DDoS Attack in Cloud Computing 2010. 10. 11 B. Cha

Feb 24, 2016


Hoshi

Page 1: DDoS  Attack in Cloud Computing

DDoS Attack in Cloud Computing

2010. 10. 11

B. Cha

Page 2: DDoS  Attack in Cloud Computing

Agenda
• Classification of DDoS Attacks and DDoS Defense
• Scenarios of DDoS Attacks in Cloud Computing
  – Attacks using Cloud Computing
  – Defense in Cloud Computing
  – Target in Eucalyptus
  – Sign of Attacks in Cloud Computing
• Anomaly Detection in Cloud Computing
  – Proposed Multistage DDoS Attack Detection
  – Monitoring
  – Lightweight Anomaly Detection
    • Coarse-grained data
    • Bayesian Method
    • Triggered
  – Focused Anomaly Detection
    • STM
    • LTM

Page 3: DDoS  Attack in Cloud Computing

DDoS Attack Classification

Page 4: DDoS  Attack in Cloud Computing

DDoS Attack Classification

Page 5: DDoS  Attack in Cloud Computing

DDoS Defense Classification

Page 6: DDoS  Attack in Cloud Computing

[Figure: DDoS Attacks using Cloud Computing. Labels: Malicious Client, Services, DDoS Attacks, Leases Resources, Legacy Target System, Cloud System, Node Controllers, ClC & CC, Normal Manager; markers (A), (B), (C).]

Assumption: 1. Private Clouds

Page 7: DDoS  Attack in Cloud Computing

[Figure: DDoS Attacks using Cloud Computing. Labels: Malicious Client, Services, DDoS Attacks, Leases Resources, Legacy System, Target Cloud System, Cloud Controller, Cluster Controller, Node Controllers, ClC & CC, Normal Manager; markers (A), (B), (C), (1), (2).]

Page 8: DDoS  Attack in Cloud Computing

[Figure: Defense in Cloud Computing. Labels: Malicious Client, Normal Client, Services, DDoS Attacks, Leases Resources, Legacy System, Cloud System, Target Cloud System, Cloud Controller, Cluster Controller, Node Controllers, ClC & CC, Normal Manager; markers (A), (B), (C), (1), (2), (3).]

Page 9: DDoS  Attack in Cloud Computing

[Figure: Defense in Cloud Computing. Labels: Malicious Client, Malicious Manager, External Monitor, Services, Service Request, Leases Resources, Legacy System, Cloud System, Target Cloud System, Cloud Controller, Cluster Controller, Node Controllers, ClC & CC; markers (A), (B), (C), (1), (2). Annotations: Used Resources Amount in aspect of availability; Elastic Forces (Fatigue) Measurement in DDoS attacks.]

Page 10: DDoS  Attack in Cloud Computing

[Figure: Target in Eucalyptus. Labels: Client 1, EC2 Tools, S3 Tools, CLC (Users, Key-pairs, Image Metadata), Walrus, SC, CC, NC, Cluster A, Cluster B, Front-end Node, Each Node.]

Page 11: DDoS  Attack in Cloud Computing

[Figure: Sign of Attacks in Cloud Computing. Panels (a) and (b) plot Traffic against Time for the Source System (SRC_j) and the Target Cloud System (TG_i). Labels: DDoS Attack, Cloud Burst Attack, Src, Tg, XT, Coarse-grained Data, Fine-grained Data, Prior & Posterior Prob.; markers (1), (2).]

Page 12: DDoS  Attack in Cloud Computing

Multistage DDoS Attack Detection
• Multistage DDoS Attack Detection
  – Stage 1: Monitoring
  – Stage 2: Lightweight Anomaly Detection
  – Stage 3: Focused Anomaly Detection
• Considerations in Monitoring
  – Volume Data in Cloud
  – Monitoring Location
    • Source-End
    • Victim-End
  – Interval delta_T
• Considerations in Learning Alg.
  – Unsupervised Learning Alg.
  – Supervised or Semi-supervised Learning Alg.: Bulk Anomaly
  – Relation between distance based and statistical anomalies for two-dimensional data sets

Page 13: DDoS  Attack in Cloud Computing

Multistage DDoS Attack Detection
• Considerations in Lightweight Anomaly Detection
  – Top List
    • In-bound
    • Out-bound
  – Detection Algorithm
    • Entropy
    • Statistics Techniques
    • Chi-Square
  – Coarse-grained data
    • Coarse chunks -> DDoS Attacks
    • Fine-grained data: Normal & threshold determination
  – Bayesian Method
    • Prior probability and posterior probability
    • The posterior probability can be computed from the prior probability and the likelihood (likelihood function) by Bayes' theorem

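$$P(TG \mid SRC) = \frac{P(SRC \mid TG)\,P(TG)}{P(SRC)} \propto L(TG \mid SRC)\,P(TG)$$

$$P(SRC \mid TG) = \frac{P(TG \mid SRC)\,P(SRC)}{P(TG)}$$

$$\text{posterior} = \frac{\text{likelihood} \times \text{prior}}{\text{normalizing constant}}$$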
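Stage 2 as an added example (not from the original slides): an entropy and chi-square check over the in-bound top list of one interval delta_T, triggering Stage 3 when the interval deviates from a baseline interval. The flow tuples, the floor share for sources unseen in the baseline, and both thresholds are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample data: (source, target, request count) per interval delta_T.
BASELINE = [("10.0.0.1", "clc", 40), ("10.0.0.2", "clc", 30),
            ("10.0.0.3", "clc", 20), ("10.0.0.4", "clc", 10),
            ("10.0.0.1", "walrus", 70)]
NORMAL = [("10.0.0.1", "clc", 44), ("10.0.0.2", "clc", 28),
          ("10.0.0.3", "clc", 19), ("10.0.0.4", "clc", 9)]
ATTACK = BASELINE + [("10.0.0.9", "clc", 900)]  # one source floods the target

def top_list(flows, target, n=5):
    """Coarse-grained in-bound top list: requests per source toward `target`,
    keeping the n largest sources and folding the rest into 'other'."""
    per_src = Counter()
    for src, tg, count in flows:
        if tg == target:
            per_src[src] += count
    top = dict(per_src.most_common(n))
    rest = sum(per_src.values()) - sum(top.values())
    if rest:
        top["other"] = rest
    return top

def entropy(counts):
    """Shannon entropy (bits) of the source distribution in one interval."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def chi_square(observed, baseline, floor=1e-3):
    """Pearson chi-square of this interval against the baseline shares.
    Sources unseen in the baseline get a small floor share (assumption)."""
    total, base_total = sum(observed.values()), sum(baseline.values())
    stat = 0.0
    for src in set(observed) | set(baseline):
        expected = total * max(baseline.get(src, 0) / base_total, floor)
        stat += (observed.get(src, 0) - expected) ** 2 / expected
    return stat

def stage2(baseline, interval, h_delta=0.5, chi_limit=50.0):
    """Return (trigger, entropy shift, chi-square). Stage 3 is triggered when
    entropy moves by more than h_delta bits or chi-square exceeds chi_limit
    (both thresholds are assumptions, to be tuned on fine-grained normal data)."""
    dh = abs(entropy(interval) - entropy(baseline))
    chi = chi_square(interval, baseline)
    return dh > h_delta or chi > chi_limit, dh, chi
```

A single flooding source lowers the entropy of the source distribution, while an attack spread over many sources raises it, which is why the check uses the absolute entropy shift.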

Page 14: DDoS  Attack in Cloud Computing

Multistage DDoS Attack Detection
• Considerations in Focused Anomaly Detection
  – Interval delta_T
  – Time Policy
    • STM (Short-Term Memory)
    • LTM (Long-Term Memory)
  – LTM
    • History
    • Symptom of Attacks
      – Scanning, Stealth Scanning
    • Attack Scenario
    • Misuse Detection Rule

[Figure: detection stages over time. Axes: Time, Stage. Labels: Interval delta_T, STM, LTM, Monitoring, Lightweight AD, Focused AD, Coarse-grained data, Volume data in Cloud.]