Detect DDoS Attacks Using a Biological Model

Israeli company "L7 Defense" is trying to do the impossible – stop application layer DDoS attacks in seconds instead of hours. Their solution is a protection system based on an immune-biological model that combines with Real-Time Big Data analysis

An Israeli company named "L7 Defense" is trying to do the impossible – stop application layer DDoS attacks in seconds instead of hours. It wants to do so by using an automatic protection system based on an immune-biological model that combines with Real-Time Big Data analysis.

"The (human) body knows how to deal in real time with damage to critical systems. It broadcasts warnings such as fever or other signs that activate the immune system. We found that combining the biological model for analyzing Big Data, identifies sophisticated DDoS attacks in real-time," said Israel Gross, co-founder, and L7 Defense CMO.  

Alongside Gross, the partners are Dr. Doron Chema (CEO), Bio-Information by training, who also developed the System model, and Mr. Mark Ginsburg, a senior algorithmic developer who served in an Elite Cyber Unit (IDF).

"DDoS attacks on the application layer are very challenging today. A major reason for this is the use of tools that successfully simulate human behavior and are tailor-made for the specific target", says Gross. "The trick in application layer DDoS is to attack a large number of vulnerabilities while exhausting the target servers' resources in a short time period".

Gross explains that today, defense systems against DDoS attacks are mainly based on forwarding the traffic to human analysts for a test. "In reality, the average time for the discovery and blockage of complex DDoS attacks is over an hour," says Gross. "We strive for detection and blocking in no more than a few seconds, automatically, regardless of the number of attacking vectors. This protection model is patented".

DDoS attacks began in the 90s, when the original method was to "strangle" the network traffic. Over the years, this type of attack has become easier to identify and block. At the same time, a new trend was born in recent years – targeted attacks on system servers.

These attacks are called "application layer DDoS". They operate relatively modest volume of traffic, and very efficient due to their adaptation to the target. For example, in an e-commerce site, each search request could have a potential of serving as an attacking vector. One can carry out a DDoS attack using Bots, sending multiple search requests to products simultaneously. The result of the load on a search engine, which is usually supported by heavy mechanisms, may bring down the entire site or at least cause a significant slowdown.

L7 Defense's system is software based, located within the boundaries of enterprise systems (DMZ), and can be installed on a public cloud (Amazon, Azure, etc.) and/or the customer's server farm. The system is compact and can be installed as a single server, serving as a protective reverse proxy system.

The system operates at all times (Always On), with no prior knowledge or accumulated memory (such as the use of a central signatures bank). From the moment of identifying an attack in real time, the system produces an unequivocal identification of each attack vector and stops them immediately.

"Demonstrations show that the system is dealing effectively with the detection and blocking of 4-5 vectors simultaneously without prior knowledge. It is not limited to blocking even more complex attacks," says Gross.

"Let's recall that currently, identifying and stopping more than one vector is a real challenge to the SOC personnel in various organizations, and it usually lasts a few hours (handled) by a team of dedicated experts.

"Our system is adapted to the current situation where organizations are attacked frequently and over days or even weeks. It does not require manual operation by teams of experts, that the level of their availability decreases and the level of cost increases accordingly".

In July this year, the company raised 750 thousand dollars from Incubate (Elbit Systems Technology Venture) and the Israeli Office of the Chief Scientist (OCS). "Elbit is a strategic partner and it opens doors for us," says Gross.

Defense L7 company officially began operating in last July and has been awarded first prize in start-up companies competition in Germany (Tech Ecosystems). "Winning the competition will expose us to the German market," concludes Gros.