On the inference and prediction of DDoS campaigns

AbstractThis work proposes a distributed denial‐of‐service (DDoS) inference and forecasting model that aims at providing insights to organizations, security operators, and emergency response teams during and after a DDoS attack. Specifically, our work strives to predict, within minutes, the attacks' features, namely intensity/rate (packets/second) and size (estimated number of used compromised machines/bots). The goal is to understand the future short‐term trend of the ongoing DDoS attack in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. Our analysis employs real darknet data to explore the feasibility of applying the inference and forecasting models on DDoS attacks and evaluate the accuracy of the predictions. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods, and forecasting approaches. The extracted inferences from various DDoS case studies exhibit a promising accuracy reaching at some points less than 1% error rate. Further, our approach could lead to a better understanding of the scale, speed, and size of DDoS attacks and generates inferences that could be adopted for immediate response and mitigation. Moreover, the accumulated insights could be used for the purpose of long‐term large‐scale DDoS analysis. Copyright © 2014 John Wiley & Sons, Ltd.