DDoS Attack Identification
Beyond the radio, IoT transactions disperse between control and user plane core nodes along the path from the IoT device to the server. Each IoT transaction involves multiple network control plane nodes, which manage IoT device to radio network coordination, and network user plane nodes, which manage IoT device to server data packet transportation. These core nodes are interdependent DDoS victims and detection points.
Figure 3-5: High-level IoT network topology.
As is true for radio, core node DDoS detection must exploit temporal and spatial observations from multiple core nodes. Sensing data must be compared at multiple nodes (including virtual functions and their host locations) in order to determine if anomaly trends occur at the same time, with perhaps different intensities. If yes, then common spatial and morphology factors, for example overlapping or adjacent coverage areas and host locations, must be identified. If no, then node-specific indications, including metrics and alarms, should be observed for temporal correlation to the anomaly condition.
Such observations should lead to a distributed or local network anomaly classification. From the UE/subscriber perspective, sensing data must be analyzed to determine if network-observed anomalies correlate with signaling spikes for a single UE or for multiple UEs with something in common. Such observations should lead to a distributed or unique anomaly classification, or to some sort of distribution factor with shades between "black" and "white".
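The correlation procedure described above, sketched as an added example that is not part of the original article: it flags anomalous time bins per core node, classifies the condition as distributed or local with the spatial factors the affected nodes share, then checks whether the signaling in that window comes from one UE or from many UEs with a common attribute. Node names, attributes, the median/MAD threshold, the dominance cut-off and the 0-to-1 distribution factor are all assumptions, and the sample data is constructed.

```python
from statistics import median

# Constructed sample data: per-node signaling counts per minute, plus node attributes.
NODES = {
    "mme-1": {"area": "A", "host": "dc-east", "series": [10, 11, 9, 10, 48, 52, 10]},
    "sgw-1": {"area": "A", "host": "dc-east", "series": [20, 19, 21, 20, 70, 66, 21]},
    "mme-2": {"area": "B", "host": "dc-west", "series": [12, 12, 11, 13, 12, 11, 12]},
}
# Constructed per-UE signaling events: (time bin, UE id, device model).
UE_EVENTS = [(4, f"ue{i}", "meter-x") for i in range(8)] * 5 + [(2, "ue99", "cam-y")]

def anomalous_bins(series, k=5.0):
    """Bins whose value exceeds median + k * MAD (robust baseline; k is an assumed threshold)."""
    med = median(series)
    mad = median(abs(v - med) for v in series) or 1.0
    return {t for t, v in enumerate(series) if v > med + k * mad}

def classify_network(nodes):
    """Temporal correlation across nodes, then the spatial factors the affected nodes share."""
    hits = {n: anomalous_bins(d["series"]) for n, d in nodes.items()}
    affected = sorted(n for n, b in hits.items() if b)
    shared_bins = set.intersection(*(hits[n] for n in affected)) if affected else set()
    if len(affected) >= 2 and shared_bins:
        common = {k: nodes[affected[0]][k] for k in ("area", "host")
                  if len({nodes[n][k] for n in affected}) == 1}
        label = "distributed"
    else:
        common, label = {}, "local" if affected else "none"
    factor = len(affected) / len(nodes)   # 0.0 = no node, 1.0 = every node (assumed scale)
    return {"label": label, "nodes": affected, "bins": sorted(shared_bins),
            "common": common, "factor": round(factor, 2)}

def classify_ues(events, bins, dominance=0.8):
    """Within the anomaly window: one dominant UE, or many UEs sharing an attribute."""
    per_ue, models = {}, {}
    for t, ue, model in events:
        if t in bins:
            per_ue[ue] = per_ue.get(ue, 0) + 1
            models[ue] = model
    total = sum(per_ue.values())
    if not total:
        return {"label": "none", "common_model": None}
    top = max(per_ue.values())
    if top / total >= dominance:
        return {"label": "unique", "common_model": None}
    shared = set(models.values())
    return {"label": "distributed", "common_model": shared.pop() if len(shared) == 1 else None}
```

A node that is anomalous alone falls through to the "local" branch, which is the point at which the node-specific metrics and alarms would be pulled for that window.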
 IIC Journal of Innovation 63