Adaptive Protection: Detect suspicious traffic early for rapid attack mitigation
First, let’s take a deeper dive into what Adaptive Protection has to offer. Adaptive Protection monitors traffic out-of-band and learns what normal traffic patterns look like, developing and constantly updating a baseline on a per-application/service basis. Adaptive Protection quickly identifies and analyzes suspicious traffic patterns and provides customized, narrowly tailored rules that mitigate ongoing attacks in near-real time.
Applications and workloads exposed to the internet are at constant risk of DDoS attacks. While L3/L4 volumetric- and protocol-based attacks are effectively mitigated at Google’s edge, targeted application layer (Layer 7) attacks are still a constant risk. In L7 attacks, well-formed, legitimate web requests are generated by automated processes from compromised devices (e.g., botnets) at volumes high enough to saturate the web site or service. This problem has grown increasingly acute as the size and frequency of DDoS attacks increases with the proliferation of widely-available DDoS attack tools and for-hire botnets. Since attacks can come from millions of individual IPs, manual triage and analysis to generate and enforce blocking rules becomes time and resource intensive, ultimately allowing high-volume attacks to impact applications.
How Adaptive Protection works to detect potential attacks
Adaptive Protection is the result of a multi-year research and development effort conducted by teams across Google, with feedback and testing from external technology partners and customers. Security operations teams receive three primary benefits from Adaptive Protection: 1) early alerts on anomalous requests on a per-backend-service basis, 2) dynamically generated signatures describing the potential attack, and 3) a suggested custom WAF rule to block the offending traffic. Alerts from Adaptive Protection are sent to the Cloud Armor dashboard, Security Command Center, and Cloud Logging with notification of an impending attack. The attack-specific signatures and WAF rule are the result of a second set of ML models, comprised of dozens of traffic features and attributes. Adaptive Protection’s models are built using TensorFlow in order to efficiently and accurately detect application level attacks and identify the best way to mitigate them. The WAF rule is presented to the user as part of the alert issued for the detection. Users are then able to choose to deploy the proposed WAF rule in near-real time to block the attack at the edge of Google’s network. This early detection helps the teams rapidly mitigate attacks far upstream from cloud infrastructure and services.