Design Issues of Enhanced DDoS Protecting Scheme under the Cloud Computing Environment

Due to the growth of the Internet and the increase in data, many companies have begun to migrate their data services from the Web to the Cloud, but this brings many security issues, such as Distributed Denial of Service (DDoS) attacks and zero-day attacks. DDoS is a critical threat in the cloud computing environment: it attempts to make a machine or network unavailable to its users. Confidence Based Filtering (CBF) is one of the conventional approaches to defending against DDoS. The CBF method collects packets and extracts attribute pairs to calculate a score for each packet, then decides whether or not to discard the packet. However, the weight of each attribute pair and the threshold value used in the calculation are static in the CBF method. Therefore, we propose a novel method called N-CBF that addresses these drawbacks of the CBF method. First, the N-CBF scheme can dynamically adjust the weight value of each attribute pair. Second, each packet has its own unique threshold value. Third, we performed simulations to compare and analyze the effectiveness and efficiency of the N-CBF scheme according to the KPIs. The simulation results indicate that the proposed N-CBF scheme obtains detection ratios that are higher by 9.02% on average, with a little overhead in average processing time compared with CBF. Finally, N-CBF can support more refined and robust protection mechanisms against DDoS attacks and also provide a more secure cloud computing environment.
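
An added illustration of the score-then-filter step described above, not code from the paper: it assumes a pair's confidence is its co-occurrence frequency in nominal traffic and that the packet score is the weighted average of those confidences. The attribute set, weights, threshold and packets are constructed for the example.

```python
from collections import Counter
from itertools import combinations

ATTRS = ("ttl", "proto", "dst_port", "flags")  # assumed attribute set
PAIRS = list(combinations(ATTRS, 2))
WEIGHTS = {pair: 1.0 for pair in PAIRS}         # static weights (assumed values)
THRESHOLD = 0.2                                  # static threshold (assumed value)

def build_profile(packets):
    """Count attribute-value pair co-occurrences in nominal (attack-free) traffic."""
    counts = Counter()
    for p in packets:
        for a, b in PAIRS:
            counts[(a, p[a], b, p[b])] += 1
    return counts, len(packets)

def cbf_score(packet, profile, weights=WEIGHTS):
    """Weighted average of pair confidences; a pair never seen scores 0."""
    counts, total = profile
    num = sum(weights[(a, b)] * counts[(a, packet[a], b, packet[b])] / total
              for a, b in PAIRS)
    return num / sum(weights.values())

def should_discard(packet, profile, threshold=THRESHOLD):
    """Discard when the score falls below the single fixed threshold."""
    return cbf_score(packet, profile) < threshold

def pkt(ttl, proto, dst_port, flags):
    return {"ttl": ttl, "proto": proto, "dst_port": dst_port, "flags": flags}

# Constructed nominal traffic: 6 HTTPS, 3 HTTP, 1 DNS packet.
NOMINAL = ([pkt(64, "tcp", 443, "ACK")] * 6 + [pkt(128, "tcp", 80, "ACK")] * 3
           + [pkt(64, "udp", 53, "-")])
PROFILE = build_profile(NOMINAL)

COMMON = pkt(64, "tcp", 443, "ACK")    # matches the bulk of the profile
ODD = pkt(250, "tcp", 443, "SYN")      # TTL and flags never seen in the profile
RARE = pkt(64, "udp", 53, "-")         # legitimate but infrequent

if __name__ == "__main__":
    for name, p in (("common", COMMON), ("odd", ODD), ("rare", RARE)):
        print(name, round(cbf_score(p, PROFILE), 3), should_discard(p, PROFILE))
```

In this constructed data the rare DNS packet and the odd packet both score 0.1, so the one fixed threshold discards both.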
