Result: Overcoming emergency HTTP/3 DDoS attack detection: A domain adaptation solution with graph neural network.

Title:
Overcoming emergency HTTP/3 DDoS attack detection: A domain adaptation solution with graph neural network.
Authors:
Yao, Jie (AUTHOR), Tian, Li (AUTHOR), Wei, Ziyi (AUTHOR), Sun, Guozi (AUTHOR)
Source:
Computer Networks. Oct2025, Vol. 271, pN.PAG-N.PAG. 1p.
Database:
Business Source Elite

More information

Distributed Denial of Service (DDoS) attacks refer to attacks that exhaust the resources of a target system by flooding it with a large volume of invalid data packets. Existing methods for detecting encrypted malicious traffic under traditional protocols, such as HTTP, TCP, and UDP, have shown satisfactory performance in identifying DDoS attacks. However, a new next-generation HTTP protocol, HTTP/3, based on the Quick UDP Internet Connections (QUIC) protocol, has been recently introduced. With the deployment of HTTP/3 on websites, detecting DDoS attacks targeting the HTTP/3 protocol has become increasingly critical. Due to the relatively recent introduction of HTTP/3, collecting a large amount of usable HTTP/3 DDoS attack traffic samples for training classifiers remains a challenge. Leveraging DDoS attack traffic samples from other protocols, such as UDP-FLOOD and HTTP-FLOOD, can enhance the performance of HTTP/3-DDoS classifiers. Unfortunately, the differences in traffic characteristics between protocols weaken the generalization ability of these classifiers. To address this, this paper proposes a Protocol Shared Feature-Aware Network (PSFAN) for detecting authentic HTTP/3-DDoS attack traffic. PSFAN utilizes a small amount of HTTP/3 DDoS attack traffic along with a large volume of DDoS traffic from traditional protocols to effectively classify HTTP/3 traffic. The model comprises three main components: a protocol confuser, a shared feature extractor, and a graph neural network classifier. The shared feature extractor is designed to extract cross-protocol feature representations from traffic data. The protocol confuser functions to minimize protocol-specific discrepancies, guiding the shared feature extractor to learn protocol-invariant feature representations. It works collaboratively with the traffic classifier to learn discriminative traffic classification representations. 
Our experiments demonstrate that PSFAN performs effectively in addressing urgent HTTP/3 DDoS detection tasks. [ABSTRACT FROM AUTHOR]
