Internet related News · 2021-07-21

Google “Adaptive Protection” helps enterprises fight DDoS attacks – News


Google has released a public preview of Cloud Armor “Adaptive Protection”. This is a machine learning (ML)-powered method of detecting Layer 7 DDoS attacks & protecting enterprise apps & services from them.

Google said Adaptive Protection builds machine-learning models that do the following:

  1. Detect & alert on anomalous activity
  2. Generate a signature describing the potential attack
  3. Generate a custom Google Cloud Armor WAF rule to block the signature

Users can enable or disable Adaptive Protection on a per-security-policy basis.

How Does Google Adaptive Protection Work

Google said when Adaptive Protection suspects an incoming attack, it creates an event in the Adaptive Protection event dashboard. It also generates a log item in “Cloud Logging”. The log item is generated under the Network Security Policy resource there. The log message identifies the backend service under attack, & includes a confidence score indicating how strongly Adaptive Protection rates the identified traffic pattern change as anomalous. The log message also includes an attack signature that illustrates the characteristics of the attack traffic, along with suggested Google Cloud Armor rules that users might apply to mitigate the attack.


How To Read Attack Signatures

An Adaptive Protection alert comes with an attack signature. This signature carries a description of the traffic attributes of the potential attack. You then use the signature to identify & potentially block the attack. The signature has 2 forms: as a user-readable table & as a preconstructed Google Cloud Armor WAF rule that users can deploy in the relevant security policy.

Google said the signature consists of a set of attributes such as source IP address, geographical regions, cookies, user agents, referers & other HTTP request headers. It also has the set of values for those attributes thought to be associated with the potential attack traffic. The set of attributes is not user-configurable. The attribute values depend on the values in the incoming traffic to your backend service.
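Before deploying a suggested rule, it helps to check how much known-good traffic the signature would also block. The sketch below is an added example, not Google's code or log schema: the field names, the thresholds, the sample requests and the matching semantics (every attribute must match, any listed value counts) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    backend_service: str   # backend service named in the alert
    confidence: float      # confidence score, assumed to lie in 0.0-1.0
    signature: dict        # attribute name -> set of values tied to the attack

def matches(signature, request):
    """True when every signature attribute carries one of its listed values.
    An empty signature matches every request, so triage() flags it as too broad."""
    return all(request.get(attr) in values for attr, values in signature.items())

def baseline_impact(signature, baseline):
    """Fraction of known-good requests the signature would also block."""
    if not baseline:
        return 0.0
    return sum(matches(signature, r) for r in baseline) / len(baseline)

def triage(alert, baseline, min_confidence=0.8, max_impact=0.01):
    """Return (decision, impact) for one alert against a known-good sample."""
    impact = baseline_impact(alert.signature, baseline)
    if alert.confidence < min_confidence:
        return "investigate", impact        # weak anomaly: look before blocking
    if impact > max_impact:
        return "narrow-signature", impact   # rule would hit legitimate users
    return "deploy-rule", impact

# Constructed sample of legitimate requests (not real traffic).
BASELINE = [
    {"region": "US", "user_agent": "Mozilla/5.0", "referer": "https://shop.example/"},
    {"region": "DE", "user_agent": "Mozilla/5.0", "referer": "https://shop.example/"},
    {"region": "US", "user_agent": "curl/7.68.0", "referer": ""},
    {"region": "FR", "user_agent": "Mozilla/5.0", "referer": ""},
]
# Constructed alerts: a narrow signature, an over-broad one, a low-confidence one.
NARROW = Alert("checkout-backend", 0.93,
               {"user_agent": {"bot-x/1.0"}, "region": {"US", "BR"}})
BROAD = Alert("checkout-backend", 0.93, {"region": {"US"}})
LOW = Alert("checkout-backend", 0.42, {"user_agent": {"bot-x/1.0"}})

if __name__ == "__main__":
    for alert in (NARROW, BROAD, LOW):
        print(alert.signature, triage(alert, BASELINE))
```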
