Detecting fraudulent use of cloud resources

Initial threat modeling and security research on the public cloud model has focused primarily on the confidentiality and integrity of data transferred, processed, and stored in the cloud. Little attention has been paid to external threat sources with the capability to affect the financial viability, and hence the long-term availability, of services hosted in the public cloud. A Fraudulent Resource Consumption (FRC) attack resembles an application-layer DDoS attack but is far subtler and is carried out over a longer duration. The attacker's objective is to exploit the utility pricing model that governs resource usage in the cloud by fraudulently consuming web content, so as to deprive the victim of the long-term economic availability of hosting publicly accessible web content in the cloud. In this paper, we thoroughly describe the FRC attack and discuss why current application-layer DDoS detection schemes do not apply to this subtler attack. We propose three detection metrics that together form the criteria for distinguishing an FRC attack from normal web activity. Experimental results based on three plausible attack scenarios show that an attacker without knowledge of the web log has difficulty mimicking the self-similar and consistent request semantics of normal web activity.
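The abstract argues that normal web traffic has consistent, self-similar request semantics that an attacker who has not seen the web log struggles to reproduce. The following added example (not code from the paper, and not the paper's three metrics, which the abstract does not name) shows how a defender can turn that observation into detection logic: it parses constructed Apache-style log lines, builds a per-document request histogram for a baseline period and for a window under inspection, and computes three illustrative metrics of the kind the abstract alludes to: agreement of the popularity ranking with the baseline, the log-log slope of the popularity distribution (near -1 for Zipf-like traffic, near 0 for an attacker cycling through pages evenly), and the share of requests for documents the baseline never served. The log lines, page names, client addresses and thresholds are all constructed for the example.

```python
"""Illustrative FRC detection metrics over constructed web-log lines.

Assumption: the three metrics here (rank agreement, Zipf slope, unseen-document
fraction) are this example's own choices, not the metrics defined in the paper.
"""
import math
import re
from collections import Counter

# Apache common log format; only the request path is needed here.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def request_paths(log_lines):
    """Extract the requested path from each log line, skipping malformed lines."""
    paths = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def make_log(counts, client="203.0.113.10"):
    """Constructed sample log lines: each path repeated counts[path] times."""
    lines = []
    for path, n in counts.items():
        for _ in range(n):
            lines.append(f'{client} - - [10/Oct/2011:13:55:36 +0000] '
                         f'"GET {path} HTTP/1.1" 200 512')
    return lines


def average_ranks(values):
    """Rank values descending (1 = largest); tied values share their mean rank."""
    order = sorted(range(len(values)), key=lambda i: -values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is flat (no information)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def rank_agreement(baseline, window):
    """Metric 1: Spearman correlation of document popularity ranks, baseline vs window."""
    docs = sorted(baseline)
    b = average_ranks([baseline[d] for d in docs])
    w = average_ranks([window.get(d, 0) for d in docs])
    return pearson(b, w)


def zipf_slope(window):
    """Metric 2: least-squares slope of log(count) vs log(rank); about -1 for Zipf-like traffic."""
    counts = [c for c in sorted(window.values(), reverse=True) if c > 0]
    xs = [math.log(r) for r in range(1, len(counts) + 1)]
    ys = [math.log(c) for c in counts]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def unseen_fraction(baseline, window):
    """Metric 3: share of window requests for documents the baseline never served."""
    total = sum(window.values())
    unseen = sum(n for d, n in window.items() if d not in baseline)
    return unseen / total if total else 0.0


def score_window(baseline_lines, window_lines):
    """Compute all three metrics for a window of log lines against a baseline."""
    baseline = Counter(request_paths(baseline_lines))
    window = Counter(request_paths(window_lines))
    return {"rank_agreement": rank_agreement(baseline, window),
            "zipf_slope": zipf_slope(window),
            "unseen_fraction": unseen_fraction(baseline, window)}


def looks_fraudulent(metrics, min_agreement=0.7, max_slope=-0.5, max_unseen=0.2):
    """Flag a window when any metric leaves the band normal traffic occupies.
    Thresholds are illustrative; a deployment would calibrate them on its own logs."""
    return (metrics["rank_agreement"] < min_agreement
            or metrics["zipf_slope"] > max_slope
            or metrics["unseen_fraction"] > max_unseen)


# Constructed traffic: a Zipf-like baseline, a normal window with the same shape,
# and an attacker that requests every page equally plus one page nobody else visits.
PAGES = [f"/page{i}.html" for i in range(1, 9)]
BASELINE = make_log({p: 120 // i for i, p in enumerate(PAGES, 1)})
NORMAL_WINDOW = make_log({p: 60 // i for i, p in enumerate(PAGES, 1)}, client="198.51.100.7")
ATTACK_WINDOW = make_log({**{p: 25 for p in PAGES}, "/old/archive.html": 25}, client="192.0.2.44")

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        m = score_window(BASELINE, window)
        print(name, {k: round(v, 3) for k, v in m.items()}, "fraudulent:", looks_fraudulent(m))
```

The normal window keeps the baseline's popularity order, so its rank agreement is 1.0 and its Zipf slope stays near -1; the attacker's flat histogram gives a rank agreement of 0 (no ordering information) and a slope near 0, which trips the flag even though the unseen-document share alone would not. Metric 3 matters for the opposite case, a crawler that concentrates on pages real users never request.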
