Page 1:

DDoS Attack in Cloud Computing

2010. 10. 11 B. Cha

Page 2:

Agenda

• DDoS Attack and DDoS defense classification
• Scenarios of DDoS Attacks in Cloud Computing
  – Attacks using Cloud Computing
  – Defense in Cloud Computing
  – Target in Eucalyptus
  – Sign of Attacks in Cloud Computing
• Anomaly Detection in Cloud Computing
  – Proposed Multistage DDoS Attack Detection
  – Monitoring
  – Lightweight Anomaly Detection
    • Coarse-grained data
    • Bayesian Method
    • Triggered
  – Focused Anomaly Detection
    • STM
    • LTM

Page 3:

DDoS Attack Classification

Page 4:

DDoS Attack Classification

Page 5:

DDoS Defense Classification

Page 6:

DDoS Attacks using Cloud Computing

[Diagram labels: Malicious Client; Services; Leases Resources; Cloud System (Node Controllers, CLC & CC); Normal Manager; DDoS Attacks; Legacy Target System; panels (A), (B), (C). Assumption: 1. Private Clouds]

Page 7:

DDoS Attacks using Cloud Computing

[Diagram labels: Malicious Client; Services; Leases Resources; Cloud System (Node Controllers, Cloud Controller, Cluster Controller, CLC & CC); Normal Manager; DDoS Attacks; Legacy System; Target Cloud System; panels (A), (B), (C); steps (1), (2)]

Page 8:

Defense in Cloud Computing

[Diagram labels: Malicious Client; Normal Client; Services; Leases Resources; Cloud System (Node Controllers, Cloud Controller, Cluster Controller, CLC & CC); Normal Manager; DDoS Attacks; Legacy System; Target Cloud System; panels (A), (B), (C); steps (1), (2), (3)]

Page 9:

Defense in Cloud Computing

[Diagram labels: Malicious Client; Malicious Manager; Services; Service Request; Leases Resources; Cloud System (Node Controllers, Cloud Controller, Cluster Controller, CLC & CC); Legacy System; Target Cloud System; External Monitor; Used Resources Amount in aspect of availability; Elastic Forces (Fatigue) Measurement in DDoS attacks; panels (A), (B), (C); steps (1), (2)]

Page 10:

Target in Eucalyptus

[Diagram labels: Client 1 with EC2 Tools and S3 Tools; Front-end Node: CLC (Users, Key-pairs, Image Metadata), Walrus; Cluster A and Cluster B: SC, CC; Each Node: NC]

Page 11:

Sign of Attacks in Cloud Computing

[Diagram labels: Source System (SRC_j) and Target Cloud System (TG_i) under DDoS Attack; traffic plots over Time for Src and for Tg with threshold XT; panels (a), (b) and steps (1), (2); Cloud Burst Attack; Coarse-grained Data; Fine-grained Data; Prior & Posterior Prob.]

Page 12:

Multistage DDoS Attack Detection

• Multistage DDoS Attack Detection
  – Stage 1: Monitoring
  – Stage 2: Lightweight Anomaly Detection
  – Stage 3: Focused Anomaly Detection
• Considerations in Monitoring
  – Volume Data in Cloud
  – Monitoring Location
    • Source-End
    • Victim-End
  – Interval delta_T
• Considerations in Learning Alg.
  – Unsupervised Learning Alg.
  – Supervised or Semi-supervised Learning Alg.: Bulk Anomaly
  – Relation between distance based and statistical anomalies for two-dimensional data sets

Page 13:

Multistage DDoS Attack Detection

• Considerations in Lightweight Anomaly Detection
  – Top List
    • In-bound
    • Out-bound
  – Detection Algorithm
    • Entropy
    • Statistics Techniques
    • Chi-Square
  – Coarse-grained data
    • Coarse chunks -> DDoS Attacks
    • Fine-grained data: Normal & threshold determination
  – Bayesian Method
    • Prior Probability and Posterior Probability
    • By Bayes' theorem, the posterior probability can be computed from the prior probability and the likelihood function

    P(TG \mid SRC) = \frac{P(SRC \mid TG)\, P(TG)}{P(SRC)} = \frac{L(TG \mid SRC)\, P(TG)}{P(SRC)}

    \text{posterior} = \frac{\text{likelihood} \times \text{prior}}{\text{normalizing constant}}

    P(SRC \mid TG) = \frac{P(TG \mid SRC)\, P(SRC)}{P(TG)}
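The monitoring considerations on the previous slide (interval delta_T, volume data) and the lightweight stage on this one (top list, entropy, chi-square, Bayesian posterior) are listed only as bullet points. The script below is an added example, not code from the slides or from Eucalyptus. It assumes that Stage 1 collapses in-bound flows into a per-source byte histogram for each interval of length delta_T, that the chi-square categories are the byte shares of the top-k sources plus the remainder (so a baseline learned on one day still applies when the addresses change), the chi-square critical value 7.815 (df = 3, alpha = 0.05), and assumed values for the attack prior and for the rates at which Stage 2 flags attack and normal intervals. The flow records are constructed; interval 0 is even across five sources, interval 1 is the coarse chunk the slide associates with a DDoS attack.

```python
import math
from collections import Counter, defaultdict

DELTA_T = 10          # seconds per monitoring interval (assumed)
TOP_K = 3             # size of the in-bound top list (assumed)
CHI2_CRIT = 7.815     # chi-square critical value, df = TOP_K + 1 - 1 = 3, alpha = 0.05

# Constructed flow records: (timestamp_s, src_ip, dst_ip, bytes).
TARGET = "10.1.0.5"
FLOWS = [
    (0, "10.0.0.1", TARGET, 100), (2, "10.0.0.2", TARGET, 100),
    (4, "10.0.0.3", TARGET, 100), (6, "10.0.0.4", TARGET, 100),
    (8, "10.0.0.5", TARGET, 100),
    (11, "10.0.0.9", TARGET, 1000), (13, "10.0.0.9", TARGET, 1000),
    (15, "10.0.0.9", TARGET, 1000), (17, "10.0.0.1", TARGET, 100),
    (18, "10.0.0.1", "10.1.0.7", 500),   # not in-bound to TARGET, ignored
]


def coarse_grained(flows, target, delta_t=DELTA_T):
    """Stage 1 monitoring: one byte histogram per source per interval of
    length delta_t, in-bound to the target only. Returns {interval: Counter}."""
    hist = defaultdict(Counter)
    for ts, src, dst, nbytes in flows:
        if dst == target:
            hist[ts // delta_t][src] += nbytes
    return dict(hist)


def normalized_entropy(counter):
    """Shannon entropy of the byte share per source, scaled to [0, 1].
    A few sources carrying almost everything drives it towards 0."""
    total = sum(counter.values())
    if total == 0 or len(counter) < 2:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in counter.values() if c)
    return h / math.log2(len(counter))


def top_list_profile(counter, k=TOP_K):
    """Byte share of the top-1 .. top-k sources plus the remainder (k + 1 bins)."""
    total = sum(counter.values())
    ranked = [c for _, c in counter.most_common(k)]
    ranked += [0] * (k - len(ranked))
    return [c / total for c in ranked] + [1 - sum(ranked) / total]


def chi_square(observed_counter, baseline_profile, k=TOP_K):
    """Pearson chi-square of the observed top-list bins against the baseline shares."""
    total = sum(observed_counter.values())
    observed = [share * total for share in top_list_profile(observed_counter, k)]
    return sum((o - total * e) ** 2 / (total * e)
               for o, e in zip(observed, baseline_profile))


def lightweight_detection(hist, baseline_profile, chi2_crit=CHI2_CRIT):
    """Stage 2: per-interval statistics and the coarse flag that triggers Stage 3."""
    report = {}
    for interval, counter in sorted(hist.items()):
        chi2 = chi_square(counter, baseline_profile)
        report[interval] = {
            "top_list": counter.most_common(TOP_K),
            "entropy": normalized_entropy(counter),
            "chi2": chi2,
            "triggered": chi2 > chi2_crit,
        }
    return report


def posterior(prior, likelihood, normalizing_constant):
    """Bayes' theorem as on the slide: P(TG|SRC) = P(SRC|TG) P(TG) / P(SRC),
    i.e. posterior = likelihood * prior / normalizing constant."""
    return likelihood * prior / normalizing_constant


def attack_posterior(p_attack, p_flag_given_attack, p_flag_given_normal):
    """Probability that a flagged interval is an attack. The normalizing
    constant P(flag) comes from the law of total probability."""
    p_flag = p_flag_given_attack * p_attack + p_flag_given_normal * (1 - p_attack)
    return posterior(p_attack, p_flag_given_attack, p_flag)


if __name__ == "__main__":
    hist = coarse_grained(FLOWS, TARGET)
    baseline = top_list_profile(hist[0])     # interval 0 taken as the normal baseline
    for interval, r in lightweight_detection(hist, baseline).items():
        print(interval, r)
    # Assumed rates: 5% of intervals are attacks; Stage 2 flags 90% of attack
    # intervals and 10% of normal ones.
    print("P(attack | flagged) =", attack_posterior(0.05, 0.9, 0.1))
```

With the constructed data the even interval scores entropy 1.0 and chi-square 0, while the interval dominated by one source scores entropy about 0.21 and a chi-square in the thousands, so only the second interval triggers the focused stage. The Bayesian step shows why a trigger is not a verdict: with a 5% prior and a 10% false-flag rate, a flagged interval is an attack with probability only about 0.32.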

Page 14:

Multistage DDoS Attack Detection

• Considerations in Focused Anomaly Detection
  – Interval delta_T
  – Time Policy
    • STM (Short-Term Memory)
    • LTM (Long-Term Memory)
  – LTM
    • History
    • Symptom of Attacks
      – Scanning, Stealth Scanning
    • Attack Scenario
    • Misuse Detection Rule

[Figure labels: Stage vs. Time; Interval delta_T; STM, LTM; Monitoring (Volume data in Cloud); Lightweight AD (Coarse-grained data); Focused AD]
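The time policy on this slide (STM for the last few intervals, LTM for history and remembered symptoms) and the misuse rule can be shown as a small driver for the three stages. The script below is an added example, not code from the slides. It assumes that the earlier stages already hand over one summary per interval delta_T (in-bound volume, the destination ports each source touched, and the lightweight-stage flag), an EWMA long-term volume baseline that is only updated from intervals judged normal, a scanning symptom defined as 20 or more distinct ports from one source within one interval, and a volume ratio of 5 against the baseline as confirmation; all constants and the interval summaries are constructed. The scenario it encodes is the one the slide lists: a scanning symptom stored in LTM, followed later by a flood from the same source.

```python
from collections import deque
from dataclasses import dataclass, field

DELTA_T = 10        # seconds per interval (assumed)
STM_LEN = 3         # intervals held in short-term memory (assumed)
LTM_ALPHA = 0.2     # EWMA weight for the long-term volume baseline (assumed)
SCAN_PORTS = 20     # distinct ports from one source in one interval = scanning symptom (assumed)
RATIO_CRIT = 5.0    # volume ratio to the LTM baseline that confirms a flood (assumed)


@dataclass
class IntervalSummary:
    """Coarse-grained data for one interval of length DELTA_T."""
    interval: int
    total_bytes: int            # in-bound volume to the target
    ports_by_src: dict          # src -> set of destination ports contacted
    triggered: bool = False     # Stage 2 (lightweight) flag


@dataclass
class Memory:
    stm: deque = field(default_factory=lambda: deque(maxlen=STM_LEN))  # recent intervals
    ltm_mean: float = 0.0       # long-term baseline of per-interval volume
    ltm_count: int = 0          # intervals folded into the baseline
    ltm_history: list = field(default_factory=list)   # (interval, symptom, src)


def record_symptoms(mem, s):
    """LTM: remember attack symptoms (here scanning) even in intervals that are not flagged."""
    for src, ports in s.ports_by_src.items():
        if len(ports) >= SCAN_PORTS:
            mem.ltm_history.append((s.interval, "scanning", src))


def update_ltm(mem, s):
    """Fold a normal interval into the long-term volume baseline (EWMA)."""
    if mem.ltm_count == 0:
        mem.ltm_mean = float(s.total_bytes)
    else:
        mem.ltm_mean += LTM_ALPHA * (s.total_bytes - mem.ltm_mean)
    mem.ltm_count += 1


def focused_detection(mem, s):
    """Stage 3, run only for triggered intervals: STM persistence, the LTM
    volume baseline and the misuse rule 'scan, then flood from the same source'."""
    ratio = s.total_bytes / mem.ltm_mean if mem.ltm_count and mem.ltm_mean > 0 else float("inf")
    persistence = sum(1 for x in mem.stm if x.triggered)
    prior_scanners = {src for _, symptom, src in mem.ltm_history if symptom == "scanning"}
    scenario = sorted(prior_scanners & set(s.ports_by_src))
    return {
        "interval": s.interval,
        "volume_ratio": ratio,
        "persistence": persistence,
        "scenario": scenario,
        "attack": ratio > RATIO_CRIT or bool(scenario),
    }


def run(summaries):
    """Drive the stages over a sequence of interval summaries; returns (verdicts, memory)."""
    mem = Memory()
    verdicts = []
    for s in summaries:
        mem.stm.append(s)
        record_symptoms(mem, s)
        verdict = focused_detection(mem, s) if s.triggered else None
        if verdict:
            verdicts.append(verdict)
        if not (verdict and verdict["attack"]):
            update_ltm(mem, s)     # keep attack intervals out of the baseline
    return verdicts, mem


# Constructed interval summaries: normal volume, a port scan from 10.0.0.9 in
# interval 2 that does not trigger Stage 2, then a flood from the same source.
SUMMARIES = [
    IntervalSummary(0, 1000, {"10.0.0.1": {80}, "10.0.0.2": {443}}),
    IntervalSummary(1, 1100, {"10.0.0.1": {80}, "10.0.0.3": {443}}),
    IntervalSummary(2, 900, {"10.0.0.1": {80}, "10.0.0.9": set(range(1, 26))}),
    IntervalSummary(3, 1000, {"10.0.0.2": {80}}),
    IntervalSummary(4, 1000, {"10.0.0.1": {80}, "10.0.0.4": {443}}),
    IntervalSummary(5, 50000, {"10.0.0.9": {80}}, triggered=True),
]

if __name__ == "__main__":
    verdicts, mem = run(SUMMARIES)
    for v in verdicts:
        print(v)
    print("LTM baseline:", round(mem.ltm_mean, 2), "history:", mem.ltm_history)
```

Only interval 5 reaches the focused stage; it is confirmed both by volume (about 50 times the baseline) and by the scenario rule, because LTM still holds the scanning symptom from interval 2. Leaving the flagged interval out of the EWMA keeps the baseline at its pre-attack value, so a sustained flood cannot train the detector to accept itself.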