BRAIN: BehavioR Based Adaptive Intrusion Detection in Networks: Using Hardware Performance Counters to Detect DDoS Attacks.

VLSI Design (2016)

Citations: 57 | Views: 47
Abstract
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks account for one third of all service downtime incidents. Current DoS/DDoS attacks are not limited to knocking down online services; they also disguise other malicious attacks such as delivering malware, data theft, wire fraud and even extortion. Detection of these attacks is predominantly based on packet data and metrics derived only from packets. This work proposes a host-based DDoS detection framework called BRAIN: BehavioR based Adaptive Intrusion detection in Networks. BRAIN leverages the Hardware Performance Counters already available in modern processors to model application behavior using low-level hardware events. BRAIN combines network statistics and modeled application behavior to detect DDoS attacks using machine learning. Our experiments show that BRAIN can detect multiple types of DDoS attacks, including those that are undetectable by existing tools, with an accuracy of 99.8% and a false alarm rate of 0%.
Keywords
computer network security, learning (artificial intelligence), statistical analysis, BRAIN, BehavioR Based Adaptive Intrusion detection in Networks, DDoS attack detection, application behavior, data-theft, distributed denial-of-service attack, extortion, hardware performance counter, low-level hardware events, machine learning, malicious attacks, malware delivery, network statistics, online service, packet data, processors, service downtime incident, wire fraud, Application security, BRAIN, DDoS, HPC, Hardware Performance Counters, Intrusion detection, Machine Learning, Network Security, adaptive, behavior based