Deep learning-based prediction of reflection attacks using NetFlow data

IF 4.8 | Zone 2 (Computer Science) | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Edward Chuah , Arshad Jhumka , Aladdin Ayesh
Computers & Security, volume 156, Article 104527, published 2025-05-17. DOI: 10.1016/j.cose.2025.104527
https://www.sciencedirect.com/science/article/pii/S0167404825002160
Citations: 0

Abstract

Large networks support the deployment of networked services with fast response times by deploying a large number of servers and high-speed routers. While several techniques exist to detect network attacks, predicting future attacks can further enhance the security of the network. Reflection attacks are one of the most common causes of service disruption in large networks. A reflection attack is a type of Distributed Denial-of-Service (DDoS) attack in which the attacker sends requests with a spoofed source address to third-party servers (reflectors), which then flood the victim with a large volume of response traffic while hiding the attacker's identity. Modern networks generate a large volume of NetFlow data, and analysing this data is an advocated basis for identifying reflection attacks. A comprehensive analysis of 3.1 billion NetFlow records obtained from a large enterprise network is conducted, and reflection attacks on Domain Name System (DNS) and NetBIOS servers are identified in the NetFlow data. To the best of our knowledge, no prior work has evaluated Temporal Convolutional Network (TCN), Recurrent Neural Network (RNN) and Long Short-Term Memory (LSTM) deep learning (DL) models for predicting reflection attacks in a large network. The aim of this paper is therefore to determine whether TCN, RNN and LSTM can predict reflection attacks from NetFlow data. This paper proposes an approach to predict reflection attacks and evaluates TCN, RNN and LSTM on real NetFlow data.
The results of this study show that: (a) RNN and LSTM achieved the highest coefficient of determination (R²) when predicting DNS server reflection attacks, with values ranging from 0.39 to 0.992 across dates; (b) RNN, LSTM and TCN achieved the highest R² when predicting NetBIOS server reflection attacks, with values ranging from 0.749 to 0.999 across dates; (c) the percentage of packets generated by DNS server reflection attacks ranged from 0.001% to 18%; (d) the percentage of packets generated by NetBIOS server reflection attacks ranged from 0.2% to 16%; (e) the percentage of source and destination devices associated with DNS server reflection attacks ranged from 0.0006% to 0.022%; and (f) the percentage of source and destination devices associated with NetBIOS server reflection attacks ranged from 0.071% to 34%. The outcomes are: (a) RNN and LSTM predicted DNS server reflection attacks with high accuracy on 12 dates; (b) RNN, LSTM and TCN predicted NetBIOS server reflection attacks with high accuracy on 14 dates; (c) RNN, LSTM and TCN predicted DNS server reflection attacks with low accuracy on 2 dates; (d) the traffic generated by DNS and NetBIOS server reflection attacks did not overwhelm the network; and (e) only a small number of source and destination devices were associated with these reflection attacks.
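The abstract describes three things a practitioner would want to see concretely: how a reflection attack looks in a reflector's own NetFlow data (a local DNS or NetBIOS server emitting many large UDP responses to one destination), how the packet and device shares reported in (c) to (f) are derived, and what the R² metric used to score the TCN/RNN/LSTM forecasts actually measures. The following is an added illustration written for this page, not code from the paper; it assumes a simplified CSV flow layout (time bin, src, sport, dst, dport, proto, pkts, bytes), constructed sample flows, and illustrative thresholds (`min_pkts`, `min_avg_bytes`) that are not values from the paper. It goes one step beyond the abstract by scoring a naive persistence forecast with R², the baseline any learned model should beat before its R² is read as evidence of prediction.

```python
"""Toy NetFlow reflection-attack triage (added example, not the paper's code).

Flow records use a simplified NetFlow-like CSV layout that is an assumption
of this example: time bin, src, sport, dst, dport, proto, packets, bytes.
"""
from collections import defaultdict

# Constructed sample: an internal DNS server (10.0.0.53) and a NetBIOS host
# (10.0.0.7) answer normal queries, plus bursts of large responses to one
# external address (198.51.100.9), which is how a reflection attack appears
# from the reflector's side: the spoofed "requester" is the victim.
SAMPLE_FLOWS = """\
bin,src,sport,dst,dport,proto,pkts,bytes
0,10.0.0.53,53,192.0.2.10,4421,udp,2,300
0,10.0.0.53,53,192.0.2.11,5120,udp,1,150
0,10.0.0.7,137,192.0.2.12,137,udp,1,90
1,10.0.0.53,53,198.51.100.9,80,udp,400,1200000
1,10.0.0.53,53,192.0.2.10,4422,udp,1,150
1,10.0.0.7,137,198.51.100.9,137,udp,120,60000
2,10.0.0.53,53,198.51.100.9,80,udp,450,1350000
2,10.0.0.7,137,192.0.2.12,137,udp,1,90
3,10.0.0.53,53,198.51.100.9,80,udp,380,1140000
3,10.0.0.53,53,192.0.2.11,5121,udp,1,150
"""

# Source ports of the two reflector services the paper studies.
REFLECTOR_PORTS = {53: "dns", 137: "netbios"}


def parse_flows(text):
    """Parse the CSV sample into dicts with integer numeric fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for k in ("bin", "sport", "dport", "pkts", "bytes"):
            rec[k] = int(rec[k])
        rows.append(rec)
    return rows


def find_reflection(flows, min_pkts=100, min_avg_bytes=400):
    """Flag (service, reflector, victim, bin) tuples where a local server sends
    many large UDP responses to one destination within one time bin.
    The thresholds are illustrative assumptions, not values from the paper."""
    agg = defaultdict(lambda: [0, 0])  # key -> [packets, bytes]
    for f in flows:
        svc = REFLECTOR_PORTS.get(f["sport"])
        if f["proto"] != "udp" or svc is None:
            continue
        key = (svc, f["src"], f["dst"], f["bin"])
        agg[key][0] += f["pkts"]
        agg[key][1] += f["bytes"]
    hits = []
    for (svc, reflector, victim, b), (p, by) in sorted(agg.items()):
        if p >= min_pkts and by / p >= min_avg_bytes:
            hits.append({"service": svc, "reflector": reflector,
                         "victim": victim, "bin": b, "pkts": p, "bytes": by})
    return hits


def attack_share(flows, hits):
    """Fraction of all packets, and of all devices (src or dst), tied to
    flagged flows: the two per-service figures the abstract reports."""
    flagged = {(h["service"], h["reflector"], h["victim"], h["bin"]) for h in hits}
    total_pkts, attack_pkts = 0, 0
    devices, attack_devices = set(), set()
    for f in flows:
        total_pkts += f["pkts"]
        devices.update((f["src"], f["dst"]))
        key = (REFLECTOR_PORTS.get(f["sport"]), f["src"], f["dst"], f["bin"])
        if key in flagged:
            attack_pkts += f["pkts"]
            attack_devices.update((f["src"], f["dst"]))
    return attack_pkts / total_pkts, len(attack_devices) / len(devices)


def attack_series(hits, service, n_bins):
    """Per-bin packet counts of flagged traffic for one service: the kind of
    series a TCN/RNN/LSTM would be trained to forecast one bin ahead."""
    series = [0] * n_bins
    for h in hits:
        if h["service"] == service:
            series[h["bin"]] += h["pkts"]
    return series


def r_squared(actual, predicted):
    """Coefficient of determination: 1 is a perfect forecast, 0 matches
    always predicting the mean, negative is worse than the mean."""
    mean = sum(actual) / len(actual)
    ss_res = sum((a - p) ** 2 for a, p in zip(actual, predicted))
    ss_tot = sum((a - mean) ** 2 for a in actual)
    return 1.0 - ss_res / ss_tot if ss_tot else 0.0


def persistence_baseline(series):
    """Naive forecast: next bin equals the current bin. A learned model's R²
    should be compared against this before it is taken as predictive skill."""
    return [series[0]] + series[:-1]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = find_reflection(flows)
    for h in hits:
        print(h)
    print("packet share, device share:", attack_share(flows, hits))
    dns = attack_series(hits, "dns", 4)
    print("DNS series:", dns, "persistence R2:",
          round(r_squared(dns, persistence_baseline(dns)), 3))
```

On the constructed sample the persistence forecast scores a negative R² on the DNS series, because the bursts start abruptly and a one-bin lag misses the onset entirely; that is exactly the regime where a sequence model earns its keep, and also why an R² of 0.39 on some dates (as the abstract reports) should be read against such a baseline rather than in isolation.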
Source journal: Computers & Security (Engineering & Technology, Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.