Frequency-Minimal Utility-Maximal Moving Target Defense Against DDoS in SDN-Based Systems

With the increase in DDoS attacks, resource adaptation schemes need to be effective at protecting critical cloud-hosted applications. Specifically, they need to adapt to attack behavior and be dynamic in their resource utilization. In this paper, we propose an intelligent strategy for proactive and reactive application migration that leverages the concept of ‘moving target defense’ (MTD). The novelty of our approach lies in: (a) stochastic minimization of the proactive migration frequency across heterogeneous cloud resources, to reduce migration management overhead; (b) market-driven selection of the migration location during proactive migration, to jointly optimize resource utilization, cloud service provider (CSP) cost and user quality of experience (QoE); and (c) fast-converging, cost-minimizing reactive migration coupled with a ‘false reality’ pretense that lowers the probability of future attacks succeeding. We evaluate the effectiveness of our MTD-based defense strategy on a Software-Defined Networking (SDN)-enabled GENI cloud testbed with a “Just-in-time news articles and video feeds” application. Our frequency-minimization results show a reduction of more than 40% in DDoS attack success rate in the best cases compared to traditional periodic migration schemes on homogeneous cloud resources. The results also show that our market-driven migration location selection strategy decreases CSP cost and increases resource utilization by 30%.
