DDoS Attack Identification
If network and UE anomaly classifications are distributed , then network and UE sensing data must be observed for temporal relationships to determine if a large number of UE affected a large number of network nodes ( DDoS ), or a large number of network nodes affected a large number of UE ( network failure ).
If network anomaly classification is local and UE anomaly classification is distributed , then an inverse correlation study of UE sensing data can determine what is different , for example , virtual RAN and core network functions and hosting locations , between UE with and without anomalous behavior in the same RAN area . If network anomaly classification is distributed , and UE anomaly classification is relatively unique , then UE sensing data should be observed for coincident behavioral patterns of multiple UE . For example :
a ) Do all anomalous UE exhibit signaling spikes at the same time on different virtual core nodes connected to the same RAN ?
b ) What happens to the signaling volume of non-anomalous UE on the same RAN nodes as anomalous UE ?
c ) What is the difference between the anomalous and non-anomalous UE ( subscription / slice , IMEI range indicating hardware )?
d ) What is common between the anomalous UE ? For example , do they all change cells at the same time , indicating the presence in a common vehicle , etc .
Layers of anomaly classifications and causal inference should lead to targeted UE or network remedy actions .
The challenge is to observe and act on data , from all the distributed core nodes , without creating an unmanageable amount of data collection , transportation , privacy and compute overhead . Blockchain is a new technology that records and maintains transactions in a verifiable and permanent manner using decentralized and open ledgers that can be updated from multiple nodes along a network transaction path .
A smart contract is a computer program that is executed in a secure environment that directly monitors and controls digital assets . A smart contract can be configured with rules that update records when specified conditions are met at nodes along a network transaction path .
As shown in Figure 3-6 , when applied to the IoT DDoS use case , blockchain records and smartcontract-initiated updates can be used to track device behavior and network impacts , and therefore provide an efficient data source for DDoS anomaly detection , countermeasure , and mitigation functions , from each intermediate node . Compared to traditional probing , packet inspection , and data caching techniques , this blockchain approach is better suited for the privacy , scale , and speed of IoT networks .
64 March 2022