ICIMP 2019, The Fourteenth International Conference on Internet Monitoring and Protection


The Benefits of a Functional Approach to Detecting and Mitigating a DDoS Attack

Authors:
Robert McAndrew
Stephen Hayne
Haonan Wang

Keywords: anomaly detection; clustering; DDoS; Functional Principal Component Analysis; network monitoring

Abstract:
Distributed Denial of Service (DDoS) attacks have received significant global attention because they are increasing in frequency and severity. We analyze all flows surrounding the Network Time Protocol (NTP) amplification attack that occurred during January of 2014 at a large mountain-range university. We present an unsupervised machine learning data-driven approach that can detect and mitigate attacks in near real-time. Our method is based on thresholding, Functional Principal Component Analysis, and K-means clustering (with tuning parameters for flexibility), which dissects the dataset to reveal several categories of outliers. Using eigenfunction scores, clustering, and individual IP behavior summary statistics, we assign risk probabilities to the outliers, which enables creating dynamic firewall rules. We demonstrate the speed and capabilities of our technique in a forensic replay of the NTP attack. We show that we can detect and attenuate the DDoS within two minutes, with significantly reduced volume throughout the six waves of the attack.

Pages: 7 to 13

Copyright: Copyright (c) IARIA, 2019

Publication date: July 28, 2019

Published in: conference

ISSN: 2308-3980

ISBN: 978-1-61208-729-0

Location: Nice, France

Dates: from July 28, 2019 to August 2, 2019