DDoS Attack Identification
legitimate traffic, the neighbor cells are also likely to experience a similar rise in uplink noise. In the case of a DoS attack, the noise rise is local to that cell under consideration only, with minimal environmental impact. The same is depicted in Figure 3-1, with average interference of the primary cell (in red), the average SINR of the primary cell (blue), and the average interference of the first neighbor (green).
It can be seen that the rise in uplink noise of the primary cell follows a pattern very similar to that of its neighbors and can be seen for most of the days – this is clearly due to typical legitimate traffic. On the second day, the rise in noise exceeds that of the neighbors and there is little or no environmental impact. Here, we observe the following:
a) Uplink noise is low and similar to neighbor cells most of the time
b) There are traffic-dependent spikes in uplink noise that are higher than neighbor cells, and
c) Uplink SINR drops do not correlate with uplink noise rise at neighbor cells, i.e. it is local traffic-dependent noise with no environmental impact
d) Some connected UE exhibit signaling and/or user data volume patterns that correlate with the uplink SINR patterns of the attacked cell. These UE are classified as DDoS perpetrators.
Hence, it is possible to conclude that the uncorrelated noise is from DoS. We propose time series-based anomaly detection to detect the same, as discussed below.
The data for this work was obtained from 50,000 cells collected from a customer LTE network. The Key Performance Indicators (KPIs) were collected every 15 minutes. The KPI primarily used for this work was radio interference in the control and shared channel for each cell and its 3 neighbors. The neighbors were decided based on the number of handovers or using the cell latitude/longitude.
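The cell-versus-neighbors comparison described above, as an added example that is not the authors' detector: each cell's interference is scored against its own median (robust z-score), and a 15-minute interval is flagged only when the primary cell rises while its three neighbors stay quiet. The function names, the two thresholds and the dBm sample values are assumptions constructed for illustration.

```python
from statistics import median

def robust_z(series):
    """Score each sample against the cell's own median, scaled by the MAD."""
    med = median(series)
    mad = median(abs(x - med) for x in series) or 1e-9  # guard a flat series
    return [0.6745 * (x - med) / mad for x in series]

def local_noise_anomalies(primary, neighbors, rise_z=3.5, quiet_z=2.0):
    """Return the interval indices where the primary cell's uplink interference
    rises sharply while none of its neighbors rises with it.
    rise_z and quiet_z are assumed thresholds, not values from the article."""
    pz = robust_z(primary)
    nz = [robust_z(n) for n in neighbors]
    flagged = []
    for t, z in enumerate(pz):
        neighbor_peak = max(scores[t] for scores in nz)
        if z >= rise_z and neighbor_peak < quiet_z:
            flagged.append(t)
    return flagged

def build_sample():
    """Constructed 6-hour trace at 15-minute granularity (24 samples, dBm)."""
    jitter = [-110, -109, -111, -110] * 6

    def cell(shift, local_spike=False):
        s = jitter[shift:] + jitter[:shift]
        for t in range(8, 12):       # busy period seen by every cell
            s[t] += 6
        if local_spike:
            for t in (18, 19):       # rise seen by the primary cell only
                s[t] += 12
        return s

    return cell(0, local_spike=True), [cell(k) for k in (1, 2, 3)]

if __name__ == "__main__":
    primary, neighbors = build_sample()
    # The shared busy period (intervals 8-11) is ignored; 18 and 19 are flagged.
    print(local_noise_anomalies(primary, neighbors))
```
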
Figure 3-1: Rise in uplink noise due to DoS may not have an impact on the neighboring cells. In blue is the SINR of the primary cell, and in red the interference of the primary cell. In green is shown the interference of the first neighbor.
For radio DDoS detection, we must exploit temporal and spatial observations from multiple radio nodes. We propose an ensemble of time series-based machine learning and signal processing approaches that can automatically identify DoS in real-time, by analyzing Key Performance
IIC Journal of Innovation 59