Can a DDoS attack be predicted?Monday 15 February of 2021
In the forecasting of tsunamis, buoys with sensors lie in the ocean, waiting for anomalous behaviour of the waves. The satellite to which the sensors are connected sends the signal to the weather station, after which a warning is issued. Everyone can prepare in time for what is to come. Can a similar prediction be made for DDoS attacks?
Anticipate instead of react
In a DDoS attack, so much traffic is sent to computers or computer networks that they become overloaded and, for example, a website is no longer accessible to normal visitors. This can bring down entire IT infrastructures. "If we can predict such an attack, we can anticipate it much earlier and thus really prevent an attack instead of only reacting to it afterwards, when the damage has already been done," says Erik Meeuwissen, project leader within the PCSI and senior consultant at TNO.
Current DDoS solutions
The current commercial solutions mainly focus on recognising and filtering DDoS traffic before a blockade is put in place. This can be done within minutes. Still, it remains a reactive system, as a result of which you are always one step too late and the network can go offline, even if it is just for a moment. Rob Schrama, Security Analyst at the Volksbank, adds: "Another disadvantage of these existing services is that they cannot stop all DDoS attacks. We want to use our research to see if we can add an extra layer of protection to these existing solutions, so that we can also stop the attacks that slip through. We thereby focus on the probes that are already sent to the respective network to look for possible entry points for an attack, before an attack actually takes place."
In the upcoming Proof of Concept phase, the PCSI project team will further investigate how the probes on the application layer can be detected and how they differ from normal traffic. A scientifically challenging task, in which Meeuwissen and his team will make use of Artificial Intelligence. "There are many possibilities to attack the application layer. We need to analyse them properly and determine which probes have malicious intents and which not, so that the malicious ones can be detected. This is a prerequisite for the success of our research. We use AI techniques for this, among other things. In addition, in the PoC phase we need sufficient data, servers and the expertise of all our PCSI partners to be able to carry out the research thoroughly," Schrama points out.
There are still only a few publications available on this subject. That makes the project even more interesting within the PCSI. "This is a project in which we are really innovating, by trial and error. We do not yet know where we will end up or whether we will succeed in our mission. Being able to detect the non-legitimate probes is a big challenge. If we can do that, then we can look into the future and detect DDoS attacks early. Just like the sensors in the ocean do for tsunamis. That would be a great step!" concludes Meeuwissen.