Please note this CyLab seminar is open only to Carnegie Mellon University faculty, students and staff.

Speaker: Zhiying Xu, 5th year PhD student, Harvard University

Talk Title: Xatu: Boosting Existing DDoS Detection Systems Using Auxiliary Signals

Abstract: Traditional DDoS attack detection monitors volumetric traffic features to detect attack onset. To reduce false positives, such detection is often conservative—raising an alert only after a sustained period of observed anomalous behavior. However, contemporary attacks tend to be short, which, combined with a long detection delay, means that most of the attack still reaches and impacts the victim. We propose Xatu, which utilizes auxiliary signals to improve the accuracy and timeliness of existing DDoS detection systems. We explore two types of auxiliary signals: attack preparation signals and the history of prior attacks. These signals can be easily mined from existing traffic monitoring systems in many ISP networks. To leverage these auxiliary signals for attack detection, we propose a multi-timescale LSTM model, which derives both long-term and short-term patterns from diverse auxiliary signals. We then leverage survival analysis to quickly detect attacks when they occur while minimizing false positives and thus scrubbing costs. We evaluate Xatu on traffic from a large ISP, using commercial defense alert data to label prevalent attack events. Xatu would help the commercial defense scrub up to 44.1% of additional anomalous traffic and would reduce its median detection delay by 9.5 minutes.

Bio: Zhiying is a 5th year Ph.D. student in the CS department at Harvard University working with Professor Minlan Yu. Her main research interest lies in solving network problems with machine learning.