Can a DDoS attack be predicted?
23 Feb 2021
In the forecasting of tsunamis, buoys with sensors lie in the ocean, waiting for anomalous behaviour of the waves. The satellite to which the sensors are connected sends the signal to the weather station, after which a warning is issued. Everyone can prepare in time for what is to come. Can a similar prediction be made for DDoS attacks? The project group of the Partnership for Cyber Security Innovation (PCSI) went to investigate.
Anticipate instead of react
In a DDoS attack, so much traffic is sent to computers or computer networks that they become overloaded and, for example, a website is no longer accessible to normal visitors. This can bring down entire IT infrastructures. "If we can predict such an attack, we can anticipate it much earlier and thus really prevent an attack instead of only reacting to it afterwards, when the damage has already been done," says Erik Meeuwissen, project leader within the PCSI and senior consultant at TNO.
Current DDoS solutions
The current commercial solutions mainly focus on recognising and filtering DDoS traffic, after which the attack traffic is blocked. This can be done within minutes. Still, it remains a reactive system, as a result of which you are always one step too late and the network can go offline, even if it is just for a moment.
Rob Schrama, Security Analyst at the Volksbank, adds: "Another disadvantage of these existing services is that they cannot stop all DDoS attacks. We want to use our research to see if we can add an extra layer of protection to these existing solutions, so that we can also stop the attacks that slip through. We thereby focus on the probes that are already sent to the respective network to look for possible entry points for an attack, before an attack actually takes place."
In the upcoming Proof of Concept phase, the PCSI project team will further investigate how the probes on the application layer can be detected and how they differ from normal traffic. This is a scientifically challenging task, in which Meeuwissen and his team will make use of Artificial Intelligence.
"There are many possibilities to attack the application layer. We need to analyse them properly and determine which probes have malicious intents and which not, so that the malicious ones can be detected. This is a prerequisite for the success of our research. We use AI techniques for this, among other things. In addition, in the PoC phase we need sufficient data, servers and the expertise of all our PCSI partners to be able to carry out the research thoroughly," Schrama points out.
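To make the idea of separating probes from normal traffic on the application layer concrete, here is an added example that is not PCSI's, TNO's or the Volksbank's code and does not represent their AI approach. It scores each source address in a web-server access log by two simple signals: the share of its requests that hit non-existent paths (404 responses) and how many distinct paths it touches. The log lines, the addresses (RFC 5737 documentation ranges), the paths, the weights and the thresholds are all constructed for the example; a real detector would be calibrated on the organisation's own baseline traffic.

```python
"""Heuristic scoring of application-layer probing over constructed access-log lines.

Added example, not code from PCSI or its partners. Assumes the Apache/nginx
"combined" log format; all sample data and thresholds below are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one ordinary visitor, one source touching many distinct
# non-existent paths, and one source with too few requests to judge.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Feb/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2021:10:00:04 +0000] "GET /about HTTP/1.1" 200 2210 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2021:10:00:09 +0000] "GET /products HTTP/1.1" 200 8804 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2021:10:00:15 +0000] "GET /products/1 HTTP/1.1" 200 3301 "https://example.test/products" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2021:10:00:21 +0000] "GET /products HTTP/1.1" 200 8804 "https://example.test/products/1" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2021:10:00:30 +0000] "GET /contact HTTP/1.1" 200 1902 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Feb/2021:10:01:00 +0000] "GET /old/ HTTP/1.1" 404 312 "-" "-"',
    '198.51.100.7 - - [23/Feb/2021:10:01:00 +0000] "GET /test/ HTTP/1.1" 404 312 "-" "-"',
    '198.51.100.7 - - [23/Feb/2021:10:01:01 +0000] "GET /backup/ HTTP/1.1" 404 312 "-" "-"',
    '198.51.100.7 - - [23/Feb/2021:10:01:01 +0000] "GET /dev/ HTTP/1.1" 404 312 "-" "-"',
    '198.51.100.7 - - [23/Feb/2021:10:01:02 +0000] "GET /tmp/ HTTP/1.1" 404 312 "-" "-"',
    '198.51.100.7 - - [23/Feb/2021:10:01:02 +0000] "GET /about HTTP/1.1" 200 2210 "-" "-"',
    '192.0.2.55 - - [23/Feb/2021:10:02:00 +0000] "GET /missing HTTP/1.1" 404 312 "-" "curl/7.68.0"',
    '192.0.2.55 - - [23/Feb/2021:10:02:01 +0000] "GET /gone HTTP/1.1" 404 312 "-" "curl/7.68.0"',
    'this line is deliberately malformed and must be skipped',
]


@dataclass
class SourceStats:
    requests: int = 0
    not_found: int = 0
    paths: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def aggregate(lines):
    """Per-source counters; malformed lines are skipped instead of aborting the run."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.requests += 1
        s.paths.add(rec["path"])
        s.user_agents.add(rec["ua"])
        if rec["status"] == "404":
            s.not_found += 1
    return stats


def probe_score(s):
    """Weighted mix of 404 share and path diversity, in [0, 1]. Weights are illustrative."""
    if s.requests == 0:
        return 0.0
    not_found_ratio = s.not_found / s.requests
    path_diversity = len(s.paths) / s.requests
    return round(0.6 * not_found_ratio + 0.4 * path_diversity, 3)


def flag_probing_sources(lines, min_requests=5, threshold=0.5):
    """Sources with enough volume to judge and a score at or above the threshold."""
    stats = aggregate(lines)
    return sorted(
        ip for ip, s in stats.items()
        if s.requests >= min_requests and probe_score(s) >= threshold
    )


if __name__ == "__main__":
    for ip, s in aggregate(SAMPLE_LOG).items():
        print(f"{ip:14} requests={s.requests:2} 404s={s.not_found:2} "
              f"distinct_paths={len(s.paths):2} score={probe_score(s)}")
    print("flagged:", flag_probing_sources(SAMPLE_LOG))
```

The minimum-request floor matters: a source that has sent two requests and received two 404s may simply have followed a stale link, so the heuristic deliberately refuses to judge it. The ordinary visitor scores low because its requests resolve and it revisits pages, while the probing source scores high on both signals. Any such baseline should feed a richer model rather than act as the final verdict, which is the gap the PCSI team describes.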
There are still only a few publications available on this subject. That makes the project even more interesting within the PCSI. "This is a project in which we are really innovating, by trial and error. We do not yet know where we will end up or whether we will succeed in our mission. Being able to detect the non-legitimate probes is a big challenge. If we can do that, then we can look into the future and detect DDoS attacks early. Just like the sensors in the ocean do for tsunamis. That would be a great step!" concludes Meeuwissen.
The PCSI makes an essential contribution to a secure and resilient digital society by innovation in the field of cybersecurity.
Within the PCSI, applicable, innovative cybersecurity solutions are developed that enable stakeholders in Dutch society to protect themselves against tomorrow's cyber-attacks.
By working together intensively through an innovative ecosystem, the PCSI partners connect applied research, current data and societal issues in the field of cybersecurity in a unique way.
Participating partners: ABN AMRO, Achmea, ING, de Volksbank and TNO.