According to researchers from the Pacific Northwest National Laboratory (PNNL), a new algorithm called DDoS attack detection via differential analysis of generalized entropy (DoDGE) can identify 99% of distributed denial-of-service (DDoS) attacks with a low false positive rate of 2%. This algorithm outperforms a set of 10 standard algorithms that only identified an average of 52% of attacks, with the best-case scenario detecting 62% of attacks.
The DoDGE algorithm focuses on analyzing the entropy of network traffic during DDoS attacks. Under normal circumstances, the flow of network packets is distributed evenly between different sources and destinations, resulting in a stable level of entropy. However, during attacks, there is an imbalance between senders and receivers, leading to a detectable change in entropy over time. By quantifying and analyzing these changes, the researchers can identify ongoing attacks.
DDoS attacks continue to be the most impactful for businesses, despite ransomware and business email compromise (BEC) attacks receiving more attention from security groups. Over the past four years, DDoS attacks have accounted for the largest share of security incidents reported by companies, according to the annual Verizon Data Breach Investigations Report.
Improved methods of attack detection can help businesses respond more quickly and implement more effective countermeasures. Allen West, a researcher with Akamai, explains that confirming whether a DDoS attack is taking place allows defenders to deploy targeted defense mechanisms and gather valuable intelligence about the incident, such as identifying the source or reason behind the attacks.
The PNNL research focuses on measuring changes in entropy during DDoS attacks, rather than setting a threshold on bandwidth or packet-count increases. The researchers differentiate between surges of legitimate traffic, known as "flash events," and actual attacks by examining small changes in entropy over time. This approach sets the algorithm apart from other solutions, which either use thresholds or rely on machine learning and artificial intelligence that require large amounts of data and costly training.
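To make the entropy-over-time idea from the paragraphs above concrete, here is an added illustrative sketch (not PNNL's DoDGE code): it computes generalized (Rényi) entropy of each traffic window's destination-address distribution and raises an alert when that entropy drops sharply versus the previous window. The choice of the destination field, order-2 entropy, the 1-bit drop threshold and the sample traffic are all assumptions constructed for the example.

```python
from collections import Counter
from math import log2

def generalized_entropy(counts, alpha=2.0):
    """Renyi entropy (bits) of order alpha over a histogram of packet counts.
    alpha -> 1 recovers Shannon entropy; alpha = 2 is collision entropy."""
    total = sum(counts)
    if total == 0:
        return 0.0
    probs = [c / total for c in counts if c > 0]
    if abs(alpha - 1.0) < 1e-9:
        return -sum(p * log2(p) for p in probs)
    return log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)

def window_entropy(packets, field=1, alpha=2.0):
    """Entropy of how one window's packets spread over a header field.
    Packets are (src, dst) tuples; field 1 = destination address."""
    return generalized_entropy(Counter(p[field] for p in packets).values(), alpha)

def detect(windows, alpha=2.0, drop_threshold=1.0):
    """Differential check: alert when destination entropy falls by more than
    drop_threshold bits versus the previous window (threshold is an assumption).
    Returns [(window_index, entropy, drop)] for each alerting window."""
    alerts, prev = [], None
    for i, packets in enumerate(windows):
        h = window_entropy(packets, 1, alpha)
        if prev is not None and prev - h > drop_threshold:
            alerts.append((i, h, prev - h))
        prev = h
    return alerts

def make_window(dst_counts, n_sources=8):
    """Constructed sample traffic: n_sources clients (round-robin) sending
    dst_counts[dst] packets to each destination; TEST-NET addresses only."""
    packets = []
    for i, dst in enumerate(d for d, n in dst_counts.items() for _ in range(n)):
        packets.append((f"198.51.100.{i % n_sources}", dst))
    return packets

# Windows 0, 1, 3: 200 packets spread evenly over 8 destinations (3.0 bits).
# Window 2: 180 of 200 packets hit one destination, so destination entropy
# collapses while the source distribution (still 8 even clients) is unchanged.
NORMAL = {f"203.0.113.{k}": 25 for k in range(8)}
ATTACK = {"203.0.113.0": 180, **{f"203.0.113.{k}": 5 for k in range(1, 5)}}
SAMPLE_WINDOWS = [make_window(d) for d in (NORMAL, NORMAL, ATTACK, NORMAL)]

if __name__ == "__main__":
    for idx, ent, drop in detect(SAMPLE_WINDOWS):
        print(f"window {idx}: entropy {ent:.3f} bits, drop {drop:.3f} bits -> alert")
```

Because the check is on the change between windows rather than on an absolute level, a gradual flash-event ramp produces smaller per-window drops than a sudden concentration of traffic; tuning `drop_threshold` trades false positives against sensitivity, which is the trade-off the researchers describe.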
While entropy-based detection of DDoS attacks significantly improves on threshold-based methods and has a low false positive rate, the researchers acknowledge that false positives still need to be reduced. Patrick Donahue, vice president of product at Cloudflare, emphasizes that techniques must have a false positive rate approaching zero to be practical in real-world scenarios. The PNNL researchers say their algorithms are adaptive and can minimize false positives by sacrificing some precision in attack detection. They also suggest that additional data can be used to enhance the basic algorithm in real-world deployments.
The DoDGE algorithm is computationally lightweight, making it suitable for building resilient infrastructure for 5G networks. As the number of connected devices increases with the adoption of 5G, the threat landscape expands, making it crucial to develop effective measures to counter malicious attacks. By leveraging algorithms like DoDGE, researchers hope to strengthen defenses against DDoS attacks and safeguard critical systems and networks.