Early detection of Crossfire attacks using deep learning
Saurabh Misra, Mengxuan Tan, Mostafa Rezazad, Matthias R. Brust, Ngai-Man Cheung

TL;DR
This paper presents a deep learning-based framework for early detection of Crossfire attacks by analyzing traffic patterns at decoy servers, addressing the challenge of identifying low-rate malicious traffic during the attack's warm-up phase.
Contribution
It introduces a novel approach using Autoencoder, CNN, and LSTM models to detect Crossfire attacks early, focusing on monitoring traffic at decoy servers for improved detection accuracy.
Findings
Deep learning models effectively identify early-stage Crossfire attack traffic.
Autoencoder, CNN, and LSTM outperform traditional detection methods.
Encouraging experimental results demonstrate the framework's potential.
Abstract
The Crossfire attack is a recently proposed threat designed to disconnect whole geographical areas, such as cities or states, from the Internet. Orchestrated in multiple phases, the attack uses a massively distributed botnet to generate low-rate benign traffic aiming to congest selected network links, so-called target links. The adoption of benign traffic, while simultaneously targeting multiple network links, makes the detection of the Crossfire attack a serious challenge. In this paper, we propose a framework for early detection of the Crossfire attack, i.e., detection in the warm-up period of the attack. We propose to monitor traffic at the potential decoy servers and discuss the advantages compared with other monitoring approaches. Since the low-rate attack traffic is very difficult to distinguish from the background traffic, we investigate several deep learning methods to mine the…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Anomaly Detection Techniques and Applications
