Distributed response to network intrusions using multiagent reinforcement learning

Distributed denial of service (DDoS) attacks constitute a rapidly evolving threat in the current Internet. Multiagent Router Throttling is a novel approach to defend against DDoS attacks where multiple reinforcement learning agents are installed on a set of routers and learn to throttle or rate-limit traffic towards a victim server. It has been demonstrated to perform well against DDoS attacks in small-scale network topologies. The focus of this paper is to tackle the scalability challenge. Scalability is one of the most important aspects of a defence system, since a non-scalable defence mechanism will never be considered, let alone adopted, for wide deployment by a company or organisation. In this paper we introduce Coordinated Team Learning (CTL), a novel design for the original Multiagent Router Throttling approach. One of the novel characteristics of our approach is that it provides a decentralised coordinated response to the DDoS problem. It incorporates several mechanisms, namely hierarchical team-based communication, task decomposition and team rewards, and its scalability is successfully demonstrated in experiments involving up to 100 reinforcement learning agents. We compare our proposed approach against a baseline and a popular state-of-the-art router throttling technique from the network security literature, and we show that our approach significantly outperforms both of them in a series of scenarios with increasingly sophisticated attack dynamics. Furthermore, we show that our approach is more resilient and adaptable than the existing throttling approaches.
