Abstract

Distributed Denial-of-Service (DDoS) attacks disrupt servers, services and networks by overloading the target's resources and denying service to legitimate traffic. Defenses against these attacks usually rely on overprovisioning and on sinkholing malicious traffic. The sooner an attack is detected, the more effective the mitigation. We therefore advocate a prediction technique that anticipates a possible attack and allows countermeasures to be taken before it effectively starts. This article advances the state of the art by presenting a distributed architecture that identifies early signals of a possible DDoS attack and detects the bots composing the botnet, i.e., the malicious actors participating in the attack. Bot detection is triggered by the prediction of a DDoS attack, which is supported by early signals that appear on the network before the attack reaches an advanced stage. Prediction is based on metastability theory: it applies unsupervised statistical learning to identify the imminence of a DDoS attack. Botnet detection is challenging because of the high dimensionality of the data involved and because of the memory and processing constraints of network devices. Network devices are therefore clustered based on features extracted from the traffic and on the causality between devices, and detection is performed per cluster. Performance evaluations took the CTU-13 (Czech Technical University), CAIDA and Botnet 2014 datasets as input; the architecture detected the bots in the datasets with an accuracy of 99.9%.

Highlights

  • Botnets pose a huge threat to Internet users and devices

  • The architecture starts with a local network traffic analysis supported by leading indicators, i.e., statistical measures calculated from simple network-traffic data such as packet size or packet transmission frequency

  • The architecture uses prediction methods, such as the early signals of volumetric Distributed Denial-of-Service (DDoS) attacks, to trigger bot detection methods
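The highlights above describe leading indicators as statistical measures computed from simple per-packet data, and early signals as the trigger for bot detection, without spelling out the computation. The following is an added example, not code from the paper or its authors: it computes rolling indicators (mean, variance, lag-1 autocorrelation and skewness) over a packet-size series and raises an alarm when a window departs from a learned baseline. The choice of these four statistics, the non-overlapping window size, the baseline of the first four windows, the alarm rule (variance above three times the baseline and lag-1 autocorrelation above 0.5) and the packet-size series itself are all my assumptions, constructed for illustration; the page does not state which indicators or thresholds the architecture uses.

```python
"""Rolling leading indicators over a packet-size series (added example).

Assumptions (not from the paper): indicators are population mean, variance,
lag-1 autocorrelation and skewness; windows are non-overlapping; the first
BASELINE_WINDOWS windows define normal behaviour; an alarm is raised when
variance exceeds VAR_FACTOR times the baseline variance and the lag-1
autocorrelation exceeds AC1_MIN. Rising variance and autocorrelation are the
classic early-warning signals of a system approaching a critical transition.
"""
import math
from typing import Dict, List

WINDOW_SIZE = 50
BASELINE_WINDOWS = 4
VAR_FACTOR = 3.0
AC1_MIN = 0.5


def leading_indicators(window: List[float]) -> Dict[str, float]:
    """Statistical leading indicators of one window (population formulas)."""
    n = len(window)
    mean = sum(window) / n
    var = sum((v - mean) ** 2 for v in window) / n
    if var == 0.0:
        # Constant traffic: no dispersion, no autocorrelation, no skew.
        return {"mean": mean, "variance": 0.0, "autocorr1": 0.0, "skewness": 0.0}
    # Lag-1 autocorrelation: consecutive samples moving together.
    num = sum((window[i] - mean) * (window[i + 1] - mean) for i in range(n - 1))
    ac1 = num / (n * var)
    skew = (sum((v - mean) ** 3 for v in window) / n) / var ** 1.5
    return {"mean": mean, "variance": var, "autocorr1": ac1, "skewness": skew}


def split_windows(series: List[float], size: int = WINDOW_SIZE) -> List[List[float]]:
    """Non-overlapping windows; a trailing partial window is dropped."""
    return [series[i:i + size] for i in range(0, len(series) - size + 1, size)]


def early_signal_alarms(series: List[float],
                        window_size: int = WINDOW_SIZE,
                        baseline_windows: int = BASELINE_WINDOWS,
                        var_factor: float = VAR_FACTOR,
                        ac1_min: float = AC1_MIN) -> List[int]:
    """Indices of windows whose indicators depart from the learned baseline."""
    indicators = [leading_indicators(w) for w in split_windows(series, window_size)]
    if len(indicators) <= baseline_windows:
        raise ValueError("series too short to learn a baseline")
    baseline_var = sum(x["variance"] for x in indicators[:baseline_windows]) / baseline_windows
    return [k for k, x in enumerate(indicators)
            if k >= baseline_windows
            and x["variance"] > var_factor * baseline_var
            and x["autocorr1"] > ac1_min]


def constructed_packet_sizes() -> List[float]:
    """Constructed input (not a real capture): 300 samples of jitter around
    500 bytes, then 200 samples in which sizes drift steadily upward, the
    kind of slow, correlated change an early-signal detector should flag."""
    sizes = [500 + (30 if i % 2 == 0 else -30) + ((i * 7) % 11 - 5) for i in range(300)]
    sizes += [500 + 5 * (i - 300) for i in range(300, 500)]
    return [float(s) for s in sizes]


if __name__ == "__main__":
    series = constructed_packet_sizes()
    for k, w in enumerate(split_windows(series)):
        ind = leading_indicators(w)
        print(f"window {k}: var={ind['variance']:.1f} ac1={ind['autocorr1']:.2f} "
              f"skew={ind['skewness']:.2f}")
    print("alarm windows:", early_signal_alarms(series))
```

On the constructed series the six baseline windows show variance near 900 and negative lag-1 autocorrelation (the alternating jitter), while the four drifting windows show variance above 5000 and autocorrelation above 0.9, so the alarm fires on windows 6 to 9. In a real deployment the baseline would be learned over a much longer quiet period and re-estimated as traffic changes, and the same indicators would be computed on transmission frequency (inter-arrival times) as well as packet size.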


Summary

A Distributed Architecture for DDoS Prediction and Bot Detection

Center for Computational Security Science (CCSC), Department of Informatics, Federal University of Paraná (UFPR), Curitiba 81531-980, Brazil

This work was supported in part by the National Council for Scientific and Technological Development (CNPq/Brazil) under Grant #309129/2017-6 and Grant #432204/2018-0, and in part by the joint NSF and RNP HealthSense project under Grant #99/2017.

INTRODUCTION
RELATED WORK
CASE STUDY
THE NOTIFICATION MODULE
PERFORMANCE EVALUATION
CONCLUSION
