Google fortified its networking security portfolio with a new capability that uses machine learning to block layer 7 distributed denial-of-service (DDoS) attacks. It’s called Cloud Armor Adaptive Protection, and it uses multiple machine learning models to analyze security signals for each web service and detect potential attacks against web apps and services.
The new capability builds on the updated Cloud Armor features that Google rolled out over the summer at its virtual Cloud Next event.
Google says Adaptive Protection can detect high-volume layer 7 DDoS attacks against web apps and services and decrease an organization’s time to mitigation. “For example, attackers frequently target a high volume of requests against dynamic pages like search results or reports in web apps in order to exhaust server resources to generate the page,” wrote Peter Blum, product management lead for network security, and Sam Lugani, lead security product marketing manager for GCP and Google Workspace, in a blog. Adaptive Protection will be available in public preview “soon,” they wrote.
How Adaptive Protection Works

The new feature “learns” from traffic visiting an organization’s services to set a baseline for what “normal” looks like, Blum and Lugani explain. Adaptive Protection then uses this context to determine if there’s a potential attack, and it generates alerts. “In other words, where traditional threshold-based detection mechanisms could generate a great deal of lower confidence alerts that would require investigation and triage only once an attack has accelerated to the detection threshold, Adaptive Protection produces high confidence signals about a potential attack much earlier, while the attack is still ramping up,” they wrote.
In addition to generating alerts about potential attacks, Adaptive Protection provides context on why the system said the activity was malicious, and it will also provide a rule to mitigate the attack. Google says this will save application owners and incident responders countless hours that they would have spent analyzing traffic logs for sufficient context to make a decision on whether and how to stop a potential attack.
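The two preceding paragraphs describe the contrast between a fixed-threshold detector and one that learns a per-signal baseline and explains its alert. The following is an added illustration written for this article; it is not Google's code, and the models behind Adaptive Protection are not public. It uses a simple per-path z-score against a learned baseline as a stand-in for Google's ML models, constructed traffic samples (30 normal one-minute buckets followed by a ramp on /search), and an illustrative Cloud Armor-style rule expression whose exact format, along with the 1,000 rps threshold and the z-score limit, is an assumption.

```python
"""Added example (not Google's code): threshold vs. learned-baseline detection
on per-path request rates, with an explanation and a suggested mitigation rule."""
from statistics import mean, pstdev

# Constructed steady-state request rates per path (requests per second).
NORMAL_RATES = {"/": 100, "/search": 20, "/report": 5}
TRAINING_BUCKETS = 30


def constructed_traffic():
    """Constructed sample data, not real traffic: 30 normal one-minute buckets
    with deterministic jitter, then an attack that doubles /search each minute."""
    buckets = []
    for i in range(TRAINING_BUCKETS):
        jitter = (i % 5) - 2  # cycles -2..2, so the training mean is exact
        buckets.append({p: r + jitter for p, r in NORMAL_RATES.items()})
    for k in range(6):  # /search ramps 40, 80, 160, 320, 640, 1280 rps
        b = dict(NORMAL_RATES)
        b["/search"] = 40 * 2 ** k
        buckets.append(b)
    return buckets


def learn_baseline(training):
    """Per-path (mean, stddev) from the training window; stddev floored at 1
    so a perfectly flat signal cannot produce a division by zero."""
    baseline = {}
    for path in training[0]:
        values = [b[path] for b in training]
        baseline[path] = (mean(values), max(pstdev(values), 1.0))
    return baseline


def threshold_alert(bucket, limit=1000):
    """Traditional detector: fire only once total rps crosses a fixed limit."""
    return sum(bucket.values()) > limit


def baseline_deviations(bucket, baseline, z_limit=4.0):
    """Baseline detector: return every path whose rate is more than z_limit
    standard deviations above its learned mean. The returned mapping doubles
    as the 'why' context for the alert."""
    deviations = {}
    for path, count in bucket.items():
        mu, sigma = baseline[path]
        z = (count - mu) / sigma
        if z > z_limit:
            deviations[path] = round(z, 1)
    return deviations


def first_alert_index(buckets, detector):
    """Index of the first bucket on which detector() fires, or None."""
    for i, bucket in enumerate(buckets):
        if detector(bucket):
            return i
    return None


def suggest_rule(path, priority=1000):
    """Assumption: an illustrative Cloud Armor-style rate-limiting rule keyed
    on the attacked path. The real product's rule output may differ."""
    return {
        "priority": priority,
        "expression": f"request.path.matches('^{path}')",
        "action": "throttle",
    }


def run_demo():
    """Compare when each detector first fires on the constructed traffic."""
    buckets = constructed_traffic()
    baseline = learn_baseline(buckets[:TRAINING_BUCKETS])
    threshold_idx = first_alert_index(buckets, threshold_alert)
    baseline_idx = first_alert_index(
        buckets, lambda b: bool(baseline_deviations(b, baseline)))
    why = baseline_deviations(buckets[baseline_idx], baseline)
    worst_path = max(why, key=why.get)
    return {
        "threshold_idx": threshold_idx,
        "baseline_idx": baseline_idx,
        "minutes_earlier": threshold_idx - baseline_idx,
        "why": why,
        "rule": suggest_rule(worst_path),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"threshold detector fired at minute {result['threshold_idx']}")
    print(f"baseline detector fired at minute {result['baseline_idx']} "
          f"({result['minutes_earlier']} minutes earlier), because {result['why']}")
    print("suggested rule:", result["rule"])
```

On the constructed data the fixed 1,000 rps threshold fires only when /search has reached 1,280 rps, while the baseline detector fires on the very first doubling to 40 rps, five minutes earlier, and names /search as the deviating signal. Any real deployment would need a longer training window, seasonality handling, and more signals than request counts per path; the point here is only the shape of the comparison the article describes.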
DDoS Attack Volumes Explode

Last month, Google talked about some of the largest attacks it stopped. For example, its infrastructure absorbed a 2.5 Tb/s DDoS attack that was the culmination of a six-month campaign using multiple methods of attack. “Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact,” Google explained.
Additionally, a Nokia Deepfield report published this week said the ongoing COVID-19 pandemic significantly expanded the threat surface and potential for malicious activity. There was a “steady increase in the overall volume of DDoS traffic” during the first weeks of the lockdown phase of the pandemic, the analysts wrote.
“Aggregated data from five large service providers showed that by April, DDoS traffic exceeded pre-pandemic levels by 40%,” Nokia Deepfield wrote. That increase, it added, is attributed to a jump in online gaming and growing abuse of DDoS amplifiers in Europe and North America.