Center for Configuration Analytics and Automation

Real-Time Detection and Mitigation of Low and Slow DDoS Attacks - UNCC

Project Objectives:
  • Overall objective: to detecting application-level  L&S DDoS attacks with high accuracy, make evasion difficult and the data driven analytics actionable by enabling risk based decision making
  • Sept 2013 - Feb 2014: Survey of attacks, investigation of statistical & information theoretical based method, entropy analysis of UNCC data.
  • March 2014 - Oct 2014: feature identification and evaluation: analyze the correlation of feature combinations and Markovian analysis of web access distribution for detecting malicious behavior based on UNCC data.
  • Oct 2014 - March 2015:  experimentation and refinement using enterprise data: repeat all experiments on data received from other enterprises, investigate normal vs. botnet distribution (ISP ranking and bad neighborhood identification).
  • March 2015 - Oct 2015:  simulation of attack scenarios based on bad neighborhood distribution and other intelligent sources, request-server mutation, mitigation approaches.
Project Activities: 
  • Identify features with statistical or information-theoretical significance for attack detection.
  • Use multi-dimensional Spatial, Temporal and Behavior analysis that correlate both network and application-specific features, develops a data-driven prototype for application-level L&S attack detection and evaluates the results using real web log data from CCAA Members
  • Develop methods to differentiate normal and botnet distribution, ranking ISPs and Internet neighborhood.
  • Simulate attack scenarios to verify the feasibility and accuracy of the detectors.
Project Findings:

Spatial Detectors
For a specific time and preference, the distribution of location is skewed (small of locations access by/in majority of
preference/ time)
The rate of Increase (over time) of new users  is constant and low in each Geo -locations
DDoS Bots are usually comes from Geo concentrated areas but not IPs
Temporal/Resource Detectors
For a specific time and location, the distribution of the preference is skewed (small preferences are accessed by/in majority of locations/communities or in specific time)
The distribution of the response size is skewed (small number of sizes are used by/ during the majority of locations or time )
Session Behavior Detector (based on Markovian Analysis)
Normal user behavior (preference, inter-arrival) of next request is mostly predictable with low MC order.
Temporal logic based rules can be efficiently used for early detection of this attack.