CYERSECURITYDenying Denial-of-Service: Strengthening Defenses Against Common Cyberattack
A Denial-of-Service attack is a cyberattack that makes a computer or other device unavailable to its intended users. This is usually accomplished by overwhelming the targeted machine with requests until normal traffic can no longer be processed. Scientists have developed a better way to recognize a common internet attack, improving detection by 90 percent compared to current methods.
Scientists have developed a better way to recognize a common internet attack, improving detection by 90 percent compared to current methods.
The new technique developed by computer scientists at the Department of Energy’s Pacific Northwest National Laboratory works by keeping a watchful eye over ever-changing traffic patterns on the internet. The findings were presented on August 2 by PNNL scientist Omer Subasi at the IEEE International Conference on Cyber Security and Resilience, where the manuscript was recognized as the best research paper presented at the meeting.
The scientists modified the playbook most commonly used to detect denial-of-service attacks, where perpetrators try to shut down a website by bombarding it with requests. Motives vary: Attackers might hold a website for ransom, or their aim might be to disrupt businesses or users.
Many systems try to detect such attacks by relying on a raw number called a threshold. If the number of users trying to access a site rises above that number, an attack is considered likely, and defensive measures are triggered. But relying on a threshold can leave systems vulnerable.
“A threshold just doesn’t offer much insight or information about what it is really going on in your system,” said Subasi. “A simple threshold can easily miss actual attacks, with serious consequences, and the defender may not even be aware of what’s happening.”
A threshold can also create false alarms that have serious consequences themselves. False positives can force defenders to take a site offline and bring legitimate traffic to a standstill—effectively doing what a real denial-of-service attack, also known as a DOS attack, aims to do.
“It’s not enough to detect high-volume traffic. You need to understand that traffic, which is constantly evolving over time,” said Subasi. “Your network needs to be able to differentiate between an attack and a harmless event where traffic suddenly surges, like the Super Bowl. The behavior is almost identical.”
As principal investigator Kevin Barker said: “You don’t want to throttle the network yourself when there isn’t an attack underway.”
Denial-of-Service—Denied
To improve detection accuracy, the PNNL team sidestepped the concept of thresholds completely. Instead, the team focused on the evolution of entropy, a measure of disorder in a system.
