Poisoning of Online Learning Filters: DDoS Attacks and Countermeasures Wesley Joon-Wie Tann & Ee-Chien Chang Department of Computer Science, National University of Singapore [email protected],[email protected] Abstract—The recent advancements in machine learning have against them. Online approaches typically perform incremental led to a wave of interest in adopting online learning-based ap- updates as more attack requests are observed to mitigate the proaches for long-standing attack mitigation issues. In particular, malicious requests rapidly during an attack. However, such DDoS attacks remain a significant threat to network service avail- online learning methods assume that the attackers are static and ability even after more than two decades. These attacks have been that their behaviors stay the same during an attack. While these well studied under the assumption that malicious traffic originates approaches are applicable to a static attacker, what if “crafty” from a single attack profile. Based on this premise, malicious traffic characteristics are assumed to be considerably different attackers can dynamically change their attack behavior? We from legitimate traffic. Consequently, online filtering methods are focus on studying such shifting attacks on online learning- designed to learn network traffic distributions adaptively and based DDoS filtering. rank requests according to their attack likelihood. During an attack, requests rated as malicious are precipitously dropped Existing online learning-based filtering mechanisms can by the filters. In this paper, we conduct the first systematic be broadly categorized into two groups. In one group, the study on the effects of data poisoning attacks on online DDoS approaches [7], [19], [3] either employ simple decision tree filtering; introduce one such attack method, and propose practical methods or basic machine learning algorithms. The other protective countermeasures for these attacks. We investigate group [29], [4] takes a deep learning approach, where the latest an adverse scenario where the attacker is “crafty”, switching work [29] proposed two online filtering methods designed to be profiles during attacks and generating erratic attack traffic that computationally efficient to respond in a real-time environment is ever-shifting. This elusive attacker generates malicious requests where time constraint is a crucial consideration. Conversely, by manipulating and shifting traffic distribution to poison the there is minimal literature that analyzes the effectiveness of training data and corrupt the filters. To this end, we present a fluctuating DDoS attacks on filtering methods. One study [18] generative model MIMICSHIFT, capable of controlling traffic gen- eration while retaining the originating regular traffic’s intrinsic found that adaptive statistical filters cannot effectively mitigate properties. Comprehensive experiments show that online learning malicious traffic from attackers that dynamically change their filters are highly susceptible to poisoning attacks, sometimes behavior, performing much worse against a dynamic attacker performing much worse than a random filtering strategy in than if the attacker was static. Most other works [11], [32], [6], this attack scenario. At the same time, our proposed protective [24], [24], [10], [20] perform adversarial attacks on targeted countermeasure effectively minimizes the attack impact. DDoS detection systems. However, there is no study on the effects of erratic attack traffic on online learning DDoS filters. I. INTRODUCTION In this paper, we study the effects of poisoning attacks on With the accelerating adoption of machine learning in online learning-based filtering, where the attacker dynamically the enterprise, poisoning attacks [16], [35], [12] on learning changes its behavior and generates fluctuating requests that systems are increasingly common. These attacks generally vary from one time interval to the next. Our investigation of compromise the integrity of a learning system by injecting the elusive DDoS attack scenario is much more elaborate than unsanitized malicious samples into the training dataset, leading those considered in existing online filtering approaches [29], arXiv:2107.12612v1 [cs.CR] 27 Jul 2021 to terrible system performance. As a result, it poses a serious [7], [19], [3]. In particular, we study a sophisticated setting problem for online cyberattack mitigation systems. One such where the attacker is “crafty”, shifting its attack behavior (e.g., cyberattack, the Distributed Denial-of-Service (DDoS), denies distribution of requests and features) periodically to corrupt the legitimate users access to resources on a target network by adaptive filters. The attacker models the attack traffic on the sending an overwhelmingly large amount of traffic to exhaust normal-day traffic N and generates malicious traffic At with the victim network’s resources. As a result, legitimate users different distributions in short timeframes t’s while mimicking receive severely degraded to no service. As recent as Q1 2020, properties of normal traffic. Amazon Web Services (AWS) reported the largest publicly disclosed attack on record at 2.3 Tbps (https://aws-shield-tlr.s3. Under this shifting attack setting (see Figure 1), the online amazonaws.com/2020-Q1 AWS Shield TLR.pdf). The previ- learning filters utilize traffic data from two operational periods, N A ous record was held by the GitHub Memcached-based DDoS (1) normal-day traffic , and (2) the attack-day traffic to attack, which peaked at 1.35 Tbps in February 2018. learn and update its filtering policy. Normal traffic behavior can be learned by performing intensive processing on N . As more and more present-day adaptive DDoS filtering However, during an attack, the incoming traffic A is divided methods adopt an online machine learning approach, we into short intervals of ` minutes (e.g., ` = 1). The attack traffic anticipate the growing urgency to study the effects of poi- (A0; A1; A2;:::), where At contains the traffic during the t-th soning attacks on DDoS filters and find practical defenses interval, will be used for the online training and update of the separate DDoS attacks from these datasets, containing both generated traffic and anonymized traffic traces from a real- world attack, respectively. In the experiments, we first train a filtering model N based on anomaly detection techniques. It uses only the normal traffic for learning to determine if requests during an attack are legitimate or malicious. This model sets a baseline for Fig. 1: Illustration of fluctuating DDoS traffic: In this case, us to compare MIMICSHIFT. Empirical results show that a “crafty” attacker is not only able to learn from the normal MIMICSHIFT can generate attack traffic that eludes online traffic N to generate attack traffic that mimics characteristics filtering systems, attaining close to 100% false-negative rates of normal traffic; the attacker constantly shifts the attack traffic at times (see Table IV, Figures 3 and 4 for experiment details). At data distribution from one interval to the next, in order to It effectively negates the filtering capabilities, making the corrupt and elude online learning filtering methods. performance worse than a 50-50 random guess. Next, we introduce a simple yet effective protective countermeasure that greatly minimizes the attack impact, achieving a significant boost in filtering performance (see Table VIII). It serves as a filters to learn attack traffic behavior. The filters then use these starting point for the future research of robust countermeasures. last updated models to create and identify a blacklist of attack identities (e.g., IP addresses), and filter them accordingly. Furthermore, our experiments also show that the dif- ferent acceptance or rejection thresholds significantly affect To this end, we formulate a controllable generative method the filtering performance. A slight change in the acceptance that captures the sophisticated attack setting described above. threshold could considerably affect the false-negative rate, We present MIMICSHIFT, a conditional generative method for allowing markedly more attack requests to be accepted. The controlling network traffic generation to generate shifting and result powerfully demonstrates the robustness of MIMICSHIFT. unpredictable traffic. Our method is inspired by a controllable Interestingly, even when we only use a random combination approach [28] that is based on a conditional generative ad- of three Markov model parameter settings for the different versarial network, and it addresses the challenge of generat- attack traffic distributions, it severely degrades the online ing network requests of varying distributions. It is achieved filtering performance. While this may appear counter-intuitive, by using request features such as Request Len and TCP we believe that two reasons can explain the results. (1) The Window Size that capture the intrinsic request properties. primary objective of the MIMICSHIFT generative method is These features form the condition that we control to guide to learn from the normal traffic and replicate it as closely as the traffic generative process. The method introduces control possible, and (2) the online filtering methods are designed to by leveraging the conditions, managed with a transparent adapt quickly to new data and place higher importance on Markov model, as a control vector. It allows us to influence the latest observed attack traffic. Hence, online learning filters the generative process. By specifying the density distribution