswigger.net A group of researchers from the US, China, and Saudi Arabia have demonstrated how artificial intelligence (AI) algorithms can help detect distributed denial-of-service (DDoS) attacks <a class="read-more-link" href="https://www.aiuniverse.xyz/going-deep-how-advances-in-machine-learning-can-improve-ddos-attack-detection/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/going-deep-how-advances-in-machine-learning-can-improve-ddos-attack-detection/">Going deep: How advances in machine learning can improve DDoS attack detection</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Source: portswigger.net</p>



<p>A group of researchers from the US, China, and Saudi Arabia have demonstrated how artificial intelligence (AI) algorithms can help detect distributed denial-of-service (DDoS) attacks where other methods fail.</p>



<p>With the number of internet-connected devices growing at an exponential rate and attackers becoming more sophisticated in their methods, finding and filtering out harmful DDoS traffic against web servers is becoming a mounting challenge.</p>



<p>Their method, presented in a paper published on the open science platform Europe PMC, uses deep learning to determine whether network traffic coming from a source is normal or part of a malicious DDoS attack.</p>



<p>The researchers’ findings show that when dealing with large-scale data, deep learning-based detection methods improve speed and accuracy while reducing false alarm rates.</p>



<p>The work focuses on software-defined networks (SDN), a networking paradigm that has gained popularity in recent years.</p>



<p>SDN provides flexible virtualization capabilities that fulfill the growing demands of cloud computing, mobile networks, and internet of things (IoT).</p>



<p>However, SDN and OpenFlow, the protocol often used to enable communications between SDN controllers and network devices such as switches and routers, are vulnerable to DDoS attacks, as many researchers have found.</p>



<h3 class="wp-block-heading">Rule-based detection failures</h3>



<p>The classical way to detect DDoS is to compare incoming network traffic against a predefined set of rules that can separate normal from attack traffic.</p>



<p>But setting rules for DDoS detection is very difficult due to the diversity of DDoS attack schemes and the difficulty of defining thresholds between normal and malicious traffic.</p>



<p>“In practice, there is no clear distinction between normal traffic and attack traffic,” the authors of the paper note, adding that it would practically be impossible for humans to analyze the huge volume of data running through networks to find the correct rules.</p>



<h3 class="wp-block-heading">Tackling DDoS with deep learning</h3>



<p>Instead of manually perusing data, the authors propose to analyze it with deep neural networks (DNNs).</p>



<p>DNNs, which roughly imitate the workings of their biological counterparts, ingest large amounts of data and find relevant patterns, which they transform into complex mathematical representations.</p>



<p>They can then use this model to classify new incoming data or predict the next piece of information in a sequence.</p>



<p>In the case of DDoS, the researchers treat it as a classification problem. The goal of the algorithm is to determine, on a scale of 0 to 1, how likely it is that incoming traffic from a node in the network is malicious, or, as the researchers put it, “judging whether the characteristic data of the OpenFlow flow table is normal or not”.</p>



<p>By analyzing reams of data, a well-trained deep learning model will be able to glean intricate characteristics of safe and malicious traffic that would otherwise have gone undetected by a human analyst.</p>



<p>The neural network was trained on a large dataset comprised of both normal and malicious table entries, and then tested against five different types of DDoS attacks, including various traffic flooding attacks and slow-connection HTTP attacks, where attackers try to bog down a server by sending it very lengthy requests.</p>



<p>As is true for most deep learning uses, developing a reliable DDoS detection model depends largely on gathering enough quality training data.</p>



<p>As the authors note:</p>



<blockquote><p>In the case of a small data scale, the relevance ratio of the DL model in the face of flooding attacks has a slight advantage [in comparison to traditional detection methods], but it has not shown its detection advantage in other aspects. The detection performance is not outstanding.</p></blockquote>



<p>But as the system was scaled to larger datasets, the researchers found that the deep learning model eventually became more accurate and made fewer errors than other established DDoS detection tools, including those based on other machine learning algorithms such as support vector machines (SVM) and decision trees.</p>



<h3 class="wp-block-heading">Human support needed</h3>



<p>Deep learning systems are very good at handling classification and prediction tasks, as long as they’re dealing with data that is statistically similar to their training examples.</p>



<p>But as soon as they meet novel situations that vary from what they’ve previously seen, they behave in unexpected ways.</p>



<p>“Although some achievements have been obtained in this research, there are still some shortcomings,” the authors of the paper note. “The DL model of this research also needs a certain degree of human adjustment, and it cannot be completely intelligent.”</p>



<p>The paper has not been peer-reviewed, and the authors have not released the code and data for examination by industry experts, so it’s hard to independently verify the accuracy of their model.</p>



<p>But using machine learning algorithms to address the growing threat of DDoS attacks has become a growing area of interest, and several projects have already shown promising results.</p>



<p>Other efforts in the field range from simple machine learning models that detect compromised IoT devices in networks to SVM models that analyze OpenFlow tables for malicious behavior.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/going-deep-how-advances-in-machine-learning-can-improve-ddos-attack-detection/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Machine Learning Is Chasing Out DDoS, The Newest Evil In Cyber Security</title>
		<link>https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/</link>
					<comments>https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/#comments</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Mon, 20 Aug 2018 06:24:48 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Machine Learning]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[Machine learning]]></category>
		<category><![CDATA[ML techniques]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=2765</guid>

					<description><![CDATA[<p>Source &#8211; analyticsindiamag.com One of the most dangerous aspects looming over the computer world is security threats. It is estimated that around three trillion dollars are lost in cyber crimes every <a class="read-more-link" href="https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/">Machine Learning Is Chasing Out DDoS, The Newest Evil In Cyber Security</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Source &#8211; analyticsindiamag.com</p>
<p>One of the most dangerous aspects looming over the computer world is security threats. It is estimated that around three trillion dollars are lost in cyber crimes every year. This figure is expected to double by 2021. With all of these threats lurking around, it is difficult to track and eliminate every one of them, especially as the number of users is rising exponentially.</p>
<p>The most popular among the existing cyber threats now is the distributed denial of service (DDoS) attack. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks have adversely affected businesses on a large scale.</p>
<p>Now, with machine learning prevailing in the tech ecosystem, a new way of eliminating DDoS attacks has emerged. In this article, we will lay out a research paper that has used ML techniques to subdue DDoS attacks in systems.</p>
<h3>Session Initiation Protocol (SIP) And Voice Over Internet Protocol (VoIP)</h3>
<p>Z Tsiatsikas and a team from the University of the Aegean, Greece, have published a new research study on countering DDoS in SIP-based VoIP systems through ML. The reason for choosing VoIP systems is their popularity and spread in the hardware ecosystem. With the growing number of digital devices and the abundant availability of the internet, VoIP is the preferred method for voice and multimedia communications.</p>
<p>To establish a VoIP session, Session Initiation Protocol (SIP) is the popular means of initiating these sessions. A simple version of the SIP/VoIP architecture is given below:</p>
<ul>
<li><b>User Agent (UA):</b> The active entities in the session, which represent the endpoints of SIP. For example, in the context of voice communications, the caller and the receiver are the endpoints in the session.</li>
<li><b>SIP Proxy Server:</b> An intermediate entity which acts as a client and a server simultaneously during the session. The role of this server is to maintain send and receive requests as well as to transfer information to and from the users.</li>
<li><b>Registrar:</b> This component takes care of authentication and register requests for the UA.</li>
</ul>
<p>All of the SIP communication is logged by the VoIP provider. This is important because it gives out billing and accounting information for service providers based on users’ activity. Interestingly, it can also give out information regarding intrusion or suspicious activity present in the network. This can be a breeding ground for DDoS attacks if left neglected.</p>
<h3>Aggregating ML Techniques In VoIP</h3>
<p>The researchers consider the same SIP VoIP architecture and use five standard ML classifier algorithms in their experiments, which are as follows:</p>
<ol>
<li>Sequential minimal optimisation</li>
<li>Naive Bayes</li>
<li>Neural networks</li>
<li>Decision trees</li>
<li>Random Forest</li>
</ol>
<p>These algorithms are set up for dealing with communications directly in the experiment. Then, classification features are generated once the network is made anonymous using keyed-hash message authentication code (HMAC) for the VoIP communications. The algorithms are tested under 15 DDoS attack scenarios. To do this, the researchers designed a ‘test bed’ of DDoS simulations, which is shown below:</p>
<figure id="attachment_27426" class="wp-caption aligncenter"><img class="wp-image-27426 size-full" src="https://i2.wp.com/www.analyticsindiamag.com/wp-content/uploads/2018/08/ddos1.jpg?resize=835%2C591&amp;ssl=1" alt="" width="672" height="476" /><figcaption class="wp-caption-text"><em>DDoS simulation test-bed (Image courtesy: Z Tsiatsikas and researchers)</em></figcaption></figure>
<p><i>“Three or four different Virtual Machines (VMs) have been used for the SIP proxy, the legitimate users, and the generation of the attack traffic depending on the scenario. All VMs run on an i7 processor 2.2 GHz machine having 6GB of RAM. For the SIP proxy, we employed the widely known VoIP server Kamailio (kam, 2014). We simulated distinct patterns for both legitimate and DoS attack traffic using sipp v.3.21 and sipsak2 tools respectively. Furthermore, for the simulation of DDoS attack, the SIPp-DD tool has been used. The well-known Weka tool has been employed for ML analysis.”</i></p>
<p>The training and testing processes for the algorithms include both normal traffic and attack traffic. To simulate the attack traffic, the researchers use a range of random high call rates to give a feel of real VoIP, whereas the normal traffic has normal, observed call rates.</p>
<p>The training scenario in the experiment is denoted as SN1 and testing scenarios are denoted as SN1.1, SN1.2, SN1.3 etc. A detailed description is given here.</p>
<h3>Performance</h3>
<p>The algorithms fare well compared to non-ML detection. Among the algorithms, Random Forest and decision trees rank highest when measured from an intrusion detection viewpoint. The other three fare below them. In addition, as the attack traffic rises, the intrusion detection rate drops, which means DDoS is evident. Ultimately, ML techniques outclass conventional attack detection techniques/methods.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/feed/</wfw:commentRss>
			<slash:comments>4</slash:comments>
		
		
			</item>
	</channel>
</rss>
