CBF: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment

Distributed Denial-of-Service (DDoS) attacks are a major threat to cloud environments. Traditional defense approaches cannot be easily applied to cloud security because of, among other things, their relatively low efficiency and large storage requirements. To address this challenge, this paper investigates a Confidence-Based Filtering method, named CBF, for cloud computing environments. The method operates in two periods: the non-attack period and the attack period. During the non-attack period, legitimate packets are collected and attribute pairs are extracted from them to generate a nominal profile. During the attack period, CBF uses the nominal profile to calculate a score for each packet and decide whether to discard it. Finally, extensive simulations are conducted to evaluate the feasibility of the CBF method. The results show that CBF has a high scoring speed, a small storage requirement, and acceptable filtering accuracy, making it suitable for real-time filtering in cloud environments.
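The two-period flow described in the abstract, as an added sketch that is not the paper's code. The header fields, the confidence definition (share of legitimate packets carrying a pair), the mean-based score, the threshold and all packets are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Header fields treated as attributes (assumed; the abstract names none).
FIELDS = ("proto", "ttl", "dport", "flags", "length")

def attribute_pairs(pkt):
    """Return every pair of (field, value) attributes of one packet."""
    attrs = [(f, pkt[f]) for f in FIELDS]
    return list(combinations(attrs, 2))

def build_profile(legit_packets):
    """Non-attack period: confidence of a pair = share of legitimate
    packets in which the two attribute values occur together (assumed)."""
    counts = Counter()
    for pkt in legit_packets:
        counts.update(attribute_pairs(pkt))
    total = len(legit_packets)
    return {pair: seen / total for pair, seen in counts.items()}

def score(profile, pkt):
    """Attack period: mean confidence over the packet's pairs.
    A pair never seen in legitimate traffic contributes 0."""
    pairs = attribute_pairs(pkt)
    return sum(profile.get(p, 0.0) for p in pairs) / len(pairs)

def keep(profile, pkt, threshold):
    """Filtering decision: forward the packet only if its score
    reaches the threshold, otherwise discard it."""
    return score(profile, pkt) >= threshold

# Constructed sample traffic collected while no attack is under way.
LEGIT = (
    [{"proto": "tcp", "ttl": 64, "dport": 443, "flags": "A", "length": 1500}] * 8
    + [{"proto": "udp", "ttl": 64, "dport": 53, "flags": "", "length": 80}] * 2
)
PROFILE = build_profile(LEGIT)

# Constructed packet whose TTL and length never appear in the profile.
SUSPECT = {"proto": "udp", "ttl": 255, "dport": 53, "flags": "", "length": 1400}
THRESHOLD = 0.15  # assumed cut-off, chosen so both legitimate flows pass

if __name__ == "__main__":
    for name, pkt in (("https", LEGIT[0]), ("dns", LEGIT[-1]), ("suspect", SUSPECT)):
        verdict = "keep" if keep(PROFILE, pkt, THRESHOLD) else "discard"
        print(f"{name:8s} score={score(PROFILE, pkt):.2f} -> {verdict}")
```

The profile is one dictionary lookup per attribute pair at scoring time, which is the property that makes this style of filter cheap enough to apply per packet.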
