New software allows websites to run during DDoS attacks

Friday, 06 October 2017

Distributed denial of service attacks, which attempt to inundate a website with traffic to cause it to crash, are becoming an increasingly expensive and embarrassing incident for companies and governments to deal with.

One example of this was the 2016 attack on the Australian government’s Census, one of the “largest peacetime logistical operations,” with the website taken down after its fourth DDoS traffic spike.

But a new innovation called the Probability Engine for Identifying Malicious Activity (PEIMA) could put an end to these attacks.

The software solution, which was the overall winner of the 2017 Curtinnovation Award, uses statistical techniques to detect and neutralise attacks, while ensuring the online service continues running.

Mihai Lazarescu, head of the department of computing at Curtin University’s school of electrical engineering and computing, has been working in cybersecurity for a number of years.

One of the key aspects of DDoS attacks is that they create artificial traffic, which Lazarescu said does not comply with what normal traffic patterns look like; PEIMA is able to identify these artificial traffic spikes.

PEIMA was developed by a team including Lazarescu, Stefan Prandl, Sonny Pham and Sie Teng Soh and regents professor Subhash Kak from Oklahoma State University.

It is relatively simple to operate and does not need any hardware – it simply needs to observe what normal traffic looks like on a website in order to determine what is abnormal.

“When a volumetric denial of service attack happens, it’s not difficult to tell because you can see a large volume of traffic coming in. What is different about our approach is that we can tell what is bad and what is legitimate traffic,” Lazarescu said.

“Machines are very bad at generating completely randomised traffic, and because of that, whatever is generated doesn’t comply with the power laws, and that’s how we can tell.”

These power laws refer to how the change in one quantity results in proportional change in another quantity.

“Everything that is normal would have to comply with these laws. If it doesn’t, then we know that it’s not created by normal traffic,” Lazarescu said. “The moment you create something artificial, the power law detects it. You cannot hide.”
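To make the rank-frequency idea behind those quotes concrete, here is an added example (not PEIMA's code, and not an algorithm the article describes): it fits a straight line to the log-log plot of per-source request counts against their rank, and treats a window as normal only when the fit is both steep and straight. The article does not say which power laws PEIMA checks or what thresholds it uses, so the Zipf-like baseline, the flat "flood" counts, the thresholds in `looks_like_power_law` and all function names are assumptions constructed for this illustration.

```python
import math

# Constructed per-source request counts for one observation window.
# These numbers are made up for this example; they are not PEIMA test data.

def zipf_counts(n_sources, scale, exponent=1.0):
    """Rank-frequency counts that follow a power law: the r-th busiest
    source sends about scale / r**exponent requests (Zipf-like, heavy tail)."""
    return [max(1, round(scale / r ** exponent)) for r in range(1, n_sources + 1)]

def flat_counts(n_sources, base=40):
    """Counts from a scripted flood: every source sends nearly the same
    number of requests (small deterministic jitter, no heavy tail)."""
    return [base + (i % 3) for i in range(n_sources)]

NORMAL_WINDOW = zipf_counts(60, 5000)          # 60 legitimate sources
FLOOD_WINDOW = flat_counts(1000)               # 1000 near-identical bots
MIXED_WINDOW = NORMAL_WINDOW + FLOOD_WINDOW    # legitimate users plus a flood

def rank_frequency_fit(counts):
    """Least-squares line through (log rank, log count) with counts sorted in
    descending order. A power law is a straight line on this log-log plot, so
    the slope is the negated exponent and r_squared measures straightness."""
    ranked = sorted((c for c in counts if c > 0), reverse=True)
    if len(ranked) < 3:
        return 0.0, 0.0  # too few points to fit anything meaningful
    xs = [math.log(rank) for rank in range(1, len(ranked) + 1)]
    ys = [math.log(c) for c in ranked]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    # All counts equal (syy == 0) means no heavy tail at all: treat as no fit.
    r_squared = (sxy * sxy) / (sxx * syy) if syy > 0 else 0.0
    return slope, r_squared

def looks_like_power_law(counts, max_slope=-0.5, min_r2=0.9):
    """Conformance check: a clearly negative exponent and a good straight-line
    fit. Both thresholds are assumed values chosen for this example."""
    slope, r2 = rank_frequency_fit(counts)
    return slope <= max_slope and r2 >= min_r2

def classify_window(counts):
    """Label one observation window for a detection pipeline."""
    return "normal" if looks_like_power_law(counts) else "anomalous"

if __name__ == "__main__":
    windows = [("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW), ("mixed", MIXED_WINDOW)]
    for name, window in windows:
        slope, r2 = rank_frequency_fit(window)
        print(f"{name:7s} sources={len(window):5d} slope={slope:+.2f} "
              f"r2={r2:.2f} -> {classify_window(window)}")
```

The baseline window fits a line of slope close to -1 almost perfectly, the scripted flood fits a nearly flat line, and the mixed window fails because the thousand near-identical sources flatten the tail even though the legitimate head is still present. A real deployment would learn the baseline exponent and its tolerance from observed traffic, as the article says PEIMA does, rather than using the fixed thresholds assumed here.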

Lazarescu started working on PEIMA with professor Kak when they were discussing problems they would like to solve, and they raised the idea of using power laws to define what normal traffic is, as a way of addressing DDoS attacks.

But being able to detect what was normal was not just a simple matter of applying the law. It required being able to detect and remove the bad packets as well, which no one had previously done.

“Most of the solutions that are out there are on a completely different basis. It’s all about keeping a certain amount of bandwidth available to do mitigation,” Lazarescu said.

One of the biggest challenges was to figure out what was an artificially created packet. Due to this, PEIMA does not use just one power law but several to indicate bad packets.

The other challenge was the amount of resources that were required, because the team wanted to have a solution that was deployable for large corporations and organisations.

“So instead of looking at 100 megabit links, we were looking at gigabyte links, and now we’re testing with 10 gigabyte links, which are at an ISP level,” Lazarescu said.

PEIMA took about six to eight months to develop, and testing was carried out under a classic scenario in online gaming, where gaming companies aim to ensure that users don’t try to gain an advantage through DDoS attacks or freezing out other players.

This means gaming companies have a vested interest in making sure that every single player has exactly the same amount of bandwidth and the same reaction time.

Lazarescu said part of this testing was to see if it was effective in allowing all players to play without any problems. It worked.

From the tests conducted, Lazarescu estimates that PEIMA is effective enough to remove 92 per cent to 96 per cent of bad traffic.

He is also 100 per cent confident that if PEIMA had been running during the Census, the failure would not have happened.

The team now wants to test on a larger scale with ISPs and see if the team’s effectiveness estimates are correct.

“If that’s the case, then denial of service attacks will no longer be an issue – period,” Lazarescu said.

“If we remove, let’s say, only 80 per cent of the malicious traffic … that’s better than anything else that is out there [at the moment].”

[Image: (Back L-R) Dr Sonny Pham, Dr Sie Teng Soh, (Front L-R) Professor Mihai Lazarescu, Stefan Prandl.]