Researchers Find New Protection Method Against DDoS Attacks


Computer scientists at the Department of Energy’s Pacific Northwest National Laboratory (PNNL) developed a new way of dealing with DDoS attacks by keeping an eye on the ever-changing traffic patterns on the internet.

DDoS, or distributed denial-of-service, attacks occur when malicious cyber actors try to disable and shut down a website by bombarding it with requests from fake computers, then either hold it for ransom or simply aim to disrupt the business.

Now, the scientists at PNNL have decided to approach the problem differently from the way this attack type is commonly detected. Most of the time, people rely on a raw number called a threshold: if the number of users trying to access a site crosses that number, then there is likely an attack, and defensive measures are triggered. But relying on this method may leave systems vulnerable.

Omer Subasi, a scientist at PNNL, claims that a threshold doesn’t offer much insight or information about what’s happening in a system, and adds that a simple threshold can easily miss actual attacks. A threshold can also create false alarms, which can force defenders to take a site offline.

To improve detection accuracy, the PNNL team focused on the evolution of entropy, a measure of disorder in a system. According to Techxplore, there’s consistent disorder everywhere on the internet at all times, but during a denial-of-service attack, two measures of entropy go in opposite directions. At the target address, many more clicks than usual are going to one place, a state of low entropy, but the sources of those clicks originate in many different places, a state of high entropy. This mismatch could signify an attack.
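The opposing movement of the two entropy measures can be shown with a short added example. It is not PNNL's formula and not code from the article: it computes the Shannon entropy of source and destination addresses per fixed-size window of flows and reports windows where source entropy rises while destination entropy falls. The window size, the `margin` parameter and the sample flows are assumptions constructed for illustration.

```python
import math
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())

def window_entropies(flows, window):
    """Split (src, dst) flows into fixed-size windows; return (H_src, H_dst) per window."""
    out = []
    for i in range(0, len(flows) - window + 1, window):
        chunk = flows[i:i + window]
        out.append((shannon_entropy(s for s, _ in chunk),
                    shannon_entropy(d for _, d in chunk)))
    return out

def diverging_windows(entropies, margin=0.5):
    """Indices of windows where source entropy rose and destination entropy
    fell by more than `margin` bits relative to the previous window.
    `margin` is an illustrative assumption, not a value from the research."""
    hits = []
    for i in range(1, len(entropies)):
        d_src = entropies[i][0] - entropies[i - 1][0]
        d_dst = entropies[i][1] - entropies[i - 1][1]
        if d_src > margin and d_dst < -margin:
            hits.append(i)
    return hits

def constructed_flows():
    """Constructed sample: three windows of 64 flows; the third simulates a flood."""
    # Normal traffic: 8 clients spread across 4 servers (documentation address ranges).
    normal = [(f"10.0.0.{i % 8}", f"192.0.2.{i % 4}") for i in range(128)]
    # Flood: 64 distinct sources, all aimed at a single destination.
    flood = [(f"198.51.100.{i}", "192.0.2.1") for i in range(64)]
    return normal + flood

if __name__ == "__main__":
    ents = window_entropies(constructed_flows(), window=64)
    for i, (h_src, h_dst) in enumerate(ents):
        print(f"window {i}: H_src={h_src:.2f} bits  H_dst={h_dst:.2f} bits")
    print("diverging windows:", diverging_windows(ents))
```

All three windows carry the same number of flows, so a request-count threshold would see nothing unusual; only the entropy pair changes in the third window.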

In PNNL’s testing, 10 standard algorithms correctly identified on average 52 percent of DoS attacks; the best one correctly identified 62 percent of attacks. The PNNL formula correctly identified 99 percent of such attacks.

This revolutionary new solution is automated: it doesn’t require close oversight by a human to distinguish between legitimate traffic and an attack, and it doesn’t require much computing power or network resources to do its job. The researchers claim that this sets it apart from machine learning-based solutions, which also avoid thresholds but require a large amount of training data.

The PNNL team is currently looking at how denial-of-service attacks may be affected by the buildout of 5G networking and the booming Internet of Things landscape, saying that with so many more devices and systems connected to the Internet, there are many more opportunities than before to attack systems maliciously.