Critical Infrastructure Network DDoS Defense, via Cognitive Learning

Todd Booth and Karl Andersson
Research@ToddBooth.Com, Karl.Andersson@Ltu.Se
http://OrcId.Org/0000-0003-0593-1253, http://OrcId.Org/0000-0003-0244-3561
Division of Computer Science, Luleå University of Technology, 97187 Luleå, Sweden

Abstract—Some public and private services are classified as part of the Critical Infrastructure (CI): the services considered most important to protecting the functioning of a society and its economy. Many CIs provide services via the Internet, so cyber-attacks against them can be performed remotely. It is now very simple and free to find and download software that automates cyber-attacks. A recent example is that two teenagers, with close to no security knowledge, created an on-line business that ran cyber-attacks for a small fee (an online booter service called vDOS, as reported by Brian Krebs). They reportedly earned over 600,000 USD in a short period of time by conducting a large number of automated DDoS cyber-attacks. Krebs was then retaliated against, and the highest DDoS attack bandwidth ever recorded, 620 Gbps, was launched against his site. In this paper we show how cognitive learning can be used to significantly mitigate the effects of DDoS network attacks against the critical infrastructure.

1. Introduction

Various acronyms and terms used in this paper are defined in Table 1.

TABLE 1. ACRONYM AND TERM DEFINITION TABLE

Term      Definition
Booters   DDoS attacks as a service (for rent)
CAPTCHA   Completely Automated Public Turing test
CI        Critical Infrastructure
CIA       Confidentiality, integrity and accessibility
CR        Cognitive Radio
DoS       Denial of Service attack
DDoS      Distributed Denial of Service attack
DSR       Design Science Research methodology
IoT       Internet of Things
IT        Information Technology
L3        Layer 3 (network)
L4        Layer 4 (transport)
L7        Layer 7 (application)
L347      IP layer 3, 4 and/or 7 attacks
NAT       IP Network Address Translation
OSI       Open Systems Interconnection, ISO 7498
QoS       Quality of Service
PAT       IP Port Address Translation (overload)
PUE       Primary user emulation
SDR       Software defined Radio
TCP       IP L4 protocol, transmission control protocol
UDP       IP L4 protocol, user datagram protocol
VPN       Virtual Private Network

1.1. Research Problem

The scope of this paper is the use of a cognitive informatics approach to defend against distributed denial of service (DDoS) attacks, as part of countries' homeland security defenses. The research problem is that it is extremely easy and inexpensive to initiate a computer network DDoS attack, but very difficult and expensive to defend against one. One new DDoS trend is that mobile phone BotNets can be used to launch attacks [1]. Further, many countries have developed and are improving warfare-grade cyber-attack DDoS capabilities, and we should not be surprised if many countries (perhaps North Korea, and certainly the USA, Russia and China) now have the capability to perform cyber DDoS attacks specifically against other countries' critical infrastructures (CI). The research community has not yet found an easy, inexpensive and general solution that defends both the server side and the client side during cyber DDoS CI attacks. There is a lack of adequate research into whether cognitive learning can now be used to provide a better anti cyber-DDoS defense. For example, a SCOPUS search of "TITLE-ABS-KEY (ddos or "denial of service") AND PUBYEAR AFT 2010" found 4,067 hits, but when also adding the "cognitive" search keyword, there were only 72 hits. However, most of the 72 hits concern only DDoS protection of the Cognitive Radio Network (CRN). So the cognitive relevance concerns only how the radio network works, NOT how the security defenses work. Once we take away the SCOPUS papers which concern only the cognitive aspects of CRN, there are very