Journal of Shandong University (Natural Science), 2016, Vol. 51, Issue (9): 92-100. doi: 10.6040/j.issn.1671-9352.3.2015.090
YUE Meng1, WU Zhijun2*, JIANG Jun2
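Abstract: Based on the characteristics of cloud computing data center network (data center networks, DCNS) architectures, low-rate denial of service (LDoS) attacks are modeled from the perspective of network architecture. A method for detecting LDoS attacks based on the Euclidean distance of available bandwidth is proposed. In essence, it relies on the feature that an LDoS attack causes the available bandwidth of all links within the same routing domain to increase simultaneously, and uses the average Euclidean distance of available bandwidth as the detection measure. The traditional probe gap model (PGM) is improved and used specifically for available bandwidth measurement in cloud computing environments. The effect of LDoS attacks and the performance of LDoS detection were tested in a real network environment. The results show that: 1) LDoS attacks inside DCNS are more harmful than flooding denial of service (FDoS) attacks; 2) the proposed detection method detects LDoS attacks accurately, with a detection rate of 98%.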
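A sketch of the detection measure described in the abstract, added here as an example and not the authors' code: it uses the classical PGM formula (not the paper's improved variant) and one possible definition of the average Euclidean distance. The link capacity, probe gaps, threshold and all function names are assumptions, and the sample data is constructed.

```python
import math

CAPACITY = 1000.0   # Mbit/s, assumed link capacity
GAP_IN = 12.0       # microseconds between probe packets at the sender (assumed)

def pgm_available_bw(gap_out, gap_in=GAP_IN, capacity=CAPACITY):
    """Classical PGM: cross traffic widens the probe gap; A = C - C*(gap_out-gap_in)/gap_in."""
    cross = capacity * (gap_out - gap_in) / gap_in
    return max(0.0, min(capacity, capacity - cross))

def to_bw(gaps):
    """Convert one probe round (one output gap per link) to per-link available bandwidth."""
    return [pgm_available_bw(g) for g in gaps]

def mean_euclidean_distance(window, baseline):
    """Average over the window of the distance between each sample vector and the baseline."""
    return sum(math.dist(s, baseline) for s in window) / len(window)

def detect_ldos(window, baseline, threshold):
    """Alarm only if every link's mean available bandwidth rose and the distance is large."""
    means = [sum(col) / len(window) for col in zip(*window)]
    all_up = all(m > b for m, b in zip(means, baseline))
    dist = mean_euclidean_distance(window, baseline)
    return (all_up and dist > threshold), dist

# Constructed probe output gaps (microseconds) for three links in one routing domain.
BASELINE = to_bw((18.0, 16.8, 19.2))                                  # ~500, 600, 400
NORMAL = [to_bw(g) for g in [(18.6, 16.2, 19.8), (17.4, 17.4, 19.2)]]
ATTACK = [to_bw(g) for g in [(13.2, 13.2, 14.4), (12.6, 13.8, 13.2)]]
ONE_LINK = [to_bw((12.0, 17.4, 19.8))]                                # only link 0 frees up
THRESHOLD = 200.0                                                     # assumed, Mbit/s

if __name__ == "__main__":
    for name, win in [("normal", NORMAL), ("attack", ATTACK), ("one link", ONE_LINK)]:
        alarm, dist = detect_ldos(win, BASELINE, THRESHOLD)
        print(f"{name:9s} distance={dist:7.1f} alarm={alarm}")
```

The one-link case has a large distance but raises no alarm, which is why the check requires the increase on every link of the routing domain at once.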