
Journal of Shandong University (Natural Science), 2016, Vol. 51, Issue (9): 92-100. doi: 10.6040/j.issn.1671-9352.3.2015.090


An approach of detecting LDoS attacks based on the Euclidean distance of available bandwidth in cloud computing

YUE Meng1, WU Zhijun2*, JIANG Jun2

  1. School of Electronics & Information Engineering, Tianjin University, Tianjin 300072, China; 2. School of Electronics & Information Engineering, Civil Aviation University of China, Tianjin 300300, China
  • Received: 2015-09-11 Online: 2016-09-20 Published: 2016-09-23
  • Corresponding author: WU Zhijun (born 1965), male, professor, doctoral supervisor; research interest: information security. E-mail: zjwu@cauc.edu.cn E-mail: myue-23@163.com
  • About the author: YUE Meng (born 1984), male, Ph.D.; research interest: information security. E-mail: myue-23@163.com
  • Funding:
    National Natural Science Foundation of China (61170328); Fundamental Research Funds for the Central Universities (3122016D005)

Abstract: Based on the architecture of cloud computing data center networks (DCNs), the low-rate denial of service (LDoS) attack is modeled from the perspective of network architecture. A detection method based on the Euclidean distance of available bandwidth is proposed. Because an LDoS attack causes the available bandwidth of all links in the same routing domain to increase at the same time, the average Euclidean distance of available bandwidth is used as the measure for detecting LDoS attacks. The traditional probe gap model (PGM) is improved and used specifically to measure available bandwidth in the cloud computing environment. The attack effect and the detection performance are tested in a real network environment. The results show that: 1) LDoS attacks within DCNs are more harmful than flooding denial of service (FDoS) attacks; 2) the proposed method detects LDoS attacks accurately, with a detection rate of 98%.

Key words: cloud computing, available bandwidth, attack detection, Euclidean distance, low-rate denial of service attack

CLC number: TP393