DDoS Attacks with Randomized Traffic Innovation: Botnet Identification Challenges and Strategies
Vincenzo Matta, Mario Di Mauro, Maurizio Longo

TL;DR
This paper introduces a new model for application-layer DDoS attacks where botnets adaptively mimic normal traffic, and proposes an inference algorithm to reliably identify such botnets over time using real network data.
Contribution
It presents an abstract attack model where botnets learn and emulate normal traffic patterns, and develops a consistent inference algorithm for detecting these adaptive botnets.
Findings
The inference algorithm converges to the true botnet identification over time.
The proposed method effectively detects adaptive botnets in real network traces.
The model captures the evolving nature of application-layer DDoS attacks.
Abstract
Distributed Denial-of-Service (DDoS) attacks are usually launched through the botnet, an "army" of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this work, we offer basically three contributions: we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; we devise an inference…
