AI and DDoS Attacks – A Powerful, Scary Partnership


As if we need any scarier IT security headlines. The latest edition of The Rocky Horror DDoS Show presents us with new and disturbing news. Already powerful DDoS exploits now add AI capabilities to amplify persistence and attack flexibility.

Good reason for concern

The story of AI and DDoS attacks is a story of increasing power and sophistication. At first, denial of service (DoS) attacks were very simple. Each machine sent one attack signature to a single target. There was no automation. A human attacker guided the exploit with manual keystrokes.

Although feedback loops mimicked automation, these attacks used only an IP source and a few predefined signatures. These skimpy resources limited the methods that attackers could use.

DoS attacks became much more powerful and flexible when hackers added multiple attack sources and command-and-control servers to their exploits. When a centralized computer started guiding zombie attack devices, the age of distributed denial of service (DDoS) attacks and botnets was born.

The age of botnets

DDoS attacks were more powerful but less sophisticated than their DoS relatives. Each bot in a botnet could act on the same, standardized script. But then, when DDoS attacks automated the delivery of malicious software, everything changed. Attacks became larger, and botmasters (human attackers) could aim bots at a target without getting involved with the operational details.

Bots could infect a target network, one segment after another, but the attacks still lacked operational flexibility. Bots would go to sleep or wake up and infect a network, but that’s it.

When hackers combined automated malware infections spread by Internet of Things (IoT) devices, attacks became even more serious. Servers used in advanced DDoS attacks are more flexible and control botnets with tactics that change in seconds. The attack’s automation guides these changes, which respond to the tactics of defenders.

AI enters the DDoS attack field

Now, flexible botnet attacks are morphing into even more sophisticated types of attack. The latest form of DDoS attack combines IoT devices used as bots, artificial intelligence, automated changes in tactics, and feedback loops.

Security researchers have grown increasingly concerned that attackers will target AI systems and make their attacks more difficult to defend. Many types of businesses use AI to control their operations. However, AI systems that link to massive data stores make very appealing attack targets. Attackers use AI techniques to make own their own criminal activities more flexible and powerful. The result: AI-controlled malware that attacks susceptible AI systems, corrupts system logic, and blocks operations.

One headline-grabbing exploit uses thousands of IoT-connected devices to launch massive cryptojacking attacks. In these assaults, the bad guys take over the CPU capacity of co-opted computers to mine for cryptocurrencies, usually without owners’ knowledge.

Big changes in DDoS attacks

In mid-2018, IT security reporters noted a substantial change in DDoS attacks. Exploits controlled with AI and carried out by many thousands of IoT-connected devices changed the way that bad actors managed DDoS bots.

Once managed by human operators, some DDoS exploits now use machine learning-based computer systems that control botnets with varying degrees of human intervention. Upgrading attack tool performance is easy. Start with an advanced tool. Then, add an algorithm that improves the tool’s ability to direct complex attacks. Voila! The malware’s destructiveness increases by a factor of hundreds or thousands.

Good news: security pros have AI, too

When you compare response times of botnets and human defenders, it’s no contest, the bots win every time. That’s a serious problem. Many attackers currently possess state-of-the-art capabilities, but most IT security teams still use manual or semi-automated methods.

But before all this sad and scary news puts you in a funk, consider this: the bad guys aren’t the only folks who use AI. Defenders are starting to use AI and other technologies to better protect their IT infrastructures from DDoS attacks.

Sorting through millions of files

New operating systems and software updates introduce unknown and unpredictable vulnerabilities. This constantly changing environment requires a new type of defense. Machine learning enables IT security pros to set up defenses that automatically learn and keep evolving, just as the threats do.

Rather than setting up electronic barriers and filters against known malicious files, machine-learning-based tools sort through millions of malware files. Their target: shared characteristics that will help AI defense tools identify new malware attacks.

AI identifies new assaults when they appear. Defense systems analyze existing malware and determine the traits that the files have in common. Then, the data analytics check to see if potential new threats have those traits.

When a user clicks on a suspicious file, the company’s tool scans for hundreds of different attributes, such as the content, size, and distribution of code in the file. The defense tool runs the data through a machine-learning algorithm, which compares the malware profiles to signatures in the malware database.

The need for speed

The tool’s most important trait is speed. AI-based detection, diagnosis, and response can take mere seconds. Speed is essential because some of those millions of files might contain alerts. The anti-DDoS software recognizes malware identity and behavior patterns and determines whether malware is involved. Often, manual and semi-automated defense systems miss this important evidence.

AI and other types of machine learning extend the familiar, tit-for-tat existence of hackers and IT security pros. Neither bad actors nor IT security pros can claim a breakthrough advantage. However, AI-based, anti-DDoS software suggests that defenders might gain a bit of ground. Now, all users have to do is get proactive and modernize their defenses.