1. Field of the Disclosure
The present disclosure generally relates to a system and method for detecting and predicting network attacks. More specifically, it relates to correlating historical attacks with diverse indicators to generate indicator profiles and decision rules for detecting and predicting future network attacks.
2. Description of the Related Art
Accurate detection and prediction of network attacks is a difficult problem because attacks vary widely in how they manifest and evolve over time. This variation and evolution make it difficult to create signatures that capture the characteristics of attacks in the observed data. It would be desirable to construct a system that can recognize ongoing attacks and provide warnings of imminent attacks.
While distributed denial-of-service (DDoS) detection is a well-studied problem, most solutions produce an excessive number of false alarms and cannot detect variants of existing attacks.
The most widely studied approach to DDoS attack detection is the anomaly-detection-based approach. This approach is usually based on unsupervised learning and does not use knowledge of attacks at the time the rules or models for detecting or predicting attacks are constructed. Anomaly-based approaches use information about known attacks only to evaluate the performance of an existing approach, not to improve the approach itself.
Recently, there has been some work on time-series analysis for detecting DDoS attacks, but this work focuses on analyzing the time series alone without considering which parts of it correspond to attacks. Although it captures some temporal component, its main drawback is a high rate of false positives and of false negatives (missed detections).
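The contrast drawn above, as an added illustration that is not part of the disclosure: an unsupervised rate-threshold detector built without consulting attack labels, beside a decision rule derived from labelled historical intervals over several indicators. The interval data, the three indicators and the separability rule are constructed for this example.

```python
from statistics import mean

# Constructed per-interval indicators (packets/s, SYN fraction, distinct sources)
# with a ground-truth attack label; the values are illustrative, not measured.
HISTORY = [
    ((1000, 0.10, 200), False),
    ((1100, 0.11, 210), False),
    ((950, 0.09, 190), False),
    ((1050, 0.10, 205), False),
    ((5000, 0.12, 900), False),  # flash crowd: benign surge of real clients
    ((5200, 0.85, 40), True),    # SYN flood from a handful of sources
    ((1200, 0.80, 35), True),    # low-rate variant of the same attack
]

def rate_threshold_detector(history, warmup=4, factor=3.0):
    """Unsupervised baseline: learn the 'normal' packet rate from the first
    `warmup` intervals and flag anything above factor * baseline.
    Labels are never consulted when the rule is built."""
    baseline = mean([x[0][0] for x in history[:warmup]])
    return [x[0][0] > factor * baseline for x in history]

def learn_indicator_rules(history):
    """Supervised: for each indicator, keep a threshold only if attack and
    benign values are separable; the operator says which side is 'attack'."""
    rules = []
    for i in range(len(history[0][0])):
        benign = [x[0][i] for x in history if not x[1]]
        attack = [x[0][i] for x in history if x[1]]
        if min(attack) > max(benign):
            rules.append((i, ">", (min(attack) + max(benign)) / 2))
        elif max(attack) < min(benign):
            rules.append((i, "<", (max(attack) + min(benign)) / 2))
        # overlapping ranges (here the raw packet rate) give no usable threshold
    return rules

def apply_rules(rules, sample):
    """Flag a sample as an attack only if every learned rule fires."""
    if not rules:
        return False
    return all(sample[i] > t if op == ">" else sample[i] < t
               for i, op, t in rules)

def evaluate(predictions, history):
    """Return (false_positives, false_negatives) against ground truth."""
    fp = sum(p and not lab for p, (_, lab) in zip(predictions, history))
    fn = sum(lab and not p for p, (_, lab) in zip(predictions, history))
    return fp, fn
```

On this data the rate-threshold detector flags the flash crowd and misses the low-rate variant, while the rule learned from labelled history separates both attacks from the benign intervals using the SYN fraction and source count alone.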