Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Zhenqian Feng,Bing Bai,Baokang Zhao,Jinshu Su

DOI: https://doi.org/10.6138/jit.2012.13.4.14

2012-01-01

Abstract:In homeland security and defense, cloud security is critical. As an increasing number of governments and organizations outsource their computing to the cloud, they at the same time make it an attractive target for terrorists and hackers. Cloud computing offers a great opportunity for improved productivity and lowered cost, however, it meanwhile raises potential security issues as attackers from around the nation or world could be its legal tenants. This paper studies one of the potential security problem, namely, legal yet malicious tenants would launch low-rate DoS (Denial of Service) attack (or Shrew attack for short) to the co-residents once they rent and control a part of computing resources. To explore the feasibility and understand the possible attack pattern, we try to identify bottlenecks in the underlying DCNs (Data Center Networks), and then attack the victim with as little traffic. Moreover, an analytical model is built to quantitatively analyze the necessary and sufficient traffic for an effective attack. Finally, we propose a universal receiver-enforced dynamic bandwidth allocation technique named Redball to enhance defense capabilities of the cloud. Redball could intelligently throttle shrew attack in DCNs by decomposing its group behavior, enforce an average fair share of bandwidth among tenants in a work-conserving way, and yet sacrifice only a small proportion of flows by delaying allocating bandwidth for them. Further, our proposal modifies only the endpoints, leaving the network gears untouched.

Yuquan Shan,George Kesidis,Daniel Fleck,Angelos Stavrou

DOI: https://doi.org/10.48550/arXiv.1704.06794

2017-08-02

Abstract:We consider a cloud based multiserver system, that may be cloud based, consisting of a set of replica application servers behind a set of proxy (indirection) servers which interact directly with clients over the Internet. We address cloud-side proactive and reactive defenses to combat DDoS attacks that may target this system. DDoS attacks are endemic with some notable attacks occurring just this past fall. Volumetric attacks may target proxies while "low volume" attacks may target replicas. After reviewing existing and proposed defenses, such as changing proxy IP addresses (a "moving target" technique to combat the reconnaissance phase of the botnet) and fission of overloaded servers, we focus on evaluation of defenses based on shuffling client-to-server assignments that can be both proactive and reactive to a DDoS attack. Our evaluations are based on a binomial distribution model that well agrees with simulations and preliminary experiments on a prototype that is also described.

Cryptography and Security

Tianwen Jili,Nanfeng Xiao

DOI: https://doi.org/10.1088/1742-6596/1621/1/012005

2020-01-01

Journal of Physics Conference Series

Abstract:Abstract Currently, the distributed denial service attacks (DDoS) are increased rampantly on the internet, the threshold of such attacks is relatively low for the malicious attackers. Therefore, the DDoS attacks are serious threats to the security availability of the cloud computing. Aiming at the threats, this paper studies the malicious traffic identification and the detection scheme of the denial service attack under the soft-ware-defined Network (SDN), which uses the SDN forwarder to distinguish the DDoS attack traffic and adopt the corresponding filtering means to achieve protection for the distributed denial service attack. This paper firstly implements cloud platform resource calls, then an attack detection technology based on information entropy is proposed and implemented to carry out the DDoS attack detection, because the size of the entropy value can show the discrete or aggregated characteristics of the current data set, which can be used to detect abnormal data traffic. At last, the experiments are also carried out to verify and analyze the effectiveness of the DDoS attack detection and the protection methods.

Shui Yu,Yonghong Tian,Song Guo,Dapeng Oliver Wu

DOI: https://doi.org/10.1109/tpds.2013.181

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Cloud is becoming a dominant computing platform. Naturally, a question that arises is whether we can beat notorious DDoS attacks in a cloud environment. Researchers have demonstrated that the essential issue of DDoS attack and defense is resource competition between defenders and attackers. A cloud usually possesses profound resources and has full control and dynamic allocation capability of its resources. Therefore, cloud offers us the potential to overcome DDoS attacks. However, individual cloud hosted servers are still vulnerable to DDoS attacks if they still run in the traditional way. In this paper, we propose a dynamic resource allocation strategy to counter DDoS attacks against individual cloud customers. When a DDoS attack occurs, we employ the idle resources of the cloud to clone sufficient intrusion prevention servers for the victim in order to quickly filter out attack packets and guarantee the quality of the service for benign users simultaneously. We establish a mathematical model to approximate the needs of our resource investment based on queueing theory. Through careful system analysis and real-world data set experiments, we conclude that we can defeat DDoS attacks in a cloud environment.

Yasir Ali,Xia Yuanqing,Liang Ma

DOI: https://doi.org/10.1109/cac.2017.8243372

2017-01-01

Abstract:Nowadays, Cloud Computing is developing rapidly, and it has given power to the resource constrained Network Control System (NCS) to outsource heavy computations to the cloud server. However, the development of Cloud Computing produced many security challenges regarding the cyber-physical connection between the cloud and control system. The control system which is connected with the cloud and receives real-time guidance from the cloud, can be subjected to Distributed Denial of Service (DDoS) attack initiated by an attacker, which will destabilize the NCS. In this paper we will address this issue by introducing a proper strategy for securing Cloud Control Systems (CCS) against DDoS attack.

Fangyuan Xing,Fei Tong,Jialong Yang,Guang Cheng,Shibo He

DOI: https://doi.org/10.1109/tcc.2024.3480194

IF: 5.697

2024-01-01

IEEE Transactions on Cloud Computing

Abstract:Distributed Denial of Service (DDoS) attacks threaten cloud servers by flooding redundant requests, leading to system resource exhaustion and legitimate service shutdown. Existing DDoS attack mitigation mechanisms mainly rely on resource expansion, which may result in unexpected resource over-provisioning and accordingly increase cloud system costs. To effectively mitigate DDoS attacks without consuming extra resources, the main challenges lie in the compromise between incoming requests and available cloud resources. This paper proposes a resource-aware DDoS attack mitigation framework named RAM, where the mechanism of feedback in control theory is employed to adaptively adjust the interaction between incoming requests and available cloud resources. Specifically, two indicators including request confidence level and maximum cloud workload are designed. In terms of these two indicators, the incoming requests will be classified using proportional-integralderivative (PID) feedback control-based classification scheme with request determination adaptation. The incoming requests can be subsequently processed according to their confidence levels as well as the workload and available resources of cloud servers, which achieves an effective resource-aware mitigation of DDoS attacks. Extensive experiments have been conducted to verify the effectiveness of RAM, which demonstrate that the proposed RAM can improve the request classification performance and guarantee the quality of service.

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Kexin Chen,Hang Wang,Peilin Hong

DOI: https://doi.org/10.1109/icc45041.2023.10279833

2023-01-01

Abstract:Multi-tenancy and the vulnerabilities of network isolation make Low-Rate Distributed Denial-of-Service (LDDoS) severe threats to cloud data centers. Due to the stealthy nature of the LDDoS attack, it is not easy to detect in data center networks (DCN) with frequent Incast traffic. And the traditional Detect-Drop defense strategy may drop some benign flows, significantly reducing user experience. To this end, this paper first proposes a mathematical model that reveals the attack aggregation mechanism and queuing pattern of LDDoS attack in DCN. On this basis, this article proposes a novel defense strategy that can interfere with LDDoS attack aggregation without breaking the benign user's connection. When there is an attack detected, the information of normal and suspicious flows will be roughly grouped and notified to the preceding switch, where they will enter different switch queues separately. Afterward, the packets in the suspicious flow queue will be added with a subtle delay when dequeuing. As for the attack flows, it directly results in the inability to aggregate into large pulses. For the normal flow, it merely increases the flow completion time (FCT) by a few microseconds. It is due to this property that the method proposed can defend against attacks without affecting the connection of the normal flows. The simulation results are consistent with the theoretical analysis and show that this strategy can effectively recover the network performance. Moreover, it achieves excellent robustness at low detection accuracy, making it suitable for running in DCN.

Qian Wang,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1109/iccsn.2017.8230285

2017-01-01

Abstract:In this paper, we introduce a SDN(Software Defined Network) based DDoS(Distributed Denial of Service) Defense mechanism. Our mechanism employs SDN's flexibility to redirect packets. The traffic between clients and servers is relayed by a group of dynamic proxy node switches. After several shuffles, our mechanism can mitigate DDoS attack as well as quarantine attackers. The simulation results confirm the effectiveness of our mechanism. In order to accelerate the process of segregating, we propose a efficient algorithm replacing enumerative algorithm. Numerical results verify that the performance of efficient algorithm is closed to enumerative one.

Bing Wang,Yao Zheng,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.1016/j.comnet.2015.02.026

IF: 5.493

2015-04-01

Computer Networks

Abstract:Cloud computing has become the real trend of enterprise IT service model that offers cost-effective and scalable processing. Meanwhile, Software-Defined Networking (SDN) is gaining popularity in enterprise networks for flexibility in network management service and reduced operational cost. There seems a trend for the two technologies to go hand-in-hand in providing an enterprise’s IT services. However, the new challenges brought by the marriage of cloud computing and SDN, particularly the implications on enterprise network security, have not been well understood. This paper sets to address this important problem.We start by examining the security impact, in particular, the impact on DDoS attack defense mechanisms, in an enterprise network where both technologies are adopted. We find that SDN technology can actually help enterprises to defend against DDoS attacks if the defense architecture is designed properly. To that end, we propose a DDoS attack mitigation architecture that integrates a highly programmable network monitoring to enable attack detection and a flexible control structure to allow fast and specific attack reaction. To cope with the new architecture, we propose a graphic model based attack detection system that can deal with the dataset shift problem. The simulation results show that our architecture can effectively and efficiently address the security challenges brought by the new network paradigm and our attack detection system can effectively report various attacks using real-world network traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

肖军,云晓春,张永铮

DOI: https://doi.org/10.3724/sp.j.1016.2010.01713

2010-01-01

Chinese Journal of Computers

Abstract:Mitigating Distributed Denial-of-Service(DDoS)attacks becomes more challenging with increasing available resources and techniques for attackers.Current network-layer security devices fail to counter application-layer DDoS(App-DDoS)attacks for the normal traffic feature on the network layer.In this paper,to handle App-DDoS attacks,a novel defense model is proposed.App-DDoS attack is divided into 5 types based on the attack URL generating way.Based on the differences between normal sessions and attack sessions,the paper proposes the session behavior suspicion parameters and the session suspicion model,which can be used to differentiate normal sessions from App-DDoS sessions accurately.The model is combined with 3 forwarding policies,including First-Come First-Serve(FCFS),Low Suspicion First(LSF)and Round Robin respectively to defend against 5 types of App-DDoS attacks.Simulation result with real Web trace shows that these forwarding policies perform well when the forwarding rate equals to the maximum normal request arrival rate,and FCFS and Round Robin perform better than LSF on the normal request response delay.

Kun Lv,Yun Chen,Changzhen Hu

DOI: https://doi.org/10.1016/j.inffus.2019.01.001

IF: 18.6

2019-01-01

Information Fusion

Abstract:Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times.

Trung V. Phan,Minho Park

DOI: https://doi.org/10.1109/access.2019.2896783

IF: 3.9

2019-01-01

IEEE Access

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet infrastructure to be more programmable, configurable, and manageable. However, critical cyber-threats in the SDN-based cloud environment are rising rapidly, in which distributed denial-of-service (DDoS) attack is one of the most damaging cyber attacks. In this paper, we propose an efficient solution to tackle DDoS attacks in the SDN-based cloud environment. We first introduce a new hybrid machine learning model based on support vector machine and self-organizing map algorithms to improve the traffic classification. Then, we propose an enhanced history-based IP filtering scheme ( $eHIPF$ ) to improve the attack detection rate and speed. Finally, we introduce a novel mechanism that combines both the hybrid machine learning model and the $eHIPF$ scheme to make a DDoS attack defender for the SDN-based cloud environment. The testbed is implemented in an SDN-based cloud with service function chaining. Through practical experiments, the proposed DDoS attack defender is proven to outperform existing mechanisms for DDoS attack classification and detection. The comprehensive experiments conducted with various DDoS attack levels prove that the proposed mechanism is an effective, innovative approach to defend DDoS attacks in the SDN-based cloud.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wanchun Dou,Qi Chen,Jinjun Chen

DOI: https://doi.org/10.1016/j.future.2012.12.011

IF: 7.307

2013-01-01

Future Generation Computer Systems

Abstract:Distributed Denial-of-Service attack (DDoS) is a major threat for cloud environment. Traditional defending approaches cannot be easily applied in cloud security due to their relatively low efficiency, large storage, to name a few. In view of this challenge, a Confidence-Based Filtering method, named CBF, is investigated for cloud computing environment, in this paper. Concretely speaking, the method is deployed by two periods, i.e., non-attack period and attack period. More specially, legitimate packets are collected in the non-attack period, for extracting attribute pairs to generate a nominal profile. With the nominal profile, the CBF method is promoted by calculating the score of a particular packet in the attack period, to determine whether to discard it or not. At last, extensive simulations are conducted to evaluate the feasibility of the CBF method. The result shows that CBF has a high scoring speed, a small storage requirement, and an acceptable filtering accuracy. It specifically satisfies the real-time filtering requirements in cloud environment.

Shibo Luo,Jun Wu,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/FCST.2015.11

2015-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to Internet based killer applications, such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined Networks (SDN) has emerged as a future communication network architecture which decouples network control and forwarding. It has some particular features such as central control and programmability to combat against DDoS attack. In this paper, we survey DDoS attacks and existing defense mechanisms, and draw a conclusion of the needs of defense mechanism for successful combating against DDoS. Then, we analyze the particular features of SDN and conclude it is conducive to countermeasure DDoS attack. According the analysis, we construct a defense mechanism for DDoS in SDN. At last, we illustrate how this mechanism could combat against DDoS attacks through a working example.

Dang Nan

DOI: https://doi.org/10.4018/IJISMD.2020010101

2020-02-28

International Journal of Information System Modeling and Design

Abstract:In order to realize the power system defense security, this article puts forward the idea and method of constructing power dispatching automation systems with a cloud computing architecture and realizes the unified management of distributed resources with server virtualization technology. Real-time online migration of each module of the scheduling system is realized by using the in-memory data transfer technology. The multi-node network heartbeat detection technology is used to realize the complete monitoring of the server cluster. In the form of an independent disk array, the fault node is removed, and the service is restored automatically. The whole disaster reserve of the system is realized by means of remote resource mapping. System analysis results show that compared with traditional architecture, the service interruption probability of the new scheduling automation system is effectively reduced. Fault redundancy capacity in the station is increased from a key module 2 node to multi-node protection of all modules.

English Else

Pengdeng Li,Xiaofan Yang

DOI: https://doi.org/10.1109/access.2019.2932020

IF: 3.9

2019-01-01

IEEE Access

Abstract:Advanced persistent threat (APT) for data theft poses a severe threat to cloud storage systems (CSSs). An APT actor may steal valuable data from the target CSS even in a strategic fashion. To protect a CSS from APT, the cloud defender has to dynamically allocate the limited security resources to recover the compromised storage servers, aiming at mitigating his total loss. This paper addresses this dynamic cloud storage recovery (DCSR) problem by employing differential game theory. First, by introducing an expected state evolution model capturing the CSS's expected state evolution process under a combination of attack strategy and recovery strategy, we measure the APT attacker's net benefit and the cloud defender's total loss. On this basis and in the worst-case situation where the cloud defender assumes that the APT attacker has full knowledge of his expected loss, we reduce the DCSR problem to a differential game-theoretic problem (the DCSR* problem) to characterize the strategic interactions between the two parties. Second, we derive a necessary condition for Nash equilibrium of the DCSR* problem and thereby introduce the concept of competitive strategy profile. Next, we study the structural properties of the competitive strategy profile, followed by some numerical examples. Then, we conduct extensive comparative experiments to exhibit that the competitive strategy profile is superior to a large number of randomly generated strategy profiles in the sense of Nash equilibrium solution concept. Finally, we briefly analyze the practicability (scalability and feasibility) of this paper. Our findings will be helpful to enhance the APT defense capabilities of the cloud defender.

Zhenqian Feng,Bing Bai,Baokang Zhao,Jinshu Su

DOI: https://doi.org/10.1109/msn.2011.71

2011-01-01

Abstract:Multi-tenancy and lack of network performance isolation among tenants together make the public cloud vulnerable to attacks. This paper studies one of the potential attacks, namely, low-rate denial-of-service (DoS) attack (or \textit{Shrew} attack for short), in cloud data center networks (DCNs). To explore the feasibility of launching Shrew attack from the perspective of a normal external tenant, we first leverage a loss-based probe to identify the locations and capabilities of the underlying bottlenecks, and then make use of the low-latency feature of DCNs to synchronize the participating attack flows. Moreover, we quantitatively analyze the necessary and sufficient traffic for an effective attack. Using a combination of analytical modeling and extensive experiments, we demonstrate that a tenant could initiate an efficient Shrew attack with extremely little traffic, e.g., milliseconds-long burst traffic, which imposes significant difficulty for the switching boxes and counter-DoS mechanisms to detect. We identify that both the conventional protocol assumption and new features of DCNs enable such Shrew attack, and new techniques are required to thwart it in the DCNs.