Abstract
Network attacks on enterprises are distributed in their sources and versatile in their patterns. Practical solutions such as firewalls, however, focus on potential enterprise victims through coarse-grained monitoring because their compute resources are limited, and they are therefore ineffective at detecting the distributed sources and flows of such attacks. Fine-grained flow-level detection methods, in contrast, are impractical for the millions of flows seen in a large enterprise. We present PEDDA, a progressive multi-stage inference method that detects distributed attacks by leveraging the dynamic controls of programmable networks. It flexibly applies inference stages, each with an orchestratable granularity, whereby packet streams are either proactively or reactively partitioned and analysed by specialised functions depending on how an attack evolves. The granularity of each stage/function is dynamically determined by an optimisation framework subject to computing resource constraints. We prototype a proof-of-concept system consisting of three inference stages that, respectively, monitor active enterprise hosts, detect and isolate the victims under attack, and differentiate distributed attack sources and flows from benign ones. We evaluate the efficacy of our prototype by applying it to real traffic traces from a large enterprise network injected with DDoS attacks from a public dataset.
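To make the progressive three-stage idea concrete, the following added example (not the paper's code, and not PEDDA's optimisation framework) runs a host-level counter stage, a per-victim source-partitioning stage, and a per-flow stage over constructed flow records; the host budget, the minimum-source threshold and the bytes-per-packet heuristic are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records: (src, dst, packets, bytes). Not taken from any real trace.
FLOWS = [
    ("10.0.0.5", "192.168.1.10", 200, 240000),   # benign bulk transfer
    ("10.0.0.6", "192.168.1.10", 50, 60000),     # benign
    ("10.0.0.7", "192.168.1.11", 30, 36000),     # benign, other host
] + [(f"203.0.113.{i}", "192.168.1.10", 20, 1200) for i in range(1, 41)]  # 40 tiny-packet sources

def stage1_hosts(flows, budget):
    """Coarse stage: one counter per destination host; the resource budget caps
    how many hosts are handed to the next stage."""
    per_host = Counter()
    for _, dst, pkts, _ in flows:
        per_host[dst] += pkts
    return [host for host, _ in per_host.most_common(budget)]

def stage2_victims(flows, hosts, min_sources):
    """Medium stage: partition only the watched hosts' traffic by source and
    flag hosts whose inbound traffic comes from many distinct sources."""
    sources = defaultdict(set)
    for src, dst, _, _ in flows:
        if dst in hosts:
            sources[dst].add(src)
    return [host for host in hosts if len(sources[host]) >= min_sources]

def stage3_flows(flows, victims, max_bytes_per_pkt):
    """Fine stage: per-flow analysis for flagged victims only. Assumed heuristic:
    a small average packet size marks an attack flow, anything larger is benign."""
    verdict = {}
    for src, dst, pkts, byt in flows:
        if dst in victims:
            verdict[(src, dst)] = "attack" if byt / pkts <= max_bytes_per_pkt else "benign"
    return verdict

def run_pipeline(flows, host_budget=2, min_sources=10, max_bytes_per_pkt=100):
    """Chain the stages; each later stage sees only what the earlier one selected."""
    hosts = stage1_hosts(flows, host_budget)
    victims = stage2_victims(flows, hosts, min_sources)
    return hosts, victims, stage3_flows(flows, victims, max_bytes_per_pkt)
```

Shrinking `host_budget` to 1 still isolates the victim here because stage 1 ranks by volume, which is the point of spending fine-grained analysis only where the coarse stage has already narrowed the field.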