DDoS attack prediction: How deep learning can provide early warnings to defenders

Distributed Denial of Service (DDoS) attacks remain one of the most common and destructive forms of cybercrime. Defenders have traditionally focused on detecting these attacks while they are ongoing. New research suggests that it is possible to predict DDoS attacks in advance, giving security teams a head start when planning their defenses.

Predicting DDoS attacks

The new study outlines an approach to predicting DDoS activity using deep learning. Researchers from the University of Malaya and the Technical University Melaka analyzed 192,525 DDoS attacks that took place between 2019 and 2021. Their goal was to determine whether past activity could be used to predict future surges.

The team focused on the Covid-19 period, when many organizations were forced to shift operations online. During this time, DDoS activity grew rapidly, reaching unprecedented levels of attack size and duration. In one example, the researchers found a 94% increase in attacks exceeding 1 terabit per second between 2019 and 2020.

Moving from detection to prediction

Most cybersecurity tools are designed to detect attacks in real time. By the time an anomaly is flagged, the damage may already be done. The researchers propose an alternative approach that focuses on predicting DDoS attacks rather than simply detecting them.

Their model uses Long Short-Term Memory (LSTM), a kind of deep learning architecture designed to recognize patterns in sequential data. In this case, the sequence is time-series data of DDoS activity. By training the model on historical attack data, the system attempts to predict what will happen next, such as a spike in traffic or a sudden increase in attack duration.

The predictions were not fully accurate, but the model showed promising results. It successfully identified when critical spikes of attack activity were likely to occur, even if the exact size of the surge was not necessarily predicted. This partial foresight can still be valuable to security teams. Warning of future increases in DDoS traffic can help organizations allocate resources, adjust their network configuration, or prepare mitigation services before an attack reaches its peak.
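As an added illustration of the point made above, this Python sketch scores a forecaster on spike timing separately from spike magnitude. It is not the study's code or data: an exponentially weighted moving average (EWMA) stands in for the LSTM, and the daily attack counts are constructed.

```python
"""Score a DDoS-activity forecaster on spike timing separately from magnitude.

Added example, not the study's code or data: an exponentially weighted moving
average (EWMA) stands in for the LSTM, and the daily counts are constructed."""
from statistics import mean, pstdev

# Constructed daily attack counts: noisy baseline with two multi-day surges.
DAILY_ATTACKS = [
    120, 118, 125, 130, 122, 119, 128, 124,   # calibration period (8 days)
    310, 420, 380, 260,                       # surge 1
    127, 121, 130, 118, 126, 123, 120, 129,   # back to baseline
    290, 510, 450, 330,                       # surge 2
    125, 122, 128, 124,
]

def ewma_forecast(series, alpha=0.5):
    """One-step-ahead forecast: forecast[t] uses only series[:t]."""
    level = series[0]
    forecasts = [series[0]]              # no history for day 0
    for x in series[1:]:
        forecasts.append(level)          # today's forecast from past days only
        level = alpha * x + (1 - alpha) * level
    return forecasts

def calibrate_threshold(series, days=8, k=3.0):
    """'Critical spike' = count above mean + k*std of the calibration period."""
    past = series[:days]
    return mean(past) + k * pstdev(past)

def score_warnings(actual, forecast, threshold):
    """Timing: did a warning fire on spike days? Magnitude: how far off was it?"""
    hits = misses = false_alarms = 0
    relative_errors = []
    for a, f in zip(actual, forecast):
        spike, warned = a > threshold, f > threshold
        if spike and warned:
            hits += 1
            relative_errors.append(abs(a - f) / a)
        elif spike:
            misses += 1
        elif warned:
            false_alarms += 1
    return {"hits": hits, "misses": misses, "false_alarms": false_alarms,
            "magnitude_error": mean(relative_errors) if relative_errors else None}

def run_example():
    """The lagging EWMA misses day 1 of each surge, warns on the following days,
    and misjudges their size: timing partly right, magnitude wrong."""
    threshold = calibrate_threshold(DAILY_ATTACKS)
    return score_warnings(DAILY_ATTACKS, ewma_forecast(DAILY_ATTACKS), threshold)

if __name__ == "__main__":
    print(run_example())
```

On the constructed series the EWMA warns on six of eight spike days but never on the first day of a surge, and trails off with false alarms afterwards, which is exactly the kind of gap a timing-aware scorecard exposes and a sequence model is meant to close.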

Locally impactful global dataset

The dataset used in this study was scraped from the Digital Attack Map, a project that visualizes DDoS activity around the world. The data came from over 330 internet service providers, making it one of the more comprehensive public sources available for predicting DDoS attacks on a global scale.

By analyzing this global data, the researchers identified key trends in attacker behavior. Total traffic, UDP misuse, and IP fragmentation attacks were the most common types throughout the study period. The research shows that several attack methods that have been around for years have not disappeared. Instead, attackers combine old techniques with new tactics to create complex, multi-vector campaigns that are difficult to defend against.

These findings are consistent with what many security teams see on the ground. The rise of IoT botnets and “DDoS-for-hire” services has made it easier for attackers to launch a variety of unpredictable campaigns. This diversity of tactics is the main reason static defenses often fail.

Why predictions are important for security teams

This study highlights a significant change in how defenders think about the DDoS threat. Detection and mitigation are always necessary, but they are reactive procedures. Predicting a DDoS attack gives defenders the opportunity to move upstream and address threats before they materialize.

This technology is not yet ready for production use. The researchers acknowledge that their model has a high margin of error and needs further improvement. However, the concept itself has gained traction. As machine learning models improve and datasets become more detailed, prediction could become a standard part of DDoS defense.

The study also highlights the value of good data. Accurate predictions rely on large, up-to-date datasets. Many existing public datasets are outdated or incomplete, which limits the accuracy of the current model. Security teams may need to work closely with service providers and threat intelligence partners to ensure access to relevant, high-quality data.

The future of DDoS prediction

Although this research is still in its early stages, it offers a glimpse of where DDoS defense is heading. In the future, organizations could have dashboards that show both current attack traffic and likely activity hours or days ahead. The transition from reacting to DDoS attacks to predicting them could make a real difference in how defenders prepare for massive disruptions.

For now, this research provides a foundation for future development. It also gives CISOs a reason to start a conversation with their teams about how predictive analytics could help them preempt one of the most persistent threats in cybersecurity.
