JOURNAL OF SHANDONG UNIVERSITY (NATURAL SCIENCE), 2016, Vol. 51, Issue (9): 92-100. doi: 10.6040/j.issn.1671-9352.3.2015.090


An approach of detecting LDoS attacks based on the euclidean distance of available bandwidth in cloud computing

  

  1. School of Electronics & Information Engineering, Tianjin University, Tianjin 300072, China;
  2. School of Electronics & Information Engineering, Civil Aviation University of China, Tianjin 300300, China
  • Received: 2015-09-11 Online: 2016-09-20 Published: 2016-09-23

Abstract: Based on the architecture of cloud computing Data Center Networks (DCNs), the Low-rate Denial of Service (LDoS) attack is modeled from the viewpoint of network architecture. The Euclidean distance of available bandwidth is then used to detect LDoS attacks: because LDoS attacks force the links co-located in the same routing domain to increase their available bandwidths, the average Euclidean distance serves as the measurement for detecting LDoS attacks. The traditional Probe Gap Model (PGM) is improved to measure available bandwidth specifically in cloud computing. Experiments in a practical network are conducted to test the attack effect and the detection performance. The test results verify that: 1) LDoS attacks cause more damage than Flooding Denial of Service (FDoS) attacks in cloud computing DCNs; 2) the proposed detection approach detects LDoS attacks accurately and achieves a 98% detection probability.

Key words: cloud computing, available bandwidth, attack detection, euclidean distance, low-rate denial of service attack

CLC Number: TP393