Publications

Xatu: Boosting existing DDoS detection systems using auxiliary signals

Abstract

Traditional DDoS attack detection monitors volumetric traffic features to detect attack onset. To reduce false positives, such detection is often conservative, raising an alert only after a sustained period of observed anomalous behavior. However, contemporary attacks tend to be short, which, combined with a long detection delay, means that most of the attack still reaches and impacts the victim. We propose Xatu, a system that utilizes auxiliary signals to improve the accuracy and timeliness of existing DDoS detection systems. We explore two types of auxiliary signals: attack preparation signals and the history of prior attacks. These signals can be easily mined from existing traffic monitoring systems in many ISP networks. To leverage these auxiliary signals for attack detection, we propose a multi-timescale LSTM model, which derives both long-term and short-term patterns from diverse auxiliary signals. We then …

Metadata

publication: Proceedings of the 18th International Conference on emerging Networking …, 2022
year: 2022
publication date: 2022/11/30
authors: Zhiying Xu, Sivaramakrishnan Ramanathan, Alexander Rush, Jelena Mirkovic, Minlan Yu
link: https://dl.acm.org/doi/abs/10.1145/3555050.3569121
resource_link: https://dl.acm.org/doi/pdf/10.1145/3555050.3569121
book: Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies
pages: 1-17