CAPoW: Context-Aware AI-Assisted Proof of Work based DDoS Defense

Trisha Chakraborty, Shaswata Mitra, Sudip Mittal

TL;DR

CAPoW addresses DDoS defense by fusing context-aware AI with adaptive proof-of-work puzzles. It learns normal request patterns from server logs across context attributes (e.g., IP, time, flow) using an ensemble of base models (DAbR, TAM, Flow) to compute a context score $\Phi$, which a policy component maps to PoW difficulty. The resulting puzzles impose resource and latency costs on attackers, throttling attack throughput while preserving legitimate access. The authors implement a demonstrator and validate it on CIC-IDS2017, showing that contextual deviations can be translated into increased puzzle difficulty to deter adversaries, and they discuss policy design and future work including PoS or human-in-the-loop enhancements.

Abstract

Critical servers can be secured against distributed denial of service (DDoS) attacks using proof of work (PoW) systems assisted by an Artificial Intelligence (AI) that learns contextual network request patterns. In this work, we introduce CAPoW, a context-aware anti-DDoS framework that injects latency adaptively during communication by utilizing context-aware PoW puzzles. In CAPoW, a security professional can define relevant request context attributes which can be learned by the AI system. These contextual attributes can include information about the user request, such as IP address, time, flow-level information, etc., and are utilized to generate a contextual score for incoming requests that influences the hardness of a PoW puzzle. These puzzles need to be solved by a user before the server begins to process their request. Solving puzzles slows down the volume of incoming adversarial requests. Additionally, the framework compels the adversary to incur a cost per request, hence making it expensive for an adversary to prolong a DDoS attack. We include the theoretical foundations of the CAPoW framework along with a description of its implementation and evaluation.

Paper Structure

This paper contains 17 sections, 6 equations, 4 figures.

Figures (4)

  • Figure 1: The figure illustrates the architecture of the CAPoW framework. CAPoW consists of four core components: request context extractor, context-aware AI model, policy, and proof of work. The AI model learns context patterns from previous activity-logs selected by security personnel and calculates a context score based on the deviation of the incoming packet. The calculated score is mapped to the PoW puzzle difficulty level as defined by the security professional in policy files. The proof of work component performs evaluations to find the constrained solution. The request with a correct solution is placed on the server queue to process.
  • Figure 2: The figure shows that selected activity-logs (left) are used to generate a temporal activity model (TAM) (right). The illustration shows that out of four activity logs, currently only two activity logs are used to form the model (blue box). The remaining activity-logs are aged in an attempt to keep the model up-to-date.
  • Figure 3: The figure contains four sub-figures. (A) Representation of trained DAbR in the 2-D plot. The red dot cluster represents malicious IP attributes. (B) Representation of trained TAM. The stars represent the current time of arrival. (C) Representation of Flow. The green cluster represents legitimate flow-level attributes and the red cluster represents malicious ones. (D) Represents the calculated context score after combining scores from Model A (DAbR), Model B (TAM), and Model C (Flow).
  • Figure 4: An evaluation of our three implemented policies. The median of 30 trials is reported for each reputation score.
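
The pipeline that the abstract and Figure 1 describe (context score, policy, puzzle, verification), as an added Python example that is not the authors' implementation. The weighted-mean combination, the weights, the linear policy, the bit bounds and the hash-prefix puzzle are all assumptions, since this page does not give CAPoW's formulas.

```python
import hashlib, hmac, os

SERVER_KEY = os.urandom(32)                        # server secret used to MAC puzzles
WEIGHTS = {"dabr": 0.4, "tam": 0.2, "flow": 0.4}   # assumed ensemble weights
MIN_BITS, MAX_BITS = 4, 16                         # assumed policy bounds (zero bits)

def context_score(scores):
    """Combine per-model deviation scores in [0, 1] (assumed weighted mean)."""
    for name in WEIGHTS:
        if not 0.0 <= scores[name] <= 1.0:
            raise ValueError(f"{name} score out of range")
    return sum(WEIGHTS[m] * scores[m] for m in WEIGHTS)

def policy_linear(phi):
    """Assumed policy: difficulty in leading zero bits grows linearly with phi."""
    return MIN_BITS + round(phi * (MAX_BITS - MIN_BITS))

def _mac(client_id, seed, bits):
    return hmac.new(SERVER_KEY, client_id + seed + bytes([bits]), hashlib.sha256).digest()

def issue_puzzle(client_id, bits):
    """Stateless challenge: random seed plus a MAC binding client, seed and difficulty."""
    seed = os.urandom(16)
    return seed, bits, _mac(client_id, seed, bits)

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(seed, bits):
    """Client side: brute-force a nonce; expected cost is about 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()) < bits:
        nonce += 1
    return nonce

def verify(client_id, seed, bits, tag, nonce):
    """Server side: one MAC check and one hash, whatever the difficulty."""
    if not hmac.compare_digest(tag, _mac(client_id, seed, bits)):
        return False                               # forged puzzle or downgraded difficulty
    digest = hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

if __name__ == "__main__":
    # Constructed sample scores: one request near the learned pattern, one deviating.
    samples = {"198.51.100.7": {"dabr": 0.1, "tam": 0.1, "flow": 0.1},
               "203.0.113.9": {"dabr": 0.9, "tam": 0.5, "flow": 0.8}}
    for who, scores in samples.items():
        seed, bits, tag = issue_puzzle(who.encode(), policy_linear(context_score(scores)))
        nonce = solve(seed, bits)
        print(who, bits, nonce, verify(who.encode(), seed, bits, tag, nonce))
```

A deployment would also include an expiry time in the MACed data and track used seeds, so a solved puzzle cannot be replayed.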