Frequency-Minimal Utility-Maximal Moving Target Defense Against DDoS in SDN-Based Systems

Moving Target Defense for SDN-Based Cloud Datacenter Network Protection

International Journal of Advanced Trends in Computer Science and Engineering , 2021

The significant advance of Software Defined Networking (SDN) technology has enabled several complex system operations to be highly dynamic, flexible and robust, particularly in terms of programmability and controllability with the help of SDN controllers. Accordingly, many security operations have utilized this capability to be optimally deployed in a complex network using the SDN functionalities. Moving target defense (MTD) has emerged as an adaptive and proactive defense mechanism aiming to thwart a potential attacker. The key underlying idea of MTD is to increase uncertainty and confusion for attackers by changing the attack surface (i.e., system or network configurations), which can invalidate the intelligence collected by the attackers and interrupt attack execution, ultimately leading to attack failure. In this research, by leveraging the advanced SDN technology, a model of MTD using an SDN-based system framework design is proposed. The model uses a runtime model that allows the proposed framework to infer the current state of the system. Based on the obtained information, the MTD mechanism using SDN can provide proactive, adaptive and affordable defense services for the exploitable aspects of the cloud datacenter network, increasing uncertainty and complexity for the attackers, reducing the likelihood of an attack and minimizing cloud security risk. The research also validates the outperformance of the proposed MTD technique in attack success rate via simulation on SDN-based cloud datacenter network experiments in a virtualized environment.

Securing cloud computing environment by mitigating DDoS attacks: Moving-target defence approach

2016

Cloud computing, with its recent development, has become accessible to almost everyone. Millions of people store their data in the cloud platform daily and use it for various kinds of needs. In this scenario, distributed denial of service (DDoS) attacks are one of the common issues in day-to-day usage, and they severely affect the availability of resources or services. The challenge is to create a DDoS detection and mitigation system that can protect against both volumetric and application-specific resource starvation and exhaustion attacks. In this paper, a new method named MOTAG is proposed. This moving-target defence method for overcoming DDoS attacks repeatedly shuffles the client-to-server assignments in order to first identify the malicious clients and then quarantine them.

AVDR: A Framework for Migration Policy to Handle DDoS Attacked VM in Cloud

Wireless Personal Communications, 2020

The recent trends of Distributed Denial of Service (DDoS) attacks in cloud computing have revealed a new menace of DDoS attacks: collateral damage to non-target stakeholders. These stakeholders are the victim Virtual Machine (VM), sibling VMs, the host physical machine, other host physical machines, VMs on other host machines, users of attacked and co-hosted VMs, cloud providers and cloud customers. The main reason behind this collateral damage is the set of cloud features such as virtualization, auto-scaling, resource sharing, and migration. During a DDoS attack, the massive number of requests results in a host overload situation. In the cloud, this overload situation is handled by various existing migration policies. These simple migration policies are not efficient if the attacked VMs are present in the cloud network. Therefore, a supporting framework, Attacked VM Detection and Recovery (AVDR), is proposed in this work. The proposed AVDR framework improves the performance of existing migration policies and reduces the collateral damage. The AVDR framework is based on the attack strength 'Y_as', so a linear model to evaluate 'Y_as' is also proposed. The dataset used for the modeling of 'Y_as' is generated over VM instances created on AWS. It consists of both attack and benign request traces. The results prove the effectiveness of the proposed work.

Proactive DDoS Attack Mitigation in Cloud-Fog Environment using Moving Target Defense

ArXiv, 2020

Distributed Denial of Service (DDoS) attacks are serious cyber attacks, and mitigating DDoS attacks in the cloud is a topic of ongoing research interest that remains a major security challenge. Fog computing is an extension of cloud computing that has been used to secure the cloud. Moving Target Defense (MTD) is a newly recognized, proactive security defense that can be used to mitigate DDoS attacks on the cloud. MTD intends to make a system dynamic and uncertain by continuously changing the attack surface to confuse attackers. In this paper, a novel DDoS mitigation framework is presented to support a Cloud-Fog Platform using the MTD technique (CFPM). CFPM applies the migration MTD technique at the fog layer to mitigate DDoS attacks in the cloud. It proactively detects the attacker among all the legitimate clients at the fog layer and isolates it from innocent clients. CFPM uses an effective request handling procedure for load balancing and an attacker isolation procedure which aims to minimize disruption to clou...

Maintaining Cloud Performance Under DDoS Attacks

The popularity of cloud computing has been growing, and the cloud has become an attractive alternative to the classic information processing system. The distributed denial of service (DDoS) attack is one of the best-known attacks on cloud computing. This paper proposes a Multiple Layer Defense (MLD) scheme to detect and mitigate DDoS attacks that cause resource depletion. The MLD consists of two layers. The first layer has an alarm system that sends alarms to cloud management when DDoS attacks start. The second layer includes an anomaly detection system that detects whether a VM is infected by DDoS attacks. MLD was also tested with different DDoS attack ratios to show the scheme's stability. MLD was evaluated by energy consumption and overall SLA violations. The results show the great effect of MLD in reducing energy consumption and overall SLA violations for all datasets. MLD also shows acceptable stability and reactivity with different DDoS attack ratios.

Attack Graph-Based Moving Target Defense in Software-Defined Networks

IEEE Transactions on Network and Service Management, 2020

Moving target defense (MTD) has emerged as a proactive defense mechanism aiming to thwart a potential attacker. The key underlying idea of MTD is to increase uncertainty and confusion for attackers by changing the attack surface (i.e., system or network configurations), which can invalidate the intelligence collected by the attackers and interrupt attack execution, ultimately leading to attack failure. Recently, the significant advance of software-defined networking (SDN) technology has enabled several complex system operations to be highly flexible and robust, particularly in terms of programmability and controllability with the help of SDN controllers. Accordingly, many security operations have utilized this capability to be optimally deployed in a complex network using the SDN functionalities. In this paper, by leveraging the advanced SDN technology, we developed an attack graph-based MTD technique that shuffles a host's network configurations (e.g., MAC/IP/port addresses) based on its criticality, which is highly exploitable by attackers when the host is on the attack path(s). To this end, we developed a hierarchical attack graph model that provides a network's vulnerability and network topology, which can be utilized for the MTD shuffling decisions in selecting highly exploitable hosts in a given network and determining the frequency of shuffling the hosts' network configurations. MTD shuffling with a high priority on more exploitable, critical hosts contributes to providing adaptive, proactive, and affordable defense services aiming to minimize attack success probability with minimum MTD cost. We validated the outperformance of the proposed MTD in attack success probability and MTD cost via both simulation and real SDN testbed experiments.

Layered Migrating Overlay for Effectively Sieving Internal DoS/DDoS Attackers - Its Designs and Effectiveness

Journal of Network and Information Security, 2018

Several overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective in the existing solutions is to prevent the attacking traffic from reaching the servers by hiding the location of the target server computers. The recent evolutions in DDoS attacks, especially the increase in the number of bots involved in a DDoS attack and in the degree of control such bots have over the hijacked host computers, pose serious threats to the overlay-based solutions. We designed and assessed the potential of a new overlay-based security architecture that addresses the recent evolutions in DDoS attacks. The new security architecture, called "Layered Migrating Overlay (LMO)", is designed to protect cloud servers (a) when their legitimate users turn into DoS/DDoS attackers or (b) when DDoS attacks are launched from the legitimate users' host computers that have been hijacked by DDoS coordinators. LMO copes with these situations by sieving attacking traffic from the hijacked legitimate users' host computers using dynamic binary user splits over the migrating entry points to an overlay network. Our discrete event driven simulation suggested that LMO will efficiently sieve DDoS attacking hosts in many different situations, whether a small number of attacking hosts hide behind a large legitimate user group or a stampede of DDoS attacking hosts occupies the majority of incoming traffic, without requiring a large number of migrating entry points. We also found that how quickly each migrating entry point can detect excess traffic is key to keeping the convergence delay short.

Performability analysis of services in a software-defined networking adopting time-based moving target defense mechanisms

Proceedings of the 35th Annual ACM Symposium on Applied Computing, 2020

Moving target defense (MTD) has been developed as an emerging technology to enhance system/network security by randomly and continuously changing the attack surface. Despite the significant progress of recent efforts in analyzing the security effectiveness of MTD mechanisms, critical gaps still exist in terms of the impact of running MTD mechanisms on system performance and dependability, exposing a critical design tradeoff between security and performance. To investigate the tradeoff, we propose performability models for evaluating services hosted in software-defined networks with a time-based MTD mechanism deployed. We developed analytical models for evaluating key performability metrics, in terms of response time, throughput, availability, host utilization, the number of requests lost, and cost (i.e., energy consumption plus profits lost due to dropped jobs). Our results showed that using the time-based MTD mechanism can (1) improve service response time and host utilization; (2) introduce a higher number of requests lost and a higher overall cost; and (3) reduce service availability while still handling most of the jobs without much performance degradation.

CCS CONCEPTS: Networks → Network performance modeling; Computing methodologies → Model development and analysis; Security and privacy → Network security.

Unprecedented Smart Algorithm for Uninterrupted SDN Services During DDoS Attack

Computers, Materials & Continua

In the design and planning of next-generation Internet of Things (IoT), telecommunication, and satellite communication systems, controller placement is crucial in software-defined networking (SDN). The programmability of the SDN controller is sophisticated for the centralized control system of the entire network. Nevertheless, it straightforwardly creates a significant loophole for the manifestation of a distributed denial of service (DDoS) attack. Furthermore, a Distributed Reflected Denial of Service (DRDoS) attack, an unusual DDoS attack, has recently been detected. However, minimal deliberation has been given to this forthcoming single point of failure problem in SDN infrastructure. Moreover, the frequency of DDoS attacks has recently increased dramatically. In this paper, a smart algorithm for planning SDN smart backup controllers under DDoS attack scenarios is proposed. Our proposed smart algorithm can recommend single or multiple smart backup controllers in the event of a DDoS occurrence. The simulation results validate the proposed algorithm, and the performance analysis achieved 99.99% accuracy in placing the smart backup controller under DDoS attacks within 0.125 to 46508.7 s in SDN.

Escape-on-Sight: An Efficient and Scalable Mechanism for Escaping DDoS Attacks in Cloud Computing Environment

Availability is one of the primary security issues in the cloud computing environment. The existing solutions that address availability-related issues can be applied in the cloud computing environment, but because of its unique characteristics, such as on-demand self-service, rapid elasticity, etc., there is a need to develop a detection mechanism that satisfies these characteristics and yields an optimal profit for the Cloud Service Provider (CSP). A solution named the Escape-on-Sight (EoS) algorithm is proposed in this paper that helps in detecting the attacker's characteristics by analyzing traffic conditions stage by stage and protects the Data Center (DC) from malicious traffic. The profit analysis shows that the proposed approach has a reasonable chance of deploying the EoS mechanism at DCs that are prone to DDoS attacks.