Poisoning of Online Learning Filters: Ddos Attacks and Countermeasures

Poisoning of Online Learning Filters: DDoS Attacks and Countermeasures

Wesley Joon-Wie Tann & Ee-Chien Chang Department of Computer Science, National University of Singapore [email protected],[email protected]

Abstract—The recent advancements in machine learning have against them. Online approaches typically perform incremental led to a wave of interest in adopting online learning-based ap- updates as more attack requests are observed to mitigate the proaches for long-standing attack mitigation issues. In particular, malicious requests rapidly during an attack. However, such DDoS attacks remain a significant threat to network service avail- online learning methods assume that the attackers are static and ability even after more than two decades. These attacks have been that their behaviors stay the same during an attack. While these well studied under the assumption that malicious traffic originates approaches are applicable to a static attacker, what if “crafty” from a single attack profile. Based on this premise, malicious traffic characteristics are assumed to be considerably different attackers can dynamically change their attack behavior? We from legitimate traffic. Consequently, online filtering methods are focus on studying such shifting attacks on online learning- designed to learn network traffic distributions adaptively and based DDoS filtering. rank requests according to their attack likelihood. During an attack, requests rated as malicious are precipitously dropped Existing online learning-based filtering mechanisms can by the filters. In this paper, we conduct the first systematic be broadly categorized into two groups. In one group, the study on the effects of data poisoning attacks on online DDoS approaches [7], [19], [3] either employ simple decision tree filtering; introduce one such attack method, and propose practical methods or basic machine learning algorithms. The other protective countermeasures for these attacks. We investigate group [29], [4] takes a deep learning approach, where the latest an adverse scenario where the attacker is “crafty”, switching work [29] proposed two online filtering methods designed to be profiles during attacks and generating erratic attack traffic that computationally efficient to respond in a real-time environment is ever-shifting. This elusive attacker generates malicious requests where time constraint is a crucial consideration. Conversely, by manipulating and shifting traffic distribution to poison the there is minimal literature that analyzes the effectiveness of training data and corrupt the filters. To this end, we present a fluctuating DDoS attacks on filtering methods. One study [18] generative model MIMICSHIFT, capable of controlling traffic generation while retaining the originating regular traffic’s intrinsic found that adaptive statistical filters cannot effectively mitigate properties. Comprehensive experiments show that online learning malicious traffic from attackers that dynamically change their filters are highly susceptible to poisoning attacks, sometimes behavior, performing much worse against a dynamic attacker performing much worse than a random filtering strategy in than if the attacker was static. Most other works [11], [32], [6], this attack scenario. At the same time, our proposed protective [24], [24], [10], [20] perform adversarial attacks on targeted countermeasure effectively minimizes the attack impact. DDoS detection systems. However, there is no study on the effects of erratic attack traffic on online learning DDoS filters. I.INTRODUCTION In this paper, we study the effects of poisoning attacks on With the accelerating adoption of machine learning in online learning-based filtering, where the attacker dynamically the enterprise, poisoning attacks [16], [35], [12] on learning changes its behavior and generates fluctuating requests that systems are increasingly common. These attacks generally vary from one time interval to the next. Our investigation of compromise the integrity of a learning system by injecting the elusive DDoS attack scenario is much more elaborate than unsanitized malicious samples into the training dataset, leading those considered in existing online filtering approaches [29], arXiv:2107.12612v1 [cs.CR] 27 Jul 2021 to terrible system performance. As a result, it poses a serious [7], [19], [3]. In particular, we study a sophisticated setting problem for online cyberattack mitigation systems. One such where the attacker is “crafty”, shifting its attack behavior (e.g., cyberattack, the Distributed Denial-of-Service (DDoS), denies distribution of requests and features) periodically to corrupt the legitimate users access to resources on a target network by adaptive filters. The attacker models the attack traffic on the sending an overwhelmingly large amount of traffic to exhaust normal-day traffic N and generates malicious traffic At with the victim network’s resources. As a result, legitimate users different distributions in short timeframes t’s while mimicking receive severely degraded to no service. As recent as Q1 2020, properties of normal traffic. Amazon Web Services (AWS) reported the largest publicly disclosed attack on record at 2.3 Tbps (https://aws-shield-tlr.s3. Under this shifting attack setting (see Figure 1), the online amazonaws.com/2020-Q1 AWS Shield TLR.pdf). The previ- learning filters utilize traffic data from two operational periods, N A ous record was held by the GitHub Memcached-based DDoS (1) normal-day traffic , and (2) the attack-day traffic to attack, which peaked at 1.35 Tbps in February 2018. learn and update its filtering policy. Normal traffic behavior can be learned by performing intensive processing on N . As more and more present-day adaptive DDoS filtering However, during an attack, the incoming traffic A is divided methods adopt an online machine learning approach, we into short intervals of ` minutes (e.g., ` = 1). The attack traffic anticipate the growing urgency to study the effects of poi- (A0, A1, A2,...), where At contains the traffic during the t-th soning attacks on DDoS filters and find practical defenses interval, will be used for the online training and update of the separate DDoS attacks from these datasets, containing both generated traffic and anonymized traffic traces from a real- world attack, respectively. In the experiments, we first train a filtering model N based on anomaly detection techniques. It uses only the normal traffic for learning to determine if requests during an attack are legitimate or malicious. This model sets a baseline for Fig. 1: Illustration of fluctuating DDoS traffic: In this case, us to compare MIMICSHIFT. Empirical results show that a “crafty” attacker is not only able to learn from the normal MIMICSHIFT can generate attack traffic that eludes online traffic N to generate attack traffic that mimics characteristics filtering systems, attaining close to 100% false-negative rates of normal traffic; the attacker constantly shifts the attack traffic at times (see Table IV, Figures 3 and 4 for experiment details). At data distribution from one interval to the next, in order to It effectively negates the filtering capabilities, making the corrupt and elude online learning filtering methods. performance worse than a 50-50 random guess. Next, we introduce a simple yet effective protective countermeasure that greatly minimizes the attack impact, achieving a significant boost in filtering performance (see Table VIII). It serves as a filters to learn attack traffic behavior. The filters then use these starting point for the future research of robust countermeasures. last updated models to create and identify a blacklist of attack identities (e.g., IP addresses), and filter them accordingly. Furthermore, our experiments also show that the different acceptance or rejection thresholds significantly affect To this end, we formulate a controllable generative method the filtering performance. A slight change in the acceptance that captures the sophisticated attack setting described above. threshold could considerably affect the false-negative rate, We present MIMICSHIFT, a conditional generative method for allowing markedly more attack requests to be accepted. The controlling network traffic generation to generate shifting and result powerfully demonstrates the robustness of MIMICSHIFT. unpredictable traffic. Our method is inspired by a controllable Interestingly, even when we only use a random combination approach [28] that is based on a conditional generative ad- of three Markov model parameter settings for the different versarial network, and it addresses the challenge of generat- attack traffic distributions, it severely degrades the online ing network requests of varying distributions. It is achieved filtering performance. While this may appear counter-intuitive, by using request features such as Request Len and TCP we believe that two reasons can explain the results. (1) The Window Size that capture the intrinsic request properties. primary objective of the MIMICSHIFT generative method is These features form the condition that we control to guide to learn from the normal traffic and replicate it as closely as the traffic generative process. The method introduces control possible, and (2) the online filtering methods are designed to by leveraging the conditions, managed with a transparent adapt quickly to new data and place higher importance on Markov model, as a control vector. It allows us to influence the latest observed attack traffic. Hence, online learning filters the generative process. By specifying the density distribution could be easily influenced and deceived by shifting attack parameters of the Markov model, the method can generate traffic. requests with different proprieties. Contribution. We show that by the clever shifting of attack traffic distribution periodically, the attacker can effectively inun- 1) We formulate the problem of corrupting and eluding date online learning filtering systems through such poisoning online DDoS filtering by poisoning attacks. The at- attacks. We maintain that it is a compelling result as it tacker, only observing normal traffic, can generate suggests that existing proposed online filtering mechanisms attacks that mimic the observed traffic and shift are inadequate in mitigating poisoning attacks against online behaviors during the attack process. learning systems. We design a deep-learning-based generative 2) We design a mimic model, which can replicate fea- approach, MIMICSHIFT, and demonstrate the effectiveness of tures of any given requests, producing features of poisoning attacks. The main advantage of MIMICSHIFT is the specified distributions that follow a simple and easy- controllability of the generative process. It first learns normal to-understand Markov model. Leveraging on this behavior from normal traffic, and generates synthetic traffic mimic function, we propose a controllable generative that is subject to manipulation, producing requests of different attack method, which undermines the capabilities of specified distributions. The control is performed in an easy-to- online filtering systems, making them perform worse understand Markov process to derive traffic distribution based than a 50-50 random guess filtering strategy. on the Markov model parameters. We believe that this Markov 3) We propose a simple yet practical countermeasure process provides an intuitive approach to the control of shifting that dramatically diminishes the success of poisoning traffic distributions. attacks on online learning filters. 4) We conduct experiments that evaluate the poisoning We evaluate the proposed controllable poisoning attack on attacks on two state-of-the-art online deep-learning- two state-of-the-art online deep-learning DDoS filtering meth- based DDoS filtering approaches. The empirical re- ods, N-over-D and Iterative Classifier [29]. Our evaluation is sults demonstrate both the efficacy and robustness of performed on the same datasets presented in the existing online the attacks generated by MIMICSHIFT. filtering work [29] to set a fair comparison benchmark. The two publicly available network datasets are (1) CICIDS2017 [27] Organization. We organize the rest of the paper by presenting and (2) CAIDA UCSD “DDoS Attack 2007” [8]. We use three the background information and challenges of the eluding

2 DDoS detection problem in Section II. We introduce the way or another, there is no study on the effectiveness of problem in Section III and propose an appropriate conditional poisoning attacks on online deep-learning DDoS filters. The generative adversarial network approach in Section IV. We most relevant work is a study [18] on adaptive statistical filters. then detail the generative approach in Section V. In Section VI, It was determined that adaptive statistical filters perform much we describe the datasets and evaluate our approach on online worse against attackers that dynamically change their behavior. filters, comparing them with regular DDoS traffic. We also However, there are no such studies for online deep learning discuss several practical issues of our approach in Section VII. filters. Finally, we summarize related work in Section VIII and conclude the paper in Section IX. C. Data Poisoning Data poisoning is a type of attack, where an attacker can II.BACKGROUNDAND CHALLENGES inject malicious data, that targets machine learning models This section gives an overview of existing machine during the training phase. Most existing poisoning attacks [1], learning-based DDoS filtering methods and detection mech- [12], [26], [33], [35] compromise the training dataset. The anisms; we highlight the ease of detecting DDoS attacks in attacks aim to compromise the integrity of a machine learning such systems. Next, we cover attacks on DDoS defenses and system by having a model learn on unsanitized data, which highlight poisoning attacks. manipulates a model to learn a high error rate on test samples during operation, leading to abysmal performance and the A. Online DDoS Filtering nullification of the model’s effectiveness. It was first studied by Biggio et al. [1] against support vector machines. Beyond Several unsupervised learning mitigation strategies [19], linear classifier models, others have studied poisoning in areas [7], [3] have been proposed to counter such attacks in an such as collaborative filtering [16], generative method against online manner. These learning-based methods, employing rudi- neural networks [34], and topic modeling [21]. However, there mentary machine learning algorithms, e.g., random forest, is no study on data poisoning attacks targeting online learning logistic regression, decision tree, perform clustering and simple filtering methods. distance measure using a few elementary features. While they can capture some basic network traffic properties, they III.ELUDE DDOSFILTERING are unable to learn deeper representations of legitimate and malicious requests to better distinguish between the two types In this section, we formulate the problem of poisoning of traffic. Moreover, the optimization goal of these methods is and eluding DDoS filtering, and we discuss the challenges not clear. of avoiding online learning detection models that constantly update themselves. We also provide an illustrating example to In one of the most recent online deep learning filtering describe the problem and highlight its relevant concepts. methods presented in Tann et al. [29], the two proposed approaches perform filtering by utilizing both the normal- A. Eluding DDoS Filters day and the attack-day mixture traffic. The traffic consists of unlabeled requests. One approach estimates the likelihood that We model the interactions between a clever attacker and each request is an attack, given that it is from the attack- an online-learning DDoS filter as a game. In this game, there day mixture traffic. The other approach formulates a loss are mainly three notions relating to every time interval t: (1) function specific to a two-class classifier with the objective the estimated attack traffic distribution Abt of the filter at each to classify requests from normal traffic as normal and an interval, (2) the generated attack traffic distribution Aet that the estimated proportion of requests during the attack as malicious. attacker constantly shifts from one interval to the next, and (3) The two approaches demonstrate to be suitable for attacks with the filter model Ft, which makes the decision on requests that a short time frame. are to be dropped during an attack. The goal of an attacker is to shift the distribution of attack traffic dynamically, deceiving B. Attacking DDoS Defenses the filter into approximating an inaccurate attack distribution, such that it is unable to distinguish between normal and attack While several DDoS filtering methods exist, there is a requests accurately; effectively carry out a poisoning attack. shortage of literature on deep generative models targeting DDoS detection systems. In recent years, some methods [11], Motivating Example. Let us consider a scenario where an elu- [32] were proposed to generate adversarial samples to evade sive attacker aims to disrupt the network service availability of DDoS detection. On the one hand, some of these methods were a target victim server by overwhelming the target with a flood employed in a white-box setting. The attackers are assumed to of unpredictable attack traffic. In this scenario, the attacker know the details of the target deep-learning intrusion detection decided to attack the victim service provider in the application system, which is not practical in the real world. On the layer, as such attacks are especially effective at consuming other hand, another group of methods [6], [24], [24], [10], server and network resources. A request in the application- [20] is presented as black-box attacks, where the attacker has layer DDoS could be a sequence x = (x1, x2, . . . , xL) of very limited knowledge of the target model, such as only the sub-requests x’s. For example, a visit to a website consists of model’s output. Both evasion methods perform perturbations an HTTP-GET request to the landing page, followed by other on samples until an adversarial sample successfully evades the requests. Each user who makes a request x, a sequence of target DDoS detector. sub-requests, corresponds to an IP address. While these methods perform evasive attacks on DDoS Most network service providers would have DDoS filtering intrusion systems by manipulating adversarial samples in one mechanisms and protective systems monitoring the availability

3 and performance of their networks. Such a DDoS filtering C. Elusive Attacker mechanism is often an online learning-based filter that makes The attacker takes as input a request sample x from normal the decision to drop abnormal requests based on some ex- traffic N and generates another request x = (x , x ,..., x ) tracted salient features, with an adaptive model trained on e e1 e2 eL that mimics the normal traffic. In addition, the attacker shifts observed network traffic. Therefore, it is reasonable to assume the distribution of the generated requests in order to fool the that the attacker would not have any knowledge about the filter. It can be achieved by leveraging some data features protective filtering system that the network service provider has as conditions to control the traffic generation process. Each in place (e.g., the features, time interval, and data used by the request x is associated with some selected feature that is filter). Nevertheless, the attacker can always probe the filter by grouped into classes k ∈ K (e.g., the various request payload making malicious requests and study the provider’s response i sizes), and it corresponds to the request in N . Through these (accept/reject) via the status code. For example, receiving selected features, the attacker is able to control the distribution the code HTTP 403 means that the requested resource is during the generative process. We denote this time-varying forbidden by the provider. However, we assume that the A attacker can only probe the provider’s filter a limited number distribution as et. The attacker can take advantage of the of times before its IP address is blacklisted. useful properties of the network features to manipulate the generated samples. To avoid detection, the attacker has a generator that For example, the attacker can use the TCP Len feature generates controllable network requests modeled on normal as one of the conditions to vary the distribution of generated traffic. For instance, the generator is able to dynamically requests. In one interval, the attacker can generate attack generate malicious traffic requests by allowing the attacker to distribution Aet with requests of longer packet lengths. In control the distribution shift of generated traffic. Due to the contrast, the next interval could be generated with short packet attacker’s limited knowledge of the underlying online DDoS lengths. Nevertheless, such traffic features are not fixed, and protection mechanism, only by constantly shifting its attack it is always up to the attacker to select from the set of all traffic distribution, can the attacker confuse the online learning network traffic features. As the goal of the attacker is to filter, and it allows the attacker to be always one step ahead generate unpredictable requests and attempt to get the online of the filter’s estimation of the attack profile. Given the strict learning filter to accept as many of them as possible, it is constraints, we aim to investigate the effectiveness of such sufficient for the attacker to mimic the normal traffic and find attacks. a distribution Aet that the filter’s estimated distribution Abt is unable to accurately capture in time. B. Online Learning-Based Filtering IV. PROPOSED GENERATIVE METHOD For the online filter, we use the deep learning filters [29] In this section, we present the controllable generative that demonstrated effectiveness against DDoS attacks in an method MIMICSHIFT that generates unpredictable malicious online setting. The two filters proposed are the N-over-D traffic with varying distributions for poisoning online learning nets and Iterative Classifier. Their goal is to filter out an DDoS detection filters. It is a generative model that leverages estimated proportion of malicious requests during an attack. both conditional modeling and generative adversarial networks The considered filter is one that learns on both the traffic from (GANs) to generate sequence data. The approach is inspired by two operational periods for model training. As an abnormally the controllable generative model [28] that poses the problem large number of requests characterizes attacks, it can be readily of controlling the distribution of biased random walks to detected in practice. The first period is the normal-day traffic generate networks of desired structures. N , where the requests are logged during the normal period. The second period is the attack-day traffic A that contains a We design MIMICSHIFT as a controllable network request mixture of unlabeled legitimate and malicious traffic. Based generation method (see Figure 2). It is based on a condi- on the volume of attack traffic, it is assumed that the filter is tional GAN framework. MIMICSHIFT leverages selected traffic able to roughly estimate the proportion of attack requests α features (e.g., Request Len or TCP Window Size) as in A. All requests in N are considered to be normal, whereas a control vector to influence the generative process. During traffic in A is unlabeled. the training phase, MIMICSHIFT first takes normal requests x as input and selects some corresponding features s as the In an online setting, the filtering process can be broadly condition for controlling the request generation. Next, the categorized into three stages. First, during a normal period, method trains an imitative mimic model C, which inputs intensive processing and training can be performed on normal- the feature sequences s of the corresponding requests x in day traffic N to learn an accurate intermediate model Nb0 the normal traffic N , and it generates representative feature of normal requests. Next, when an attack begins, the filter sequences se that mimic the real features. After learning to model starts its online learning of incoming mixture traffic A. mimic the features, a generative model G then takes these The mixture traffic can be divided into intervals of ` minutes representative feature sequences se as conditions to produce (e.g., ` = 1), and ordered accordingly (A , A , A ,...), where 0 1 2 generated attack requests xe. The goal of G is to capture the At contains the mixture within the t-th interval. At each distribution of normal traffic requests and generate synthetic interval t, the model, trained on At−1 and some intermediate requests that are as closely similar as possible to the normal representation Nbt−1, giving the updated Nbt and a model Ft. requests. At the same time, a discriminative model D estimates Finally, the trained model Ft is used to estimate the attack the probability that a request sequence and its corresponding traffic distribution Abt and perform the filtering of incoming features are produced by G or a real normal request; its goal requests. is to distinguish between the synthetic and real requests.

4 Fig. 2: MIMICSHIFT: The proposed generative method for controlling and generating network trafﬁc with shifting distributions.

After training the models C, G, and D, we specify the V. IMPLEMENTATION DETAILS Markov model parameters (π, A) for controlling the mimic In this section, we describe in detail each stage of the model C, producing representative requests based on the speci- MIMICSHIFT generative process and formally present the fied parameters to produce representative features s that follow e procedure (see Algorithm 1). the intended transition dynamics. We then control the request traffic generative process with these designed features se, and it influences the generator G to create synthetic manipulated A. Mimic Model requests xe. We provide details of our method and design The mimic model C is a sequence-to-sequence model. It is choices below. designed to learn normal traffic behavior by modeling features Using the conditional GAN framework, we train both G of sub-requests in the sampled requests. Given a sequence and D conditioned on some particular information—selected of normal traffic request features, the model then predicts features s corresponding to its requests x. We designed our the input sub-request features one at a time as the features model to allow itself to be significantly influenced by some are observed. We design C using a long short-term memory user-specific features such as TCP Len or any other network (LSTM) [9] neural network. The purpose of C is to model request feature. As a result, the model can (1) introduce normal traffic, retaining memory of its behavior, and provide a high dimensional control vector to generate unpredictable a vector of control for the ensuing generative process. requests, and (2) directly control the data generation process to When given sampled sequences of features (s1,..., sL) confuse and elude DDoS filters. For example, by using payload as inputs, the mimic model C learns to generate synthetic information of the requests, we can learn the distribution features (se1,..., seL) that mimic the inserted normal fea- of normal payloads, using this information, then explicitly tures. For example, a sample input Request Len sequence generate requests that mimic normal traffic closely. (60, 1514, 52, 60,..., 66) given to C could result in such Following the first introduced conditional GAN frame- an output of (60, 60, 1514, 60,..., 66), which closely mimics work [22], we present the conditional GAN training for normal traffic features. network traffic requests and define the loss function as: B. Generator L = log(D(x | s)) + log(1 − D(G(z | s))) (1) The generator G is a probabilistic sequential learning where z ∼ N (0, Id) is the latent noise sampled from a model. It generates network requests (xe1,..., xeL) ∼ G multivariate standard normal distribution. conditional on the selected features. We model G using another parameterized LSTM network f . At each step l, the We represent the normal network traffic as a binary adja- θ LSTM network f takes as input the previous memory state cency matrix A¯ ∈ {0, 1}N×N of N different types of requests. θ m of the LSTM model, the current feature s , and the We then sample sets of random walks of length T from l−1 el last request x . The model produces two values (p , m ), adjacency matric A¯ to use as training data x for our model. el−1 l l where p denotes the probability distribution over the current The sampled random walks are network requests where each l request and m the current memory state. Next, the current request could be made up of a sequence x = (x , x , . . . , x ) l 1 2 L generated request x is sampled from a categorical distribution of sub-requests x’s. Following [28], we employ a biased el x ∼ Cat(σ(p )) using a one-hot vector representation, where second-order random walk sampling strategy. One of the el l σ(·) is the softmax function. properties of such a random walk is that the walks only include connected sub-requests, which efficiently exploits the In order to initialize the model, we draw a latent noise from sequential nature of requests in real-world network traffic. a multivariate standard normal distribution z ∼ N (0, Id)

5 D. Controlling Generated Graphs Algorithm 1 Controllable network traffic generative adversar- Our MIMICSHIFT method takes features as conditions to ial nets training process. We use the hyperparameter ω = 3 input into the generator and influences the generated output for the number of loops to update the discriminator D. requests, creating requests with various feature densities. To for number of training iterations do produce unpredictable network traffic, our method constantly shifts the distribution of the conditions. The method’s goal is (1) (m) Sample m samples {x ,..., x } from N traffic to provide controllability to the attack and generate requests Extract respective m features {s(1),..., s(m)} that mislead the filter, allowing the attack requests to elude Update mimic model C: detection. m K 1 P P (c) (c) For any requests with some desired distribution, we first ∇θs m [− s log C(s )] i=1 c=1 build a Markov chain model some user-specified transition (1) (m) distribution and construct specific sequences of features. These Generate m features {se ,..., se } using C (1) (m) sequences are then injected into the mimic C to generate fea- Sample m noise samples {z ,..., z } ∼ N (0, Id) tures (se1,..., seL) that mimic the sampled features of normal Update generator model G: IMIC HIFT m requests. Next, we train the M S model on normal ∇ 1 P[log(1 − D(G(z(i) | s(i))))] requests x. Given the trained model, we construct features θg m e i=1 (s1,..., sL) that follow some specified distribution, and use for ω loops do e e the generator G to produce desired requests xe. Through this Update discriminator model D: process, the attacker can control the feature conditions and m generate unpredictable requests with varying distributions. ∇ 1 P[log D(x(i) | s(i)) + log(1 − D(G(z(i) | θd m e i=1 (i) For example, by controlling the parameters of the mimic se )))] feature, our method is the ability to generate attack traffic end for that has shifting distributions. The features provide a vector end for of control to how requests are generated. We influence the generative process by constructing mimic features of desired distribution using the mimic model C. First, we construct select features by specifying the parameters of a transparent and pass it through a hyperbolic tangent function gθ0 (z) to and straightforward Markov model: (1) initial probability dis- compute memory state m0. Generator G takes as inputs the tribution over K classes π = (π1, π2, . . . , πK ), where πi is the noise z and sampled features s, and it outputs generated probability that the Markov chain will start from class i, and requests (xe1,..., xeL). Through this process, G generates (2) transition probability matrix A = (a11a12 . . . ak1 . . . akk), attack network requests. where each aij represents the probability of moving from class i to class j. Next, we input these constructed sequences into mimic model C, and it returns model-generated features learn C. Discriminator to replicate the original normal features. Finally, by injecting these constructed sequences into our trained generator G, we The discriminator D is a binary classification LSTM generate attack requests that follow the specific distribution. model. The goal of D is to discriminate between benign requests sampled from the normal-day traffic N and malicious VI.EVALUATION requests generated by G. At each time-step l, the discriminator In this section, we present the evaluation of online deep takes two inputs: the current request xl and the associated learning filters performed on various DDoS attacks with fluc- feature condition sl, both represented as one-hot vectors. After processing each presented sequence of requests and features, tuating requests. We demonstrate the ineffectiveness of such D outputs a score between 0 and 1, indicating the probability filters against our generative attack method MIMICSHIFT, and of a normal request. compare their performance against known DDoS attacks.

After training the model, we have both a mimic C and a A. Datasets generator G that generates attack requests. First, the mimic takes as input some user-defined class distribution and con- The datasets we use are from two publicly available network datasets: structs a relatively small number of features (se1,..., seL) (e.g., 10, 000). Next, the generator takes the mimic model 1) CICIDS2017 1 [27] constructed features as conditions for generating a large set of 2 requests (e.g., 10, 000, 000). Using this large set of requests, 2) CAIDA UCSD “DDoS Attack 2007” [8] S we construct a score matrix by counting how often a request containing generated network traffic resembling real-world appears in the set of requests. We could then convert S into ˆ attacks and anonymized traffic traces from a DDoS attack on a binary adjacency matrix A by first setting sij = sji = August 04, 2007, respectively. From these two datasets, three max{sij, sji} to get a symmetric matrix, by using simple distinct DDoS attacks are extracted for evaluation. binarization strategies such as thresholding or choosing top- k entries. Such a probabilistic strategy mitigates the issue of 1www.unb.ca/cic/datasets/ids-2017.html leaving out requests with a low count. 2www.caida.org/data/passive/ddos-20070804 dataset.xml

6 Synthetic Benchmark Data. In the first dataset for evaluation, on these attacks. First, we select the feature to mimic and use we use the synthetic CICIDS2017 [27] dataset provided by the as a control vector to influence the generative process. After Canadian Institute for Cybersecurity of the University of New selecting the appropriate feature, we specify the distributions Brunswick (UNB), Canada. The human traffic was generated for shifting the attack requests, and generate fluctuating traffic by modeling the abstract behavior of user interactions, and to attack the online filtering methods. the response of 25 users based on the HTTP, HTTPS, FTP, SSH, and email protocols were used to create the abstract Feature Analysis. In order to select a feature for the appro- behavior. The implemented attacks include DoS and DDoS. priate condition as a control vector, we perform an analysis While the data consists of the most up-to-date common DDoS of the features in the normal traffic. We found that the attacks over five days (Monday–Friday) of network activity, distributions of the features of the normal traffic are highly we select two volumetric attacks, one on Wednesday and one skewed. This skewness is because a large majority of the traffic on Friday. The traffic traces are in the pcap format, which is concentrated at a few top features, such as the most common includes information such as traffic flow statistics. IP flags, TCP lengths, and window sizes. The two attacks: (1) HULK and (2) Low Orbit Ion Canon (LOIC) last for 17 and 20 mins, respectively. We retrieve TABLE II: Feature analysis of Request Len in the normal normal traffic data prior to the attacks that is as close as traffic of all three datasets. The distribution of the requests are possible to the attacks in order to learn a meaningful gen- mostly concentrated in the top few classes of the feature. eralization of legitimate users in the particular days. This Top normal data is then used to train our MIMICSHIFT generative # Request Dataset Len 3 Distribution method. In each attack, after training MIMICSHIFT on the (%) respective normal traffic, we perform attack traffic generation with varying distributions. These unpredictable attack requests are then fed into the online learning filters for training and testing. We leave the last set of generated requests as the test HULK 3753 79.7 set, evaluate the filters on them, and compare with the original DDoS attack traffic. Real-world Data. In the second dataset, we use a real-world attack CAIDA07 UCSD “DDoS Attack 2007” [8]. This attack occurred on August 04, 2007, and affected various locations LOIC 3490 60.4 around the world. It contains anonymized traffic traces from a DDoS attack that lasted around an hour, including network traffic such as Web, FTP, and Ping. These traces mostly only include attack traffic to the victim and responses from the victim, and non-attack traffic has been removed as much as possible. The network load surges dramatically from about 200 kbits/s to about 80 Mbits/s within a few minutes. We CAIDA07 1059 91.2 use all available traffic traces before the attack as normal data for training our generative method. Next, we generate unpredictable attack requests of varying distributions. The filters then perform online learning on our generated data, and For example, using the Request Len feature, as an the last set of generated attack traffic is used as the test set to illustration, it can be seen in Table II that the traffic is evaluate the filters. concentrated in the top few lengths of the feature. In the CAIDA07 dataset, the top three request lengths (60, 52, 1500) TABLE I: Generated attack test data. Both HULK and LOIC make up 91% of the normal traffic, with the top length (60) attacks are from the CICIDS2017 benchmark [27], and the accounting for 81% of the traffic alone. As for the LOIC 2007 Attack is from CAIDA07 real-world [8] dataset. dataset, the top three request lengths (60, 66, 1514) make up 60% of the normal traffic; the top three features (60, 1514, Dataset # Total # Normal # DDoS DDoS (%) 2974) of the HULK dataset make up 80% of the total normal HULK 12996 2888 10108 77.8 traffic. LOIC 12506 2506 10000 80.0 CAIDA07 12263 2263 10000 81.5 As the distribution of the feature Request Len is concentrated in the top few classes, we group all of them into We provide the summary statistics of the generated test three classes for our experiments. The first two classes are the attack request data in Table I, showing the proportion of attack top two features, and the third class consists of all the other traffic for each dataset. features. We design it such that the distribution of the three classes is more uniform and increases the variability of feature B. Mimic Attacks distribution. Next, we generate fluctuating DDoS attack traffic based Distribution Parameters. We specify the Markov model pa- on both the CICIDS2017 and CAIDA07 datasets, to perform rameters, initial probability distribution π = (π1, π2, π3) and a detailed evaluation of the online learning filtering methods transition probability matrix A = (a11a12 . . . a31 . . . a33), used

7 in our experiments for controlling the shift of the generated Both filtering approaches are evaluated using the online mimic attacks. We use various parameters for all the datasets. interval of 1 min (` = 1) and a rejection rate at 80%. Using such settings, it means that each At is collected over a period of 1 min for learning and filtering, dropping 80% of the TABLE III: Distributions of the generated attack data. All requests. In addition, we also use an offline approach for attacks, HULK, LOIC, and CAIDA07, use these specific distri- comparison. In this setting, the interval is set as ` = ∞. butions. We suppose that all normal and attack data is available for training the models. The offline setting effectively shows that Dataset π A it is not easy for models to learn to generalize over the different 0.98 0.01 0.01 distributions. By taking an offline approach that trains on all A0 0.9 0.05 0.05  0.1 0.6 0.3  available data, we can (1) study how effective the varying 0.0 0.1 0.9 distributions of attack traffic are on online filtering methods, and (2) obtain a reference performance limit for the online  0.9 0.1 0.0  filtering results. A1 0.05 0.05 0.9  0.1 0.6 0.3  0.03 0.02 0.95

0.9 0.1 0.0 D. Evaluation Results A2 0.05 0.9 0.05 0.1 0.7 0.2 0.0 0.1 0.9 We measure the performance of the two filtering approaches. As demonstrated in Table IV, Figure 3, and Figure 4, both N-over-D and Iterative Classifier result in high false- The attack is divided into three traffic (A0, A1, A2) with negative rates and high false-positive rates across the three different distributions (see Table III). At each time period different attacks, thereby undermining the effectiveness of during the attack, one of the attack parameter settings is the filter and reducing it to no better than a random guess. picked at random for At. Our model MIMICSHIFT would then These results show that unpredictable attack traffic essentially generate attack traffic according to the specified distributions, disables online learning filters. and produce fluctuating traffic to attack the online filtering methods. The reported evaluation metrics used are False Negative Rate (FNR), False Positive Rate (FPR), Accuracy (ACC), C. Online Filtering Methods Precision (Prec.), Recall (Rec.), and F1 Score (F1). The two most relevant metrics are FNR and FPR. False Negative Rate is We perform a detailed evaluation of the online learning the rate that attack requests are wrongly classified as legitimate filtering methods on the generated mimic attacks, and report and not dropped by the filtering methods. False Positive Rate the filtering capabilities to identity attack requests from normal reflects the rate that requests are from normal traffic but traffic. The two online filtering methods are the latest state-of- predicted as attack and rejected by the filters. The evaluation the-art deep learning approaches to DDoS filtering [29]: metrics are defined as: 1) N-over-D approach 2) Iterative classifier approach FNR = FN/(FN + TP ) that take a principled approach to estimate conditional prob- FPR = FP/(FP + TN) abilities and an online iterative two-class classifier design for a specifically formulated machine learning loss function, ACC = (TP + TN)/(TP + TN + FP + FN) respectively. Prec. = TP/(TP + FP ) In the N-over-D approach, the technique approximates the likelihood that a network request is an attack, given that it Rec. = TP/(TP + FN) is observed in the attack traffic. It is achieved with a two- step process. The first step applies an unsupervised learning F1 = 2[(P rec. × Rec.)/(P rec. + Rec.)] model on the normal-day traffic to obtain a model that learns the distribution of normal traffic. Then, when a DDoS attack where TP = True Positives, TN = True Negatives, FP = is detected, the second step is activated, and it trains another False Positives, FN = False Negatives. unsupervised learning model to learn the distribution of the In Table IV, the results demonstrate that it is a trade-off attack traffic rapidly. At any time, the conditional probability between letting attack requests through and denying legitimate can be estimated by taking the ratio of the normal-traffic requests. The N-over-D approach achieves a lower false- distribution over the attack-traffic distribution. negative rate (FNR) than the Iterative Classifier, but it has As for the Iterative Classifier approach, a particular ma- a much higher false-positive rate (FPR). On the one hand, it chine learning loss function is formulated for fast online means that while the N-over-D allows a smaller proportion learning using one learning model. An online iterative two- of the attack requests through, it rejects many of the normal class classifier performs joint learning on both the normal requests, denying a large portion of the legitimate requests. On and attack operational periods, fully leverages all available the other hand, the iterative classifier has a higher FNR but a information for model training. It is suitable for filtering lower FPR, indicating it allows more legitimate requests at the attacks within a short time frame. expense of more attack requests.

8 TABLE IV: [Filtering Performance] The performance of N-over-D and Iterative Classiﬁer on the various shifting attack trafﬁc in CICIDS2017 and CAIDA07 datasets.

Dataset Model FPR FNR ACC Prec. Rec. F1 N 0.2790 0.7824 0.9019 0.9196 0.9561 0.9375 N-over-D (` = 1) 0.6295 0.8997 0.7403 0.8186 0.8511 0.8345 N-over-D (` = ∞) 0.6461 0.9693 0.6461 0.7597 0.7899 0.7745 HULK Iterative Classifier (` = 1) 0.5684 0.6802 0.8435 0.8780 0.9252 0.9010 Iterative Classifier (` = ∞) 0.6619 0.7006 0.7864 0.8702 0.8548 0.8624 N 0.2350 0.7863 0.9062 0.9411 0.9416 0.9414 N-over-D (` = 1) 0.6532 0.8882 0.7386 0.8364 0.8368 0.8366 N-over-D (` = ∞) 0.9741 0.9836 0.6100 0.7560 0.7564 0.7562 LOIC Iterative Classifier (` = 1) 0.2003 0.8823 0.2085 0.0520 0.5538 0.0951 Iterative Classifier (` = ∞) 0.4102 0.6943 0.3798 0.3129 0.7795 0.4465 N 0.0013 0.7555 0.9825 0.9987 0.9798 0.9891 N-over-D (` = 1) 0.8025 0.7622 0.6884 0.8149 0.7995 0.8071 N-over-D (` = ∞) 0.7905 0.9288 0.6928 0.8177 0.8022 0.8099 CAIDA07 Iterative Classifier (` = 1) 0.1109 0.9434 0.8818 0.8754 0.9773 0.9236 Iterative Classifier (` = ∞) 1.0000 0.9266 0.9753 0.9998 0.9708 0.9851

Fig. 3: [False Negative Rate] The x-axis is the acceptance ratio (0–1), and the y-axis is the corresponding false accept rate. If the acceptance ratio is at 0.2, it means that only 20% of the requests are accepted, and the graph shows the rate of false negatives.

(a) HULK (FNR) (b) LOIC (FNR) (c) CAIDA07 (FNR)

(a) HULK (FPR) (b) LOIC (FPR) (c) CAIDA07 (FPR) Fig. 4: [False Positive Rate] The x-axis is the rejection ratio (0–1), and the y-axis is the corresponding false rejection rate. If the rejection ratio is at 0.8, it means that 80% of the requests are rejected, and the graph shows the rate of false positives.

9 E. Result Comparison TABLE VII: CAIDA07 shifting traffic. Performance compari- For comparison, we assess the performance of state-of- son. the-art online DDoS filtering methods, N-over-D and Iterative Attack Model ACC FPR Prec. Rec. F1 Classifier approaches, and note the difference. Using the CI- N 0.6009 0.2639 0.8958 0.5671 0.6945 Original N/D (` = 1) 0.6944 0.0251 0.9900 0.6242 0.7657 CIDS2017 and CAIDA07 datasets, we study how our generated CAIDA07 N/D (` = ∞) 0.6880 0.0411 0.9837 0.6202 0.7608 fluctuating attack traffic affects the filtering performance. More [29] Iter. (` = 1) 0.7081 0.0208 0.9919 0.6403 0.7783 importantly, we demonstrate that an attacker who can shift Iter. (` = ∞) 0.7088 0.0141 0.9945 0.6396 0.7785 its attack traffic distribution can significantly differ from the N 0.9825 0.0013 0.9987 0.9798 0.9891 Mimic N/D (` = 1) 0.6884 0.8025 0.8149 0.7995 0.8071 original attack traffic and effectively inundate online learning CAIDA07 N/D (` = ∞) 0.6928 0.7905 0.8177 0.8022 0.8099 filtering methods. Iter (` = 1) 0.8818 0.1109 0.8754 0.9773 0.9236 Iter (` = ∞) 0.9753 1.0 0.9998 0.9708 0.9851 HULK attack. We compare the online filtering performance on our generated fluctuating attacks and the original attack traffic. As shown in Table V, the FPR of the filtering methods While the mimic attacks demonstrate that online learning significantly increased from less than 10% to around 60%. It filters are ill-equipped to handle fluctuating traffic distributions, implies that the filtering systems are systematically classifying we discover that the N-only model is able to hold up well normal requests as attacks wrongly, making it worse than a against such attacks. As the N-only model only train on normal 50% random guess. traffic, the attack traffic does not affect the model, thereby enabling it to differentiate between normal and attack traffic TABLE V: HULK shifting traffic. Performance comparison. effectively.

Attack Model ACC FPR Prec. Rec. F1 N 0.5903 0.3837 0.7016 0.5739 0.6313 F. Attack Analysis Original N/D (` = 1) 0.8086 0.1030 0.9198 0.7524 0.8277 HULK N/D (` = ∞) 0.8291 0.0766 0.9403 0.7692 0.8462 We further analyze the poisoning attacks, shifting attack [29] Iter.(` = 1) 0.9088 0.0378 0.8831 0.7659 0.8204 traffic generated by MIMICSHIFT that eludes online DDoS Iter. (` = ∞) 0.9120 0.0206 0.9299 0.7313 0.8187 filters, to better understand the extent of the shifting traffic N 0.9019 0.2790 0.9196 0.9561 0.9375 Mimic N/D (` = 1) 0.7403 0.6295 0.8186 0.8511 0.8345 effects. We study the contrast between the estimated traffic HULK N/D (` = ∞) 0.6461 0.6461 0.7597 0.7899 0.7745 distributions during normal and DDoS periods by analyzing Iter. (` = 1) 0.8435 0.5684 0.8780 0.9252 0.9010 Iter. (` = ∞) 0.7864 0.6619 0.8702 0.8548 0.8624 these distributions from an empirical perspective. We conduct the study by using the N-over-D approach, Moreover, using the N model as a baseline, the accuracy which estimates the likelihood that a network request is an of both the online filters N-over-D and Iterative Classifier attack, given that it is observed in the attack traffic. The process significantly dropped from 90% to as low as 65%. The takes a two-step process, where the first step trains an N-only fluctuating mimic traffic effectively fools the online learning model on normal traffic to learn normal traffic characteristics. filtering methods. The other metrics, such as Precision, Recall, The next step activates another learning model, D, that takes and F1, are also significantly lower than the N-only model, an online approach to model the attack traffic. The approach which serves as our benchmark of an uncorrupted model that then approximates the conditional probability of the traffic by is not affected by the attack traffic in its filtering evaluation. taking N/D. Hence, we are able to clearly examine how the LOIC attack. attack traffic affects the online training process by studying the difference between models N and online D. TABLE VI: LOIC shifting traffic. Performance comparison. Using the CAIDA07 dataset for illustration, we study the normalized conditional probability scores of the attack traffic Attack Model ACC FPR Prec. Rec. F1 N 0.3257 0.6997 0.3889 0.3454 0.3659 (see Figure 5). Through these distributions, we observe the Original N/D (` = 1) 0.9330 0.0047 0.9959 0.8846 0.9370 LOIC differences between an anomaly detection method N-only and N/D (` = ∞) 0.9330 0.0047 0.9959 0.8846 0.9370 [29] the online learning approach N-over-D. In Figure 5a, we plot Iter. (` = 1) 0.8805 0.0329 0.8808 0.6494 0.7476 Iter. (` = ∞) 0.9486 0.0220 0.9016 0.8275 0.8630 the scores of normal traffic and attack traffic predicted with N 0.9062 0.2350 0.9411 0.9416 0.9414 the N-only model, showing a clear distinction between the two Mimic N/D (` = 1) 0.7386 0.6532 0.8364 0.8368 0.8366 distributions. It can be seen that the attack traffic is assigned LOIC N/D (` = ∞) 0.6100 0.9741 0.7560 0.7564 0.7562 Iter. (` = 1) 0.2085 0.2003 0.0520 0.5538 0.0951 a low score. In contrast, the normal traffic is assigned high Iter. (` = ∞) 0.3798 0.4102 0.3129 0.7795 0.4465 scores, indicating that the anomaly detector is able to separate the malicious from the benign. As for the LOIC attack, it can be seen in Table VI that the However, when we introduce the online model D into FPR has increased from values close to zero in the original the filtering process, the online filtering approach is deeply attack traffic to values ranging from (20–97)%. The accuracy poisoned by the shifting traffic. We can clearly see in Figure 5b of the online filters has also dropped from 90% in the original that the online approach estimates the likelihood of both attack to values less than 50% on the mimic attacks. normal and attack traffic with the same scores, and it is unable CAIDA07 attack. In the real-world CAIDA07 attack, the to separate the two distributions. Hence, MIMICSHIFT can results (see Table VI) corroborate with the findings in both the effectively elude online DDoS filters by mimicking normal previous attacks, LOIC and HULK. The FPR is high (closer to traffic and injecting erratic attack traffic into the online learning 1.0), while the accuracy is much lower than the N-only model. process.

10 (a) N only (b) Online N-over-D Fig. 5: The estimated distributions of the normal and CAIDA shifting attack traffic determined by models (a) N-only and (b) online N-over-D. The online approach has been poisoned by the fluctuating attack traffic, resulting in the successful attack. The x-axis is the normalized score values (0–1), and the y-axis is the traffic volume.

G. Countermeasure against Poisoning two-step learning process cannot separate attack from normal traffic. The performance of this countermeasure shows that While the results in Sections VI-D to VI-F demonstrate that is achieves similar performance to the original approach (see poisoning attacks are highly effective against online adaptive Table VIII). filtering systems, we introduce a simple protective measure that greatly diminishes the attack efficacy. It is a straightforward defense technique that can be quickly implemented. The idea TABLE IX: Comparison of performance between the enhanced of the online learning filter enhancement is to simply vary N-over-D and the original approach. time interval ` in the online learning process during the attack period. We perform the protective countermeasure by setting Dataset Model (` = 1) FNR FPR ACC Prec. Rec. F1 N-over-D 0.8997 0.6295 0.7403 0.8186 0.8511 0.8345 the initial attack interval A0 to the interval size ` = 5 mins. HULK Enhanced N/D 0.9142 0.6756 0.7191 0.8053 0.8373 0.8210 For subsequent intervals (A1, A2,...), we randomly set ` to N-over-D 0.8882 0.6532 0.7386 0.8364 0.8368 0.8366 be between 1–3 mins. By keeping the interval ` random and LOIC unknown to the attacker, online filtering systems are able to Enhanced N/D 0.9312 0.8085 0.6764 0.7975 0.7979 0.7977 N-over-D 0.7622 0.8025 0.6884 0.8149 0.7995 0.8071 improve the estimate of the overall attack traffic distribution, CAIDA07 Enhanced N/D 0.7622 0.1851 0.6884 0.8149 0.7995 0.8071 while achieving adaptive filtering (see Figure 6). However, the attack analysis (see Section VI-F) helps us TABLE VIII: Comparison of performance between the en- to better understand why it is challenging for this two-step hanced iterative classifier and the original classifier. process to differentiate the attacks. The attacks generated by MIMICSHIFT are designed to closely mimic the normal Dataset Model (` = 1) FNR FPR ACC Prec. Rec. F1 traffic, resulting in a very high similarity to the normal traffic. Iter. Classifier 0.6802 0.5684 0.8435 0.8780 0.9252 0.9010 HULK As this approach trains two different models to estimate the Enhanced Iter. 0.2562 0.4489 0.6826 0.8893 0.6710 0.7649 conditional probabilities of normal and attack traffic separately, Iter. Classifier 0.8823 0.2003 0.2085 0.0520 0.5538 0.0951 LOIC where both attack and normal traffic distributions are close, it Enhanced Iter. 0.7470 0.7570 0.3749 0.7216 0.3553 0.4761 learns to assign them with similar likelihoods (see Figure 5b). Iter. Classifier 0.9434 0.1109 0.8818 0.8754 0.9773 0.9236 CAIDA07 Hence, it becomes tough for this approach to differentiate Enhanced Iter. 0.1035 0.0305 0.9386 0.9933 0.9310 0.9611 normal from attack traffic.

Two-class Iterative Approach. The performance of our VII.DISCUSSION improved two-class online approach, the Enhanced Iterative Classifier, demonstrates that the introduced countermeasure In this section, we discuss potential filtering strategies successfully reduces its FNR and FPR significantly (see Ta- against DDoS attack traffic with shifting distributions, and ble VIII). This countermeasure, in addition to the joint training review the implications suggested by our poisoning attacks. of the Enhanced Iterative Classifier, provides good protection against poisoning attacks. A. Existing Online Filtering Methods Likelihood Approach. As for the principled approach, N-over- Existing approaches to the online filtering of DDoS attacks D, which estimates the likelihood that a request is an attack rely either on simple decision models [7], rudimentary learning given that it is observed in the attack traffic, the enhanced algorithms [3], [19], or deep learning models [29] to rank the

11 (a) HULK (FNR) (b) LOIC (FNR) (c) CAIDA07 (FNR) Fig. 6: The countermeasure greatly improves the performance of the iterative classifier. It can be seen that the false-negative rates of the Enhanced Iterative Classifier are much lower than that of the Iterative Classifier. The x-axis is the acceptance ratio (0–1), and the y-axis is the corresponding false accept rate.

network requests according to their legitimacy. The filtering some level of randomness. In particular, the learning strategy methods then set a threshold proportion of the lowest ranking of a learning model for attack traffic can choose from a traffic to reject, assuming that the methods assign attack range of short time interval ` for each period At with some requests a low score accurately and vice-versa for the normal probability. Given that the interval ` between 1 and 10 mins requests. As such, it has been suggested that increasing the does not have much of an effect on the filtering performance, threshold to reject a larger proportion of traffic could further the strategy that makes a random selection of ` for attack traffic mitigate the attacks [29]. However, our results show that there learning could possibly mitigate the effects of shifting attack is a trade-off between increasing the threshold, which increases traffic. Further study is needed to analyze the impact of such the FPR, and reduces the FNR, rendering the above-mentioned a countermeasure. filtering methods ineffective. For example, a high threshold Similarity of Distribution. Another potential filtering strategy reduces the number of falsely rejected request but at the same for shifting attack distributions is to only accept requests time allows more attack traffic to be falsely classified as normal during the attack period with the closest probability score and allowing them through to the target server. to that of normal traffic. Most filtering methods are able to approximate the normal traffic distribution to a high degree B. Potential Filtering Strategies of accuracy. Hence, during an attack, another model can be employed to learn the attack traffic of that specific period Hardening the Accept Threshold. The previous deep learning and estimate the distribution of the attack requests. With online filtering work suggested that the approaches [29] are both distributions, the filtering mechanism would only accept robust against the choice of rejection threshold (0.5–0.7) and requests from the attack traffic that falls in the distribution of time interval ` = {1, 2, 5, 10} for each period of learning the normal traffic plus some specified error margin, thereby greatly attack traffic. One reason for the robustness is that volumetric minimizing the FNR. In other words, the filtering system is DDoS attacks characteristically make up more than half of designed to be very strict that traffic during a detected attack the attack traffic, even reaching up to 80–90% of the traffic falls within the scope of normal behavior. volume, and this large proportion of attack enables a higher threshold to not adversely affect the filtering performance. C. Shifting for Improved Filtering In Tann et al. [29], the authors reported that adjusting the rejection threshold from 0.5 to 0.7 into steps of 0.05 Optimistically, the controlled synthetic generation of vari- has a negligible effect on the false positive rate. However, ous types of network traffic, most likely unobserved previously, as we are concerned with attack traffic eluding online filters, can surprisingly aid in building enhanced DDoS filtering sys- we focus on the false-negative rate; our experiments (see tems robust against poisoning attacks. As this is the first work Section VI-D) suggest that a change in acceptance threshold to suggest poisoning attacks on online deep-learning-based could considerably affect the FNR. Thus, a potential filtering DDoS filtering, the robustness of such filters can be secured strategy would be to set a lower acceptance threshold to by occasionally injecting shifting attack traffic throughout its increase the chance of stopping attack requests from slipping training process. In particular, the generated shifting attack through the filter. It is a strategy that is worth investigating in traffic that retains some level of normal traffic properties, future works. especially the ones that are ranked highly to be normal by the online learning systems, can be included and explicitly Random Learning of Attack. One other potential filtering labeled in the training dataset of the model training during strategy is to set the attack traffic learning model to embed the normal period. We note that by randomly injecting various

12 shifted attack traffic into the normal period training process, the B. Attacking DDoS Defenses online filters are capable of learning to adapt attack traffic with a wide range of diversity, thereby enhancing the robustness There is little literature on adversarial attacks targeted against shifting attack traffic during an attack. at DDoS detection systems and the corresponding relevant studies. One such analysis [18] was performed to determine VIII.RELATED WORK an adaptive statistical filter can effectively defend against attackers that dynamically change their behavior. They found In this section, we examine some of the most relevant that, in fact, the adaptive filter performs much worse against a works that take statistical and machine learning approaches static attacker than if the attacker is dynamic. While in some in DDoS attacks and defenses. recent works [11], [32], the methods leverage machine learning to generate adversarial samples to fool DDoS detection on A. Approaches to DDoS Defense deep-learning intrusion detection systems. These attacks gen- Statistical. Statistical approaches to DDoS mitigation, widely erate adversarial samples in a white-box attack setting, where popular when first introduced in the early 2000s [41], generally attackers have complete knowledge of the target model. Other involve methods that measure select statistics of network traffic methods [6], [24], [24], [10], [20] present black-box attacks, properties, such as entropy scoring of network packets [31], where the attacker does not know the details of the target [38], [5], [13], applied to IP filtering [30], [23] and IP source model. They perform various manipulative procedures and per- traceback [14], [39]. However, given that DDoS attacks vary turbations on adversarial samples until a sample successfully from previous attacks, statistical methods are not generally evades the target DDoS detector. However, there is no study on appropriate in an online setting as some traffic statistics the effectiveness of poisoning attacks on online deep-learning cannot be computed during attacks. While Kim et al. [37] DDoS filters. proposed a statistical method to support distributed filtering and automated online attack characterization, which assigns a IX.CONCLUSION score to each packet that estimates a packet’s legitimacy given the attributes, it remains especially challenging for statistical Given the recent success and growing interest in machine techniques to perform online updates and select appropriate learning, we expect increased adoption of online learning model parameters that minimize false detection rates. models to mitigate and filter prevailing cyber attack issues. We identify a particularly challenging problem, DDoS attacks, Machine Learning. The rapid progress of machine learning a primary concern in present-day network security. Hence, we has led to the increasingly widespread adoption of deep conduct the first systematic study of data poisoning attacks on learning models in DDoS filtering. These learning models can online deep-learning-based filtering systems. In this study, we be broadly categorized into two main groups, where one group show that online learning filters are not robust against “crafty” takes an offline approach [36], [2], [17], [15], [40], [25], where attackers that can shift attack traffic distributions and vary the the models are trained on all attack data that is observed type of attack requests from time to time. When an online- and available, and the other group adopts an online learning learning filter wrongly estimates the attack distribution in the approach [29], [19], [7], [3], [4], which trains models that only next period based on this period, its performance would be receive data incrementally, as more attack traffic is observed much worse than that on a fixed attack distribution. We demon- with time. strate that online adaptive filters are vulnerable to attackers that Offline learning methods [15], [36], [2], [17], [40], [25] act in an erratic and unpredictable manner, causing the filter utilize various types of deep learning models based on Convo- much difficulty to update its adaptation accurately. lutional Neural Network (CNN) and Recurrent Neural Network In addition, we propose a controllable generative method, (RNN) architectures. It is observed that modeling network MIMICSHIFT, for generating attack traffic of specific dis- traffic through time in a sequential manner, retaining historical tributions for poisoning online filtering systems. Such an information, results in better filtering performance. RNN- approach assumes that the generative method only observes based intrusion detection systems [36], [2], [17], [40] demon- the normal traffic, and it has no other knowledge about the strate that the sequential learning models demonstrate superior filtering systems. The effectiveness of our proposed approach modeling capabilities. They were able to detect sophisticated is demonstrated by experimental studies conducted against attacks in various intrusion detection tasks. However, all these two recent online deep-learning-based DDoS filtering methods. methods preprocess the entire training data for model training, Furthermore, we suggest practical protective countermeasures, and they are not designed for online learning to perform which enhance online deep-learning-based defenses against adaptive updates as new data is observed. poisoning attacks. Empirical studies verify that our proposed Online Learning. There is only a handful of online learning defensive countermeasure can effectively minimize the impact approaches to DDoS filtering. While an online method [4] uses of such attacks, serving as a starting point for the future ground-truth labels for training, the other methods [29], [7], development of robust defenses. [19], [3] do not use data labels for training. However, these approaches either employ basic machine learning algorithms, REFERENCES simple decision tree methods, or even a rudimentary kernel- based learning algorithm with some Mahalanobis distance [1] B. Biggio, B. Nelson, and P. Laskov, “Poisoning attacks against support vector machines,” in Proceedings of the 29th International Coference measure and a chi-square test. Their modeling capabilities limit on International Conference on Machine Learning, 2012. these online approaches. Tann et al. [29] presented one of the [2] J. Cui, J. Long, E. Min, Q. Liu, and Q. Li, “Comparative study of CNN only approaches that employ powerful online deep learning and RNN for deep learning based intrusion detection system,” in Cloud models, which does not use data labels for training. Computing and Security, 2018.

13 [3] S. Daneshgadeh Çakmakçı, T. Kemmerich, T. Ahmed, and N. Baykal, ceedings of the Third International IFIP-TC6 Networking Conference, “Online DDoS attack detection using mahalanobis distance and kernel- 2002. based learning algorithm,” Journal of Network and Computer Applica- [24] X. Peng, W. Huang, and Z. Shi, “Adversarial attack against dos intrusion tions, 2020. detection: An improved boundary-based method,” in 2019 IEEE 31st [4] R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. Martinez-del Rin- International Conference on Tools with Artificial Intelligence (ICTAI), con, and D. Siracusa, “LUCID: A practical, lightweight deep learning 2019. solution for DDoS attack detection,” IEEE Transactions on Network [25] M. Roopak, G. Yun Tian, and J. Chambers, “Deep learning models for and Service Management, 2020. cyber security in IoT networks,” in 2019 IEEE 9th Annual Computing [5] A. Gaurav and A. K. Singh, “Entropy-score: A method to detect DDoS and Communication Workshop and Conference (CCWC), 2019. attack and flash crowd,” in 2017 2nd IEEE International Conference on [26] B. I. Rubinstein, B. Nelson, L. Huang, A. D. Joseph, S.-h. Lau, Recent Trends in Electronics, Information Communication Technology S. Rao, N. Taft, and J. D. Tygar, “Antidote: understanding and defending (RTEICT), 2017. against poisoning of anomaly detectors,” in Proceedings of the 9th ACM [6] M. J. Hashemi, G. Cusack, and E. Keller, “Towards evaluation of SIGCOMM Conference on Internet Measurement, 2009. nidss in adversarial setting,” in Proceedings of the 3rd ACM CoNEXT [27] I. Sharafaldin., A. H. Lashkari., and A. A. Ghorbani., “Toward generat- Workshop on Big DAta, Machine Learning and Artificial Intelligence ing a new intrusion detection dataset and intrusion traffic characteriza- for Data Communication Networks, 2019. tion,” in Proceedings of the 4th International Conference on Information [7] Z. He, T. Zhang, and R. B. Lee, “Machine learning based DDoS attack Systems Security and Privacy - Volume 1: ICISSP, 2018. detection from source side in cloud,” in 2017 IEEE 4th International [28] W. J.-W. Tann, E.-C. Chang, and B. Hooi, “Shadowcast: Controllable Conference on Cyber Security and Cloud Computing (CSCloud), 2017. graph generation,” arXiv preprint, vol. 2006.03774, 2021. [8] P. Hick, E. Aben, K. Claffy, and J. Polterock, “The CAIDA DDoS attack [29] W. J.-W. Tann, J. J. W. Tan, J. Purba, and E.-C. Chang, “Filtering ddos 2007 dataset,” 2007. attacks from unlabeled network traffic data using online deep learning,” [9] S. Hochreiter and J. Schmidhuber, “Long short-term memory,” Neural in Proceedings of the 2021 ACM Asia Conference on Computer and Comput., 1997. Communications Security, 2021. [10] W. Huang, X. Peng, Z. Shi, and Y. Ma, “Adversarial attack against [30] Tao Peng, C. Leckie, and K. Ramamohanarao, “Protection from dis- lstm-based DDoS intrusion detection system,” in 2020 IEEE 32nd tributed denial of service attacks using history-based IP filtering,” in International Conference on Tools with Artificial Intelligence (ICTAI), IEEE International Conference on Communications. ICC, 2003. 2020. [31] R. Wang, Z. Jia, and L. Ju, “An entropy-based distributed DDoS [11] O. Ibitoye, O. Shafiq, and A. Matrawy, “Analyzing adversarial attacks detection mechanism in software-defined networking,” in 2015 IEEE against deep learning for intrusion detection in iot networks,” arXiv Trustcom/BigDataSE/ISPA, 2015. preprint, vol. 1905.05137, 2019. [32] A. Warzynski´ and G. Kołaczek, “Intrusion detection systems vulnerabil- [12] M. Jagielski, A. Oprea, B. Biggio, C. Liu, C. Nita-Rotaru, and B. Li, ity on adversarial examples,” in 2018 Innovations in Intelligent Systems “Manipulating machine learning: Poisoning attacks and countermea- and Applications (INISTA), 2018. sures for regression learning,” in 2018 IEEE Symposium on Security [33] H. Xiao, B. Biggio, G. Brown, G. Fumera, C. Eckert, and F. Roli, “Is and Privacy (SP), 2018. feature selection secure against training data poisoning?” in Interna- [13] K. Kalkan, L. Altay, G. Gur,¨ and F. Alagoz,¨ “JESS: Joint entropy-based tional Conference on Machine Learning, 2015. DDoS defense scheme in SDN,” IEEE Journal on Selected Areas in [34] C. Yang, Q. Wu, H. Li, and Y. Chen, “Generative poisoning attack Communications, 2018. method against neural networks,” arXiv preprint, vol. 1703.01340, 2017. [14] V. Kuznetsov, H. Sandstrom,¨ and A. Simkin, “An evaluation of different [35] G. Yang, N. Z. Gong, and Y. Cai, “Fake co-visitation injection attacks IP traceback approaches,” in Information and Communications Security, to recommender systems.” in NDSS, 2017. 2002. [36] C. Yin, Y. Zhu, J. Fei, and X. He, “A deep learning approach for [15] D. Kwon, K. Natarajan, S. C. Suh, H. Kim, and J. Kim, “An empir- intrusion detection using recurrent neural networks,” IEEE Access, ical study on network anomaly detection using convolutional neural 2017. networks,” in 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), 2018. [37] Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, and H. J. Chao, “Packetscore: statistics-based overload control against distributed [16] B. Li, Y. Wang, A. Singh, and Y. Vorobeychik, “Data poisoning denial-of-service attacks,” in IEEE INFOCOM, 2004. attacks on factorization-based collaborative filtering,” in Proceedings of the 30th International Conference on Neural Information Processing [38] S. Yu, S. Guo, and I. Stojmenovic, “Fool me if you can: Mimicking at- IEEE Transactions on Computers Systems, ser. NIPS’16, 2016. tacks and anti-attacks in cyberspace,” , 2015. [17] C. Li, Y. Wu, X. Yuan, Z. Sun, W. Wang, X. Li, and L. Gong, “Detection and defense of DDoS attack–based on deep learning in OpenFlow-based [39] S. Yu, W. Zhou, R. Doss, and W. Jia, “Traceback of DDoS attacks using IEEE Transactions on Parallel and Distributed SDN,” International Journal of Communication Systems, 2018. entropy variations,” Systems, 2011. [18] Q. Li, E.-C. Chang, and M. Chan, “On the effectiveness of DDoS attacks on statistical filtering,” in Proceedings IEEE 24th Annual Joint [40] X. Yuan, C. Li, and X. Li, “DeepDefense: Identifying DDoS attack via deep learning,” 2017 IEEE International Conference on Smart Conference of the IEEE Computer and Communications Societies., Computing (SMARTCOMP) 2005. , 2017. [19] F. S. d. Lima Filho, F. A. Silveira, A. de Medeiros Brito Junior, [41] S. T. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms IEEE G. Vargas-Solar, and L. F. Silveira, “Smart detection: An online against distributed denial of service (DDoS) flooding attacks,” Communications Surveys Tutorials, 2013. approach for DoS/DDoS attack detection using machine learning,” Security and Communication Networks, 2019. [20] Z. Liu and X. Yin, “Lstm-cgan: Towards generating low-rate DDoS adversarial samples for blockchain-based wireless network detection models,” IEEE Access, 2021. [21] S. Mei and X. Zhu, “The Security of Latent Dirichlet Allocation,” in Proceedings of the Eighteenth International Conference on Artificial Intelligence and Statistics, ser. Proceedings of Machine Learning Re- search, 2015. [22] M. Mirza and S. Osindero, “Conditional generative adversarial nets,” arXiv preprint, vol. 1411.1784, 2014. [23] T. Peng, C. Leckie, and K. Ramamohanarao, “Detecting distributed denial of service attacks using source IP address monitoring,” in Pro-

14 APPENDIX dynamic attributes capturing network information that varies from request to request and two static attributes that are A. Implementation Details (MIMICSHIFT) common for all requests in a sequence. A large portion of the The MIMICSHIFT model consists of a sequence-to- normal requests are typically from only a few top classes of sequence (Seq2Seq) learning model, a generator, and a dis- the features, mostly concentrating among the top 3–5 classes. criminator. Mimic Seq2Seq Model. In the sequence-to-sequence model, TABLE X: Information about the extracted network traffic we use an LSTM with 10 cells for all three datasets. The features. input of this LSTM is a batch of feature sequences length n and dimension d, where the batch size is 128, feature length Feature Information Example Absolute absolute time (in seconds) of the request arrival time 23557.0 16, and dimension is set as the number of classes |K| = 3 Time in each dataset (128 x 16 x d). We select the length as 16 Request size of the request 86 because it should capture most typical normal user behaviors. Len The LSTM hidden layer with 10 memory units should be IP flags (unsigned integer, 2 bytes) consisting of: IP Flags Don’t fragment, More fragments, Reserved bit, 0x00004000 more than sufficient to learn this problem. A dense layer with and Security flag.

Softmax activation is connected to the LSTM layer, and the TCP Len length of the TCP segment 216.0 generated output is a batch of sequences with size (128 x 16 TCP Ack acknowledgement number (unsigned integer, 4 bytes) 426.0 x d). TCP Flags ﬂags (unsigned integer, 2 bytes) 0x00000012

calculated receive window size allowed TCP Window Size 17520.0 Generator. In the generator, we use a conditional LSTM (unsigned integer, 4 bytes) with 40 layers. We follow a similar architecture [28] to Highest Layer last protocol used MDNS generate sequences of walks on the graph nodes. However, (Protocol) different from the referenced architecture, our generator not Standard query 0x0000 PTR Extra extra information on the response of the server 111.2.168.192.in-addr.arpa, Info after receiving a request only initializes the model with Gaussian noise, but it also takes ”QM” question the features as conditions at each step of the process. List of the full list of protocols to the highest layer eth:ethertype:ip:udp:mdns Protocols

z ∼ N (0, Id) Given an interval of trafﬁc, the requests are sorted chrono- t = 0 m = g 0 (z) 0 θ logically and requests are grouped by source and destination t = 1 f (m , s˜ , 0) = (p , m ), v ∼ Cat(σ(p )) θ 0 1 1 1 1 1 IP addresses and divided into sequences of length 16. The t = 2 fθ(m1, s˜2, v1) = (p2, m2), v2 ∼ Cat(σ(p2)) number of classes for each feature of the requests vary across ...... a wide range (see Table XI).

t = T fθ(mT −1, s˜T , vT −1) = (pT , mT ), vT ∼ Cat(σ(pT )) TABLE XI: Number of classes for each extracted network Interestingly, we notice that the LSTM generator is more traffic feature in all three datasets. sensitive to the input conditions than hyperparameters for per- Num. of classes Feature formance. Hence, the set of hyperparameters for the generator HULK LOIC CAIDA07 is the same for all the datasets. We summarize the generative Request Len 3753 3490 1059 process of G below. We note that the conditional generative IP Flags 5 5 2 TCP Len 3746 3463 1051 process is similar to the unconditional process of the reference TCP Ack 827122 88202 7598 architecture [28], with the addition of conditions s˜t in each TCP Flags 15 12 9 timestep. TCP Window Size 11098 9909 1614 Protocols 367 412 4 Highest Layer(Protocol) 42 42 3 Discriminator. Our discriminator is an LSTM with 35 layers. Info 2133226 498219 98743 The inputs are sequences of requests concatenated with the re- TCP Ack 84 72 15 spective conditions. The discriminator has similar architecture as the mimic model, where they are LSTM models that take sequences as inputs, expect that the LSTM layer is connected C. Select Feature Distributions to a final dense layer. The output is a single value between 0 In addition, we select a few different features to plot and 1, which distinguishes real requests from synthetic ones. the distributions, and highlight that the traffic is concentrated among only the top few classes of each feature. In the MIMICSHIFT training, we use Adam optimizers for all the models. The learning rate of the mimic sequence-to- IP Flags (HULK). sequence model training is 0.01, while both the generator and the discriminator use a learning rate of 0.0002. TABLE XII: Distributions of the IP Flags feature in the HULK dataset. The top three classes make up almost 100% of B. Feature Analysis the entire dataset.

We perform feature analysis on the normal trafﬁc data of Protocol Count Total Proportion (%) the three datasets to analyze the characteristics of the feature 0x00004000 474183 593462 95.1 distributions. A summary of the features and the information 0x00000000 106706 593462 4.5 they provide are listed in Table X. The features include eight 0x00002000 12570 593462 0.3

15 Fig. 7: Distribution of the IP Flags feature in the HULK Fig. 9: Distribution of the Protocols feature in the normal dataset. CAIDA07 normal dataset.

D. Distribution Analysis TCP Flags (LOIC). We include additional attack analysis below to illustrate the similar distributions of the poisoning attacks on both HULK and LOIC datasets. Both figures show that the online likelihood approach assigns both normal and attack traffic with similar scores, and it is unable to differentiate the two distributions, TCP Flags TABLE XIII: Distributions of the feature in the resulting in successful attacks. LOIC dataset. The top five classes make up almost 93.6% of the entire dataset.

TCP Flag Count Total Proportion (%) 0x00000010 421311 760674 55.4 0x00000018 134301 760674 17.7 0 99479 760674 13.1 0x00000002 33459 760674 4.4 0x00000014 23183 760674 3.0

Fig. 10: MIMICSHIFT attack (HULK). Distributions of the estimated normal and attack trafﬁc.

Fig. 8: Distribution of the TCP Flags feature in the LOIC normal dataset.

Protocols (CAIDA07).

TABLE XIV: Distributions of the Protocols feature in the Fig. 11: MIMICSHIFT attack (LOIC). Distributions of the CAIDA07 dataset. The top three classes make up almost 100% estimated normal and attack trafﬁc. of the entire dataset.

Protocol Count Total Proportion (%) raw:ip:icmp 474183 593462 79.9 raw:ip:tcp 106706 593462 18.0 raw:ip:icmp:ip 12570 593462 2.1