Poisoning Online Learning Filters: DDoS Attacks and Countermeasures

Several unsupervised learning mitigation strategies (Lima Filho et al., 2019; He et al., 2017; Daneshgadeh Çakmakçı et al., 2020) have been proposed to counter such attacks in an online manner. These learning-based methods, employing rudimentary machine learning algorithms, e.g., random forest, logistic regression, decision tree, perform clustering and simple distance measure using a few elementary features. While they can capture some basic network traffic properties, they are unable to learn deeper representations of legitimate and malicious requests to better distinguish between the two types of traffic. Moreover, the optimization goal of these methods is not clear.

In one of the most recent online deep learning filtering methods presented in Tann et al. (Tann et al., 2021b), the two proposed approaches perform filtering by utilizing both the normal-day and the attack-day mixture traffic. One approach estimates the likelihood that each request is an attack, given that it is from the attack-day mixture traffic. The other approach formulates a loss function specific to a two-class classifier with the objective to classify requests from normal traffic as normal and an estimated proportion of requests during the attack as malicious. The two approaches demonstrate to be suitable for attacks with a short time frame.

While several DDoS filtering methods exist, there is a shortage of literature on deep generative models targeting DDoS detection systems. In recent years, some methods (Ibitoye et al., 2019; Warzyński and Kołaczek, 2018) have been proposed to generate adversarial samples to evade DDoS detection. On the one hand, some of these methods were employed in a white-box setting. The attackers are assumed to know the details of the target deep-learning intrusion detection system, which is not practical in the real world. On the other hand, another group of methods (Hashemi et al., 2019; Peng et al., 2019, 2019; Huang et al., 2020; Liu and Yin, 2021) is presented as black-box attacks, where the attacker has very limited knowledge of the target model, such as only the model’s output. Both evasion methods perform perturbations on samples until an adversarial sample successfully evades the target DDoS detector.

While these methods perform evasive attacks on DDoS intrusion systems by manipulating adversarial samples in one way or another, there is no study on the effectiveness of poisoning attacks on online deep-learning DDoS filters. The most relevant work is a study (Li et al., 2005) on adaptive statistical filters. It was determined that adaptive statistical filters perform much worse against attackers that dynamically change their behavior. However, there are no such studies for online deep learning filters.

Data poisoning is a type of attack, where an attacker can inject malicious data that target machine learning models during the training phase. Most existing poisoning attacks (Biggio et al., 2012; Jagielski et al., 2018; Rubinstein et al., 2009; Xiao et al., 2015; Yang et al., 2017a) compromise the training dataset. The attacks aim to compromise the integrity of a machine learning system by having a model learn on unsanitized data, which manipulates a model to learn a high error rate on test samples during operation, leading to abysmal performance and the nullification of the model’s effectiveness. It was first studied by Biggio et al. (Biggio et al., 2012) against support vector machines. Beyond linear classifier models, others have studied poisoning in areas such as collaborative filtering (Li et al., 2016), generative method against neural networks (Yang et al., 2017b), and topic modeling (Mei and Zhu, 2015). However, there is no study on data poisoning attacks targeting online learning filtering methods.

We model the interactions between a “clever” attacker and an online-learning DDoS filter as a game. In this game, there are mainly three notions relating to every time interval $t$: (1) the estimated attack traffic distribution $\widehat{A}_{t}$ of the filter at each interval, (2) the generated attack traffic distribution $\widetilde{A}_{t}$ that the attacker constantly shifts from one interval to the next, and (3) the filter model $F_{t}$, which makes the decision on requests that are to be dropped during an attack. The goal of an attacker is to shift the distribution of attack traffic dynamically, deceiving the filter into approximating an inaccurate attack distribution, such that it is unable to distinguish between normal and attack requests accurately; effectively carrying out a poisoning attack.

Most network service providers would have protective DDoS filtering mechanisms monitoring the availability of their networks. Such a DDoS filtering mechanism is often an online learning-based filter that makes the decision to drop abnormal requests based on some extracted salient features, with an adaptive model trained on observed network traffic. Therefore, it is reasonable to assume that the attacker would not have any knowledge about the protective filtering system that the network service provider has in place (e.g., the features, time interval, and data used by the filter). Nevertheless, the attacker can always probe the filter by making malicious requests and studying the provider’s response (accept/reject) via the status code. For example, receiving the code HTTP 403 means that the requested resource is forbidden by the provider. However, we assume that the attacker can only probe the provider’s filter a limited number of times before its IP address is blacklisted.

To avoid detection, the attacker has a generator that generates controllable network requests that model regular traffic closely. For instance, the generator is able to dynamically generate malicious traffic requests by allowing the attacker to control the distribution shift of generated traffic. Due to the attacker’s limited knowledge of the underlying online DDoS protection mechanism, only by constantly shifting its attack traffic distribution, can the attacker confuse the online learning filter, and it allows the attacker to be always one step ahead of the filter’s estimation of the attack profile. Given the strict constraints, we aim to investigate the effectiveness of such attacks.

For the online filter, we use the deep learning filters (Tann et al., 2021b) that demonstrated effectiveness against DDoS attacks in an online setting. The two filters proposed are the N-over-D nets and Iterative Classifier. Their goal is to filter out an estimated proportion of malicious requests during an attack. The considered filter is one that learns on both the traffic from two operational periods for model training. As an abnormally large number of requests characterizes attacks, it can be readily detected in practice. The first period is the normal-day traffic $\mathcal{N}$, where the requests are logged during the normal period. The second period is the attack-day traffic $\mathcal{A}$ that contains a mixture of unlabeled legitimate and malicious traffic. Based on the volume of attack traffic, it is assumed that the filter is able to roughly estimate the proportion of attack requests in $\mathcal{A}$. All requests in $\mathcal{N}$ are considered to be normal, whereas traffic in $\mathcal{A}$ is unlabeled.

In an online setting, the filtering process can be broadly categorized into three stages. First, during a normal period, intensive processing and training can be performed on normal-day traffic $\mathcal{N}$ to learn an accurate intermediate model $\widehat{N}_{0}$ of normal requests. Next, when an attack begins, the filter model starts its online learning of incoming mixture traffic $\mathcal{A}$. The mixture traffic can be divided into intervals of $\ell$ minutes (e.g., $\ell=1$), and ordered accordingly ($\mathcal{A}_{0},\mathcal{A}_{1},\mathcal{A}_{2},\ldots$), where $\mathcal{A}_{t}$ contains the mixture within the $t$-th interval. At each interval $t$, the model, trained on $\mathcal{A}_{t-1}$ and some intermediate representation $\widehat{N}_{t-1}$, giving the updated $\widehat{N}_{t}$ and a model $F_{t}$. Finally, the trained model $F_{t}$ is used to estimate the attack traffic distribution $\widehat{A}_{t}$ and perform the filtering of incoming requests.

The attacker takes as input a request sample $\bm{x}$ from given traffic (either malicious traffic of a single attack profile or benign traffic of the victim that has been compromised) and generates another request $\widetilde{\bm{x}}=(\widetilde{x}_{1},\widetilde{x}_{2},\ldots,\widetilde{x}_{L})$ that mimics the traffic. In addition, the attacker shifts the distribution of the generated requests in order to fool the filter. It can be achieved by leveraging some data features as conditions to control the traffic generation process. Each request $\bm{x}$ is associated with some selected feature that is grouped into classes $k_{i}\in K$ (e.g., the various request payload sizes), and it corresponds to the request in the given traffic. Through these selected features, the attacker is able to control the distribution during the generative process. We denote this time-varying distribution as $\widetilde{A}_{t}$. The attacker can take advantage of the useful properties of the network features to manipulate the generated samples.

For example, the attacker can use the TCP Len feature as one of the conditions to vary the distribution of generated requests. In one interval, the attacker can generate attack distribution $\widetilde{A}_{t}$ with requests of longer packet lengths. In contrast, the next interval could be generated with short packet lengths. Nevertheless, such traffic features are not fixed, and it is always up to the attacker to select from the set of all network traffic features. As the goal of the attacker is to generate unpredictable requests and attempt to get the online learning filter to accept as many of them as possible, it is sufficient for the attacker to mimic the traffic and find a distribution $\widetilde{A}_{t}$ that the filter’s estimated distribution $\widehat{A}_{t}$ is unable to accurately capture in time.

The mimic model $C$ is designed to learn traffic behavior by modeling features of sub-requests in the sampled requests. It is a sequence-to-sequence model. Given a sequence of traffic request features, the model then predicts the input sub-request features one at a time as the features are observed. We design $C$ using a long short-term memory (LSTM) (Hochreiter and Schmidhuber, 1997) neural network. The purpose of $C$ is to model network traffic, retain a memory of its behavior, and provide a vector of control for the ensuing generative process. When given sampled sequences of features $(\bm{s}_{1},\ldots,\bm{s}_{L})$ as inputs, the mimic $C$ learns to generate synthetic features $(\widetilde{\bm{s}}_{1},\ldots,\widetilde{\bm{s}}_{L})$ that mimic the input features. For example, a sample input Request Len sequence $(60,1514,52,60,\ldots,66)$ given to $C$ could result in such an output of $(60,60,1514,60,\ldots,66)$, which closely mimics the input sample.

The generator $G$ generates network requests $(\widetilde{\bm{x}}_{1},\ldots,\widetilde{\bm{x}}_{L})\sim G$ conditional on the selected features. It is a parameterized LSTM model $f_{\theta}$. At each step $l$, the LSTM $f_{\theta}$ takes as input the previous request $\widetilde{\bm{x}}_{l-1}$, the last memory state $\bm{m}_{l-1}$ of the LSTM model, and the current feature $\widetilde{\bm{s}}_{l}$. The model then generates two values $(\bm{p}_{l},\bm{m}_{l})$, where $\bm{p}_{l}$ denotes the probability distribution over the current request and $\bm{m}_{l}$ the current memory state. Next, the generated request $\widetilde{\bm{x}}_{l}$ is sampled from a categorical distribution $\widetilde{\bm{x}}_{l}\sim Cat(\sigma(\bm{p}_{l}))$ using a one-hot vector representation, where $\sigma(\cdot)$ is the softmax function. A latent noise from a multivariate standard normal distribution $\bm{\bm{z}}\sim\ \mathcal{N}(\bm{0},\bm{I}_{d})$ is drawn and passed through a hyperbolic tangent function $g_{\theta^{\prime}}(\bm{\bm{z}})$ to compute the initial memory state $\bm{m}_{0}$. Generator $G$ takes this noise $\bm{\bm{z}}$ and sampled features $\bm{s}$ as inputs, and generates attack requests $(\widetilde{\bm{x}}_{1},\ldots,\widetilde{\bm{x}}_{L})$.

The discriminator $D$ aims to discriminate between requests sampled from the given traffic and synthetic requests generated by the generator $G$. It is a binary classification LSTM model that takes two inputs: the current request $\bm{x}_{l}$ and its associated feature condition $\bm{s}_{l}$, both represented as one-hot vectors. $D$ then outputs a score between $0$ and $1$, indicating the probability of an actual request.

MimicShift takes traffic features as conditions to input into the generator and influences the generated output requests, creating requests with various feature densities. Our method constantly shifts the distribution of these conditions to produce unpredictable network traffic. The method aims to provide controllability to the attack and generate requests that mislead the filter, allowing the attack requests to elude detection. We first build a Markov chain model according to some user-specified transition distribution and construct specific features sequences for requests of some desired distribution. These sequences are then injected into the mimic $C$ to generate features $(\widetilde{\bm{s}}_{1},\ldots,\widetilde{\bm{s}}_{L})$ that mimic the sampled features of given requests. Next, we train the MimicShift model on given requests $\bm{x}$. Given the trained model, we then construct features that follow some specified distribution and use the generator $G$ to produce desired requests $\widetilde{\bm{x}}$. Through this process, the attacker can control the feature conditions and generate unpredictable requests with varying distributions.

For example, by controlling the parameters of the mimic feature, our method has the ability to generate attack traffic that has shifting distributions. The features provide a vector of control to how requests are generated. We influence the generative process by constructing mimic features of desired distribution using the mimic model $C$. First, we construct select features by specifying the parameters of a transparent Markov model: (1) initial probability distribution over $K$ classes $\bm{\pi}=(\pi_{1},\pi_{2},\dots,\pi_{K})$, where $\pi_{i}$ is the probability that the Markov chain will start from class $i$, and (2) transition probability matrix $\bm{\alpha}=(\alpha_{11}\alpha_{12}\dots\alpha_{k1}\dots\alpha_{kk})$, where each $\alpha_{ij}$ represents the probability of moving from class $i$ to class $j$. Next, we input these constructed sequences into mimic $C$, and it returns model-generated features that replicate the original features. Finally, by injecting these constructed sequences into our trained generator $G$, we generate attack requests that follow the specific distribution.

Our evaluation is performed on the same attacks presented in the existing online DDoS filtering paper (Tann et al., 2021b) to set a fair comparison benchmark. The datasets are from two publicly available network datasets: CICIDS2017 ²²2www.unb.ca/cic/datasets/ids-2017.html (Sharafaldin. et al., 2018) and CAIDA UCSD “DDoS Attack 2007” ³³3www.caida.org/data/passive/ddos-20070804_dataset.xml (Hick et al., 2007), containing generated network traffic resembling real-world attacks and anonymized traffic traces from a DDoS attack on August 04, 2007, respectively. From these two datasets, three distinct DDoS attacks are extracted for evaluation.

Next, we generate fluctuating DDoS attack traffic based on both the CICIDS2017 and CAIDA07 datasets to perform a detailed evaluation of the online learning filtering methods on these attacks. First, we select the feature to mimic and use as a control vector to influence the generative process. After selecting the appropriate feature, we specify the distributions for shifting the attack requests, and generate fluctuating traffic to attack the online filtering methods.

For example, using the Request Len feature as an illustration, it can be seen in Table 1 that the traffic is concentrated in the top few lengths of the feature. In the CAIDA07 dataset, the top three request lengths (60, 52, 1500) make up 91% of the traffic, with the top length (60) accounting for 81% of the traffic alone. As for the LOIC dataset, the top three request lengths (60, 66, 1514) make up 60% of the traffic; the top three features (60, 1514, 2974) of the HULK dataset make up 80% of the total traffic.

As the distribution of the feature Request Len is concentrated in the top few classes, we group all of them into three classes for our experiments. The first two classes are the top two features, and the third class consists of all the other features. We design it such that the distribution of the three classes is more uniform and increases the variability of feature distribution.

The attack is divided into three traffic ($\mathcal{A}_{0},\mathcal{A}_{1},\mathcal{A}_{2}$) with different distributions. At each time period during the attack, one of the attack parameter settings is picked at random for $\mathcal{A}_{t}$. Our model MimicShift would then generate attack traffic according to the specified distributions, and produce fluctuating traffic to attack the online filtering methods.

We perform a detailed evaluation of the online learning filtering methods on the generated mimic attacks, and report the filtering capabilities to identify attack requests from normal traffic. The two online filtering methods are the latest state-of-the-art deep learning approaches to DDoS filtering (Tann et al., 2021b):

1. (1)

   N-over-D approach

2. (2)

   Iterative classifier approach

that take a principled approach to estimate conditional probabilities and an online iterative two-class classifier design for a specifically formulated machine learning loss function, respectively.

In the N-over-D approach, the technique approximates the likelihood that a network request is an attack, given that it is observed in the attack traffic. It is achieved with a two-step process. The first step applies an unsupervised learning model on the normal-day traffic to obtain a model that learns the distribution of normal traffic. Then, when a DDoS attack is detected, the second step is activated, and it trains another unsupervised learning model to rapidly learn the distribution of the attack traffic. At any time, the conditional probability can be estimated by taking the ratio of the normal-traffic distribution over the attack-traffic distribution. As for the Iterative Classifier approach, a particular machine learning loss function is formulated for fast online learning using one learning model. An online iterative two-class classifier performs joint learning on both the normal and attack operational periods, fully leverages all available information for model training.

Both filtering approaches are evaluated using the online interval of 1 min ($\ell=1$) and a rejection rate of $80\%$. Under such settings, it means that each $\mathcal{A}_{t}$ is collected over a period of 1 min for learning and filtering, dropping $80\%$ of the requests. In addition, we also use an offline approach for comparison. In this setting, the interval is set as $\ell=\infty$. We suppose that all normal and attack data is available for training the models. The offline setting effectively shows that it is not easy for models to learn to generalize over the different distributions. By taking an offline approach that trains on all available data, we can (1) study how effective the varying distributions of attack traffic are on online filtering methods, and (2) obtain a reference performance limit for the online filtering results.

We measure the performance of the two filtering approaches in both attack scenarios. As demonstrated in Table 6.2, Figure 3, and Figure 4, both N-over-D and Iterative Classifier result in high false-negative rates and high false-positive rates across the three different attacks, thereby undermining the effectiveness of the filter and reducing it to no better than a random guess. We present both the false-negative and false-positive graphs of the attack with normal traffic $\mathcal{N}$ as both attack scenarios have similar results (see Appendix for the attack without $\mathcal{N}$ plots). These results show that unpredictable attack traffic essentially disables online learning filters.

The reported evaluation metrics used are False Negative Rate (FNR), False Positive Rate (FPR), Accuracy (ACC), Precision (Prec.), Recall (Rec.), and F1 Score (F1). The two most relevant metrics are FNR and FPR. False Negative Rate is the rate that attack requests are wrongly classified as legitimate and not dropped by the filtering methods. False Positive Rate reflects the rate that requests are from normal traffic but predicted as attack and rejected by the filters.

In Table 6.2, the results demonstrate a trade-off between letting attack requests through and denying legitimate requests. The N-over-D approach achieves a lower false-negative rate (FNR) than the Iterative Classifier, but it has a much higher false-positive rate (FPR). On the one hand, it means that while the N-over-D allows a smaller proportion of the attack requests through, it rejects many of the normal requests, denying a large portion of the legitimate requests. On the other hand, the iterative classifier has a higher FNR but a lower FPR, indicating it allows more legitimate requests at the expense of more attack requests. In general, although the attacker with normal traffic $\mathcal{N}$ fares slightly better than an attacker without $\mathcal{N}$ (higher error rates), the FNR and FPR in both attack scenarios are similar; results suggest that the attacks using representative traffic can be successful.

For comparison, we assess the performance of state-of-the-art online DDoS filtering methods, N-over-D and Iterative Classifier approaches, and note the difference. Using the CICIDS2017 and CAIDA07 datasets, we study how our generated fluctuating attack traffic affects the filtering performance. More importantly, we demonstrate that an attacker who can shift its attack traffic distribution can significantly differ from the original attack traffic and effectively inundate online learning filtering methods. Compared to the original attacks, mimic attacks dramatically increase the false positive and false negative error rates.

Moreover, using the N model as a baseline, the accuracy of both the online filters N-over-D and Iterative Classifier significantly dropped from 90% to as low as 65%. The fluctuating mimic traffic fools the online learning filtering methods. The other metrics, such as Precision, Recall, and F1, are also significantly lower than the N-only model, which serves as our benchmark of a clean model that is not uncorrupted by the attack traffic in its filtering evaluation.

While the mimic attacks demonstrate that online learning filters are ill-equipped to handle fluctuating traffic distributions, we discover that the N-only model is able to hold up well against such attacks. As the N-only model trains on normal traffic, the attack traffic does not affect the model, thereby enabling it to differentiate between normal and attack traffic effectively.

We further analyze the poisoning attacks, shifting attack traffic generated by MimicShift that eludes online DDoS filters, to better understand the extent of the shifting traffic effects. We study the contrast between the estimated traffic distributions during normal and DDoS periods by analyzing these distributions from an empirical perspective.

The study was conducted by using the N-over-D approach, which estimates the likelihood that a network request is an attack, given that it is observed in the attack traffic. The process takes a two-step process, where the first step trains an N-only model on normal traffic to learn normal traffic characteristics. The next step activates another learning model, D, that takes an online approach to model the attack traffic. The approach then approximates the conditional probability of the traffic by taking $N/D$. Hence, we are able to clearly examine how the attack traffic affects the online training process by studying the difference between models N and online D.

Using the CAIDA07 dataset for illustration, we study the normalized conditional probability scores of the attack traffic (see Figure 5). Through these distributions, we observe the differences between an anomaly detection method N-only and the online learning approach N-over-D. In Figure LABEL:fig:Nonly_distr, we plot the scores of normal traffic and attack traffic predicted with the N-only model, showing a clear distinction between the two distributions. It can be seen that the attack traffic is assigned a low score. In contrast, the normal traffic is assigned high scores, indicating that the anomaly detector is able to separate the malicious from the benign.

However, when we introduce the online model D into the filtering process, the online filtering approach is deeply poisoned by the shifting traffic. We can clearly see in Figure LABEL:fig:NDonline_distr that the online approach estimates the likelihood of both normal and attack traffic with the same scores, and it is unable to separate the two distributions. Hence, MimicShift can effectively elude online DDoS filters by mimicking normal traffic and injecting erratic attack traffic into the online learning process.

While the results in Sections 6.4, 6.5 and 6.6 demonstrate that poisoning attacks are highly effective against online adaptive filtering systems, we introduce a simple protective measure that greatly diminishes the attack efficacy. It is a straightforward defense technique that can be quickly implemented. The idea of the online learning filter enhancement is to vary time interval $\ell$ in the online learning process during the attack period.

We perform the protective countermeasure by first setting the initial attack interval $\mathcal{A}_{0}$ to the interval size $\ell=5$ mins. As for subsequent intervals ($\mathcal{A}_{1},\mathcal{A}_{2},\ldots$), we randomly set $\ell$ to be between 1–3 mins. By keeping the interval $\ell$ random and unknown to the attacker, online filtering systems are able to improve the estimate of the overall attack traffic distribution while achieving adaptive filtering.

N-over-D estimates the likelihood that a request is an attack given that it is observed in the attack traffic; the enhanced two-step learning process cannot separate the attack from normal traffic. The attack analysis (see Section 6.6) helps us better understand why it is challenging for this two-step process to differentiate the attacks. The attacks generated by MimicShift are designed to closely mimic the normal traffic, resulting in a very high similarity to the normal traffic. This approach trains two different models to estimate the conditional probabilities of normal and attack traffic separately. Hence, both attack and normal traffic distributions are close, so it learns to assign them with similar likelihoods (see Figure LABEL:fig:NDonline_distr). Hence, it becomes tough for this approach to differentiate normal from attack traffic.

In addition, we plot the false-negative graphs of the implemented enhanced countermeasure for all three attacks (see Figure 6). It demonstrates that while the countermeasure slightly improves the performance of the N-over-D approach, it significantly enhances the performance of the Iterative Classifier.

The limitations of MimicShift arise from the design objective, where the generated attack traffic aims to be real with respect to the attacker. The goal of the generative model is for the poisoning attack to work on the online learning filters. It is designed to fool the learning filters and for the defense to fail. Hence, it is a lower requirement, and the fidelity of the generated traffic is not as essential for this requirement. In addition, MimicShift requires a reasonable estimate of the interval $\ell$ to shift its traffic accordingly to poison the online learning filters effectively. Finally, there is an inherent speed and performance trade-off in the interval size, as a larger interval size reduces the rate of detection and increases the filtering performance. In contrast, a smaller interval results in faster filtering and reduces filter performance. The attacker is subject to the effects of such changes in the interval sizes.

Existing approaches to the online filtering of DDoS attacks rely either on simple decision models (He et al., 2017), rudimentary learning algorithms (Daneshgadeh Çakmakçı et al., 2020; Lima Filho et al., 2019), or deep learning models (Tann et al., 2021b) to rank the network requests according to their legitimacy. The filtering methods then set a threshold proportion of the lowest ranking traffic to reject, assuming that the methods assign attack requests a low score accurately and vice-versa for the normal requests. As such, it has been suggested that increasing the threshold to reject a larger proportion of traffic could further mitigate the attacks (Tann et al., 2021b). However, our results show that there is a trade-off between increasing the threshold, which increases the FPR and reduces the FNR, rendering the above-mentioned filtering methods ineffective. For example, a high threshold reduces the number of falsely rejected requests but at the same time falsely classifies more attack traffic as normal, allowing them through to the target server.

In Tann et al. (Tann et al., 2021b), the authors reported that adjusting the rejection threshold from 0.5 to 0.7 into steps of 0.05 has a negligible effect on the false positive rate. However, as we are concerned with attack traffic eluding online filters, we focus on the false-negative rate; our experiments (see Section 6.4) suggest that a change in acceptance threshold could considerably affect the FNR. Thus, a potential filtering strategy would be to set a lower acceptance threshold to increase the chance of stopping attack requests from slipping through the filter. It is a strategy that is worth investigating in future works.

Optimistically, the controlled synthetic generation of various types of network traffic, most likely unobserved previously, can surprisingly aid in building enhanced DDoS filtering systems robust against poisoning attacks. As this is the first work to suggest poisoning attacks on online deep-learning-based DDoS filtering, the robustness of such filters can be secured by occasionally injecting shifting attack traffic throughout its training process. In particular, the generated shifting attack traffic that retains some level of normal traffic properties, especially the ones that are ranked highly to be normal by the online learning systems, can be included and explicitly labeled in the training dataset of the model training during the normal period. We note that by randomly injecting various shifted attack traffic into the normal period training process, the online filters are capable of learning to adapt attack traffic with a wide range of diversity, thereby enhancing the robustness against shifting attack traffic during an attack.

There is little literature on adversarial attacks targeted at DDoS detection systems and the corresponding relevant studies. One such analysis (Li et al., 2005) was performed to determine an adaptive statistical filter can effectively defend against attackers that dynamically change their behavior. They found that, in fact, the adaptive filter performs much worse against a static attacker than if the attacker is dynamic. While in some recent works (Ibitoye et al., 2019; Warzyński and Kołaczek, 2018), the methods leverage machine learning to generate adversarial samples to fool DDoS detection on deep-learning intrusion detection systems. These attacks generate adversarial samples in a white-box attack setting, where attackers have complete knowledge of the target model. Other methods (Hashemi et al., 2019; Peng et al., 2019, 2019; Huang et al., 2020; Liu and Yin, 2021) present black-box attacks, where the attacker does not know the details of the target model. They perform various manipulative procedures and perturbations on adversarial samples until a sample successfully evades the target DDoS detector. However, there is no study on the effectiveness of poisoning attacks on online deep-learning DDoS filters.