How can we use metadata, inductive reasoning, and inference for things such as indicators of compromise (IOC), or to tell that potential attacks are underway, while at the same time minimizing false positives across the various attack vectors? For example, how could we infer through metadata that a Distributed Reflection Denial of Service (DRDoS) attack is more than likely underway?
I will answer both questions by merging them, providing the reference to context about DRDoS.
Short Answer: Metadata modification is a kind of Indicator of Attack (and not IOC; there is a small difference between IOAs and IOCs) which happens when the attacker/adversary is attacking or intruding on your servers, systems, storage and solutions in production. The metadata starts to get modified as soon as some kinds of super-user privileged database queries are executed. That is where the IRs (Incident Responders) start mitigating the attack, which is often flagged up in the deployed and launched software suites such as SIEMs in SOCs and NOCs. Detection of DRDoS is possible by implementing the Deep Forest model, analyzing the statistics from previous DRDoS attack flows from the DRDoS HDTI's network flows.
Explanation (important points the reader needs to know prior to answering such questions on DRDoS prevention and mitigation):
A. IOCs vs IOAs: Indicators of Compromise are taken into account during DF (Digital Forensics), after the attack/breach/intrusion has been carried out, by the forensics experts, to record and analyze the breadcrumbs left behind by the attacker/intruder/hacker in the system log files, applications' files, and other data. Whereas Indicators of Attack are taken into account by the IRs (Incident Responders) while the attack is underway.
Example: IOC == database query manipulation, super-user creation, etc. IOA == Nmapping the target's ports, fingerprinting, etc.
Although, in a theoretical/academic context, IOAs live inside the IOC database lists, for enterprise cybersecurity solutions these two are different!
B. False Positives: Every endpoint detection software generates false-positive alerts; SIEM suites in particular have been notorious for their FPRs (False-Positive Rates) the world over. (Only one company survives at the best and top of the global list of security product deliverers (i.e. both Leaders and Visionaries) by providing a lower FPR in its SIEM software.) For DRDoS, not only IOCs but IOAs too are required for detecting and mitigating the attacks. Actually, the telecom operator and the web server provider benefit from these attacks, as a huge amount of traffic is generated at their servers, providing them additional income; so some telecom operators do not take action (for some time) even when these attacks are underway, many a time, because they know these kinds of attacks are billed on the client side and no client will then put in a claim or sue the telecom operator. This is a shocking fact about DRDoS attacks.
C. Defense: Feature extraction in real time by implementing the Deep Forest model (first training, then testing) on the DRDoS HDTI network flow data. When it comes to metadata, Deep Learning and Deep Forest models, as well as Natural Language Processing algorithms, have previously been implemented by researchers to detect, prevent and mitigate such DDoS attacks.
Note: The attacks on the CloudFlare and Spamhaus servers were network-based DDoS. The DDoS that laymen usually hear about in the news media is the network-based DDoS. However, host-based DRDoS is more difficult to detect, prevent and mitigate, since not many solutions are available on the market to defend against it. But host-based DRDoS is definitely going to rise in numbers in the upcoming years.
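As an added example that is not part of the question or the answer above, the following Python block shows what "inferring DRDoS from metadata" looks like in practice: per-destination features are extracted from NetFlow-style records (bytes, distinct sources, fraction of traffic arriving from well-known reflector service ports, fraction of replies the host never solicited) and combined with a per-host baseline so that a busy recursive resolver, which legitimately receives many large DNS replies from many sources, is not flagged. It does not implement the Deep Forest model the answer refers to; the features it computes are the kind of statistics such a model would be trained on. The `Flow` record, the `REFLECTOR_PORTS` table, the thresholds in `classify`, and every flow and baseline value in `sample_window` are constructed assumptions for illustration.

```python
"""Rule-based DRDoS inference over NetFlow-style metadata (added example).

The Deep Forest classifier mentioned in the answer is not implemented here;
these per-destination features are what such a model would consume. All flow
records below are constructed sample data, and the thresholds are assumptions
to be tuned against your own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass

UDP = 17
# UDP services commonly abused as reflectors, keyed by the port a reply comes FROM.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int


def extract_features(inbound, outbound):
    """Aggregate UDP flow metadata per monitored destination host.

    `inbound` holds flows whose dst_ip is inside the monitored prefix and
    `outbound` the reverse direction (assumption: the collector splits them).
    A reply is "solicited" if the host sent a request to that peer from the
    same port in the window; a reflected flood is by definition unsolicited.
    """
    requested = {(f.src_ip, f.src_port, f.dst_ip) for f in outbound if f.proto == UDP}
    acc = defaultdict(lambda: {"octets": 0, "packets": 0, "refl": 0,
                               "unsol": 0, "srcs": set(), "services": set()})
    for f in inbound:
        if f.proto != UDP:
            continue
        a = acc[f.dst_ip]
        a["octets"] += f.octets
        a["packets"] += f.packets
        a["srcs"].add(f.src_ip)
        if f.src_port in REFLECTOR_PORTS:
            a["refl"] += f.octets
            a["services"].add(REFLECTOR_PORTS[f.src_port])
        if (f.dst_ip, f.dst_port, f.src_ip) not in requested:
            a["unsol"] += f.octets
    return {
        ip: {
            "octets": a["octets"],
            "avg_pkt_size": a["octets"] / a["packets"],
            "distinct_srcs": len(a["srcs"]),
            "reflector_fraction": a["refl"] / a["octets"],
            "unsolicited_fraction": a["unsol"] / a["octets"],
            "services": sorted(a["services"]),
        }
        for ip, a in acc.items()
    }


def classify(feats, baseline_octets, volume_ratio=10.0, min_srcs=50,
             min_reflector=0.8, min_unsolicited=0.8, min_avg_pkt=400):
    """Return {dst_ip: (verdict, reasons)}.  All four checks must hold to flag
    DRDoS; the baseline and the unsolicited check are what keep a busy resolver
    (many solicited DNS replies from many sources) from being a false positive."""
    out = {}
    for ip, f in feats.items():
        checks = {
            "volume_spike": f["octets"] >= volume_ratio * max(baseline_octets.get(ip, 0), 1),
            "many_sources": f["distinct_srcs"] >= min_srcs,
            "reflector_traffic": (f["reflector_fraction"] >= min_reflector
                                  and f["avg_pkt_size"] >= min_avg_pkt),
            "unsolicited": f["unsolicited_fraction"] >= min_unsolicited,
        }
        reasons = [name for name, ok in checks.items() if ok]
        out[ip] = ("drdos_likely" if all(checks.values()) else "normal", reasons)
    return out


def sample_window():
    """Constructed one-minute window: a victim, an ordinary client, a busy resolver."""
    inbound, outbound = [], []
    # 203.0.113.10: 120 DNS/NTP reflectors it never queried send large replies to port 80.
    for i in range(1, 121):
        inbound.append(Flow(f"198.51.100.{i}", 53 if i % 2 else 123,
                            "203.0.113.10", 80, UDP, 40, 40 * 1200))
    # 203.0.113.20: one DNS lookup and one NTP sync, both solicited, small replies.
    outbound.append(Flow("203.0.113.20", 50001, "192.0.2.53", 53, UDP, 1, 70))
    inbound.append(Flow("192.0.2.53", 53, "203.0.113.20", 50001, UDP, 1, 160))
    outbound.append(Flow("203.0.113.20", 123, "192.0.2.123", 123, UDP, 1, 76))
    inbound.append(Flow("192.0.2.123", 123, "203.0.113.20", 123, UDP, 1, 76))
    # 203.0.113.30: recursive resolver talking to 80 authoritative servers, all solicited.
    for i in range(1, 81):
        outbound.append(Flow("203.0.113.30", 40000 + i, f"192.0.2.{i}", 53, UDP, 1, 80))
        inbound.append(Flow(f"192.0.2.{i}", 53, "203.0.113.30", 40000 + i, UDP, 1, 500))
    baseline = {"203.0.113.10": 50_000, "203.0.113.20": 2_000, "203.0.113.30": 30_000}
    return inbound, outbound, baseline


def run():
    inbound, outbound, baseline = sample_window()
    return classify(extract_features(inbound, outbound), baseline)


if __name__ == "__main__":
    for ip, (verdict, reasons) in run().items():
        print(f"{ip:15} {verdict:13} {', '.join(reasons) or '-'}")
```

Run as a script it prints one line per monitored host; only 203.0.113.10 comes out as `drdos_likely`, while the resolver trips the many-sources and reflector-traffic checks but not the volume or unsolicited ones, which is exactly the false positive a single-feature rule would raise. In a real deployment the baseline would come from a rolling window of the same host's traffic and the thresholds from the training data the answer describes.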