Low False Alarm Ratio DDoS Detection for ms-scale Threat Mitigation

Title: Low False Alarm Ratio DDoS Detection for ms-scale Threat Mitigation
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Orosz, P., Nagy, B., Varga, P., Gusat, M.
Conference Name: 2018 14th International Conference on Network and Service Management (CNSM)
ISBN Number: 978-3-9031-7614-0
Keywords: advanced security solutions, attackers, automated response, Botnet, Computer crime, computer network security, data center networks, DDoS, Detectors, false alarm rate, false detection, field programmable gate arrays, FPGA, high-intensity short-duration volatile ephemeral attack waves, Human Behavior, human out-of-loop, human-in-the-loop security center paradigm, IDS, Inspection, intrusion detection and prevention, intrusion detection system, low false alarm ratio DDoS detection, low reaction time detection system, massive IoT botnets, metric, mitigation system, Monitoring, ms-scale threat mitigation, Network security, next-generation security solutions, pubcrawl, reaction times, Resiliency, threat mitigation, threat type, volatile DDoS threats, volatile ephemeral DDoS attacks

Abstract: The dynamically changing landscape of DDoS threats increases the demand for advanced security solutions. The rise of massive IoT botnets enables attackers to mount high-intensity, short-duration "volatile ephemeral" attack waves in quick succession. Therefore, the standard human-in-the-loop security center paradigm is becoming obsolete. To battle this new breed of volatile DDoS threats, the intrusion detection system (IDS) needs to improve markedly, at least in reaction time and in automated response (mitigation). Designing such an IDS is a daunting task, as network operators are traditionally reluctant to act - at any speed - on potentially false alarms. The primary challenge for a low-reaction-time detection system is maintaining a consistently low false alarm rate. This paper aims to show how a practical FPGA-based DDoS detection and mitigation system can successfully address this. Besides verifying the model and algorithms with real traffic "in the wild", we validate the low false alarm ratio. Accordingly, we describe a methodology for determining the false alarm ratio for each involved threat type, then categorize the causes of false detection, and provide our measurement results. As shown here, our methods can effectively mitigate volatile ephemeral DDoS attacks, and accordingly are usable in both human out-of-loop and human on-the-loop next-generation security solutions.

Citation Key: orosz_low_2018