Canopy: A Learning-Based Approach for Automatic Low-Volume DDoS Mitigation
Banjo Obayomi, Chris Todd, Lucas Cadalzo, Brad Moore, Tony Wong
In a low-volume distributed denial-of-service (LVDDoS) attack, an adversary attempts to overwhelm the server by making requests specially crafted to consume an inordinate amount of the server's resources. The imbalance between the resources used by the server and by the attacker during an LVDDoS attack allows otherwise resource-constrained adversaries to mount effective attacks on large systems. Standard defense tools focus on volumetric metrics such as the number of requests and do not account for more nuanced signals such as user experience.
We propose Canopy, a novel approach for detecting LVDDoS attacks by applying machine learning techniques to extract meaning from observed patterns of TCP state transitions. We differentiate between malicious and benign traffic by employing a supervised learning approach, using features extracted from the temporal patterns of TCP state transitions. We employ three different algorithms of varying complexity for our classification model: decision trees, ensemble methods, and temporal convolutional networks.
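As an added illustration (not the paper's own code or feature set), the following Python toy sketches the pipeline the abstract describes: deriving one temporal feature from each client's TCP state transitions, here the time spent in ESTABLISHED, then fitting the simplest supervised model, a single decision stump, on labelled clients and applying it to every observed client. The transition log, the window length and the choice of feature are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample log (not data from the paper): (client, seconds, new TCP state).
# Slow-read style clients linger in ESTABLISHED; benign clients finish quickly.
TRANSITIONS = [
    ("benign-1", 0.0, "SYN_RECV"), ("benign-1", 0.1, "ESTABLISHED"),
    ("benign-1", 0.5, "FIN_WAIT1"), ("benign-1", 0.6, "TIME_WAIT"),
    ("benign-2", 0.2, "SYN_RECV"), ("benign-2", 0.3, "ESTABLISHED"),
    ("benign-2", 1.1, "FIN_WAIT1"), ("benign-2", 1.2, "TIME_WAIT"),
    ("slow-1", 0.0, "SYN_RECV"), ("slow-1", 0.1, "ESTABLISHED"),
    ("slow-2", 0.4, "SYN_RECV"), ("slow-2", 0.5, "ESTABLISHED"),
    ("slow-2", 9.8, "FIN_WAIT1"),
]
WINDOW_END = 10.0  # assumed observation window, in seconds
LABELS = {"benign-1": False, "benign-2": False, "slow-1": True, "slow-2": True}


def established_dwell(transitions, window_end):
    """Per client, mean seconds spent in ESTABLISHED before leaving that state;
    a connection still open when the window closes counts up to window_end."""
    dwell, entered = defaultdict(list), {}
    for client, t, state in sorted(transitions, key=lambda e: e[1]):
        if state == "ESTABLISHED":
            entered[client] = t
        elif client in entered:
            dwell[client].append(t - entered.pop(client))
    for client, t in entered.items():  # never left ESTABLISHED in the window
        dwell[client].append(window_end - t)
    return {c: mean(v) for c, v in dwell.items()}


def train_stump(samples):
    """Fit a one-split decision tree: samples are (feature, is_attack) pairs;
    returns the threshold (feature >= threshold means attack) that best
    separates them, trying midpoints between neighbouring feature values."""
    values = sorted({f for f, _ in samples})
    candidates = [(a + b) / 2 for a, b in zip(values, values[1:])] or values
    def accuracy(thr):
        return sum((f >= thr) == y for f, y in samples) / len(samples)
    return max(candidates, key=accuracy)  # ties resolve to the lowest threshold


def detect(transitions, window_end, labels):
    """Train on the labelled clients, then flag every observed client."""
    feats = established_dwell(transitions, window_end)
    thr = train_stump([(feats[c], labels[c]) for c in labels])
    return {c: f >= thr for c, f in feats.items()}, thr
```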
Canopy is able to detect and mitigate these low-volume attacks accurately and quickly: our tests find that attacks are identified during 100% of test runs within 650 milliseconds. Server performance is restored quickly: in our experimental testbed, we find that clients’ experience is restored to normal within 7.5 seconds.
During active attack mitigation, which only occurs during server performance degradation indicative of an attack, Canopy exhibits minimal erroneous mitigative action applied to benign clients: under 5% of benign clients are incorrectly blocked. These clients are blocked for an average of 4 seconds.
Canopy is able to identify various types of attacks regardless of the protocols they exploit. We tested attacks that exploit HTTP features, such as SlowRead and ApacheKiller, and TCP protocol attacks such as Sockstress. The robust attack suite used to train Canopy allows its capabilities to generalize well to LVDDoS attacks not included in its training dataset. In our evaluation runs, Canopy was able to identify never-before-seen attacks within 750 milliseconds.
Disclaimer: This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.