Detecting DDoS Attacks in Microservice Architectures via AI-Based Agents
Ficco M.; Guerriero A.
2026
Abstract
The widespread adoption of microservices has captured the attention of attackers, mainly because of their distributed and dynamic nature. Unfortunately, traditional intrusion detection mechanisms may struggle to accurately and efficiently identify the most effective threats, for instance DDoS campaigns. To advance the security of modern microservice architectures, this paper presents an Intrusion Detection Agent (IDA) for the run-time identification and classification of DDoS campaigns. Specifically, the IDA takes advantage of AI to classify attacks in a multi-container environment. To prove the effectiveness of our approach, we collected data from a realistic testbed built on top of the Train Ticket framework. A classification pipeline was then evaluated on the identification of four attack templates, i.e., Standard DDoS, Slow DDoS, GET floods, and SYN floods. The results show that the AI-based IDA can correctly handle the considered offensive templates, even when data is scarce. For instance, when a decision tree is used, our IDA achieves an accuracy of ∼0.991 by considering only 4% of the measurements capturing the behavior of containers (e.g., the RAM used or the volume of network traffic).
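The pipeline the abstract describes (per-container measurements such as RAM and network volume, a decision tree trained on a small fraction of them, and a classification into normal traffic plus the four attack templates) can be illustrated end to end with a small, self-contained script. The example below is added here and is not the paper's IDA, its Train Ticket testbed data, or its classification pipeline: the five metrics, the per-class metric profiles, the 200-samples-per-class dataset and the `every=25` (4%) training selection are all constructed assumptions, and the tree is a minimal CART-style implementation written for the example rather than a library call. What it shows is the shape of the defender-side workflow: label container telemetry, hold out most of it, train on the rest, and read the accuracy and the per-template confusion counts.

```python
"""Added example: a from-scratch decision-tree classifier over constructed
container metrics, mimicking the "train on 4% of measurements" setting.
Not the paper's code; all profiles and numbers below are constructed."""
import random
from collections import Counter

FEATURES = ("ram_mb", "net_kbps", "new_conn_per_s", "half_open_conns", "req_ms")

# Constructed per-class metric centres (assumptions, not testbed measurements):
# a volumetric DDoS is bandwidth- and memory-heavy, a Slow DDoS holds requests
# open for very long at low bandwidth, a GET flood drives many requests with
# moderate bandwidth, and a SYN flood piles up half-open connections.
PROFILES = {
    "normal":        (250,  600,   20,    5,   40),
    "standard_ddos": (560, 5000,  500,   60,  200),
    "slow_ddos":     (480,  300,  100,   20, 8000),
    "get_flood":     (400, 2000,  300,   40,  120),
    "syn_flood":     (320,  900, 2000, 1000,   80),
}
STEP = (5, 20, 2, 1, 3)  # per-feature spread unit around each centre


def make_dataset(per_class=200, seed=7):
    """Return (features, label) rows: sample i of a class is
    centre + jitter*step + small random noise, jitter cycling over -3..+3."""
    rng = random.Random(seed)
    rows = []
    for label, centre in PROFILES.items():
        for i in range(per_class):
            jitter = (i % 7) - 3
            x = [c + jitter * s + rng.uniform(-0.4, 0.4) * s for c, s in zip(centre, STEP)]
            rows.append((x, label))
    return rows


def split_every(rows, every=25):
    """Keep every `every`-th row for training (4% when every=25, and per-class
    blocks of 200 keep the selection stratified); the rest is held out."""
    train, test = [], []
    for idx, row in enumerate(rows):
        (train if idx % every == 0 else test).append(row)
    return train, test


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows):
    """Exhaustive search over midpoints between adjacent feature values;
    returns (feature_index, threshold, gini_gain)."""
    parent = gini([lab for _, lab in rows])
    best = (None, None, 0.0)
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [lab for x, lab in rows if x[f] <= t]
            right = [lab for x, lab in rows if x[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if parent - score > best[2]:
                best = (f, t, parent - score)
    return best


def build_tree(rows, depth=0, max_depth=8):
    """Grow the tree greedily until a node is pure or max_depth is reached."""
    labels = [lab for _, lab in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth >= max_depth:
        return {"leaf": majority}
    f, t, _gain = best_split(rows)
    if f is None:
        return {"leaf": majority}
    left = [r for r in rows if r[0][f] <= t]
    right = [r for r in rows if r[0][f] > t]
    return {"feature": f, "threshold": t,
            "left": build_tree(left, depth + 1, max_depth),
            "right": build_tree(right, depth + 1, max_depth)}


def predict(tree, x):
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def evaluate(tree, rows):
    """Return (accuracy, confusion) with confusion[(true, predicted)] counts."""
    confusion = Counter((lab, predict(tree, x)) for x, lab in rows)
    correct = sum(n for (a, b), n in confusion.items() if a == b)
    return correct / len(rows), confusion


def run_demo(per_class=200, every=25):
    """Train on the 4% slice, classify the held-out 96%, report the outcome."""
    train, test = split_every(make_dataset(per_class), every)
    tree = build_tree(train)
    acc, conf = evaluate(tree, test)
    return acc, len(train), len(test), conf


if __name__ == "__main__":
    acc, n_train, n_test, conf = run_demo()
    print(f"trained on {n_train} samples, held out {n_test}: accuracy={acc:.3f}")
    for (true, pred), n in sorted(conf.items()):
        print(f"  {true:>14} -> {pred:<14} {n}")
```

Because the constructed profiles are separated by wide margins on every metric, the tree reaches perfect accuracy on the held-out 960 samples; real telemetry overlaps far more between templates, which is exactly why the abstract's reported figure is ∼0.991 rather than 1.0. The confusion counts are the part a defender would watch in practice: a Slow DDoS being read as normal traffic is a very different operational failure from a GET flood being read as a standard DDoS.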