Man vs. Botnet: Adapting to the New DDoS Battlefield

Over the last few months, the way Distributed Denial of Service (DDoS) cyberattacks are managed has changed. "Artificial intelligence and IoT have changed the rules of the game in the DDoS cyberattack category," says Dr. Doron Chema, CEO of L7 Defense, in a special interview.


The high-capacity Distributed Denial of Service (DDoS) cyberattacks observed over the last few weeks mark a change in the way such attacks are managed. Instead of being run by a human operator, these attacks are evolving toward control by a machine learning-based system that commands botnets of thousands to hundreds of thousands of devices. "Artificial intelligence and IoT have changed the rules of the game in the DDoS cyberattack category," explains Dr. Doron Chema, co-founder and CEO of L7 Defense. The company's other co-founder is CMO Yisrael Gross, who is in charge of business development.

"In our estimate, the effectiveness of the recent attacks can reflect a substantial upgrade in the command and control capabilities of the attacking side. For example, the current barrier for the upgrading of such cyberattack systems as the MIRAI malware, which manages millions of IoT-type bots using machine learning components, is one week from the moment of decision. Such an upgrade can dramatically increase the effectiveness of the attack. The most basic upgrade is obtained by incorporating a feedback loop model. In other words, you execute the attack, receive feedback on your success and adjust the attack method accordingly. Such adjustments may be performed at a high rate, every few seconds, while optimizing the types of attacking vectors (the content of the attack), the number of vectors being employed and so forth."

Dr. Chema explains that this is an autonomous capability that does not depend on the attack infrastructure. "You can program any type of infrastructure into that autonomous command center, and it will run that infrastructure," he explains. "One of the most recent attacks was staged against cache servers on the Internet. In an attack of this type, you can control the content being sent from them and the content they receive in return. If the victim has a UDP protocol running, it will become a dynamic problem."

The Message Goes Through the Protocol

According to Dr. Chema, this revised operating concept is expected to spread from the DDoS world to other categories of cyberattack with similar characteristics. Take a dynamic attack tool, add a learning algorithm that improves its ability to manage a complex infrastructure, and its lethality increases by orders of magnitude. "This is a substantial change in the cyberattack world. Once the defender is denied the ability to shut off a protocol (such as UDP, TCP, etc.), he will be forced to deal with attacks conveyed by these protocols. Human teams will be ineffective in the new situation, given the dynamic nature of the attack," explains Dr. Chema.

"In fact, the cost of the attack in the context of such a profile only amounts to the cost of the AI specialist who programs the bot command center. The attacks observed recently were just a trial. They were only the beginning. The volume will increase. Attacks will be staged against apps using HTTP/S as well. The implication is that the cost of defending an asset will, in some cases, amount to the same cost as the asset itself. This is a financial equation the organization will not be able to bear."

The answer has recently been stated by Symantec as well: a machine learning-based, autonomous active defense is required. Human operators cannot come close to matching the response times of an automated attacker. The system developed by L7 Defense is a fully autonomous artificial intelligence system based on "unsupervised" machine learning. It provides a real-time solution by actively protecting Internet traffic at layers 3-4 and layer 7 of the OSI model. The same algorithms are applied to all of the relevant layers, both the network and transport layers and the application layer. According to Dr. Chema, the system was tested in production for more than eighteen months, protecting traffic over two primary application protocols, HTTP/S and DNS.

"An applicative attack can be a prompt for the user to upload the log-in page, a transaction page in a bank website, a prompt by a cellular app or any other prompt for an app or command. Such an attack is measured by dozens of attacks simultaneously, with each attack evolving dynamically into different services. The content changes during the attack. With DNS, fake calls to nonexistent addresses are examined – an operation capable of immobilizing a database," explains Dr. Chema.

"The system has been tested in several extreme scenarios as described. For HTTP/S it was tested in protecting against an attack by dozens of dynamic vectors at rates of 100,000/200,000 prompts per second, and for DNS it was tested in protecting against hundreds of dynamic vectors at similar and even higher traffic rates. In both cases, the system effectively protected the Internet systems while providing accurate identification and producing a number of errors that was close to zero."

The Attacker is Familiar with the Static Defenses

L7 Defense's system dynamically builds a profile of the traffic entering the organization, refreshed at a very fast update rate (every few seconds). New requests are cross-referenced against this profile by an algorithm modeled on the operating principles of the innate immune system.

"The system possesses several capabilities. It initiates a smart cross-referencing process between the prompts and the existing situation, while sensing whether the system is under a DDoS attack, and can also identify the end of the attack or a variation thereof over time. Having identified the attack, the system will generate detailed signatures of that attack. For example, if a certain bank transaction is attacked, its characteristics will be based on the entire transaction in order to establish a vector that may be distinguished from 'normal' prompts," says Dr. Chema.

"Additionally, the system teaches itself to identify changes that take place in the system (the app) being protected and the capacity of its operation may be expanded elastically, as required, by adding work units side-by-side. Additionally, the traffic may be sent to the cloud or to a designated area in the server farm, as per the client's decision. This will be an advantage, given the effective use of virtual software machines.

"Attackers currently know how to effectively and dynamically bypass the barriers of the classic cybersecurity systems facing them. If you produce a barrier that combines IP/traffic volume – the attacker will divide the traffic among more IP addresses. The problem is you do not know in advance which barriers will be required – this may only be determined dynamically. You have to sense the nature of the attack and change the barriers dynamically. If new DDoS attack vectors with which the system is not familiar come in, the system will change accordingly. The game in the DDoS cyberattack category has changed. Attackers currently possess state-of-the-art capabilities and when the defending side is still in the semi-manual or fully-manual mode – the equation as to where this is going is very clear."
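As an added illustration of the profile-and-signature approach described in this section (this is not L7 Defense's code, whose algorithms are not disclosed here; all traffic, addresses and thresholds are constructed), the following Python keeps a per-window profile of request shapes, learns the baseline only from quiet windows, and names the shape that drove a flood. Because the shape omits the source address, the check keeps working when the attacker spreads the same flood over more IP addresses, as the quote above describes.

```python
# Added example, not L7 Defense code; all traffic below is constructed.
from collections import Counter
req = lambda ip, method, path, ua="Mozilla/5.0": {"ip": ip, "method": method, "path": path, "ua": ua}

def build_profile(window):
    """Count and per-shape share of a window; the shape (method, path, UA) omits the source IP."""
    total = len(window)
    counts = Counter((r["method"], r["path"], r["ua"]) for r in window)
    return {"total": total, "shares": {k: c / total for k, c in counts.items()}}

def blend(baseline, current, alpha=0.3):
    """Exponentially weighted update so the baseline follows slow drift."""
    if baseline is None:
        return current
    mix = lambda a, b: (1 - alpha) * a + alpha * b
    keys = set(baseline["shares"]) | set(current["shares"])
    return {"total": mix(baseline["total"], current["total"]),
            "shares": {k: mix(baseline["shares"].get(k, 0.0), current["shares"].get(k, 0.0)) for k in keys}}

def detect(window, baseline, volume_factor=3.0, share_jump=0.3):
    """Return the shape whose share grew most if volume and mix both jump against the baseline, else None."""
    cur = build_profile(window)
    if baseline is None or cur["total"] < volume_factor * baseline["total"]:
        return None
    growth = {k: s - baseline["shares"].get(k, 0.0) for k, s in cur["shares"].items()}
    sig, jump = max(growth.items(), key=lambda kv: kv[1])
    return sig if jump >= share_jump else None

def run(windows):
    """Feed windows in order: learn only from quiet ones, flag the rest with their signature."""
    baseline, hits = None, []
    for i, w in enumerate(windows):
        sig = detect(w, baseline)
        if sig is None:
            baseline = blend(baseline, build_profile(w))
        else:
            hits.append((i, sig))
    return hits

def normal_window():
    """Constructed quiet window: 20 requests from 20 distinct addresses."""
    return ([req(f"10.0.0.{i}", "GET", "/") for i in range(8)]
            + [req(f"10.0.1.{i}", "GET", "/account") for i in range(6)]
            + [req(f"10.0.2.{i}", "POST", "/login") for i in range(6)])

def flood_window():
    """Constructed flood: the normal mix plus 180 bot logins spread over 90 addresses, 2 each."""
    bots = [req(f"198.51.100.{i % 90}", "POST", "/login", "bot/1.0") for i in range(180)]
    return normal_window() + bots

if __name__ == "__main__":
    print(run([normal_window()] * 3 + [flood_window()]))  # [(3, ('POST', '/login', 'bot/1.0'))]
```

In the constructed flood no single address sends more than two requests, so a per-IP volume threshold alone would not separate it from the normal mix, while the shape-based signature does.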
