Traffic-flow analysis for source-side DDoS recognition on 5G environments

This paper introduces a novel approach for detecting the participation of a protected network device in flooding-based Distributed Denial of Service attacks. With this purpose, the traffic flows are inspected at source-side looking for discordant behaviors. In contrast to most previous solutions, the proposal assumes the non-stationarity and heterogeneity inherent in the emergent communication environment. In particular, the approach takes advantage of the monitorization and knowledge acquisition capabilities implemented in the SELFNET (H2020-ICT-2014-2/671672) project, which facilitates its implementation as a self-organizing solution on 5G mobile networks. Monitorization, feature extraction and knowledge acquisition tasks are carried out on centralized control plane, hence the proposed architecture minimizes the impact on operational performance and prompts the end-points mobility. The preliminary results observed when considering different metrics, adjustment parameters, and a dataset with traffic observed in 61 real devices proven efficiency when distinguishing normal activities from DDoS behaviors of different intensity. With an optimal granularity selection, the highest AUC reached values close to 1.0 when measured under the most intense attacks, hence demonstrating optimal TPR and FPR relationships by adapting to the instantiated use cases.