A summary of DDoS Attack Prediction Using Misbehaviour Detection Model by Anika Anwar of Queen’s Reliable Software Technology (QRST) Lab
Research commissioned by Irdeto Connected Transport
Companies are making major investments into research of connected vehicle technologies to improve both driver experience and safety. There is great interest in communication between a connected vehicle and other connected vehicles or roadside infrastructure (like traffic lights). The infrastructure could communicate important information about ongoing construction, road conditions, or accidents to the vehicle and driver. This would allow them to avoid delays or dangers. Because these communications occur in an open wireless medium, security is a major concern. Cyberattacks on a system like this could result in considerable physical damage or even loss of human life.
One of the most common and dangerous cyberattacks is a Distributed Denial of Service (DDoS) attack. Here, an attacker overloads the system with a large volume of fake messages. This, therefore, essentially blocks delivery of valid messages, interrupting service for legitimate users. This blog considers a way to detect malicious vehicles or devices in the network and then predict the DDoS attack before it disrupts service. The goal is to keep vehicles and people safe.
The benefits are great, but the threats are real
It is estimated that the global market for connected vehicles will grow by 270% by 2022, and 100% cars will be connected by 2025. This technology will improve road safety and traffic management by introducing services like accident prevention, internet access, infotainment, vehicular social networking, etc. To gather this data, connected vehicles communicate with other vehicles and roadside infrastructure to transmit information about speed, location, travel route, braking, loss of stability, etc. for these services. The major drawbacks of these communications, however, are the use of an open wireless medium and unreliable or unencrypted protocols. These enable attackers to eavesdrop the traffic between vehicles.
No denying that DDoS must be addressed
The Denial of Service (DoS) attack is one of the most common and popular attacks in the vehicular system. In this attack, attackers try to make the resources and the services unavailable to the vehicles. They do so by sending a large volume of messages through the network. Unable to handle the huge amounts of data, the On-Board Units (OBUs) inside the vehicles and the Roadside Units (RSUs) shut down and critical systems and commands that ensure vehicle and driver safety cannot function as intended. In a DDoS attack, multiple malicious vehicles or devices target a single or multiple network nodes. Thus making the attack much more dangerous.
Because these attacks are happening in dynamic scenarios like roads and highways, detecting a threat once it is happening is no longer good enough. Safety is already compromised. Connected vehicles need a secure system based on a comprehensive predictive analysis of cyber threats. If a system can anticipate the potential intrusion or malicious activity, it can protect the system before it completely fails to operate, and thwart the attacker. While many existing studies look at predicting attacks, they do not provide solutions.
Smart computers and misbehaving models
This blog proposes a DDoS attack prediction framework based on machine learning techniques. This approach involves anticipating a DDoS attack based on the messages sent by malicious vehicles or devices by observing them within a certain time frame. This requires the following two steps:
- Identifying which messages come from malicious vehicles or devices.
- Using this misbehavior detection model to predict an actual attack.
Identifying bad cars
To develop a misbehavior detection model, the team input message logs (containing information like position and speed of the sender, time to deliver, Received Signal Strength Indicator (RSSI), and sender-ID) from 180 cyberattack simulations into a computer. The computer used machine learning algorithms to recognize similarities and patterns in the malicious messages. The team used six different, well-known, linear and non-linear algorithms to build the model. In essence, the model used the learned patterns to know what to look for when identifying malicious messages. It then classified the sender (vehicle or device) as either normal or malicious based on the messages sent. The study then used an additional 45 message logs to validate the model.
Anticipating the attack
A connected vehicle can anticipate a DDoS attack through the following steps:
- The vehicle receives a message.
- The vehicle sends the message through the DDoS attack prediction model.
- The message is preprocessed to match the input of the misbehavior detection model.
- The prediction model compares the speed, position, transmission time, and RSSI of the message with the other received message to determine if the same message has already been received.
- If these features match with an existing received message, it will store the message and keep a count of the number of times the message has been received.
- If a vehicle receives the same message more than a set number of times within a defined span of time, the prediction model sends the message log through the misbehavior detection model.
- The misbehavior detection model determines if the message log is from a malicious sender.
- If it determines that the message is coming from a malicious sender, the model predicts a DDoS attack and informs the user with the vehicle ID or takes necessary actions.
Attack to the future
One next step would be to evaluate the DDoS attack prediction model using message logs sent by vehicles in a live road network. Another would be to build an adaptive threat model for the communication system of the vehicle. This would assist in identifying the vulnerabilities and building a vulnerability prediction model of the communication system. The vulnerability prediction model can further help build a security decay model. Additionally, we plan to predict other attacks using a similar model and predict vulnerabilities associated with it with the goal of understanding how we can help keep roads and people safe from malicious attacks in a connected world.
For complete details of this study, read DDoS Attack Prediction Using Misbehaviour Detection Model by Anika Anwar of Queen’s Reliable Software Technology (QRST) Lab. DDoS Attack Prediction is a part of Irdeto’s Anomaly Detection System.
Follow us here to stay up to date!
Click here to contact us.