FAPA: flooding attack protection architecture in a cloud system

The yearly growth in cloud adoption is making cloud computing the leading IT computational technology. While cloud computing can be productive and economical, it remains vulnerable to different types of external threats, one of which is the denial of service (DoS) attack. Relying on the cloud providers’ security services could lead to disputes and hidden costs. Rather than depending on cloud providers, we have proposed a model, called flooding attack protection architecture (FAPA), to detect and filter packets when DoS attacks occur. FAPA can run locally on top of the client’s terminal and is independent of the provider’s cloud machine. In FAPA, denial of service is detected through traffic pattern analysis, and flooding is removed by filtering. Both in the cloud and on the cluster, our experimental results demonstrated that FAPA was able to detect and filter packets to successfully remove a DoS attack.
